mirror of
https://github.com/alanorth/cgspace-notes.git
synced 2024-12-23 21:44:30 +01:00
Add notes for 2019-05-10
This commit is contained in:
parent
a34c071939
commit
c4cec66b4b
@ -292,4 +292,36 @@ UPDATE metadatavalue SET text_lang='es_ES' WHERE resource_type_id=2 AND metadata
|
||||
- Send Francesca Giampieri from Bioversity a CSV export of all their items issued in 2018
|
||||
- They will be doing a migration of 1500 items from their TYPO3 database into CGSpace soon and want an example CSV with all required metadata columns
|
||||
|
||||
## 2019-05-10
|
||||
|
||||
- I finally had time to analyze the 7,000 IPs from the major traffic spike on 2019-05-06 after several runs of my `resolve-addresses.py` script (ipapi.co has a limit of 1,000 requests per day)
|
||||
- Resolving the unique IP addresses to organization and AS names reveals some pretty big abusers:
|
||||
- 1213 from Region40 LLC (AS200557)
|
||||
- 697 from Trusov Ilya Igorevych (AS50896)
|
||||
- 687 from UGB Hosting OU (AS206485)
|
||||
- 620 from UAB Rakrejus (AS62282)
|
||||
- 491 from Dedipath (AS35913)
|
||||
- 476 from Global Layer B.V. (AS49453)
|
||||
- 333 from QuadraNet Enterprises LLC (AS8100)
|
||||
- 278 from GigeNET (AS32181)
|
||||
- 261 from Psychz Networks (AS40676)
|
||||
- 196 from Cogent Communications (AS174)
|
||||
- 125 from Blockchain Network Solutions Ltd (AS43444)
|
||||
- 118 from Silverstar Invest Limited (AS35624)
|
||||
- All of the IPs from these networks are using generic user agents like this, but MANY more, and they change many times:
|
||||
|
||||
```
|
||||
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2703.0 Safari/537.36"
|
||||
```
|
||||
|
||||
- I found a [blog post from 2018 detailing an attack from a DDoS service](https://www.qurium.org/alerts/azerbaijan/azerbaijan-and-the-region40-ddos-service/) that matches our pattern exactly
|
||||
- They specifically mention:
|
||||
|
||||
<pre>The attack that targeted the “Search” functionality of the website, aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses.</pre>
|
||||
|
||||
- So this was definitely an attack of some sort... only God knows why
|
||||
|
||||
- I noticed a few new bots that don't use the word "bot" in their user agent and therefore don't match Tomcat's Crawler Session Manager Valve:
|
||||
- `Blackboard Safeassign`
|
||||
|
||||
<!-- vim: set sw=2 ts=2: -->
|
||||
|
@ -28,7 +28,7 @@ But after this I tried to delete the item from the XMLUI and it is still present
|
||||
<meta property="og:type" content="article" />
|
||||
<meta property="og:url" content="https://alanorth.github.io/cgspace-notes/2019-05/" />
|
||||
<meta property="article:published_time" content="2019-05-01T07:37:43+03:00"/>
|
||||
<meta property="article:modified_time" content="2019-05-07T16:51:55+03:00"/>
|
||||
<meta property="article:modified_time" content="2019-05-08T15:33:15+03:00"/>
|
||||
|
||||
<meta name="twitter:card" content="summary"/>
|
||||
<meta name="twitter:title" content="May, 2019"/>
|
||||
@ -61,9 +61,9 @@ But after this I tried to delete the item from the XMLUI and it is still present
|
||||
"@type": "BlogPosting",
|
||||
"headline": "May, 2019",
|
||||
"url": "https:\/\/alanorth.github.io\/cgspace-notes\/2019-05\/",
|
||||
"wordCount": "1973",
|
||||
"wordCount": "2205",
|
||||
"datePublished": "2019-05-01T07:37:43\x2b03:00",
|
||||
"dateModified": "2019-05-07T16:51:55\x2b03:00",
|
||||
"dateModified": "2019-05-08T15:33:15\x2b03:00",
|
||||
"author": {
|
||||
"@type": "Person",
|
||||
"name": "Alan Orth"
|
||||
@ -479,6 +479,49 @@ UPDATE metadatavalue SET text_lang='es_ES' WHERE resource_type_id=2 AND metadata
