Tuesday, 18 March 2008

Blocking China

For the last few days there have been so many connections to our mirror server
from China that I started to block certain subnets. There are usually
around 10 clients connecting via HTTP, and each is opening over 50
connections to our server. They are downloading mainly ISO images and
other big files. I can see that each client is starting to download
lots of different things: Fedora 3 through Fedora 7 ISO images, Ubuntu ISO images,
openSUSE ISO images and other old and large files.

I started to block individual IP addresses, but there are just too many, so
I switched to blocking whole subnets. I am using the following command to get
an overview of which clients are opening many connections at once (field 11 of
the lynx dump of Apache's server-status page is the client address):

lynx -dump -width=2000 http://localhost/server-status | awk -F\  '{ print $11 }' | sort -n | uniq -c | sort -n

The output looks something like this (number of open connections, then the client address):

63 ::1

With the following command I am calculating the network which will be blocked: the inetnum
range from the whois answer is fed to the netmask(1) utility, which converts it into CIDR notation
(the client address is a placeholder here):

$ whois <client-ip> | grep inetn | sed -e "s, - ,:,g" | awk ' { print "netmask "$2 }' | sh

And then I am using a simple iptables rule to drop any traffic coming from that network (the network is a placeholder here):

iptables -A INETIN -s <network/prefix> -j DROP
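The same three steps in one script, as an added example and not part of the original post: count connections per client from server-status rows, turn a whois inetnum range into CIDR prefixes (what netmask(1) does in the pipeline above, including ranges that do not fit one prefix), and render the DROP rules. The status rows, the whois answer and the addresses are constructed; only Python's standard library is used.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of the per-worker rows from Apache's /server-status page as
# lynx -dump renders them (Srv PID Acc M CPU SS Req Conn Child Slot Client ...);
# the client address is the 11th whitespace-separated field, matching awk '$11'.
SAMPLE_STATUS = """\
0-0 4321 0/12/12 W 0.50 3 0 0.0 0.03 0.03 203.0.113.7 mirror GET /fedora/Fedora-7-i386-DVD.iso
1-0 4322 0/7/7 W 0.20 1 0 0.0 0.01 0.01 203.0.113.7 mirror GET /ubuntu/ubuntu-7.10-desktop-i386.iso
2-0 4323 0/3/3 W 0.10 0 0 0.0 0.01 0.01 203.0.113.7 mirror GET /opensuse/openSUSE-10.3-DVD-i386.iso
3-0 4324 0/1/1 W 0.05 0 0 0.0 0.00 0.00 198.51.100.20 mirror GET /debian/README
4-0 4325 0/2/2 _ 0.00 0 0 0.0 0.00 0.00 ::1 mirror GET /server-status
"""

# Constructed whois answer; a registry range need not align to a single prefix.
SAMPLE_WHOIS = """\
inetnum:        203.0.113.64 - 203.0.113.191
netname:        EXAMPLE-NET
"""


def count_clients(status_text, client_field=11):
    """Count open connections per client address (1-based field index)."""
    counts = Counter()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= client_field:
            counts[fields[client_field - 1]] += 1
    return counts


def heavy_clients(status_text, threshold):
    """Return [(ip, n)] for clients holding more than `threshold` connections."""
    return [(ip, n) for ip, n in count_clients(status_text).most_common() if n > threshold]


def whois_to_cidrs(whois_text):
    """Turn the inetnum 'first - last' range into the minimal list of CIDR prefixes."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.M)
    if not m:
        return []
    first, last = (ipaddress.ip_address(a) for a in m.groups())
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def iptables_rules(cidrs, chain="INETIN"):
    """Render one DROP rule per prefix for the custom chain used in the post."""
    return [f"iptables -A {chain} -s {cidr} -j DROP" for cidr in cidrs]


if __name__ == "__main__":
    for ip, n in heavy_clients(SAMPLE_STATUS, threshold=2):
        print(f"{n:4d} {ip}")
    for rule in iptables_rules(whois_to_cidrs(SAMPLE_WHOIS)):
        print(rule)
```

Review the generated rules before applying them: a registry range can cover far more than the one abusive client, so the prefix list is the input to a decision, not something to pipe straight into iptables.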

Currently this is the only idea I have for getting rid of those ~500 connections, which seem to be some kind of abuse.

