On 30/12/2021 23.36, Jan Engelhardt wrote:
> Can we get a full line of the httpd log?
here are some:
pontifex2 (download.o.o):/var/log/apache2/download.opensuse.org # grep /build.opensuse.org access_log|head
139.180.217.245 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/./Apache:/Shibboleth/SLE_15/x86_64/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:139.180.192.0/19 864 6757 size:- - "-" "-"
123.59.120.132 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/./Apache:/Modules/SLE_15/x86_64/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:4808 P:123.59.0.0/16 808 7207 size:- - "-" "-"
45.33.42.112 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/./Apache:/Modules/Apache_SLE_15_SP1/src/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:45.33.0.0/17 869 6757 size:- - "-" "-"
223.166.174.4 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/./Apache:/Shibboleth/openSUSE_Leap_42.3/x86_64/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:17621 P:223.166.0.0/16 823 7207 size:- - "-" "-"
192.248.154.55 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/Archiving/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:192.248.128.0/18 839 6757 size:- - "-" "-"
139.162.219.171 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/./Application:/./ERP:/./GNUHealth:/3.6/openSUSE_Leap_15.2/repodata/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:139.162.0.0/16 896 6757 size:- - "-" "-"
45.33.42.112 - - [31/Dec/2021:00:00:00 +0000] "GET /repositories/./Apache:/MirrorBrain/openSUSE_Factory/x86_64/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:45.33.0.0/17 875 6757 size:- - "-" "-"
123.59.120.156 - - [31/Dec/2021:00:00:00 +0000] "GET /repositories/Apache/openSUSE_Leap_15.2/x86_64/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:4808 P:123.59.0.0/16 809 7207 size:- - "-" "-"
45.33.116.69 - - [31/Dec/2021:00:00:00 +0000] "GET /repositories/./Application:/./ERP:/./Tryton:/5.0/openSUSE_Leap_15.3/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:45.33.0.0/17 884 6757 size:- - "-" "-"
172.104.98.170 - - [31/Dec/2021:00:00:00 +0000] "GET /repositories/./Apache:/Modules/openSUSE_Factory/repodata/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:172.104.64.0/18 873 6757 size:- - "-" "-"

pontifex2 (download.o.o):/var/log/apache2/download.opensuse.org # grep /build.opensuse.org access_log|tail
139.180.217.245 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/Modules/Apache_SLE_15_SP1/src/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:139.180.192.0/19 869 6757 size:- - "-" "-"
172.105.232.137 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/MirrorBrain/openSUSE_Leap_15.1/noarch/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:172.105.192.0/18 877 6757 size:- - "-" "-"
173.230.131.60 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/Modules/openSUSE_Factory/src/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "Wget/1.17.1 (linux-curl)" want:- give:- r:- - -:- ASN:63949 P:173.230.128.0/19 881 6757 size:- - "-" "-"
172.105.232.137 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/Apache/SLE_15_SP2/src/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:172.105.192.0/18 851 6757 size:- - "-" "-"
139.162.176.152 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/Modules/Apache_openSUSE_Leap_15.1/src/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:139.162.0.0/16 877 6757 size:- - "-" "-"
95.179.217.30 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Application:/./ERP:/./Tryton:/5.0/openSUSE_Leap_15.3/noarch/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:95.179.128.0/17 891 6757 size:- - "-" "-"
104.237.135.81 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/MirrorBrain/openSUSE_Factory/src/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:104.237.128.0/19 872 6757 size:- - "-" "-"
139.162.225.134 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/Test/openSUSE_Tumbleweed/repodata/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:63949 P:139.162.0.0/16 873 6757 size:- - "-" "-"
123.59.120.200 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/MirrorBrain/Debian_10/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:4808 P:123.59.0.0/16 808 7207 size:- - "-" "-"
149.248.53.80 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/Shibboleth/openSUSE_Tumbleweed/i586/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:149.248.0.0/18 875 6757 size:- - "-" "-"

pontifex2 (download.o.o):/var/log/apache2/download.opensuse.org # grep /software.opensuse.org/ access_log|wc
580274 14582099 158685814
pontifex2 (download.o.o):/var/log/apache2/download.opensuse.org # grep /build.opensuse.org/ access_log|wc
582160 14628988 156865540
one interesting fact is that it seems to do requests with both incorrect suffixes at the same rate of around 84/s
pontifex2 (download.o.o):/var/log/apache2/download.opensuse.org # grep /software.opensuse.org/ access_log|cut -d\ -f1|sort|uniq -c|sort -n|tail -40
pontifex2 (download.o.o):/var/log/apache2/download.opensuse.org # grep /software.opensuse.org/ access_log|cut -d\ -f1|sort|uniq -c|wc -l
112
only 66 of those did more than 100 requests

Interestingly, there are webservers responding on all IPs I checked. All with some login form. Some said P-660R-T1 v2 PMG5317-T20B which is a Zyxel home router, so maybe these are some hacked servers scanning the web for more stuff to hack?

I temporarily blacklisted those 66 IPs and now we are down to (more normal?) 20000 requests per minute.

Somewhat unrelated: there are 6% of requests like this:
"HEAD /update/leap/15.3/oss/media.1/media HTTP/2.0" 404 1083 "-" "ZYpp 17.27.0 (curl 7.66.0) "
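
An added example, not part of the original message: the per-client counting done above with grep/cut/sort/uniq, generalised to any absolute URL appended to the request path, reporting clients over a request threshold. The function names, the third output column (distinct appended hosts per client) and the sample log lines with documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Sample data is constructed
# and uses documentation-range addresses.

# suffix_offenders THRESHOLD [FILE...]
# Reads Apache combined-format lines and prints "<hits> <ip> <suffix-hosts>"
# for every client with more than THRESHOLD requests whose path ends in an
# appended absolute URL, busiest client first.
suffix_offenders() {
    threshold=$1; shift
    awk -v min="$threshold" -v re='/https?://[^/]+/?$' '
    $7 ~ re {                       # $7 is the request path
        n = split($7, part, "://")  # text after the last "://" is the host
        host = part[n]; sub(/\/$/, "", host)
        hits[$1]++
        if (!(($1, host) in seen)) { seen[$1, host] = 1; hosts[$1]++ }
    }
    END {
        for (ip in hits)
            if (hits[ip] > min) print hits[ip], ip, hosts[ip]
    }' "$@" | sort -k1,1nr -k2,2
}

# log_line IP PATH: one constructed 404 entry in combined log format.
log_line() {
    printf '%s - - [30/Dec/2021:23:59:59 +0000] "GET %s HTTP/1.1" 404 1083 "-" "curl/7.54.0"\n' "$1" "$2"
}

# Constructed sample: two noisy clients, one client below the threshold,
# and one ordinary request that must not be counted.
sample_log() {
    for i in 1 2 3; do
        log_line 192.0.2.10 "/repositories/Apache/SLE_15/x86_64/http://build.opensuse.org/"
        log_line 198.51.100.7 "/repositories/Archiving/http://build.opensuse.org/"
    done
    log_line 192.0.2.10 "/repositories/Apache/SLE_15/src/http://software.opensuse.org/"
    log_line 203.0.113.5 "/repositories/Archiving/http://build.opensuse.org/"
    log_line 203.0.113.5 "/update/leap/15.3/oss/media.1/media"
}

sample_log | suffix_offenders 2
```

Against a real log, pass the file name after the threshold, for example `suffix_offenders 100 access_log`.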