centos-infra

Clone
Source Code
GIT

#758 Remove codingflyboy.mm.fcix.net due to high volume of abuse from Chinese addresses
Closed: Fixed 2 years ago by phsmoura. Opened 2 years ago by phirephly.

Closed: Fixed
Reopen Issue

Howdy Team,

Please remove codingflyboy.mm.fcix.net from the /centos/ mirror pool. This server is only on a 1Gbps connection, and as soon as we were added to the centos mirror system (not yet qualified by the prober) we started to see 600Mbps of traffic serving the centos 7 ISOs to Chinese addresses.

These addresses are using curl 7.29.0 to download the centos 7 and (try) centos 8 (non-stream). They never complete, but are prematurely terminated, and they're started/terminated in large batches, which indicate some kind of global coordination. We also only see this traffic between 8AM and 4AM Pacific time (so 20 hours per day) at which point it halts for 4 hours.

We see the same traffic pattern and scale on mirror.fcix.net, which has 10G so the 600Mbps is ignorable, if still the majority of the total traffic for our mirror. We've also had other mirror operators mention that they see the same traffic.

While mostly from AS56046, we are seeing the abuse from AS4134 and a few others, and I think it is better for Centos if I don't start randomly blocking whole blocks of IP addresses on a mirror, breaking centos updates for legitimate China users. These are the announced subnets I was seeing this abuse from:

223.64.0.0/10
183.192.0.0/10
120.32.0.0/12
112.0.0.0/10
110.80.0.0/13
222.76.0.0/14
221.136.0.0/14
221.136.0.0/13
112.109.128.0/17
27.152.0.0/13
59.56.0.0/14
140.237.0.0/16
2409:8000::/20
101.64.0.0/13
211.136.0.0/13
110.52.0.0/15
2408:8000::/20
58.22.0.0/15
36.248.0.0/14
175.42.0.0/15
220.250.32.0/19
240e::/20
114.224.0.0/12
121.224.0.0/12

And a sample of the nginx logs we're seeing.

183.206.58.164 - - [21/Apr/2022:03:22:34 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 100380941 "-" "curl/7.29.0" "-"
223.107.39.46 - - [21/Apr/2022:03:22:34 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 95481886 "-" "curl/7.29.0" "-"
223.107.38.178 - - [21/Apr/2022:03:22:36 -0700] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
112.22.132.218 - - [21/Apr/2022:03:22:37 -0700] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
223.107.38.159 - - [21/Apr/2022:03:22:37 -0700] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
223.107.36.70 - - [21/Apr/2022:03:22:37 -0700] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
183.206.60.116 - - [21/Apr/2022:03:22:37 -0700] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
223.107.40.106 - - [21/Apr/2022:03:22:38 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 72852393 "-" "curl/7.29.0" "-"
112.22.157.195 - - [21/Apr/2022:03:22:38 -0700] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
223.107.37.254 - - [21/Apr/2022:03:22:40 -0700] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
222.77.6.13 - - [21/Apr/2022:03:22:41 -0700] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
183.206.60.184 - - [21/Apr/2022:03:22:41 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 336733 "-" "curl/7.29.0" "-"
223.107.42.219 - - [21/Apr/2022:03:22:43 -0700] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
183.250.141.209 - - [21/Apr/2022:03:22:43 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 66237757 "-" "curl/7.29.0" "-"
223.107.40.109 - - [21/Apr/2022:03:22:44 -0700] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
183.250.140.191 - - [21/Apr/2022:03:22:44 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 66237757 "-" "curl/7.29.0" "-"
112.22.135.2 - - [21/Apr/2022:03:22:44 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 72508237 "-" "curl/7.29.0" "-"
183.250.140.74 - - [21/Apr/2022:03:22:44 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 37854269 "-" "curl/7.29.0" "-"
112.22.156.44 - - [21/Apr/2022:03:22:44 -0700] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
223.107.42.100 - - [21/Apr/2022:03:22:44 -0700] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"
183.250.140.74 - - [21/Apr/2022:03:22:45 -0700] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 200 40449169 "-" "curl/7.29.0" "-"

Metadata Update from @arrfab:
- Issue assigned to phsmoura
- Issue tagged with: high-gain, low-trouble, mirror-linux
2 years ago

hi @phirephly,

codingflyboy.mm.fcix.net was disabled

Metadata Update from @phsmoura:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
2 years ago

Login to comment on this ticket.

Metadata

high-gain mirror-linux low-trouble

None
None
Needs Review
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.