|
||||
</ul></li>
|
||||
</ul>
|
||||
|
||||
<h2 id="2019-05-10">2019-05-10</h2>
|
||||
|
||||
<ul>
|
||||
<li>I finally had time to analyze the 7,000 IPs from the major traffic spike on 2019-05-06 after several runs of my <code>resolve-addresses.py</code> script (ipapi.co has a limit of 1,000 requests per day)</li>
|
||||
<li>Resolving the unique IP addresses to organization and AS names reveals some pretty big abusers:
|
||||
|
||||
<ul>
|
||||
<li>1213 from Region40 LLC (AS200557)</li>
|
||||
<li>697 from Trusov Ilya Igorevych (AS50896)</li>
|
||||
<li>687 from UGB Hosting OU (AS206485)</li>
|
||||
<li>620 from UAB Rakrejus (AS62282)</li>
|
||||
<li>491 from Dedipath (AS35913)</li>
|
||||
<li>476 from Global Layer B.V. (AS49453)</li>
|
||||
<li>333 from QuadraNet Enterprises LLC (AS8100)</li>
|
||||
<li>278 from GigeNET (AS32181)</li>
|
||||
<li>261 from Psychz Networks (AS40676)</li>
|
||||
<li>196 from Cogent Communications (AS174)</li>
|
||||
<li>125 from Blockchain Network Solutions Ltd (AS43444)</li>
|
||||
<li>118 from Silverstar Invest Limited (AS35624)</li>
|
||||
</ul></li>
|
||||
|
||||
<li><p>All of the IPs from these networks are using generic user agents like this, but MANY more, and they change many times:</p>
|
||||
|
||||
<pre><code>"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2703.0 Safari/537.36"
|
||||
</code></pre></li>
|
||||
|
||||
<li><p>I found a <a href="https://www.qurium.org/alerts/azerbaijan/azerbaijan-and-the-region40-ddos-service/">blog post from 2018 detailing an attack from a DDoS service</a> that matches our pattern exactly</p></li>
|
||||
|
||||
<li><p>They specifically mention:</p></li>
|
||||
</ul>
|
||||
|
||||
<pre>The attack that targeted the “Search” functionality of the website, aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses.</pre>
|
||||
|
||||
<ul>
|
||||
<li><p>So this was definitely an attack of some sort… only God knows why</p></li>
|
||||
|
||||
<li><p>I noticed a few new bots that don’t use the word “bot” in their user agent and therefore don’t match Tomcat’s Crawler Session Manager Valve:</p>
|
||||
|
||||
<ul>
|
||||
<li><code>Blackboard Safeassign</code></li>
|
||||
</ul></li>
|
||||
</ul>
|
||||
|
||||
<!-- vim: set sw=2 ts=2: -->
|
||||
|
||||
|
||||
|
@ -4,30 +4,30 @@
|
||||
|
||||
<url>
|
||||
<loc>https://alanorth.github.io/cgspace-notes/</loc>
|
||||
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
|
||||
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
|
||||
<priority>0</priority>
|
||||
</url>
|
||||
|
||||
<url>
|
||||
<loc>https://alanorth.github.io/cgspace-notes/2019-05/</loc>
|
||||
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
|
||||
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
|
||||
</url>
|
||||
|
||||
<url>
|
||||
<loc>https://alanorth.github.io/cgspace-notes/tags/notes/</loc>
|
||||
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
|
||||
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
|
||||
<priority>0</priority>
|
||||
</url>
|
||||
|
||||
<url>
|
||||
<loc>https://alanorth.github.io/cgspace-notes/posts/</loc>
|
||||
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
|
||||
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
|
||||
<priority>0</priority>
|
||||
</url>
|
||||
|
||||
<url>
|
||||
<loc>https://alanorth.github.io/cgspace-notes/tags/</loc>
|
||||
<lastmod>2019-05-07T16:51:55+03:00</lastmod>
|
||||
<lastmod>2019-05-08T15:33:15+03:00</lastmod>
|
||||
<priority>0</priority>
|
||||
</url>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user