[CentOS-mirror] DDOS Attacks

Wed Aug 6 10:12:33 UTC 2014
Paul Stewart <pstewart at nexicomgroup.net>

Hi there and thank you.  We have not performed traffic analysis yet via sniffers as the attacks suddenly stopped overnight.

That output is from Arbor Peakflow/TMS system.


From: Ricardo David Carrillo Sanchez <dominus.ceo at gmail.com>
Reply-To: "Mailing list for CentOS mirrors." <centos-mirror at centos.org>
Date: Tuesday, August 5, 2014 at 11:00 PM
To: "Mailing list for CentOS mirrors." <centos-mirror at centos.org>
Cc: "Mailing list for CentOS mirrors." <centos-mirror at centos.org>
Subject: Re: [CentOS-mirror] DDOS Attacks

Which tool did you use to get this output? Perhaps it is not an attack, or do you have any kind of log to complement the output?
Sent from My mobile device

On Tue, Aug 5, 2014 at 8:01 PM, Paul Stewart <pstewart at nexicomgroup.net> wrote:

Thanks for the input. This is new and just started today - it’s
definitely an attack towards the server. We are seeing the exact same
attacks now against other servers but all day until about an hour ago it
was the CentOS mirror specifically (which may have just been dumb luck).
If nobody else is seeing anything like this then that’s good news - the
closest in the past that we have seen is Chinese IP addresses downloading
the same ISO images over and over. This attack is seeing the source IP
addresses worldwide (about 175 of them on average) indicating it’s botnet
related likely.

The attacks look like this:

Type: TCP SYN Misuse
ID: 198828
Resource: xx.xxx.xx.2/32 Other
Router: Not Applicable
Interface: Not Applicable
Severity: high
Impact: 662.58 Mbps/93.27 Kpps
Started: 2014-08-05 23:55:40
Ended: 2014-08-06 00:02:41
Link rate: 93.27 Kpps, 186.530000% of 50.00 Kpps
Protocol: tcp
Flags: S
Router: xx.xx.xxx.59 (core1.xxxxxxxxx)
Input If.: 694 (xe-4/2/0.101)
Output If.: 604 (xe-2/3/0.0)
URL: https://xxxxxxxxxxxxxxxxxxxxxxxxxxx



On 2014-08-05, 7:24 PM, "Anssi Johansson" <centos at miuku.net> wrote:

>6.8.2014 1.59, Paul Stewart wrote:
>> Hi there…
>> Today, we started getting hit with DDOS attacks specifically against our
>> CentOS mirror. Has anyone else seen this behavior before?
>> These are TCP SYN and TCP RST misuse type attacks.
>I don't run a mirror myself, but please note that what you're seeing
>might be simply yum-plugin-fastestmirror doing what it's supposed to
>do. yum-plugin-fastestmirror determines the closest mirror by opening a
>TCP connection to each mirror and then closing the connection
>immediately. The time spent is measured, and the fastest mirror as
>determined by this process gets selected.
>CentOS-mirror mailing list
>CentOS-mirror at centos.org


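The thread turns on whether the Arbor alert shows a real SYN flood or just yum-plugin-fastestmirror's connect-and-close timing probes. The following is an added example, not code from the list, from Arbor or from yum: it recomputes the figures in the masked alert Paul posted (percent of threshold, average packet size implied by the Mbps/Kpps pair) and then classifies constructed connection-tracking records by whether the client ever completed the handshake, which is the observable difference between a fastestmirror probe (SYN, SYN/ACK, ACK, then close) and a bare-SYN flood. The record format, the sample data and the thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Alert text as posted in the thread (the poster masked the addresses, so
# only the numeric fields are kept here).
ARBOR_ALERT = """\
Type: TCP SYN Misuse
Severity: high
Impact: 662.58 Mbps/93.27 Kpps
Started: 2014-08-05 23:55:40
Ended: 2014-08-06 00:02:41
Link rate: 93.27 Kpps, 186.530000% of 50.00 Kpps
Protocol: tcp
Flags: S
"""


def parse_arbor_alert(text):
    """Extract the numeric fields and derive two sanity figures a defender
    would check by hand: the percent-of-threshold recomputed from the raw
    rates, and the average packet size implied by Mbps divided by Kpps."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)  # timestamps contain more colons
            fields[key.strip()] = value.strip()
    m = re.fullmatch(r"([\d.]+) Mbps/([\d.]+) Kpps", fields["Impact"])
    mbps, kpps = float(m.group(1)), float(m.group(2))
    m = re.fullmatch(r"([\d.]+) Kpps, ([\d.]+)% of ([\d.]+) Kpps", fields["Link rate"])
    rate_kpps, reported_pct, threshold_kpps = (float(g) for g in m.groups())
    return {
        "flags": fields["Flags"],
        "kpps": kpps,
        "threshold_kpps": threshold_kpps,
        "reported_pct": reported_pct,
        "computed_pct": round(rate_kpps / threshold_kpps * 100, 2),
        # bits per second / packets per second / 8 = bytes per packet
        "avg_packet_bytes": round(mbps * 1e6 / (kpps * 1e3) / 8),
    }


def classify_attempts(attempts, window_s, completion_floor=0.5, source_floor=50):
    """attempts: iterable of (src_ip, flag_sequence) seen in one time window,
    where flag_sequence is a hypothetical conntrack-style record such as
    "S/SA/A/F" (client SYN, server SYN/ACK, client ACK, client FIN).
    A fastestmirror probe completes the handshake before closing, so its
    record contains the client's ACK; a bare "S" that never completes is the
    signature of a SYN flood.  The two thresholds are illustrative assumptions."""
    total = completed = 0
    sources = Counter()
    for src, seq in attempts:
        total += 1
        sources[src] += 1
        if "A" in seq.split("/"):
            completed += 1
    completion = completed / total if total else 0.0
    if completion < completion_floor and len(sources) >= source_floor:
        verdict = "syn-flood-like"
    else:
        verdict = "probe-like"
    return {
        "total": total,
        "pps": round(total / window_s, 1),
        "completion_ratio": round(completion, 2),
        "unique_sources": len(sources),
        "verdict": verdict,
    }


def constructed_probe_window():
    # Constructed sample: 40 distinct clients, one timed connect-then-close each, over 60 s.
    return [(f"192.0.2.{i}", "S/SA/A/F") for i in range(1, 41)]


def constructed_flood_window():
    # Constructed sample: 175 sources (the average the thread mentions) sending
    # 5000 bare SYNs inside a single second, none completing the handshake.
    return [(f"198.51.100.{i % 175}", "S") for i in range(5000)]


if __name__ == "__main__":
    print(parse_arbor_alert(ARBOR_ALERT))
    print("probe window :", classify_attempts(constructed_probe_window(), 60.0))
    print("flood window :", classify_attempts(constructed_flood_window(), 1.0))
```

The completion-ratio check is the one worth wiring into real flow or conntrack data: fastestmirror's probes are full three-way handshakes closed immediately, so they never show up as a pile of half-open connections, whereas the alert above reports only the S flag at nearly twice the configured pps threshold.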