LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 05-25-2024, 10:08 AM   #1
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 307

Rep: Reputation: 417Reputation: 417Reputation: 417Reputation: 417Reputation: 417
Angry DoS against slackware.uk and other Slackware mirrors


For the past few days my external and internal monitoring of slackware.uk has been going ape-shit with warnings of dropped connections and service unavailability.

A couple of days ago 'lamerix', who also runs a Slackware mirror let me know that they were getting bombarded with requests also.

I had a look through my logs and identified these IP ranges as repeatedly downloading the same .iso file, over and over and over, pushing my bandwidth to 100% usage:

2409:873c:f03::/48
223.78.0.0/16

Make what you will of the country of origin (China).

So, just a warning for my fellow mirror admins - check you are not being DoSed too. Look out for IPs within those ranges downloading the same .iso file repeatedly.

I've firewalled both those network ranges, but I'm still getting some small alerts for accessibility of my server, so there may be other ranges that are requesting more random files.

In the meantime, please be aware that slackware.uk (and some other mirrors) may appear slower than usual.

Cheers.
 
Old 05-25-2024, 11:44 AM   #2
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,922

Rep: Reputation: 5040Reputation: 5040Reputation: 5040Reputation: 5040Reputation: 5040Reputation: 5040Reputation: 5040Reputation: 5040Reputation: 5040Reputation: 5040Reputation: 5040
So, first LQ, the primary home of the Slackware community, gets DOSed, and now Slackware mirrors are being hit. Coincidence, or has someone got all butt-hurt against Slackers for some reason?
 
Old 05-25-2024, 01:03 PM   #3
garpu
Senior Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 1,617

Rep: Reputation: 935Reputation: 935Reputation: 935Reputation: 935Reputation: 935Reputation: 935Reputation: 935Reputation: 935
Probably not even related. These sorts of things happen all the time.
 
Old 05-25-2024, 02:26 PM   #4
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,489

Rep: Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361
Maybe whoever hacked them was using Slackware .
 
Old 06-02-2024, 09:24 AM   #5
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 307

Original Poster
Rep: Reputation: 417Reputation: 417Reputation: 417Reputation: 417Reputation: 417
On top of the DoS, there has been a bot, "ClaudeBot", which is apparently an AI training bot, hammering the shite out of the site for a while, slowing things down further.

It doesn't respect a robots.txt, so has been hammering at full speed every part of the site.

I've just added the Apache Bad Bot Blocker (available on github) to match and give a 403 to bad bots. This may cause some collateral damage to legitimate users - if this is you, please get in touch with me in this thread or email the mirrors@ address; and I'll do my best to resolve your access.

This is the first time in nearly 20 years that I've had a DoS or had to institute blocking of abusive bots. Times have not moved on in a good way
 
7 members found this post helpful.
Old 06-02-2024, 11:10 AM   #6
rizitis
Member
 
Registered: Mar 2009
Location: Greece,Crete
Distribution: Slackware64-current, Slint
Posts: 722
Blog Entries: 2

Rep: Reputation: 533Reputation: 533Reputation: 533Reputation: 533Reputation: 533Reputation: 533
@tadgy plz read my pm
 
Old 06-02-2024, 11:37 AM   #7
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 307

Original Poster
Rep: Reputation: 417Reputation: 417Reputation: 417Reputation: 417Reputation: 417
Thanks for the link, but I've already instituted bot blocking on the server using this project on GitHub.

Also, the Chinese haven't give up their attack... I've found another IP they are using to request the same .iso over and over:
111.44.249.117

That's been firewalled along with the other Chinese IPs from before and along with the bot blocker, the load/bandwidth usage has gone right down.
 
2 members found this post helpful.
Old 06-02-2024, 12:03 PM   #8
rizitis
Member
 
Registered: Mar 2009
Location: Greece,Crete
Distribution: Slackware64-current, Slint
Posts: 722
Blog Entries: 2

Rep: Reputation: 533Reputation: 533Reputation: 533Reputation: 533Reputation: 533Reputation: 533
Quote:
Originally Posted by tadgy View Post
Thanks for the link, but I've already instituted bot blocking on the server using this project on GitHub.

Also, the Chinese haven't give up their attack... I've found another IP they are using to request the same .iso over and over:
111.44.249.117

That's been firewalled along with the other Chinese IPs from before and along with the bot blocker, the load/bandwidth usage has gone right down.
RewriteEngine On
RewriteRule ^file\.iso$ http://111.44.249.117/ [R=302,L]

I know its not correct but some times...

Last edited by rizitis; 06-02-2024 at 12:04 PM.
 
Old 06-02-2024, 12:16 PM   #9
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,960

Rep: Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571
Quote:
Originally Posted by tadgy View Post
I've found another IP they are using to request the same .iso over and over:
Do they succeed downloading the whole iso or do they download only a small part of it and then again?
 
