[CentOS-mirror] Weird traffic pattern spotted, is it just us?

Mon Jul 12 11:23:10 UTC 2021
Alex Iribarren <alex.m.lists3 at gmail.com>

Hi Peter,

Thanks for pointing this out. I solved it less aggressively, and also 
those user agents are not the ones that I'm seeing. I'm simply ignoring 
the requests with Apache's ModSecurity.

In any case, I'm still wondering what they're trying to do with these 
requests. If anyone has any ideas, I'd love to hear them.


On 7/8/21 8:11 PM, Quantum Mirror wrote:
> Hi!
> This is an old problem.
> Solution:
> https://lists.centos.org/pipermail/centos-mirror/2020-October/024445.html
> Cheers,
> Peter
> On 2021. 07. 08. 19:38, Alex Iribarren wrote:
>> Hi all,
>> First of all, sorry if this is the wrong mailing list for this, feel 
>> free to point me to a more appropriate place.
>> Some time ago, I was looking at the httpd logs of our mirror servers 
>> and I noticed a weird pattern: we seem to have an awful lot of 
>> suspicious-looking partial content requests for ISO images. In the 
>> past 24 hours, we've had 64k requests for 98 different ISOs coming 
>> from 508 different IPs.
>> A single IP address has sent 3115 partial content requests for 
>> CentOS-7.0-1406-x86_64-DVD.iso, and then moved on to requesting 
>> CentOS-5.11-i386-bin-DVD-1of2.iso 2069 times (in the last 24 hours). 
>> Downloading the full file doesn't seem to be the goal of this traffic, 
>> in most cases the clients download fewer bytes than the total 
>> filesize. To test this, I disabled partial requests on the server side 
>> so the full file would be served regardless of how many bytes a client 
>> requested, and the clients would carry on sending requests even 
>> though they had already downloaded the entire file multiple times.
>> The requests seem to all have random-ish user agents, but all of them 
>> start with "Mozilla/5.0", so they're pretending to be web browsers. 
>> The web browsers I've tested don't issue HTTP 206 requests when 
>> downloading files, even big ones, and they would probably stop when 
>> they had the full file anyway. The vast majority of these strange 
>> requests, 95%, seem to come from Chinese IPs. We get requests all the 
>> time, but they seem to pick up around 3am CEST and they start to be 
>> less frequent by 5pm, which sort of matches Chinese daytime.
>> Globally, these requests don't seem to be doing any harm, they are 
>> less than 1.2% of the requests we got in the last 24 hours, but they 
>> don't look like legitimate traffic and I just can't figure out what 
>> the point of it would be. Are we being used for weird speedtests from 
>> China? Or is this a really lazy DDoS attack?
>> Does anybody else see this kind of traffic? Try looking for 
>> `http_status=206 useragent="Mozilla *" uri_path="*.iso"` in your logs, 
>> I'm curious to see if this is common or not.
>> Cheers,
>> Alex
>> _______________________________________________
>> CentOS-mirror mailing list
>> CentOS-mirror at centos.org
>> https://lists.centos.org/mailman/listinfo/centos-mirror
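Alex's suggested log search (`http_status=206 useragent="Mozilla *" uri_path="*.iso"`) carried out over Apache combined-format access logs, as an added example that is not part of this thread: it groups 206 responses per client and ISO, counts the distinct user agents, and compares bytes served against the image size to surface clients that keep requesting ranges after they already hold a full copy. The sample log lines, the 203.0.113.0/24 and 198.51.100.0/24 addresses, the `/isos/` path and the 4 MB image size are constructed, not taken from a real mirror.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def suspicious_iso_clients(lines, iso_sizes, min_requests=100):
    """Per (client IP, ISO): count 206 responses carrying a Mozilla/5.0 user agent and sum
    the bytes served; flag pairs over min_requests or that have pulled >= 1 full copy."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 206 or not rec["ua"].startswith("Mozilla/5.0"):
            continue
        if not rec["path"].lower().endswith(".iso"):
            continue
        iso = rec["path"].rsplit("/", 1)[-1]
        entry = stats[(rec["ip"], iso)]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["agents"].add(rec["ua"])
    findings = []
    for (ip, iso), entry in stats.items():
        size = iso_sizes.get(iso)                      # None when the image size is unknown
        copies = entry["bytes"] / size if size else None
        if entry["requests"] >= min_requests or (copies is not None and copies >= 1.0):
            findings.append({"ip": ip, "iso": iso, "requests": entry["requests"],
                             "copies_downloaded": copies, "distinct_agents": len(entry["agents"])})
    return sorted(findings, key=lambda f: -f["requests"])

# Constructed sample: 150 partial requests from one documentation-range IP, each with a
# different random-looking Mozilla/5.0 agent, plus one ordinary full download by curl.
ISO = "CentOS-7.0-1406-x86_64-DVD.iso"
SAMPLE_LOG = [f'203.0.113.5 - - [08/Jul/2021:03:{i // 60:02d}:{i % 60:02d} +0200] "GET /isos/{ISO} '
              f'HTTP/1.1" 206 100000 "-" "Mozilla/5.0 (X11; Linux) client{i}"' for i in range(150)]
SAMPLE_LOG.append(f'198.51.100.9 - - [08/Jul/2021:09:00:00 +0200] "GET /isos/{ISO} HTTP/1.1" '
                  '200 4000000 "-" "curl/7.76.1"')
SAMPLE_SIZES = {ISO: 4_000_000}  # constructed size, not the real image size
```

On the constructed sample the single range-hammering client is reported with 150 requests, 150 distinct agents and 3.75 full copies downloaded, while the curl download is ignored because it is a 200 response.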