[CentOS-mirror] Weird traffic pattern spotted, is it just us?

Thu Jul 8 18:11:39 UTC 2021
Quantum Mirror <root at quantum-mirror.hu>


This is an old problem.





2021. 07. 08. 19:38 keltezéssel, Alex Iribarren írta:
> Hi all,
> First of all, sorry if this is the wrong mailing list for this, feel 
> free to point me to a more appropriate place.
> Some time ago, I was looking at the httpd logs of our mirror servers 
> and I noticed a weird pattern: we seem to have an awful lot of 
> suspicious-looking partial content requests for ISO images. In the 
> past 24 hours, we've had 64k requests for 98 different ISOs coming 
> from 508 different IPs.
> A single IP address has sent 3115 partial content requests for 
> CentOS-7.0-1406-x86_64-DVD.iso, and then moved on to requesting 
> CentOS-5.11-i386-bin-DVD-1of2.iso 2069 times (in the last 24 hours). 
> Downloading the full file doesn't seem to be the goal of this traffic, 
> in most cases the clients download fewer bytes than the total 
> filesize. To test this, I disabled partial requests on the server side 
> so the full file would be served regardless of how many bytes a client 
> requested, and the clients would carry on sending requesting even 
> though they had already downloaded the entire file multiple times.
> The requests seem to all have random-ish useragents, but all of them 
> start with "Mozilla/5.0", so they're pretending to be web browsers. 
> The web browsers I've tested don't issue HTTP 206 requests when 
> downloading files, even big ones, and they would probably stop when 
> they had the full file anyway. The vast majority of these strange 
> requests, 95%, seem to come from Chinese IPs. We get requests all the 
> time, but they seem to pick up around 3am CEST and they start to be 
> less frequent by 5pm, which sort-of matches Chinese daytime.
> Globally, these requests don't seem to be doing any harm, they are 
> less than 1.2% of the requests we got in the last 24 hours, but they 
> don't look like legitimate traffic and I just can't figure out what 
> the point of it would be. Are we being used for weird speedtests from 
> China? Or is this a really lazy DDoS attack?
> Does anybody else see this kind of traffic? Try looking for 
> `http_status=206 useragent="Mozilla *" uri_path="*.iso"` in your logs, 
> I'm curious to see if this is common or not.
> Cheers,
> Alex
> _______________________________________________
> CentOS-mirror mailing list
> CentOS-mirror at centos.org
> https://lists.centos.org/mailman/listinfo/centos-mirror