[CentOS-mirror] Weird traffic pattern spotted, is it just us?

Thu Jul 8 17:38:04 UTC 2021
Alex Iribarren <alex.m.lists3 at gmail.com>

Hi all,

First of all, sorry if this is the wrong mailing list for this, feel 
free to point me to a more appropriate place.

Some time ago, I was looking at the httpd logs of our mirror servers and 
I noticed a weird pattern: we seem to have an awful lot of 
suspicious-looking partial content requests for ISO images. In the past 
24 hours, we've had 64k requests for 98 different ISOs coming from 508 
different IPs.

A single IP address has sent 3115 partial content requests for 
CentOS-7.0-1406-x86_64-DVD.iso, and then moved on to requesting 
CentOS-5.11-i386-bin-DVD-1of2.iso 2069 times (in the last 24 hours). 
Downloading the full file doesn't seem to be the goal of this traffic, 
in most cases the clients download fewer bytes than the total filesize. 
To test this, I disabled partial requests on the server side so the full 
file would be served regardless of how many bytes a client requested, 
and the clients would carry on sending requesting even though they had 
already downloaded the entire file multiple times.

The requests seem to all have random-ish useragents, but all of them 
start with "Mozilla/5.0", so they're pretending to be web browsers. The 
web browsers I've tested don't issue HTTP 206 requests when downloading 
files, even big ones, and they would probably stop when they had the 
full file anyway. The vast majority of these strange requests, 95%, seem 
to come from Chinese IPs. We get requests all the time, but they seem to 
pick up around 3am CEST and they start to be less frequent by 5pm, which 
sort-of matches Chinese daytime.

Globally, these requests don't seem to be doing any harm, they are less 
than 1.2% of the requests we got in the last 24 hours, but they don't 
look like legitimate traffic and I just can't figure out what the point 
of it would be. Are we being used for weird speedtests from China? Or is 
this a really lazy DDoS attack?

Does anybody else see this kind of traffic? Try looking for 
`http_status=206 useragent="Mozilla *" uri_path="*.iso"` in your logs, 
I'm curious to see if this is common or not.