Add notes for 2019-05-10

This commit is contained in:
Alan Orth 2019-05-10 17:27:11 +03:00
parent a34c071939
commit c4cec66b4b
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
3 changed files with 83 additions and 8 deletions

View File

@ -292,4 +292,36 @@ UPDATE metadatavalue SET text_lang='es_ES' WHERE resource_type_id=2 AND metadata
- Send Francesca Giampieri from Bioversity a CSV export of all their items issued in 2018
- They will be doing a migration of 1500 items from their TYPO3 database into CGSpace soon and want an example CSV with all required metadata columns
## 2019-05-10
- I finally had time to analyze the 7,000 IPs from the major traffic spike on 2019-05-06 after several runs of my `resolve-addresses.py` script (ipapi.co has a limit of 1,000 requests per day)
- Resolving the unique IP addresses to organization and AS names reveals some pretty big abusers:
- 1213 from Region40 LLC (AS200557)
- 697 from Trusov Ilya Igorevych (AS50896)
- 687 from UGB Hosting OU (AS206485)
- 620 from UAB Rakrejus (AS62282)
- 491 from Dedipath (AS35913)
- 476 from Global Layer B.V. (AS49453)
- 333 from QuadraNet Enterprises LLC (AS8100)
- 278 from GigeNET (AS32181)
- 261 from Psychz Networks (AS40676)
- 196 from Cogent Communications (AS174)
- 125 from Blockchain Network Solutions Ltd (AS43444)
- 118 from Silverstar Invest Limited (AS35624)
- All of the IPs from these networks are using generic user agents like this, but MANY more, and they change many times:
```
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2703.0 Safari/537.36"
```
- I found a [blog post from 2018 detailing an attack from a DDoS service](https://www.qurium.org/alerts/azerbaijan/azerbaijan-and-the-region40-ddos-service/) that matches our pattern exactly
- They specifically mention:
<pre>The attack that targeted the “Search” functionality of the website, aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses.</pre>
- So this was definitely an attack of some sort... only God knows why
- I noticed a few new bots that don't use the word "bot" in their user agent and therefore don't match Tomcat's Crawler Session Manager Valve:
- `Blackboard Safeassign`
<!-- vim: set sw=2 ts=2: -->
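Review bot: the `Blackboard Safeassign` entry under the Crawler Session Manager Valve point records only a fragment, not the full user-agent string as logged, so the regex change it implies (extending the valve's `crawlerUserAgents` pattern) cannot be written from this note alone; suggest pasting the complete UA the way the Chrome/50.0.2703.0 string is quoted a few lines above, and recording the pattern once it is added to the valve. The lead-in also says "a few new bots" while only one is listed, so either add the others or drop "a few".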

View File

@ -28,7 +28,7 @@ But after this I tried to delete the item from the XMLUI and it is still present
<meta property="og:type" content="article" />
<meta property="og:url" content="https://alanorth.github.io/cgspace-notes/2019-05/" />
<meta property="article:published_time" content="2019-05-01T07:37:43&#43;03:00"/>
<meta property="article:modified_time" content="2019-05-07T16:51:55&#43;03:00"/>
<meta property="article:modified_time" content="2019-05-08T15:33:15&#43;03:00"/>
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="May, 2019"/>
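Review bot: `article:modified_time` only advances to 2019-05-08T15:33:15 while this commit adds an entry dated 2019-05-10 (commit timestamp 2019-05-10 17:27:11 in the header), so the generated metadata lags the content it describes by two days; the same value feeds `dateModified` in the JSON-LD hunk and every `<lastmod>` in the sitemap hunk of this commit. Suggest bumping the post's modified date in the source before regenerating so the published timestamps match the notes.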
@ -61,9 +61,9 @@ But after this I tried to delete the item from the XMLUI and it is still present
"@type": "BlogPosting",
"headline": "May, 2019",
"url": "https:\/\/alanorth.github.io\/cgspace-notes\/2019-05\/",
"wordCount": "1973",
"wordCount": "2205",
"datePublished": "2019-05-01T07:37:43\x2b03:00",
"dateModified": "2019-05-07T16:51:55\x2b03:00",
"dateModified": "2019-05-08T15:33:15\x2b03:00",
"author": {
"@type": "Person",
"name": "Alan Orth"
@ -479,6 +479,49 @@ UPDATE metadatavalue SET text_lang='es_ES' WHERE resource_type_id=2 AND metadata
</ul></li>
</ul>
<h2 id="2019-05-10">2019-05-10</h2>
<ul>
<li>I finally had time to analyze the 7,000 IPs from the major traffic spike on 2019-05-06 after several runs of my <code>resolve-addresses.py</code> script (ipapi.co has a limit of 1,000 requests per day)</li>
<li>Resolving the unique IP addresses to organization and AS names reveals some pretty big abusers:
<ul>
<li>1213 from Region40 LLC (AS200557)</li>
<li>697 from Trusov Ilya Igorevych (AS50896)</li>
<li>687 from UGB Hosting OU (AS206485)</li>
<li>620 from UAB Rakrejus (AS62282)</li>
<li>491 from Dedipath (AS35913)</li>
<li>476 from Global Layer B.V. (AS49453)</li>
<li>333 from QuadraNet Enterprises LLC (AS8100)</li>
<li>278 from GigeNET (AS32181)</li>
<li>261 from Psychz Networks (AS40676)</li>
<li>196 from Cogent Communications (AS174)</li>
<li>125 from Blockchain Network Solutions Ltd (AS43444)</li>
<li>118 from Silverstar Invest Limited (AS35624)</li>
</ul></li>
<li><p>All of the IPs from these networks are using generic user agents like this, but MANY more, and they change many times:</p>
<pre><code>&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2703.0 Safari/537.36&quot;
</code></pre></li>
<li><p>I found a <a href="https://www.qurium.org/alerts/azerbaijan/azerbaijan-and-the-region40-ddos-service/">blog post from 2018 detailing an attack from a DDoS service</a> that matches our pattern exactly</p></li>
<li><p>They specifically mention:</p></li>
</ul>
<pre>The attack that targeted the “Search” functionality of the website, aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses.</pre>
<ul>
<li><p>So this was definitely an attack of some sort&hellip; only God knows why</p></li>
<li><p>I noticed a few new bots that don&rsquo;t use the word &ldquo;bot&rdquo; in their user agent and therefore don&rsquo;t match Tomcat&rsquo;s Crawler Session Manager Valve:</p>
<ul>
<li><code>Blackboard Safeassign</code></li>
</ul></li>
</ul>
<!-- vim: set sw=2 ts=2: -->
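Review bot: the `</ul>` after `<li><p>They specifically mention:</p></li>`, followed by a bare `<pre>` and a fresh `<ul>`, means the Qurium quotation renders outside the list and the bullet list is split in two; this comes from the Markdown source using a raw `<pre>` HTML block for the quote while the user-agent sample just above it uses a fenced code block. Suggest a `>` blockquote or an indented fence in the source so the quote stays inside its list item and the list is emitted as a single `<ul>`.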

View File

@ -4,30 +4,30 @@
<url>
<loc>https://alanorth.github.io/cgspace-notes/</loc>
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
<priority>0</priority>
</url>
<url>
<loc>https://alanorth.github.io/cgspace-notes/2019-05/</loc>
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
</url>
<url>
<loc>https://alanorth.github.io/cgspace-notes/tags/notes/</loc>
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
<priority>0</priority>
</url>
<url>
<loc>https://alanorth.github.io/cgspace-notes/posts/</loc>
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
<priority>0</priority>
</url>
<url>
<loc>https://alanorth.github.io/cgspace-notes/tags/</loc>
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
<priority>0</priority>
</url>