[CentOS-mirror] Weird traffic pattern spotted, is it just us?
Quantum Mirror
root at quantum-mirror.huThu Jul 8 18:11:39 UTC 2021
- Previous message: [CentOS-mirror] Weird traffic pattern spotted, is it just us?
- Next message: [CentOS-mirror] Weird traffic pattern spotted, is it just us?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi! This is an old problem. Solution: https://lists.centos.org/pipermail/centos-mirror/2020-October/024445.html Cheers, Peter 2021. 07. 08. 19:38 keltezéssel, Alex Iribarren írta: > Hi all, > > First of all, sorry if this is the wrong mailing list for this, feel > free to point me to a more appropriate place. > > Some time ago, I was looking at the httpd logs of our mirror servers > and I noticed a weird pattern: we seem to have an awful lot of > suspicious-looking partial content requests for ISO images. In the > past 24 hours, we've had 64k requests for 98 different ISOs coming > from 508 different IPs. > > A single IP address has sent 3115 partial content requests for > CentOS-7.0-1406-x86_64-DVD.iso, and then moved on to requesting > CentOS-5.11-i386-bin-DVD-1of2.iso 2069 times (in the last 24 hours). > Downloading the full file doesn't seem to be the goal of this traffic, > in most cases the clients download fewer bytes than the total > filesize. To test this, I disabled partial requests on the server side > so the full file would be served regardless of how many bytes a client > requested, and the clients would carry on sending requesting even > though they had already downloaded the entire file multiple times. > > The requests seem to all have random-ish useragents, but all of them > start with "Mozilla/5.0", so they're pretending to be web browsers. > The web browsers I've tested don't issue HTTP 206 requests when > downloading files, even big ones, and they would probably stop when > they had the full file anyway. The vast majority of these strange > requests, 95%, seem to come from Chinese IPs. We get requests all the > time, but they seem to pick up around 3am CEST and they start to be > less frequent by 5pm, which sort-of matches Chinese daytime. > > Globally, these requests don't seem to be doing any harm, they are > less than 1.2% of the requests we got in the last 24 hours, but they > don't look like legitimate traffic and I just can't figure out what > the point of it would be. Are we being used for weird speedtests from > China? Or is this a really lazy DDoS attack? > > Does anybody else see this kind of traffic? Try looking for > `http_status=206 useragent="Mozilla *" uri_path="*.iso"` in your logs, > I'm curious to see if this is common or not. > > Cheers, > Alex > _______________________________________________ > CentOS-mirror mailing list > CentOS-mirror at centos.org > https://lists.centos.org/mailman/listinfo/centos-mirror
- Previous message: [CentOS-mirror] Weird traffic pattern spotted, is it just us?
- Next message: [CentOS-mirror] Weird traffic pattern spotted, is it just us?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS-mirror mailing list