[CentOS-mirror] DDOS Attacks

Wed Aug 6 01:01:49 UTC 2014
Paul Stewart <pstewart at nexicomgroup.net>

Thanks for the input.  This is new and just started today - it’s
definitely an attack towards the server.  We are seeing the exact same
attacks now against other servers but all day until about an hour ago it
was the CentOS mirror specifically (which may have just been dumb luck).
If nobody else is seeing anything like this then that’s good news - the
closest in the past that we have seen is Chinese IP addresses downloading
the same ISO images over and over.  This attack is seeing the source IP
addresses worldwide (about 175 of them on average) indicating it’s botnet
related likely.

The attacks look like this:

Type:        TCP SYN Misuse
ID:          198828
Resource:    xx.xxx.xx.2/32 Other
Router:      Not Applicable
Interface:   Not Applicable
Severity:    high
Impact:      662.58 Mbps/93.27 Kpps
Started:     2014-08-05 23:55:40
Ended:       2014-08-06 00:02:41
Link rate:   93.27 Kpps, 186.530000% of 50.00 Kpps
Protocol:    tcp
Flags:       S
Router:      xx.xx.xxx.59 (core1.xxxxxxxxx)
             Input If.: 694 (xe-4/2/0.101)
             Output If.: 604 (xe-2/3/0.0)
URL:         https://xxxxxxxxxxxxxxxxxxxxxxxxxxx



On 2014-08-05, 7:24 PM, "Anssi Johansson" <centos at miuku.net> wrote:

>6.8.2014 1.59, Paul Stewart kirjoitti:
>> Hi there…
>> Today, we started getting hit with DDOS attacks specifically against our
>> CentOS mirror.  Has anyone else seen this behavior before?
>> These are TCP SYN and TCP RST misuse type attacks.
>I don't run a mirror myself, but please note that what you're seeing
>might be simply yum-plugin-fastestmirror doing what's it's supposed to
>do. yum-plugin-fastestmirror determines the closest mirror by opening a
>TCP connection to each mirror and then closing the connection
>immediately. The time spent is measured, and the fastest mirror as
>determined by this process gets selected.
>CentOS-mirror mailing list
>CentOS-mirror at centos.org