On 31/12/2021 03.39, Bernhard M. Wiedemann wrote:
> which is a Zyxel home router, so maybe these are some hacked servers scanning the web for more stuff to hack?
> I temporarily blacklisted those 66 IPs and now we are down to (more normal?) 20000 requests per minute.

Maybe it is even more interesting. Accessing different ports/URLs on these IPs leads me to believe these are honeypots. That we see these log entries means that these honeypots run actual untrusted code from strangers on the internet. When watching all requests from a single IP, it becomes very obvious that it is a (very stupid) crawler and the Apache repos were requested because they come first in http://download.opensuse.org/repositories/ .

grep -o "GET /[^ ]*" single-ip.log
GET /repositories/
GET /repositories/http://build.opensuse.org/
GET /repositories/https://software.opensuse.org/
GET /repositories/Apache/
GET /repositories/Apache/http://build.opensuse.org/
GET /repositories/Apache/https://software.opensuse.org/
GET /repositories/Apache//repositories/
GET /repositories/Apache//repositories/
GET /repositories/Apache/openSUSE_Factory/
GET /repositories/Apache/openSUSE_Factory//repositories/Apache/
GET /repositories/Apache/openSUSE_Factory/http://build.opensuse.org/
GET /repositories/Apache/openSUSE_Factory/https://software.opensuse.org/
GET /repositories/Apache/openSUSE_Factory//repositories/Apache/
GET /repositories/Apache/openSUSE_Factory/i586/
GET /repositories/Apache/openSUSE_Factory/i586//repositories/Apache/openSUSE_Factory/
GET /repositories/Apache/openSUSE_Factory/i586/http://build.opensuse.org/
GET /repositories/Apache/openSUSE_Factory/i586/https://software.opensuse.org/
GET /repositories/Apache/openSUSE_Factory/i586/
GET /repositories/Apache/openSUSE_Factory/i586//repositories/Apache/openSUSE_Factory/
GET /repositories/Apache/openSUSE_Factory/i586//repositories/Apache/openSUSE_Factory/
GET /repositories/Apache/openSUSE_Factory/i586/http://build.opensuse.org/
GET /repositories/Apache/openSUSE_Factory/i586/https://software.opensuse.org/
GET /repositories/Apache/openSUSE_Factory/i586//repositories/Apache/openSUSE_Factory/
GET /repositories/Apache/openSUSE_Factory/noarch/
GET /repositories/Apache/openSUSE_Factory/noarch//repositories/Apache/openSUSE_Factory/
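
Added example, not part of the original message: a heuristic that flags clients whose requests mostly look like the listing above, where an href was appended verbatim to the current directory. The log lines are constructed, and the function names and thresholds (min_hits, min_ratio) are assumptions to tune against real traffic.

```python
import re
from collections import Counter

# Constructed access-log lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2021:03:10:01 +0000] "GET /repositories/ HTTP/1.1" 200 5120
203.0.113.7 - - [31/Dec/2021:03:10:01 +0000] "GET /repositories/http://build.opensuse.org/ HTTP/1.1" 404 196
203.0.113.7 - - [31/Dec/2021:03:10:02 +0000] "GET /repositories/Apache//repositories/ HTTP/1.1" 404 196
203.0.113.7 - - [31/Dec/2021:03:10:02 +0000] "GET /repositories/Apache/openSUSE_Factory/i586//repositories/Apache/openSUSE_Factory/ HTTP/1.1" 404 196
198.51.100.20 - - [31/Dec/2021:03:10:03 +0000] "GET /repositories/Apache/openSUSE_Factory/repodata/repomd.xml HTTP/1.1" 200 3072
198.51.100.20 - - [31/Dec/2021:03:10:04 +0000] "GET /repositories//Apache/ HTTP/1.1" 200 2048
"""

# Client address and request path from one log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD) (\S+)')


def misresolved(path):
    """True if an href seems to have been appended verbatim to the current directory."""
    path = path.split("?", 1)[0]        # ignore query strings
    if re.search(r"/https?://", path):  # absolute URL glued on: /dir/http://host/
        return True
    head, sep, tail = path.partition("//")
    # Site-absolute href glued on: /a/b//a/ (text after '//' repeats the start of the path).
    return bool(sep and tail) and (head + "/").startswith("/" + tail)


def suspect_clients(log_text, min_hits=3, min_ratio=0.5):
    """Return {ip: (misresolved, total)} for clients dominated by such requests."""
    total, bad = Counter(), Counter()
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, path = m.groups()
        total[ip] += 1
        bad[ip] += misresolved(path)
    return {ip: (bad[ip], total[ip]) for ip in total
            if bad[ip] >= min_hits and bad[ip] / total[ip] >= min_ratio}


if __name__ == "__main__":
    for ip, (hits, seen) in suspect_clients(SAMPLE_LOG).items():
        print(f"{ip}: {hits}/{seen} requests look like mis-resolved links")
```

A plain doubled slash such as /repositories//Apache/ is not flagged, because the text after it does not repeat the start of the path.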