[CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror

Thu Oct 15 15:10:43 UTC 2020
CEDIA FOSS Mirrors <mirror at cedia.org.ec>

10/12/2020 10:50 - CEDIA FOSS Mirrors via CentOS-mirror wrote:
10/07/2020 21:50 - TUNA Mirror Team wrote:

Hi, all

On our servers, the following UAs are blocked and similar repeated requests
against large iso files can be rejected:

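# Flag requests whose User-Agent matches a known-abusive pattern
# ("~*" makes the regex match case-insensitive).
map $http_user_agent $isbadbrowser {
 default 0;
 "~*Mozilla/5\.0 \(Linux; Android\)" 1;
 "~*Chrome/49\.0\.2623\.87" 1;
 "~*Firefox/3\.6\.3" 1;
}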

According to our experience of operating the largest mirror site in China, such
a User-Agent list is able to protect against most of that traffic; IP blocking
is not needed, and the list hasn't required an update for several years.

Great to know. I have just implemented it with your suggestion. I will monitor
the traffic for 2-3 days and see if it works.

Just to let you know that the traffic during this week has been lower than last
week, when we blocked CN, and way lower than 2 weeks ago, when we had no control.

So to sum it up: as suggested by the TUNA team, by blocking queries based on
misbehaving user-agents we were able to lower the traffic by a significant
amount (25-30% lower than 2 weeks ago).
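
An added example, not part of the thread or of either mirror's configuration: one way to estimate from an existing access log how many bytes the three User-Agent patterns above would reject before enforcing them. It assumes nginx's default "combined" log format; the log lines, paths and addresses are constructed samples.

```python
import re
from collections import defaultdict

# The three patterns from the map block; nginx "~*" is a case-insensitive regex.
BAD_UA = [re.compile(p, re.IGNORECASE) for p in (
    r"Mozilla/5\.0 \(Linux; Android\)",
    r"Chrome/49\.0\.2623\.87",
    r"Firefox/3\.6\.3",
)]

# Assumed format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'\d{3} (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges, made-up paths and sizes).
_T = "[05/Oct/2020:10:00:00 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {_T} "GET /isos/example.iso HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Linux; Android)"',
    f'192.0.2.11 - - {_T} "GET /isos/example.iso HTTP/1.1" 206 2000 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0.2623.87 Safari/537.36"',
    f'198.51.100.7 - - {_T} "GET /repodata/repomd.xml HTTP/1.1" 200 4000 "-" "libdnf"',
    f'198.51.100.8 - - {_T} "GET /isos/example.iso HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36"',
    "truncated or malformed line",
]

def summarize(lines):
    """Return byte totals for all traffic and for traffic the patterns match."""
    total = blocked = unparsed = 0
    per_path = defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            unparsed += 1          # count, but do not guess at, broken lines
            continue
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        total += size
        if any(p.search(m["ua"]) for p in BAD_UA):
            blocked += size
            parts = m["req"].split()
            per_path[parts[1] if len(parts) >= 2 else "?"] += size
    return {"total": total, "blocked": blocked, "unparsed": unparsed,
            "share": blocked / total if total else 0.0, "per_path": dict(per_path)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The fourth sample line is not matched: the first pattern requires the literal string `(Linux; Android)`, so a browser User-Agent that carries a version and device after `Android` passes through.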


