Hi there and thank you. We have not performed traffic analysis yet via sniffers as the attacks suddenly stopped overnight. That output is from Arbor Peakflow/TMS system. Thanks, Paul From: Ricardo David Carrillo Sanchez <dominus.ceo at gmail.com<mailto:dominus.ceo at gmail.com>> Reply-To: "Mailing list for CentOS mirrors." <centos-mirror at centos.org<mailto:centos-mirror at centos.org>> Date: Tuesday, August 5, 2014 at 11:00 PM To: "Mailing list for CentOS mirrors." <centos-mirror at centos.org<mailto:centos-mirror at centos.org>> Cc: "Mailing list for CentOS mirrors." <centos-mirror at centos.org<mailto:centos-mirror at centos.org>> Subject: Re: [CentOS-mirror] DDOS Attacks Which tool did you use to get this output, perhaps it is not an attack or do you have any kind of log to complement the output? — Sent from My mobile device On Tue, Aug 5, 2014 at 8:01 PM, Paul Stewart <pstewart at nexicomgroup.net<mailto:pstewart at nexicomgroup.net>> wrote: Thanks for the input. This is new and just started today - it’s definitely an attack towards the server. We are seeing the exact same attacks now against other servers but all day until about an hour ago it was the CentOS mirror specifically (which may have just been dumb luck). If nobody else is seeing anything like this then that’s good news - the closest in the past that we have seen is Chinese IP addresses downloading the same ISO images over and over. This attack is seeing the source IP addresses worldwide (about 175 of them on average) indicating it’s botnet related likely. The attacks look like this: Type: TCP SYN Misuse ID: 198828 Resource: xx.xxx.xx.2/32 Other Router: Not Applicable Interface: Not Applicable Severity: high Impact: 662.58 Mbps/93.27 Kpps Started: 2014-08-05 23:55:40 Ended: 2014-08-06 00:02:41 Link rate: 93.27 Kpps, 186.530000% of 50.00 Kpps Protocol: tcp Flags: S Router: xx.xx.xxx.59 (core1.xxxxxxxxx) Input If.: 694 (xe-4/2/0.101) Output If.: 604 (xe-2/3/0.0) URL: https://xxxxxxxxxxxxxxxxxxxxxxxxxxx Thanks, Paul On 2014-08-05, 7:24 PM, "Anssi Johansson" <centos at miuku.net<mailto:centos at miuku.net>> wrote: >6.8.2014 1.59, Paul Stewart kirjoitti: >> Hi there… >> >> Today, we started getting hit with DDOS attacks specifically against our >> CentOS mirror. Has anyone else seen this behavior before? >> >> These are TCP SYN and TCP RST misuse type attacks. > >I don't run a mirror myself, but please note that what you're seeing >might be simply yum-plugin-fastestmirror doing what's it's supposed to >do. yum-plugin-fastestmirror determines the closest mirror by opening a >TCP connection to each mirror and then closing the connection >immediately. The time spent is measured, and the fastest mirror as >determined by this process gets selected. >_______________________________________________ >CentOS-mirror mailing list >CentOS-mirror at centos.org<mailto:CentOS-mirror at centos.org> >http://lists.centos.org/mailman/listinfo/centos-mirror _______________________________________________ CentOS-mirror mailing list CentOS-mirror at centos.org<mailto:CentOS-mirror at centos.org> http://lists.centos.org/mailman/listinfo/centos-mirror -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos-mirror/attachments/20140806/0cb2eac3/attachment-0006.html>