public inbox for gentoo-mirrors@lists.gentoo.org
* [gentoo-mirrors] Abuse Traffic
@ 2008-02-20  0:24 Alex Howells
  2008-02-20  8:55 ` Szabó Zsombor
  0 siblings, 1 reply; 9+ messages in thread
From: Alex Howells @ 2008-02-20  0:24 UTC
  To: gentoo-mirrors

81.149.130.33 - - [20/Feb/2008:00:18:22 +0000] "GET
/gentoo/releases/x86/2007.0/livecd/livecd-i686-installer-2007.0.iso
HTTP/1.1" 200 734308352 "-" "eeWifi(tm) Dealer Software"

217.37.231.230 - - [20/Feb/2008:00:17:51 +0000] "GET
/gentoo/releases/x86/2007.0/livecd/livecd-i686-installer-2007.0.iso
HTTP/1.1" 200 734308352 "-" "eeWifi(tm) Dealer Software"

We're seeing ungodly amounts of abuse against those ISOs at the
moment, with just a few IPs accounting for 70% of our daily traffic
via HTTP.

Could anyone else please poke through access logs to identify these
trends. I'm interested if it's widespread or just my mirror.

Thanks,
Alex
-- 
gentoo-mirrors@lists.gentoo.org mailing list




* Re: [gentoo-mirrors] Abuse Traffic
  2008-02-20  0:24 [gentoo-mirrors] Abuse Traffic Alex Howells
@ 2008-02-20  8:55 ` Szabó Zsombor
  2008-02-20 11:29   ` Alex Howells
  0 siblings, 1 reply; 9+ messages in thread
From: Szabó Zsombor @ 2008-02-20  8:55 UTC
  To: gentoo-mirrors

Everything normal here.

Greets,
Zsombor

Alex Howells wrote:
> 81.149.130.33 - - [20/Feb/2008:00:18:22 +0000] "GET
> /gentoo/releases/x86/2007.0/livecd/livecd-i686-installer-2007.0.iso
> HTTP/1.1" 200 734308352 "-" "eeWifi(tm) Dealer Software"
>
> 217.37.231.230 - - [20/Feb/2008:00:17:51 +0000] "GET
> /gentoo/releases/x86/2007.0/livecd/livecd-i686-installer-2007.0.iso
> HTTP/1.1" 200 734308352 "-" "eeWifi(tm) Dealer Software"
>
> We're seeing ungodly amounts of abuse against those ISOs at the
> moment, with just a few IPs accounting for 70% of our daily traffic
> via HTTP.
>
> Could anyone else please poke through access logs to identify these
> trends. I'm interested if it's widespread or just my mirror.
>
> Thanks,
> Alex
>   

* Re: [gentoo-mirrors] Abuse Traffic
  2008-02-20  8:55 ` Szabó Zsombor
@ 2008-02-20 11:29   ` Alex Howells
  2008-02-20 12:30     ` Новиков Александр
  2008-02-20 17:39     ` Llarian
  0 siblings, 2 replies; 9+ messages in thread
From: Alex Howells @ 2008-02-20 11:29 UTC
  To: gentoo-mirrors

> Alex Howells wrote:
> 81.149.130.33 - - [20/Feb/2008:00:18:22 +0000] "GET
> /gentoo/releases/x86/2007.0/livecd/livecd-i686-installer-2007.0.iso
> HTTP/1.1" 200 734308352 "-" "eeWifi(tm) Dealer Software"

Amazingly enough these guys got back to us overnight - they claim
they're downloading the first 256KB of the .ISO to speed test their
ADSL connections being provided by British Telecom, and then Apache
logs that as 700MB of transfer.

Anyone seen this behaviour from a WWW server before?  Is this a known
bug or problem?  Is there a fix?

Alex

* Re: [gentoo-mirrors] Abuse Traffic
  2008-02-20 11:29   ` Alex Howells
@ 2008-02-20 12:30     ` Новиков Александр
  2008-02-20 12:33       ` Alex Howells
  2008-02-20 17:39     ` Llarian
  1 sibling, 1 reply; 9+ messages in thread
From: Новиков Александр @ 2008-02-20 12:30 UTC
  To: gentoo-mirrors

Hello.


What Apache version?

In a message of Wed, 20 Feb 2008, 14:29, Alex Howells writes:
>> Alex Howells wrote:
>> 81.149.130.33 - - [20/Feb/2008:00:18:22 +0000] "GET
>> /gentoo/releases/x86/2007.0/livecd/livecd-i686-installer-2007.0.iso
>> HTTP/1.1" 200 734308352 "-" "eeWifi(tm) Dealer Software"
>
> Amazingly enough these guys got back to us overnight - they claim
> they're downloading the first 256KB of the .ISO to speed test their
> ADSL connections being provided by British Telecom, and then Apache
> logs that as 700MB of transfer.
>
> Anyone seen this behaviour from a WWW server before?  Is this a known
> bug or problem?  Is there a fix?
>
> Alex
> --
> gentoo-mirrors@lists.gentoo.org mailing list
>
>


-- 
Novikov Alexandr              /alex@izmaylovo.net/
system administrator
service exploitation network Izmaylovo.RU
phone:   +7 095 7881288 + int 219
faxno:   +7 095 7809300
mobile:  +7 909 1354698



* Re: [gentoo-mirrors] Abuse Traffic
  2008-02-20 12:30     ` Новиков Александр
@ 2008-02-20 12:33       ` Alex Howells
  2008-02-20 13:08         ` Новиков Александр
  0 siblings, 1 reply; 9+ messages in thread
From: Alex Howells @ 2008-02-20 12:33 UTC
  To: gentoo-mirrors

>
> What Apache version?
>

Apache 2.2

Speaking to the chaps on #apache it seems standard logging via
Combined Log Format just logs *requests* not the amount of I/O
performed to send/receive/service a request; you need to install
mod_logio to handle that, which isn't standard.

So it's not a bug, it's just a very frustrating standard feature, which
badly skews AWstats and Webalizer, plus any other reporting software
you might be running which parses CLF.

* Re: [gentoo-mirrors] Abuse Traffic
  2008-02-20 13:08         ` Новиков Александр
@ 2008-02-20 12:55           ` Alex Howells
  2008-02-20 13:29             ` Новиков Александр
  0 siblings, 1 reply; 9+ messages in thread
From: Alex Howells @ 2008-02-20 12:55 UTC
  To: gentoo-mirrors

> I think, that it is normal work apache
>
> %%%
> 81.17.157.18 - - [20/Feb/2008:16:34:00 +0300] "GET
> /releases/x86/current/installcd/install-x86-minimal-2007.0-r1.iso
> HTTP/1.1" 200 59940864
> "http://gentoo.izmaylovo.net/releases/x86/current/installcd/" "Opera/9.24
> (X11; Linux i686; U; en)"
> %%%
>
> Apache write log this request to GET file (size of 59940864), but now
> downloading NOT full size
>

I tested out my theory on another local server, with a 1GB test file.
I stopped the wget after 10% yet it still logged the transfer in my
access.log as the full request, mod_logio fixes this and only says the
sent bytes.

Alex
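
An added example, not part of the original thread: a per-client traffic tally that compares the `%b` field with mod_logio's `%O` field, showing how aborted downloads inflate a client's apparent share in the way the messages above describe. It assumes Apache's stock `combinedio` log format; the log lines, addresses, paths and agent strings are constructed.

```python
import re
from collections import defaultdict

# Apache's stock "combinedio" format (requires mod_logio for %I and %O):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (?P<b>\d+|-)'
    r' "[^"]*" "[^"]*"(?: (?P<i>\d+) (?P<o>\d+))?$'
)

# Constructed sample log (documentation addresses, made-up paths and agents).
# The first client aborts a 734308352-byte ISO after about 256 KB, twice.
SAMPLE = "\n".join([
    '192.0.2.10 - - [20/Feb/2008:00:17:51 +0000] "GET /iso/live.iso HTTP/1.1" 200 734308352 "-" "speedtest" 180 262400',
    '192.0.2.10 - - [20/Feb/2008:00:18:22 +0000] "GET /iso/live.iso HTTP/1.1" 200 734308352 "-" "speedtest" 180 262400',
    '198.51.100.7 - - [20/Feb/2008:00:19:03 +0000] "GET /iso/minimal.iso HTTP/1.1" 200 59940864 "-" "wget" 150 59941200',
    '203.0.113.5 - - [20/Feb/2008:00:19:40 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "browser" 140 4380',
])

def totals(log_text):
    """Per-client [sum of %b, sum of %O]; lines without %O fall back to %b."""
    acc = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than guessing
        b = 0 if m["b"] == "-" else int(m["b"])
        acc[m["host"]][0] += b
        acc[m["host"]][1] += int(m["o"]) if m["o"] else b
    return dict(acc)

def shares(tot, column):
    """Fraction of all bytes per client; column 0 = %b, column 1 = %O."""
    grand = sum(v[column] for v in tot.values()) or 1
    return {host: v[column] / grand for host, v in tot.items()}

def overcounted(tot, factor=10):
    """Clients whose logged %b is at least `factor` times the bytes sent (%O)."""
    return sorted(h for h, (b, o) in tot.items() if o and b >= factor * o)

if __name__ == "__main__":
    t = totals(SAMPLE)
    for host in t:
        print(host, f"%b share {shares(t, 0)[host]:.1%}", f"%O share {shares(t, 1)[host]:.1%}")
    print("overcounted:", overcounted(t))
```

A client that `overcounted` flags is one to re-examine before treating it as abusive: its share by `%O` is what actually left the server.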

* Re: [gentoo-mirrors] Abuse Traffic
  2008-02-20 12:33       ` Alex Howells
@ 2008-02-20 13:08         ` Новиков Александр
  2008-02-20 12:55           ` Alex Howells
  0 siblings, 1 reply; 9+ messages in thread
From: Новиков Александр @ 2008-02-20 13:08 UTC
  To: gentoo-mirrors

I think, that it is normal work apache

%%%
81.17.157.18 - - [20/Feb/2008:16:34:00 +0300] "GET
/releases/x86/current/installcd/install-x86-minimal-2007.0-r1.iso
HTTP/1.1" 200 59940864
"http://gentoo.izmaylovo.net/releases/x86/current/installcd/" "Opera/9.24
(X11; Linux i686; U; en)"
%%%

Apache write log this request to GET file (size of 59940864), but now
downloading NOT full size



In a message of Wed, 20 Feb 2008, 15:33, Alex Howells writes:
>>
>> What Apache version?
>>
>
> Apache 2.2
>
> Speaking to the chaps on #apache it seems standard logging via
> Combined Log Format just logs *requests* not the amount of I/O
> performed to send/receive/service a request; you need to install
> mod_logio to handle that, which isn't standard.
>
> So it's not a bug, it's just a very frustrating standard feature, which
> badly skews AWstats and Webalizer, plus any other reporting software
> you might be running which parses CLF.
> --
> gentoo-mirrors@lists.gentoo.org mailing list
>
>


-- 
Novikov Alexandr              /alex@izmaylovo.net/
system administrator
service exploitation network Izmaylovo.RU
phone:   +7 095 7881288 + int 219
faxno:   +7 095 7809300
mobile:  +7 909 1354698



* Re: [gentoo-mirrors] Abuse Traffic
  2008-02-20 12:55           ` Alex Howells
@ 2008-02-20 13:29             ` Новиков Александр
  0 siblings, 0 replies; 9+ messages in thread
From: Новиков Александр @ 2008-02-20 13:29 UTC
  To: gentoo-mirrors

I understood you, but owing mod_logio.


In a message of Wed, 20 Feb 2008, 15:55, Alex Howells writes:
>> I think, that it is normal work apache
>>
>> %%%
>> 81.17.157.18 - - [20/Feb/2008:16:34:00 +0300] "GET
>> /releases/x86/current/installcd/install-x86-minimal-2007.0-r1.iso
>> HTTP/1.1" 200 59940864
>> "http://gentoo.izmaylovo.net/releases/x86/current/installcd/"
>> "Opera/9.24
>> (X11; Linux i686; U; en)"
>> %%%
>>
>> Apache write log this request to GET file (size of 59940864), but now
>> downloading NOT full size
>>
>
> I tested out my theory on another local server, with a 1GB test file.
> I stopped the wget after 10% yet it still logged the transfer in my
> access.log as the full request, mod_logio fixes this and only says the
> sent bytes.
>
> Alex
> --
> gentoo-mirrors@lists.gentoo.org mailing list
>
>


-- 
Novikov Alexandr              /alex@izmaylovo.net/
system administrator
service exploitation network Izmaylovo.RU
phone:   +7 095 7881288 + int 219
faxno:   +7 095 7809300
mobile:  +7 909 1354698



* Re: [gentoo-mirrors] Abuse Traffic
  2008-02-20 11:29   ` Alex Howells
  2008-02-20 12:30     ` Новиков Александр
@ 2008-02-20 17:39     ` Llarian
  1 sibling, 0 replies; 9+ messages in thread
From: Llarian @ 2008-02-20 17:39 UTC
  To: gentoo-mirrors

Yes.  Webalizer also doesn't handle partial content at all, so if that's 
what you're using to parse stats, it'll be horribly inaccurate.


On Wed, 20 Feb 2008, Alex Howells wrote:

>> Alex Howells wrote:
>> 81.149.130.33 - - [20/Feb/2008:00:18:22 +0000] "GET
>> /gentoo/releases/x86/2007.0/livecd/livecd-i686-installer-2007.0.iso
>> HTTP/1.1" 200 734308352 "-" "eeWifi(tm) Dealer Software"
>
> Amazingly enough these guys got back to us overnight - they claim
> they're downloading the first 256KB of the .ISO to speed test their
> ADSL connections being provided by British Telecom, and then Apache
> logs that as 700MB of transfer.
>
> Anyone seen this behaviour from a WWW server before?  Is this a known
> bug or problem?  Is there a fix?
>
> Alex
>