[CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror

Mon Oct 5 17:23:04 UTC 2020
CEDIA FOSS Mirrors <mirror at cedia.org.ec>


This issue has been running for several days and finally I decided to check
the stats: we have noticed a sudden increase in bandwidth used by one of our

Our other mirror's traffic pales compared to this one. A sustained traffic of
600-800mbps when others hardly reaches 50-70mbps.

We checked the stats and noticed that the most downloaded file, summing up
several TB is CentOS-7.8.2003/isos/x86_64/CentOS-7-x86_64-Everything-2003.iso,
it has been downloaded several times summing up 5.21TB in the last 7 days.

BTW 5.21TB of the traffic from this mirror goes to China.

One single IP: has tried to connect to our mirror 17516 times.
And in sum 8 IPs from China has actually downloaded several CentOS isos in the
last 7 days: in total we have served 26113 connections only to access .iso
files (CentOS-7 and CentOS-8) from those 8 ips: - China Unicom Guangdong province network   - China Mobile Communications Corporation       - CHINANET Hubei province network   - China Unicom Guangdong province network   - China Unicom Shandong province network   - China Unicom Shandong province network     - China Mobile Communications Corporation   - China Unicom Shandong province network

Have you noticed that in your mirrors? look for these IP and notice if they
have been trying to continously download iso

BTW: Why is centos-8.1.1911 isos being served even when centos-8.2.2003 has
been available for a long time? Why isn't centos- being moved to


Ernesto Perez--

Ladrón de Guevara E11-253 y Andalucía, EPN, Casa Patrimonial. Quito - Ecuador
Telf: (593) 7 407 9300 Ext. 115
csirt at cedia.org.ec / [1]https://csirt.cedia.org.ec

[1] https://csirt.cedia.org.ec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-mirror/attachments/20201005/b6d62a7c/attachment-0002.html>