Old 06-02-2024, 01:10 PM   #10
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 307

Original Poster
Rep: Reputation: 417Reputation: 417Reputation: 417Reputation: 417Reputation: 417
Quote:
Originally Posted by Petri Kaukasoina View Post
Do they succeed downloading the whole iso or do they download only a small part of it and then again?
They would literally download the whole ISO from multiple connections over and over, which not only used bandwidth but also took an Apache thread to process the download; thus causing a DoS to other users.

Last edited by tadgy; 06-02-2024 at 01:13 PM.
 
Old 06-02-2024, 01:15 PM   #11
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,960

Rep: Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571Reputation: 1571
Quote:
Originally Posted by tadgy View Post
They would literally download the whole ISO from multiple connections over and over, which not only used bandwidth but also took an Apache thread to process the download; thus causing a DoS to other users.
OK, I haven't seen that...
 
Old 06-02-2024, 01:26 PM   #12
reddog83
Member
 
Registered: Apr 2018
Distribution: Slackware 15.0/Current
Posts: 469

Rep: Reputation: 246Reputation: 246Reputation: 246
Cool

Quote:
Originally Posted by tadgy View Post
Thanks for the link, but I've already instituted bot blocking on the server using this project on GitHub.

Also, the Chinese haven't give up their attack... I've found another IP they are using to request the same .iso over and over:
111.44.249.117

That's been firewalled along with the other Chinese IPs from before and along with the bot blocker, the load/bandwidth usage has gone right down.
I need to check this out cause I am getting some IP's going to the same page every 2 secs.
 
Old 06-02-2024, 01:35 PM   #13
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,489

Rep: Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361Reputation: 2361
Quote:
Originally Posted by tadgy View Post
On top of the DoS, there has been a bot, "ClaudeBot", which is apparently an AI training bot, hammering the shite out of the site for a while, slowing things down further.

It doesn't respect a robots.txt, so has been hammering at full speed every part of the site.

I've just added the Apache Bad Bot Blocker (available on github) to match and give a 403 to bad bots. This may cause some collateral damage to legitimate users - if this is you, please get in touch with me in this thread or email the mirrors@ address; and I'll do my best to resolve your access.

This is the first time in nearly 20 years that I've had a DoS or had to institute blocking of abusive bots. Times have not moved on in a good way
With the times/dates of these attacks, and the IPs they can trace the offender in China. Have you tried that approach, perhaps through your embassy in China? That might mean going through Foreign affairs, Interpol or someone. But a few phone calls should make it happen, which might at least nudge them in the right direction.
 
Old 06-02-2024, 02:14 PM   #14
tadgy
Member
 
Registered: May 2018
Location: UK
Distribution: Slackware (servers), Void (desktop/laptop)
Posts: 307

Original Poster
Rep: Reputation: 417Reputation: 417Reputation: 417Reputation: 417Reputation: 417
Quote:
Originally Posted by business_kid View Post
With the times/dates of these attacks, and the IPs they can trace the offender in China. Have you tried that approach, perhaps through your embassy in China? That might mean going through Foreign affairs, Interpol or someone. But a few phone calls should make it happen, which might at least nudge them in the right direction.
Reward to effort value doesn't make this worthwhile.

China isn't going to give two shits about stopping an attack on a small site like slackware.uk, even if it /is/ the state that is doing it (it could just be some script kiddy with a grudge against Slackware for some reason).
 
3 members found this post helpful.
Old 06-03-2024, 12:50 AM   #15
henca
Senior Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 1,024

Rep: Reputation: 688Reputation: 688Reputation: 688Reputation: 688Reputation: 688Reputation: 688
Quote:
Originally Posted by tadgy View Post
China isn't going to give two shits about stopping an attack on a small site like slackware.uk, even if it /is/ the state that is doing it (it could just be some script kiddy with a grudge against Slackware for some reason).
Yes, lets face it. Internet is not a very nice place. Even though a low percentage of the internet population, it has far too many evil people wishing to abuse all those systems out there for their own economical gain or political interest. They will send spam to every email they can find, they will break into all machines they can to start bitcoin mining, they will DDoS systems they don't like.

I have a list of 48257 IP addresses which all have made multiple failed attempts to log in to my IP address by ssh. Maybe half of those addresses are from China (does anyone know an easy automated way to translate a list of IP addresses to a list of countries?). In most cases, the evil person is not sitting at those adresses. Instead those addresses are owned by clueless people unable to keep their internet connected equipment secure.

regards Henrik
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Canonical's and Red Hat's Shameful War Against One Another... and Against the Already-Marginalised Linux Media LXer Syndicated Linux News 0 06-17-2016 12:44 PM
fdisk - defaults to non Dos but yet uses Dos disklabel dman777 Linux - Hardware 3 04-11-2015 02:40 PM
Executing Perl under Dos /Creating an executable for DOS alix123 Programming 1 02-15-2006 04:07 AM
Dos Emulator without Dos dtheorem Linux - Software 1 10-14-2003 01:18 PM
Dos Emulator without Dos dtheorem Linux - Software 1 10-14-2003 12:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 03:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration