2 Nov
2020
2 Nov
'20
6:31 p.m.
On Monday 02 of November 2020 16:46:00 Mike Bird via tde-devels wrote:
Thanks Slávek.
OK, so here's the state of play if someone smarter than me has
any ideas.
Felix is downloading at 10.4MB/s - over 80Mbps. Could the
server think this is a DOS attack? I'm 99% certain there's not
a transparent proxy involved.
On mirror.ppa.trinitydesktop.org (37.205.10.16), which is not preceded by a
foreign firewall, there is apache with a redirector that handles requests.
The apache log shows the IP address from Felix, so yes, it should confirm
that the requests are coming from his address, not hidden behind some
transparent proxy. I have no idea if there could be some hidden UTM
inspecting traffic and acting weird.
For example, on UPC (now Vodafone) I observe that downloaded packages are
sometimes damaged. Usually the size is correct, but the checksum is
incorrect. I observed this behavior when there was a UTM in the way that
behaved poorly when downloading using HTTP/1.1. When HTTP/1.0 was used, it
behaved correctly. However, even in this case I see the requests in the
apache log from the correct IP address :(
In any case, this is clearly a different case from Felix's.
I don't see any unusual network load on the VPS. The bandwidth on a VPS
should provide 300 MBps, however this is not so important because the file
download redirector refers to mirrors. Currently, our VPS is located on
node9.prg, which does not show any significant load:
https://prasiatko.vpsfree.cz/munin/prg.vpsfree.cz/node9.prg.vpsfree.cz/inde…
This really doesn't look like a DOS attack.
Any ideas what to verify?
--Mike
Felix during apt upgrade (from multiple repos in parallel) sees:
===================================
Get:22 http://mirror.ppa.trinitydesktop.org/trinity-sb bullseye/main-r14
amd64 juk-trinity amd64 4:14.0.9-0debian11.0.0+0~a [699 kB]
[33m
31% [22 juk-trinity 46.3 kB/699 kB 7%] [316 python3.8-minimal 14.0
kB/1,863 kB 1%] [Waiting for headers]
9,609 kB/s 33s[0m
Err:30 http://mirror.ppa.trinitydesktop.org/trinity-sb bullseye/main-r14
amd64 kbstate-trinity amd64 4:14.0.9-0debian11.0.0+0~a
Error reading from server. Remote end closed connection [IP:
37.205.10.16 80]
[33m
31% [22 juk-trinity 305 kB/699 kB 44%] [316 python3.8-minimal 14.0
kB/1,863 kB 1%] [Connecting to mirror.ppa.trinitydesktop.org
(37.205.10.16)] 9,609 kB/s 33s[0m[33m
31% [316 python3.8-minimal 16.9 kB/1,863 kB 1%] [Connecting to
mirror.ppa.trinitydesktop.org (37.205.10.16)]
9,609 kB/s 33s[0m
Get:23 http://mirror.ppa.trinitydesktop.org/trinity-sb bullseye/main-r14
amd64 kaboodle-trinity amd64 4:14.0.9-0debian11.0.0+0~a [120 kB]
[33m
31% [23 kaboodle-trinity 65.5 kB/120 kB 55%] [316 python3.8-minimal 16.9
kB/1,863 kB 1%] [Connecting to mirror.ppa.trinitydesktop.org
(37.205.10.16)] 9,609 kB/s 33s[0m[33m
===================================
Meanwhile the server sees only:
===================================
/var/log/apache2/ppa-access.log:24.75.154.218 - - [02/Nov/2020:09:20:19
+0000] "GET
/trinity-sb/pool/main-r14/t/tdemultimedia-trinity/juk-trinity_14.0.9-0de
bian11.0.0%2b0%7ea_amd64.deb HTTP/1.1" 302 0 "-" "Debian APT-HTTP/1.3
(1.8.2.1)"
/var/log/apache2/ppa-access.log:24.75.154.218 - - [02/Nov/2020:09:20:19
+0000] "GET
/trinity-sb/pool/main-r14/t/tdemultimedia-trinity/kaboodle-trinity_14.0.
9-0debian11.0.0%2b0%7ea_amd64.deb HTTP/1.1" 302 0 "-" "Debian
APT-HTTP/1.3 (1.8.2.1)"
===================================
____________________________________________________
tde-devels mailing list -- devels(a)trinitydesktop.org
To unsubscribe send an email to devels-leave(a)trinitydesktop.org
Web mail archive available at
https://mail.trinitydesktop.org/mailman3/hyperkitty/list/devels@trinityd
esktop.org
Cheers
--
Slávek