[CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror

Mon Oct 5 17:23:04 UTC 2020
CEDIA FOSS Mirrors <mirror at cedia.org.ec>

hi

This issue has been running for several days and finally I decided to check
the stats: we have noticed a sudden increase in bandwidth used by one of our
mirrors.

Our other mirror's traffic pales compared to this one. A sustained traffic of
600-800mbps when others hardly reaches 50-70mbps.

We checked the stats and noticed that the most downloaded file, summing up
several TB is CentOS-7.8.2003/isos/x86_64/CentOS-7-x86_64-Everything-2003.iso,
it has been downloaded several times summing up 5.21TB in the last 7 days.

BTW 5.21TB of the traffic from this mirror goes to China.

One single IP: 112.95.214.226 has tried to connect to our mirror 17516 times.
And in sum 8 IPs from China has actually downloaded several CentOS isos in the
last 7 days: in total we have served 26113 connections only to access .iso
files (CentOS-7 and CentOS-8) from those 8 ips:

112.95.214.226 - China Unicom Guangdong province network
223.88.61.170   - China Mobile Communications Corporation
171.41.7.29       - CHINANET Hubei province network
120.84.10.190   - China Unicom Guangdong province network
27.221.66.104   - China Unicom Shandong province network
27.221.66.105   - China Unicom Shandong province network
112.32.21.93     - China Mobile Communications Corporation
27.221.49.135   - China Unicom Shandong province network

Have you noticed that in your mirrors? look for these IP and notice if they
have been trying to continously download iso

BTW: Why is centos-8.1.1911 isos being served even when centos-8.2.2003 has
been available for a long time? Why isn't centos-8.1.19.11 being moved to
vault?

regards

Ernesto Perez--
CSIRT-CEDIA

Ladrón de Guevara E11-253 y Andalucía, EPN, Casa Patrimonial. Quito - Ecuador
Telf: (593) 7 407 9300 Ext. 115
csirt at cedia.org.ec / [1]https://csirt.cedia.org.ec


[1] https://csirt.cedia.org.ec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-mirror/attachments/20201005/b6d62a7c/attachment-0004.html>