Over the last few days there have been so many connections to our mirror server from China that I started to block certain subnets. There are usually around 10 clients connecting via HTTP and each is opening over 50 connections to our server. They are downloading mainly ISO images and other big files. I can see that each client is starting to download lots of different things: from Fedora 3 to Fedora 7 ISO images, Ubuntu ISO images, openSUSE ISO images and other old and large files.
I started to block individual IP addresses, but there are just too many, so I started to block whole subnets. I am using the following command to get an overview of which clients are opening many connections at once:
lynx -dump -width=2000 http://localhost/server-status | awk -F' ' '{ print $11 }' | sort -n | uniq -c | sort -n
The output looks something like this:
21 122.48.129.75
23 210.21.106.229
24 218.17.228.216
26 220.175.101.252
27 222.67.18.227
30 222.27.89.136
39 123.116.101.186
52 121.231.17.153
63
63 ::1
With the following command I am calculating the netmask which will be blocked:
$ whois 121.231.17.153 | grep inetn | sed -e "s, - ,:,g" | awk '{ print "netmask "$2 }' | sh
121.224.0.0/12
And then I am using a simple iptables rule to drop any traffic coming from that network:
iptables -A INETIN -s 121.224.0.0/12 -j DROP
Currently this is the only idea I have for getting rid of those ~500 connections, which seem to be some kind of abuse.
-------------------------------
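I got this news from cnBeta this morning; it comes from the blog "Adrian doing the blog". It looks like the impact of Xunlei has now reached other countries. Taking without restraint and giving nothing back; I don't know what that is for.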
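The triage steps from the quoted post (count connections per client, look up the registry range, drop the covering network), as an added example that is not part of the original post. The function names are hypothetical, the server-status rows and the whois line are constructed, `range2cidr` stands in for the external `netmask` tool and also handles ranges that are not one aligned block, and the rules are printed for review rather than executed.

```shell
# Added example, not from the original post; all sample data is constructed.
ip2int() ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )
int2ip() { echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"; }

# Cover START..END with the fewest CIDR blocks; a registry range is not
# always a single aligned block, so this may print more than one line.
range2cidr() (
  start=$(ip2int "$1"); end=$(ip2int "$2")
  while [ "$start" -le "$end" ]; do
    bits=32
    while [ "$bits" -gt 0 ]; do
      size=$(( 1 << (33 - bits) ))            # size of the next larger block
      [ $(( start % size )) -eq 0 ] && [ $(( start + size - 1 )) -le "$end" ] || break
      bits=$(( bits - 1 ))
    done
    echo "$(int2ip "$start")/$bits"
    start=$(( start + (1 << (32 - bits)) ))
  done
)

# Read a server-status dump on stdin; print IPv4 clients (field 11, as in the
# post's awk command) holding at least $1 connections. Rows with an empty
# client and loopback addresses are skipped so the server never blocks itself.
busy_clients() {
  awk -v min="$1" '$11 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $11 !~ /^127\./ { n[$11]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -n
}

# Read whois output on stdin; print "START END" from the first inetnum line.
inetnum_range() { awk '/^inetnum:/ { print $2, $4; exit }'; }

# Print (do not execute) the DROP rules for one whois answer.
rules_for() {
  set -- $(printf '%s\n' "$1" | inetnum_range)
  [ $# -eq 2 ] || return 1                    # no inetnum line: emit nothing
  range2cidr "$1" "$2" | while read -r net; do
    echo "iptables -A INETIN -s $net -j DROP"
  done
}

SAMPLE_WHOIS='inetnum:        121.224.0.0 - 121.239.255.255'
SAMPLE_STATUS='0-0 4101 0/12/340 W 0.21 3 0 0.0 1.20 88.10 121.231.17.153 mirror.example GET /a.iso HTTP/1.1
1-0 4102 0/9/212 W 0.18 5 0 0.0 0.90 61.02 121.231.17.153 mirror.example GET /b.iso HTTP/1.1
2-0 4103 0/4/120 W 0.05 1 0 0.0 0.10 12.40 121.231.17.153 mirror.example GET /c.iso HTTP/1.1
3-0 4104 0/2/98 W 0.02 0 0 0.0 0.00 9.13 ::1 mirror.example GET /server-status HTTP/1.1
4-0 4105 0/7/150 W 0.09 2 0 0.0 0.30 20.77 192.0.2.10 mirror.example GET /d.iso HTTP/1.1'

rules_for "$SAMPLE_WHOIS"
```

The field position of the client column depends on the Apache version's server-status layout, so check it against a real dump before trusting the counts.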