LinuxQuestions.org
Old 05-25-2024, 10:08 AM   #1
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 311

DoS against slackware.uk and other Slackware mirrors


For the past few days my external and internal monitoring of slackware.uk has been going ape-shit with warnings of dropped connections and service unavailability.

A couple of days ago 'lamerix', who also runs a Slackware mirror, let me know that they were getting bombarded with requests also.

I had a look through my logs and identified these IP ranges as repeatedly downloading the same .iso file, over and over and over, pushing my bandwidth to 100% usage:

2409:873c:f03::/48
223.78.0.0/16

Make what you will of the country of origin (China).

So, just a warning for my fellow mirror admins - check you are not being DoSed too. Look out for IPs within those ranges downloading the same .iso file repeatedly.

I've firewalled both those network ranges, but I'm still getting some small alerts for accessibility of my server, so there may be other ranges that are requesting more random files.

In the meantime, please be aware that slackware.uk (and some other mirrors) may appear slower than usual.

Cheers.
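Added example, not part of the original post: one way a mirror admin could run the check described above, grouping Apache combined-format log entries by network (/16 for IPv4, /48 for IPv6, the prefix sizes of the ranges named in the post) and reporting networks that fetch the same .iso repeatedly. The function names, sample addresses (documentation ranges), path and sizes are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Apache combined log format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def network_of(ip, v4_prefix=16, v6_prefix=48):
    """Collapse an address to its enclosing network (hypothetical helper)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def repeated_iso_downloads(lines, min_hits=3):
    """Return (network, path, hits, bytes_sent) rows, heaviest network first."""
    hits, sent = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("200", "206"):
            continue  # only full (200) or partial (206) transfers
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(".iso"):
            continue
        try:
            key = (network_of(m["ip"]), path)
        except ValueError:
            continue  # client field was a hostname, not an address
        hits[key] += 1
        sent[key] += 0 if m["size"] == "-" else int(m["size"])
    rows = [(str(n), p, c, sent[(n, p)]) for (n, p), c in hits.items() if c >= min_hits]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample log: documentation address ranges, made-up path and sizes.
_FMT = '{} - - [25/May/2024:09:00:01 +0000] "GET {} HTTP/1.1" {} {} "-" "curl/8.0"'
SAMPLE_LOG = [_FMT.format(*f) for f in [
    ("198.51.100.7", "/iso/example.iso", 200, 3000000000),
    ("198.51.100.23", "/iso/example.iso", 200, 3000000000),
    ("198.51.100.200", "/iso/example.iso", 200, 3000000000),
    ("2001:db8:f03:1::5", "/iso/example.iso", 200, 3000000000),
    ("2001:db8:f03:2::9", "/iso/example.iso", 200, 3000000000),
    ("2001:db8:f03:ffff::1", "/iso/example.iso", 206, 1000000000),
    ("203.0.113.10", "/iso/example.iso", 200, 3000000000),
    ("203.0.113.10", "/ChangeLog.txt", 200, 51234),
]]

if __name__ == "__main__":
    for row in repeated_iso_downloads(SAMPLE_LOG):
        print(row)
```

The byte total per network shows whether clients are pulling the whole image each time or only fragments, and a single legitimate download (the 203.0.113.10 entry) stays below the threshold.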
 
Old 05-25-2024, 11:44 AM   #2
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,932

So, first LQ, the primary home of the Slackware community, gets DOSed, and now Slackware mirrors are being hit. Coincidence, or has someone got all butt-hurt against Slackers for some reason?
 
Old 05-25-2024, 01:03 PM   #3
garpu
Senior Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 1,628

Probably not even related. These sorts of things happen all the time.
 
Old 05-25-2024, 02:26 PM   #4
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,550

Maybe whoever hacked them was using Slackware.
 
Old 06-02-2024, 09:24 AM   #5
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 311

Original Poster
On top of the DoS, there has been a bot, "ClaudeBot", which is apparently an AI training bot, hammering the shite out of the site for a while, slowing things down further.

It doesn't respect a robots.txt, so has been hammering at full speed every part of the site.

I've just added the Apache Bad Bot Blocker (available on github) to match and give a 403 to bad bots. This may cause some collateral damage to legitimate users - if this is you, please get in touch with me in this thread or email the mirrors@ address; and I'll do my best to resolve your access.

This is the first time in nearly 20 years that I've had a DoS or had to institute blocking of abusive bots. Times have not moved on in a good way.
 
7 members found this post helpful.
Old 06-02-2024, 11:10 AM   #6
rizitis
Member
 
Registered: Mar 2009
Location: Greece,Crete
Distribution: Slackware64-current, Slint
Posts: 734
Blog Entries: 2

@tadgy plz read my pm
 
Old 06-02-2024, 11:37 AM   #7
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 311

Original Poster
Thanks for the link, but I've already instituted bot blocking on the server using this project on GitHub.

Also, the Chinese haven't given up their attack... I've found another IP they are using to request the same .iso over and over:
111.44.249.117

That's been firewalled along with the other Chinese IPs from before and along with the bot blocker, the load/bandwidth usage has gone right down.
 
2 members found this post helpful.
Old 06-02-2024, 12:03 PM   #8
rizitis
Member
 
Registered: Mar 2009
Location: Greece,Crete
Distribution: Slackware64-current, Slint
Posts: 734
Blog Entries: 2

Quote:
Originally Posted by tadgy View Post
Thanks for the link, but I've already instituted bot blocking on the server using this project on GitHub.

Also, the Chinese haven't given up their attack... I've found another IP they are using to request the same .iso over and over:
111.44.249.117

That's been firewalled along with the other Chinese IPs from before and along with the bot blocker, the load/bandwidth usage has gone right down.
RewriteEngine On
RewriteRule ^file\.iso$ http://111.44.249.117/ [R=302,L]

I know it's not correct but sometimes...

Last edited by rizitis; 06-02-2024 at 12:04 PM.
 
Old 06-02-2024, 12:16 PM   #9
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,987

Quote:
Originally Posted by tadgy View Post
I've found another IP they are using to request the same .iso over and over:
Do they succeed downloading the whole iso or do they download only a small part of it and then again?
 
Old 06-02-2024, 01:10 PM   #10
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 311

Original Poster
Quote:
Originally Posted by Petri Kaukasoina View Post
Do they succeed downloading the whole iso or do they download only a small part of it and then again?
They would literally download the whole ISO from multiple connections over and over, which not only used bandwidth but also took an Apache thread to process the download; thus causing a DoS to other users.

Last edited by tadgy; 06-02-2024 at 01:13 PM.
 
Old 06-02-2024, 01:15 PM   #11
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,987

Quote:
Originally Posted by tadgy View Post
They would literally download the whole ISO from multiple connections over and over, which not only used bandwidth but also took an Apache thread to process the download; thus causing a DoS to other users.
OK, I haven't seen that...
 
Old 06-02-2024, 01:26 PM   #12
reddog83
Member
 
Registered: Apr 2018
Distribution: Slackware 15.0/Current
Posts: 470


Quote:
Originally Posted by tadgy View Post
Thanks for the link, but I've already instituted bot blocking on the server using this project on GitHub.

Also, the Chinese haven't given up their attack... I've found another IP they are using to request the same .iso over and over:
111.44.249.117

That's been firewalled along with the other Chinese IPs from before and along with the bot blocker, the load/bandwidth usage has gone right down.
I need to check this out 'cause I am getting some IPs going to the same page every 2 secs.
 
Old 06-02-2024, 01:35 PM   #13
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,550

Quote:
Originally Posted by tadgy View Post
On top of the DoS, there has been a bot, "ClaudeBot", which is apparently an AI training bot, hammering the shite out of the site for a while, slowing things down further.

It doesn't respect a robots.txt, so has been hammering at full speed every part of the site.

I've just added the Apache Bad Bot Blocker (available on github) to match and give a 403 to bad bots. This may cause some collateral damage to legitimate users - if this is you, please get in touch with me in this thread or email the mirrors@ address; and I'll do my best to resolve your access.

This is the first time in nearly 20 years that I've had a DoS or had to institute blocking of abusive bots. Times have not moved on in a good way
With the times/dates of these attacks, and the IPs they can trace the offender in China. Have you tried that approach, perhaps through your embassy in China? That might mean going through Foreign affairs, Interpol or someone. But a few phone calls should make it happen, which might at least nudge them in the right direction.
 
Old 06-02-2024, 02:14 PM   #14
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 311

Original Poster
Quote:
Originally Posted by business_kid View Post
With the times/dates of these attacks, and the IPs they can trace the offender in China. Have you tried that approach, perhaps through your embassy in China? That might mean going through Foreign affairs, Interpol or someone. But a few phone calls should make it happen, which might at least nudge them in the right direction.
Reward to effort value doesn't make this worthwhile.

China isn't going to give two shits about stopping an attack on a small site like slackware.uk, even if it /is/ the state that is doing it (it could just be some script kiddy with a grudge against Slackware for some reason).
 
3 members found this post helpful.
Old 06-03-2024, 12:50 AM   #15
henca
Senior Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 1,041

Quote:
Originally Posted by tadgy View Post
China isn't going to give two shits about stopping an attack on a small site like slackware.uk, even if it /is/ the state that is doing it (it could just be some script kiddy with a grudge against Slackware for some reason).
Yes, let's face it. Internet is not a very nice place. Even though a low percentage of the internet population, it has far too many evil people wishing to abuse all those systems out there for their own economical gain or political interest. They will send spam to every email they can find, they will break into all machines they can to start bitcoin mining, they will DDoS systems they don't like.

I have a list of 48257 IP addresses which all have made multiple failed attempts to log in to my IP address by ssh. Maybe half of those addresses are from China (does anyone know an easy automated way to translate a list of IP addresses to a list of countries?). In most cases, the evil person is not sitting at those addresses. Instead those addresses are owned by clueless people unable to keep their internet connected equipment secure.

regards Henrik
 
1 members found this post helpful.
  


All times are GMT -5. The time now is 08:33 PM.
