DoS against slackware.uk and other Slackware mirrors
For the past few days my external and internal monitoring of slackware.uk has been going ape-shit with warnings of dropped connections and service unavailability.
A couple of days ago 'lamerix', who also runs a Slackware mirror, let me know that they were getting bombarded with requests also.
I had a look through my logs and identified these IP ranges as repeatedly downloading the same .iso file, over and over and over, pushing my bandwidth to 100% usage:
2409:873c:f03::/48
223.78.0.0/16
Make what you will of the country of origin (China).
So, just a warning for my fellow mirror admins - check you are not being DoSed too. Look out for IPs within those ranges downloading the same .iso file repeatedly.
I've firewalled both those network ranges, but I'm still getting some small alerts for accessibility of my server, so there may be other ranges that are requesting more random files.
In the meantime, please be aware that slackware.uk (and some other mirrors) may appear slower than usual.
So, first LQ, the primary home of the Slackware community, gets DOSed, and now Slackware mirrors are being hit. Coincidence, or has someone got all butt-hurt against Slackers for some reason?
On top of the DoS, there has been a bot, "ClaudeBot", which is apparently an AI training bot, hammering the shite out of the site for a while, slowing things down further.
It doesn't respect a robots.txt, so has been hammering at full speed every part of the site.
I've just added the Apache Bad Bot Blocker (available on github) to match and give a 403 to bad bots. This may cause some collateral damage to legitimate users - if this is you, please get in touch with me in this thread or email the mirrors@ address; and I'll do my best to resolve your access.
This is the first time in nearly 20 years that I've had a DoS or had to institute blocking of abusive bots. Times have not moved on in a good way.
Do they succeed downloading the whole iso or do they download only a small part of it and then again?
They would literally download the whole ISO from multiple connections over and over, which not only used bandwidth but also took an Apache thread to process the download; thus causing a DoS to other users.
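Added example, not part of the original thread and not the mirror admin's own tooling: a way for other mirror admins to run the check described above, grouping .iso downloads by client network and flagging networks that fetch the same file repeatedly. It assumes Apache "combined" access-log lines; the function names, the threshold of 3 and the sample lines (documentation address ranges, tiny byte counts) are constructed for illustration, and the /16 and /48 grouping mirrors the prefix sizes of the ranges posted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache "combined" format; addresses are documentation ranges.
ISO = "/slackware/iso/sample-install.iso"
SAMPLE_LOG = "\n".join([
    f'198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET {ISO} HTTP/1.1" 200 1000 "-" "Wget/1.21"',
    f'198.51.100.200 - - [01/Jan/2024:10:00:05 +0000] "GET {ISO} HTTP/1.1" 200 1000 "-" "Wget/1.21"',
    f'198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET {ISO} HTTP/1.1" 206 500 "-" "Wget/1.21"',
    f'2001:db8:f03:1::5 - - [01/Jan/2024:10:01:00 +0000] "GET {ISO} HTTP/1.1" 200 1000 "-" "curl/8.0"',
    f'2001:db8:f03:2::9 - - [01/Jan/2024:10:01:02 +0000] "GET {ISO} HTTP/1.1" 200 1000 "-" "curl/8.0"',
    f'2001:db8:f03:2::9 - - [01/Jan/2024:10:01:04 +0000] "GET {ISO} HTTP/1.1" 200 1000 "-" "curl/8.0"',
    f'192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET {ISO} HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:02:30 +0000] "GET /slackware/README.TXT HTTP/1.1" 200 200 "-" "Mozilla/5.0"',
])

# client, request path, status and response size from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) (\d+|-)')

def prefix_of(addr, v4_len=16, v6_len=48):
    """Collapse a client address to its enclosing network (/16 for IPv4, /48 for IPv6)."""
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def repeated_iso_downloads(log_text, threshold=3):
    """Return (network, path, requests, bytes) for networks fetching one .iso >= threshold times."""
    hits, sent = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET line in the expected format
        addr, path, status, size = m.groups()
        if not path.lower().endswith(".iso") or status not in ("200", "206"):
            continue  # only full or ranged downloads of ISO images count
        try:
            key = (prefix_of(addr), path)
        except ValueError:
            continue  # logged a hostname rather than an IP address
        hits[key] += 1
        sent[key] += 0 if size == "-" else int(size)
    rows = [(net, p, n, sent[(net, p)]) for (net, p), n in hits.items() if n >= threshold]
    return sorted(rows, key=lambda r: r[3], reverse=True)  # heaviest by bytes first

if __name__ == "__main__":
    for row in repeated_iso_downloads(SAMPLE_LOG):
        print(*row)
```

On a real mirror the threshold would need tuning per time window, since a busy NAT or university network can legitimately fetch the same image several times.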
With the times/dates of these attacks, and the IPs they can trace the offender in China. Have you tried that approach, perhaps through your embassy in China? That might mean going through Foreign affairs, Interpol or someone. But a few phone calls should make it happen, which might at least nudge them in the right direction.
Reward to effort value doesn't make this worthwhile.
China isn't going to give two shits about stopping an attack on a small site like slackware.uk, even if it /is/ the state that is doing it (it could just be some script kiddy with a grudge against Slackware for some reason).
Yes, let's face it. Internet is not a very nice place. Even though a low percentage of the internet population, it has far too many evil people wishing to abuse all those systems out there for their own economical gain or political interest. They will send spam to every email they can find, they will break into all machines they can to start bitcoin mining, they will DDoS systems they don't like.
I have a list of 48257 IP addresses which all have made multiple failed attempts to log in to my IP address by ssh. Maybe half of those addresses are from China (does anyone know an easy automated way to translate a list of IP addresses to a list of countries?). In most cases, the evil person is not sitting at those addresses. Instead those addresses are owned by clueless people unable to keep their internet connected equipment secure.