diff --git a/content/posts/2021-07.md b/content/posts/2021-07.md
index beb047ec7..b4d3fa889 100644
--- a/content/posts/2021-07.md
+++ b/content/posts/2021-07.md
@@ -427,7 +427,7 @@ $ cat roles/dspace/templates/nginx/abusive-networks.conf.j2 /tmp/abusive-network
2298
```
-- [According to Scamlytics all these are high risk ISPs](https://scamalytics.com/ip/isp) (as recently as 2021-06) so I will just keep blocking them
+- [According to Scamalytics all these are high risk ISPs](https://scamalytics.com/ip/isp/2021-06) (as recently as 2021-06) so I will just keep blocking them
- I deployed the block list on CGSpace (linode18) and the load is down to 1.0 but I see there are still some DDoS IPs getting through... sigh
- The next thing I need to do is purge all the IPs from Solr using grepcidr...
@@ -455,7 +455,7 @@ $ grep deny roles/dspace/templates/nginx/abusive-networks.conf.j2 | sort | uniq
```
- Combined with the previous networks this brings about 200 more for a total of 2,354 networks
- - I think I need to re-work the ipset stuff in my common Ansible role so that I can add such abusive networks as an iptables ipset / nftables set, and have a cron job to update them daily (from [Spamhaus's DROP and EDROP lists](https://www.spamhaus.org/drop/), for example
+ - I think I need to re-work the ipset stuff in my common Ansible role so that I can add such abusive networks as an iptables ipset / nftables set, and have a cron job to update them daily (from [Spamhaus's DROP and EDROP lists](https://www.spamhaus.org/drop/), for example)
- Then I got a list of all the 5,095 IPs from above and used `check-spider-ip-hits.sh` to purge them from Solr:
```console
@@ -514,3 +514,37 @@ $ cat /tmp/ips-june23.txt /tmp/ips-jul16.txt | sort | uniq | wc -l
```
- I purged all the (26,000) hits from these new IP addresses from Solr as well
+- Looking back at my notes for the 2019-05 attack I see that I had already identified most of these network providers (!)...
+ - Also, I took a closer look at QuadraNet (AS8100) and found some association with ATOMOHOST LLC and finegroupservers.com and traffictransitsolution.us, so now I need to block/purge that ASN too!
+ - I saw it on the [Scamalytics 2021-06](https://scamalytics.com/ip/isp/2021-06) list anyways, so at this point I have no doubt
+- Adding QuadraNet brings the total networks seen during these two attacks to 262, and the number of unique IPs to 10900:
+
+```console
+# zcat --force /var/log/nginx/access.log /var/log/nginx/access.log.1 /var/log/nginx/access.log.2 /var/log/nginx/access.log.3 /var/log/nginx/access.log.4 /var/log/nginx/access.log.5 /var/log/nginx/access.log.27.gz /var/log/nginx/access.log.28.gz | grep -E " (200|499) " | grep -v -E "(mahider|Googlebot|Turnitin|Grammarly|Unpaywall|UptimeRobot|bot)" | awk '{print $1}' | sort | uniq > /tmp/ddos-ips.txt
+# wc -l /tmp/ddos-ips.txt
+54002 /tmp/ddos-ips.txt
+$ ./ilri/resolve-addresses-geoip2.py -i /tmp/ddos-ips.txt -o /tmp/ddos-ips.csv
+$ csvgrep -c asn -r '^(49453|46844|206485|62282|36352|35913|35624|8100)$' /tmp/ddos-ips.csv | csvcut -c ip | sed 1d | sort | uniq > /tmp/ddos-ips-to-purge.txt
+$ wc -l /tmp/ddos-ips-to-purge.txt
+10900 /tmp/ddos-ips-to-purge.txt
+$ csvgrep -c asn -r '^(49453|46844|206485|62282|36352|35913|35624|8100)$' /tmp/ddos-ips.csv | csvcut -c network | sed 1d | sort | uniq > /tmp/ddos-networks-to-block.txt
+$ wc -l /tmp/ddos-networks-to-block.txt
+262 /tmp/ddos-networks-to-block.txt
+```
+
+- The new total number of networks to block, including the network prefixes for these ASNs downloaded from asn.ipinfo.app, is 4,007:
+
+```console
+$ wget https://asn.ipinfo.app/api/text/nginx/AS49453 \
+https://asn.ipinfo.app/api/text/nginx/AS46844 \
+https://asn.ipinfo.app/api/text/nginx/AS206485 \
+https://asn.ipinfo.app/api/text/nginx/AS62282 \
+https://asn.ipinfo.app/api/text/nginx/AS36352 \
+https://asn.ipinfo.app/api/text/nginx/AS35913 \
+https://asn.ipinfo.app/api/text/nginx/AS35624 \
+https://asn.ipinfo.app/api/text/nginx/AS8100
+$ cat AS* /tmp/ddos-networks-to-block.txt | sed -e '/^$/d' -e '/^#/d' -e '/^{/d' -e 's/deny //' -e 's/;//' | sort | uniq | wc -l
+4007
+```
+
+- I re-applied these networks to nginx on CGSpace (linode18) and DSpace Test (linode26), and purged 14,000 more Solr statistics hits from these IPs
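Review bot: the 4,007 figure from the last pipeline (`cat AS* /tmp/ddos-networks-to-block.txt | ... | sort | uniq | wc -l`) is likely an overcount, because `sort | uniq` only collapses identical strings: the 262 observed networks were selected from the same eight ASNs whose announced prefixes are in the `AS*` files, so most of them sit inside a larger prefix that is already on the list and get counted (and written into the nginx deny list) a second time. Aggregating the combined list into covering prefixes before `wc -l` would give the real number of distinct networks and a shorter `abusive-networks.conf.j2`. Two smaller points: in the first command, `grep -E " (200|499) "` is not anchored to the status field, so on the standard combined log format a line with another status and a 200-byte response body also matches (`grep -E '" (200|499) '` ties it to the field right after the quoted request); and the prose writes `10900` where the rest of these notes use thousands separators (`5,095`, `4,007`, `14,000`).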
diff --git a/docs/2021-07/index.html b/docs/2021-07/index.html
index 550920ef7..129ebd3a4 100644
--- a/docs/2021-07/index.html
+++ b/docs/2021-07/index.html
@@ -17,7 +17,7 @@ COPY 20994
-
+
@@ -40,9 +40,9 @@ COPY 20994
"@type": "BlogPosting",
"headline": "July, 2021",
"url": "https://alanorth.github.io/cgspace-notes/2021-07/",
- "wordCount": "3039",
+ "wordCount": "3309",
"datePublished": "2021-07-01T08:53:07+03:00",
- "dateModified": "2021-07-20T11:04:51+03:00",
+ "dateModified": "2021-07-20T14:54:25+03:00",
"author": {
"@type": "Person",
"name": "Alan Orth"
@@ -546,7 +546,7 @@ $ wc -l /tmp/abusive-networks.txt
$ cat roles/dspace/templates/nginx/abusive-networks.conf.j2 /tmp/abusive-networks.txt | grep deny | sort | uniq | wc -l
2298
@@ -577,7 +577,7 @@ $ grep deny roles/dspace/templates/nginx/abusive-networks.conf.j2 | sort | uniq
- Combined with the previous networks this brings about 200 more for a total of 2,354 networks
-- I think I need to re-work the ipset stuff in my common Ansible role so that I can add such abusive networks as an iptables ipset / nftables set, and have a cron job to update them daily (from Spamhaus’s DROP and EDROP lists, for example
+- I think I need to re-work the ipset stuff in my common Ansible role so that I can add such abusive networks as an iptables ipset / nftables set, and have a cron job to update them daily (from Spamhaus’s DROP and EDROP lists, for example)
- Then I got a list of all the 5,095 IPs from above and used
check-spider-ip-hits.sh
to purge them from Solr:
@@ -628,6 +628,39 @@ $ csvcut -c 2,4 /tmp/out.csv | sed 1d | sort | uniq -c | sort -n | tail -n 15
10458
- I purged all the (26,000) hits from these new IP addresses from Solr as well
+- Looking back at my notes for the 2019-05 attack I see that I had already identified most of these network providers (!)…
+
+- Also, I took a closer look at QuadraNet (AS8100) and found some association with ATOMOHOST LLC and finegroupservers.com and traffictransitsolution.us, so now I need to block/purge that ASN too!
+- I saw it on the Scamalytics 2021-06 list anyways, so at this point I have no doubt
+
+
+- Adding QuadraNet brings the total networks seen during these two attacks to 262, and the number of unique IPs to 10900:
+
+
# zcat --force /var/log/nginx/access.log /var/log/nginx/access.log.1 /var/log/nginx/access.log.2 /var/log/nginx/access.log.3 /var/log/nginx/access.log.4 /var/log/nginx/access.log.5 /var/log/nginx/access.log.27.gz /var/log/nginx/access.log.28.gz | grep -E " (200|499) " | grep -v -E "(mahider|Googlebot|Turnitin|Grammarly|Unpaywall|UptimeRobot|bot)" | awk '{print $1}' | sort | uniq > /tmp/ddos-ips.txt
+# wc -l /tmp/ddos-ips.txt
+54002 /tmp/ddos-ips.txt
+$ ./ilri/resolve-addresses-geoip2.py -i /tmp/ddos-ips.txt -o /tmp/ddos-ips.csv
+$ csvgrep -c asn -r '^(49453|46844|206485|62282|36352|35913|35624|8100)$' /tmp/ddos-ips.csv | csvcut -c ip | sed 1d | sort | uniq > /tmp/ddos-ips-to-purge.txt
+$ wc -l /tmp/ddos-ips-to-purge.txt
+10900 /tmp/ddos-ips-to-purge.txt
+$ csvgrep -c asn -r '^(49453|46844|206485|62282|36352|35913|35624|8100)$' /tmp/ddos-ips.csv | csvcut -c network | sed 1d | sort | uniq > /tmp/ddos-networks-to-block.txt
+$ wc -l /tmp/ddos-networks-to-block.txt
+262 /tmp/ddos-networks-to-block.txt
+
+- The new total number of networks to block, including the network prefixes for these ASNs downloaded from asn.ipinfo.app, is 4,007:
+
+$ wget https://asn.ipinfo.app/api/text/nginx/AS49453 \
+https://asn.ipinfo.app/api/text/nginx/AS46844 \
+https://asn.ipinfo.app/api/text/nginx/AS206485 \
+https://asn.ipinfo.app/api/text/nginx/AS62282 \
+https://asn.ipinfo.app/api/text/nginx/AS36352 \
+https://asn.ipinfo.app/api/text/nginx/AS35913 \
+https://asn.ipinfo.app/api/text/nginx/AS35624 \
+https://asn.ipinfo.app/api/text/nginx/AS8100
+$ cat AS* /tmp/ddos-networks-to-block.txt | sed -e '/^$/d' -e '/^#/d' -e '/^{/d' -e 's/deny //' -e 's/;//' | sort | uniq | wc -l
+4007
+
+- I re-applied these networks to nginx on CGSpace (linode18) and DSpace Test (linode26), and purged 14,000 more Solr statistics hits from these IPs
diff --git a/docs/categories/index.html b/docs/categories/index.html
index f54902dbd..231567768 100644
--- a/docs/categories/index.html
+++ b/docs/categories/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/categories/notes/index.html b/docs/categories/notes/index.html
index 41b90b1f9..bf0adbb7a 100644
--- a/docs/categories/notes/index.html
+++ b/docs/categories/notes/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/categories/notes/page/2/index.html b/docs/categories/notes/page/2/index.html
index 3563e08ef..b8ca6e976 100644
--- a/docs/categories/notes/page/2/index.html
+++ b/docs/categories/notes/page/2/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/categories/notes/page/3/index.html b/docs/categories/notes/page/3/index.html
index e2aae71c2..2f4b5e1eb 100644
--- a/docs/categories/notes/page/3/index.html
+++ b/docs/categories/notes/page/3/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/categories/notes/page/4/index.html b/docs/categories/notes/page/4/index.html
index bd2f70c3e..ddf616fcf 100644
--- a/docs/categories/notes/page/4/index.html
+++ b/docs/categories/notes/page/4/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/categories/notes/page/5/index.html b/docs/categories/notes/page/5/index.html
index 58bf5eef2..4a4d15c20 100644
--- a/docs/categories/notes/page/5/index.html
+++ b/docs/categories/notes/page/5/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/index.html b/docs/index.html
index 777579edb..992ef154e 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/page/2/index.html b/docs/page/2/index.html
index b1eb576b0..7f548fca1 100644
--- a/docs/page/2/index.html
+++ b/docs/page/2/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/page/3/index.html b/docs/page/3/index.html
index 7ee5fb76d..dadea667b 100644
--- a/docs/page/3/index.html
+++ b/docs/page/3/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/page/4/index.html b/docs/page/4/index.html
index 5575abee1..40d66102c 100644
--- a/docs/page/4/index.html
+++ b/docs/page/4/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/page/5/index.html b/docs/page/5/index.html
index 2390ea505..688ffd7b8 100644
--- a/docs/page/5/index.html
+++ b/docs/page/5/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/page/6/index.html b/docs/page/6/index.html
index 49a8c5984..ad3fc2063 100644
--- a/docs/page/6/index.html
+++ b/docs/page/6/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/page/7/index.html b/docs/page/7/index.html
index 944409687..65ee65f98 100644
--- a/docs/page/7/index.html
+++ b/docs/page/7/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/page/8/index.html b/docs/page/8/index.html
index 4351a6f06..80b325276 100644
--- a/docs/page/8/index.html
+++ b/docs/page/8/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/posts/index.html b/docs/posts/index.html
index 6d95befcf..60ba5f42c 100644
--- a/docs/posts/index.html
+++ b/docs/posts/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/posts/page/2/index.html b/docs/posts/page/2/index.html
index 053b53a74..0f3a3c882 100644
--- a/docs/posts/page/2/index.html
+++ b/docs/posts/page/2/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/posts/page/3/index.html b/docs/posts/page/3/index.html
index 35ede3e7c..c348e378b 100644
--- a/docs/posts/page/3/index.html
+++ b/docs/posts/page/3/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/posts/page/4/index.html b/docs/posts/page/4/index.html
index 75a21f6e2..a13ba9342 100644
--- a/docs/posts/page/4/index.html
+++ b/docs/posts/page/4/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/posts/page/5/index.html b/docs/posts/page/5/index.html
index 9f94da2a9..fb96834ee 100644
--- a/docs/posts/page/5/index.html
+++ b/docs/posts/page/5/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/posts/page/6/index.html b/docs/posts/page/6/index.html
index b75c863c4..ece6616b2 100644
--- a/docs/posts/page/6/index.html
+++ b/docs/posts/page/6/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/posts/page/7/index.html b/docs/posts/page/7/index.html
index e2cd3d449..c0ca40b66 100644
--- a/docs/posts/page/7/index.html
+++ b/docs/posts/page/7/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/posts/page/8/index.html b/docs/posts/page/8/index.html
index 71e41dd49..20cbd2da8 100644
--- a/docs/posts/page/8/index.html
+++ b/docs/posts/page/8/index.html
@@ -10,7 +10,7 @@
-
+
diff --git a/docs/sitemap.xml b/docs/sitemap.xml
index 5c936a033..ae2cdbf57 100644
--- a/docs/sitemap.xml
+++ b/docs/sitemap.xml
@@ -3,19 +3,19 @@
xmlns:xhtml="http://www.w3.org/1999/xhtml">
https://alanorth.github.io/cgspace-notes/categories/
- 2021-07-20T11:04:51+03:00
+ 2021-07-20T14:54:25+03:00
https://alanorth.github.io/cgspace-notes/
- 2021-07-20T11:04:51+03:00
+ 2021-07-20T14:54:25+03:00
https://alanorth.github.io/cgspace-notes/2021-07/
- 2021-07-20T11:04:51+03:00
+ 2021-07-20T14:54:25+03:00
https://alanorth.github.io/cgspace-notes/categories/notes/
- 2021-07-20T11:04:51+03:00
+ 2021-07-20T14:54:25+03:00
https://alanorth.github.io/cgspace-notes/posts/
- 2021-07-20T11:04:51+03:00
+ 2021-07-20T14:54:25+03:00
https://alanorth.github.io/cgspace-notes/2021-06/
2021-07-01T08:53:21+03:00