Add notes for 2019-05-10

2019-05-10 17:27:11 +03:00
parent a34c071939
commit c4cec66b4b
3 changed files with 83 additions and 8 deletions


@ -292,4 +292,36 @@ UPDATE metadatavalue SET text_lang='es_ES' WHERE resource_type_id=2 AND metadata
- Send Francesca Giampieri from Bioversity a CSV export of all their items issued in 2018
- They will be doing a migration of 1500 items from their TYPO3 database into CGSpace soon and want an example CSV with all required metadata columns
## 2019-05-10
- I finally had time to analyze the 7,000 IPs from the major traffic spike on 2019-05-06 after several runs of my `resolve-addresses.py` script (ipapi.co has a limit of 1,000 requests per day)
- Resolving the unique IP addresses to organization and AS names reveals some pretty big abusers:
- 1213 from Region40 LLC (AS200557)
- 697 from Trusov Ilya Igorevych (AS50896)
- 687 from UGB Hosting OU (AS206485)
- 620 from UAB Rakrejus (AS62282)
- 491 from Dedipath (AS35913)
- 476 from Global Layer B.V. (AS49453)
- 333 from QuadraNet Enterprises LLC (AS8100)
- 278 from GigeNET (AS32181)
- 261 from Psychz Networks (AS40676)
- 196 from Cogent Communications (AS174)
- 125 from Blockchain Network Solutions Ltd (AS43444)
- 118 from Silverstar Invest Limited (AS35624)
- All of the IPs from these networks are using generic user agents like this, but MANY more, and they change many times:
```
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2703.0 Safari/537.36"
```
- I found a [blog post from 2018 detailing an attack from a DDoS service](https://www.qurium.org/alerts/azerbaijan/azerbaijan-and-the-region40-ddos-service/) that matches our pattern exactly
- They specifically mention:
<pre>The attack that targeted the “Search” functionality of the website, aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses.</pre>
- So this was definitely an attack of some sort... only God knows why
- I noticed a few new bots that don't use the word "bot" in their user agent and therefore don't match Tomcat's Crawler Session Manager Valve:
- `Blackboard Safeassign`
<!-- vim: set sw=2 ts=2: -->
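Review bot: The bullet "I noticed a few new bots that don't use the word "bot" in their user agent and therefore don't match Tomcat's Crawler Session Manager Valve" records the problem but not the remedy: the entry for `Blackboard Safeassign` does not say whether the valve's `crawlerUserAgents` pattern was extended to match it, nor where that configuration lives, so a future reader cannot tell whether the gap is still open. Consider adding a line with the pattern change made (or a note that it is still pending). Two smaller points in the same hunk: the quoted sentence from the Qurium post is wrapped in an HTML `<pre>` element while the user-agent sample just above uses a fenced block, so a Markdown blockquote (`> The attack that targeted ...`) would be more consistent with the rest of the notes; and the per-AS counts under "Resolving the unique IP addresses to organization and AS names reveals some pretty big abusers" are the useful evidence here, since the user agents rotate and only the source networks stay constant, so it would be worth stating which of those ASNs, if any, were acted on (rate limit or block) so the list reads as a decision record rather than a tally.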