For the last few days there have been so many connections to our mirror server
from China that I have started to block certain subnets. There are usually
around 10 clients connecting via HTTP, each opening over 50
connections to our server. They are mainly downloading ISO images and
other big files. I can see that each client starts downloading
lots of different things: Fedora 3 to Fedora 7 ISO images, Ubuntu ISO images,
openSUSE ISO images and other old, large files.
I started by blocking individual IP addresses, but there are just too many, so
I moved on to blocking whole subnets. I am using the following command to get
an overview of which clients are opening many connections at once:
lynx -dump -width=2000 http://localhost/server-status | awk -F\  '{ print $11 }' | sort -n | uniq -c | sort -n
The output looks something like this:
21 122.48.129.75
23 210.21.106.229
24 218.17.228.216
26 220.175.101.252
27 222.67.18.227
30 222.27.89.136
39 123.116.101.186
52 121.231.17.153
63
63 ::1
With the following command I calculate the network block (CIDR netmask) that will be blocked:
$ whois 121.231.17.153 | grep inetn | sed -e "s, - ,:,g" | awk ' { print "netmask "$2 }' | sh
121.224.0.0/12
And then I use a simple iptables rule to drop any traffic coming from that network:
iptables -A INETIN -s 121.224.0.0/12 -j DROP
Currently this is the only idea I have for getting rid of those ~500 connections, which seem to be some kind of abuse.
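The same three steps (count connections per client, turn the whois inetnum range into CIDR blocks, emit DROP rules for the worst offenders) as one offline script. This is an added example, not code from the post; the client list and the whois excerpt are constructed, and the threshold, the dictionary lookup standing in for a real whois query, and the chain name INETIN taken from the rule above are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample: client column of an Apache server-status dump (made-up values).
SAMPLE_CLIENTS = """121.231.17.153
121.231.17.153
222.27.89.136
::1
121.231.17.153

222.27.89.136
121.231.17.153
123.116.101.186
"""
# Constructed whois excerpt in the layout the post's grep/sed/awk pipeline parses.
SAMPLE_WHOIS = {"121.231.17.153": "inetnum:  121.224.0.0 - 121.239.255.255\ncountry:  CN\n"}

def count_clients(text):
    """Connections per client; blank fields and loopback (::1) are skipped."""
    counts = Counter()
    for field in (f.strip() for f in text.splitlines()):
        try:
            addr = ipaddress.ip_address(field)
        except ValueError:        # empty or non-address field
            continue
        if not addr.is_loopback:
            counts[str(addr)] += 1
    return counts

def inetnum_to_cidrs(whois_text):
    """Minimal CIDR list for the 'inetnum: first - last' range (what netmask(1)
    does in the post); a range that is not prefix-aligned gives several blocks."""
    for line in whois_text.splitlines():
        if line.startswith("inetnum:"):
            first, last = (p.strip() for p in line.split(":", 1)[1].split("-"))
            nets = ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last))
            return [str(n) for n in nets]
    return []

def drop_rules(counts, whois_by_client, threshold, chain="INETIN"):
    """iptables DROP rules for every client at or above the threshold."""
    rules = []
    for client, n in counts.most_common():
        if n < threshold:
            break
        for cidr in inetnum_to_cidrs(whois_by_client.get(client, "")):
            rules.append(f"iptables -A {chain} -s {cidr} -j DROP")
    return rules
```

Running drop_rules(count_clients(SAMPLE_CLIENTS), SAMPLE_WHOIS, 4) yields the single rule for 121.224.0.0/12; a whois range that is not aligned to one prefix comes back as several blocks, each needing its own rule.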