From c4cec66b4bdfa17aa661dd6645eb8525eccc38b1 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Fri, 10 May 2019 17:27:11 +0300
Subject: [PATCH] Add notes for 2019-05-10

---
 content/posts/2019-05.md | 32 ++++++++++++++++++++++++++
 docs/2019-05/index.html | 49 +++++++++++++++++++++++++++++++++++++---
 docs/sitemap.xml | 10 ++++----
 3 files changed, 83 insertions(+), 8 deletions(-)

diff --git a/content/posts/2019-05.md b/content/posts/2019-05.md
index f9ba328bd..18b48a4c8 100644
--- a/content/posts/2019-05.md
+++ b/content/posts/2019-05.md
@@ -292,4 +292,36 @@ UPDATE metadatavalue SET text_lang='es_ES' WHERE resource_type_id=2 AND metadata
 - Send Francesca Giampieri from Bioversity a CSV export of all their items issued in 2018
 - They will be doing a migration of 1500 items from their TYPO3 database into CGSpace soon and want an example CSV with all required metadata columns
+## 2019-05-10
+
+- I finally had time to analyze the 7,000 IPs from the major traffic spike on 2019-05-06 after several runs of my `resolve-addresses.py` script (ipapi.co has a limit of 1,000 requests per day)
+- Resolving the unique IP addresses to organization and AS names reveals some pretty big abusers:
+ - 1213 from Region40 LLC (AS200557)
+ - 697 from Trusov Ilya Igorevych (AS50896)
+ - 687 from UGB Hosting OU (AS206485)
+ - 620 from UAB Rakrejus (AS62282)
+ - 491 from Dedipath (AS35913)
+ - 476 from Global Layer B.V. (AS49453)
+ - 333 from QuadraNet Enterprises LLC (AS8100)
+ - 278 from GigeNET (AS32181)
+ - 261 from Psychz Networks (AS40676)
+ - 196 from Cogent Communications (AS174)
+ - 125 from Blockchain Network Solutions Ltd (AS43444)
+ - 118 from Silverstar Invest Limited (AS35624)
+- All of the IPs from these networks are using generic user agents like this, but MANY more, and they change many times:
+
+```
+"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2703.0 Safari/537.36"
+```
+
+- I found a [blog post from 2018 detailing an attack from a DDoS service](https://www.qurium.org/alerts/azerbaijan/azerbaijan-and-the-region40-ddos-service/) that matches our pattern exactly
+- They specifically mention:
+
The attack that targeted the “Search” functionality of the website, aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses.
+ +- So this was definitely an attack of some sort... only God knows why + +- I noticed a few new bots that don't use the word "bot" in their user agent and therefore don't match Tomcat's Crawler Session Manager Valve: + - `Blackboard Safeassign` + diff --git a/docs/2019-05/index.html b/docs/2019-05/index.html index e86fdf9a3..c626c241b 100644 --- a/docs/2019-05/index.html +++ b/docs/2019-05/index.html @@ -28,7 +28,7 @@ But after this I tried to delete the item from the XMLUI and it is still present - + @@ -61,9 +61,9 @@ But after this I tried to delete the item from the XMLUI and it is still present "@type": "BlogPosting", "headline": "May, 2019", "url": "https:\/\/alanorth.github.io\/cgspace-notes\/2019-05\/", - "wordCount": "1973", + "wordCount": "2205", "datePublished": "2019-05-01T07:37:43\x2b03:00", - "dateModified": "2019-05-07T16:51:55\x2b03:00", + "dateModified": "2019-05-08T15:33:15\x2b03:00", "author": { "@type": "Person", "name": "Alan Orth" @@ -479,6 +479,49 @@ UPDATE metadatavalue SET text_lang='es_ES' WHERE resource_type_id=2 AND metadata +

2019-05-10

+ + + +
The attack that targeted the “Search” functionality of the website, aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses.
+ + + diff --git a/docs/sitemap.xml b/docs/sitemap.xml index 0d75e3c7e..59eee4385 100644 --- a/docs/sitemap.xml +++ b/docs/sitemap.xml @@ -4,30 +4,30 @@ https://alanorth.github.io/cgspace-notes/ - 2019-05-07T16:51:55+03:00 + 2019-05-08T15:33:15+03:00 0 https://alanorth.github.io/cgspace-notes/2019-05/ - 2019-05-07T16:51:55+03:00 + 2019-05-08T15:33:15+03:00 https://alanorth.github.io/cgspace-notes/tags/notes/ - 2019-05-07T16:51:55+03:00 + 2019-05-08T15:33:15+03:00 0 https://alanorth.github.io/cgspace-notes/posts/ - 2019-05-07T16:51:55+03:00 + 2019-05-08T15:33:15+03:00 0 https://alanorth.github.io/cgspace-notes/tags/ - 2019-05-07T16:51:55+03:00 + 2019-05-08T15:33:15+03:00 0