Puzzling Download Attack on my Celestia Server

Topic author
maxim
Posts: 1036
Joined: 13.11.2003
With us: 21 years
Location: Nürnberg, Germany

Puzzling Download Attack on my Celestia Server

Post #1 by maxim » 25.05.2007, 15:44

Hi to all,

Yesterday between 6:00 UTC and 8:00 UTC someone caused about 10 GBytes of traffic on my Celestia Download Server. This is a bit weird, because the biggest Addon Collection I host is about 35 MBytes, and all hosted files together sum up to about 180 MBytes. I've set a monthly traffic limit of 5 GBytes to this server which is fairly enough, because the usual monthly traffic for Celestia downloads is about 2-4 GBytes. Due to the limit my server complained and thus brought the whole thing to my attention.

My investigation had the following results:

- All traffic was caused by one address: 203.156.213.126
- All traffic was caused on 2007-05-24 6:05 UTC - 7:45 UTC
- This address could not be resolved to a domain name.
- whois listed the following owner for the address:

ShangHai Global Network Co.Ltd
F4, No.1465, West Beijing Road,
Shanghai, 200040, China

- Most of my hosted files had been downloaded up to 50 times from that address.
- Download start times were within seconds for one single filename.
- The used OS and webclient were identified as: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98 )


I wouldn't post this, if a similar incident hadn't taken place last month, when about 7 GBytes of traffic were requested from a single address in Shanghai. So my questions are:

Have any of you observed similar events in your server traffic, or am I the only one? Is this a peak caused by a certain publication about Celestia, are these dumb kids or is this a real attack?

Thanks in advance for your answers.

maxim
Get my stuff from celestia.ziegelstein.net
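
The kind of log triage maxim describes above (bytes served and repeat downloads per source address, the tightest interval between two fetches of one file, and the user agent seen), as an added Python example that is not part of the original thread. The log lines are constructed for this example: the first address is the one named in the post, 198.51.100.7 is a documentation-range address standing in for a normal visitor, and the thresholds passed to suspicious() are assumptions a server owner would tune to his own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# NCSA combined log format; lines that do not match are skipped by parse().
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample: first address is the one from the post, the second a documentation-range one.
UA = '"Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"'
SAMPLE_LOG = "\n".join([
    f'203.156.213.126 - - [24/May/2007:06:05:01 +0000] "GET /addons/stars.zip HTTP/1.1" 200 36700160 "-" {UA}',
    f'203.156.213.126 - - [24/May/2007:06:05:04 +0000] "GET /addons/stars.zip HTTP/1.1" 200 36700160 "-" {UA}',
    f'203.156.213.126 - - [24/May/2007:06:05:09 +0000] "GET /addons/stars.zip HTTP/1.1" 206 12000000 "-" {UA}',
    f'203.156.213.126 - - [24/May/2007:06:07:30 +0000] "GET /addons/moons.zip HTTP/1.1" 200 5242880 "-" {UA}',
    f'203.156.213.126 - - [24/May/2007:06:07:31 +0000] "GET /addons/moons.zip HTTP/1.1" 200 5242880 "-" {UA}',
    '198.51.100.7 - - [24/May/2007:06:30:12 +0000] "GET /addons/moons.zip HTTP/1.1" 200 5242880 "-" "Mozilla/5.0 (X11; Linux)"',
])

def parse(log_text):
    """Yield one dict per well-formed line, with bytes as int and ts as datetime."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            yield d

def profile_clients(log_text):
    """Per address: bytes served, fetches per file, shortest repeat gap for one file, user agents."""
    stats, last_seen = {}, {}
    for r in parse(log_text):
        s = stats.setdefault(r["ip"], {"bytes": 0, "agents": set(),
                                       "per_file": defaultdict(int), "min_gap_s": None})
        s["bytes"] += r["bytes"]
        s["per_file"][r["path"]] += 1
        s["agents"].add(r["ua"])
        key = (r["ip"], r["path"])
        if key in last_seen:  # same client re-fetching the same file
            gap = (r["ts"] - last_seen[key]).total_seconds()
            s["min_gap_s"] = gap if s["min_gap_s"] is None else min(s["min_gap_s"], gap)
        last_seen[key] = r["ts"]
    return stats

def suspicious(stats, max_bytes, max_repeats):
    """Addresses over a byte budget or re-fetching one file max_repeats times or more."""
    return sorted(ip for ip, s in stats.items()
                  if s["bytes"] > max_bytes or max(s["per_file"].values()) >= max_repeats)
```

The addresses returned by suspicious() are the candidates for the per-address block discussed further down in the thread.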

selden
Developer
Posts: 10192
Joined: 04.09.2002
With us: 22 years 2 months
Location: NY, USA

Post #2 by selden » 25.05.2007, 16:18

The Web server at the lab where I work has had similar things happen. As best we can tell it's often a side effect of some types of network problems causing problems for some download accelerators. When it happens, the easiest solution seems to be to block access for the IP address causing the problem.

Apparently the file transfers never complete properly so they just keep retrying and opening more and more network connections until the server is saturated. It happened quite frequently when there was a cut in one of the trans-Pacific communications cables a few months ago.
Selden

Topic author
maxim
Posts: 1036
Joined: 13.11.2003
With us: 21 years
Location: Nürnberg, Germany

Post #3 by maxim » 25.05.2007, 16:43

Thanks for the answer Selden,

I'll try to apply your solution.

maxim
Get my stuff from celestia.ziegelstein.net

LordFerret M
Posts: 737
Joined: 24.08.2006
Age: 68
With us: 18 years 3 months
Location: NJ USA

Post #4 by LordFerret » 28.05.2007, 00:03

:?:

inetnum: 203.156.192.0 - 203.156.255.255
netname: GLOBAL
descr: ShangHai Global Network Co.Ltd
descr: F4, No.1465, West Beijing Road,
descr: Shanghai, 200040, China
country: CN
admin-c: YJ99-AP
tech-c: GY179-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
changed: hm-changed@apnic.net 20040805
source: APNIC

mntner: MAINT-CNNIC-AP
upd-to: ipas@cnnic.net.cn
descr: China Internet Network Information Center.
descr: Computer Network Information Center,Chinese Academy of Science

admin-c: IPAS1-AP
tech-c: IPAS1-AP
referral-by: APNIC-HM
auth: CRYPT-PW apRkcX7BxhkDk
changed: chentao@cnnic.cn 20040706
mnt-by: MAINT-CNNIC-AP
source: APNIC


Student(s)?

StarSeeker
Posts: 44
Joined: 30.08.2005
With us: 19 years 2 months
Location: Urbandale, IA

Post #5 by StarSeeker » 28.05.2007, 17:53

It's been my observation that unexplained connections from certain countries are best off blocked and avoided like the plague. China is one of them. If you're a web admin, it's Russia--I've had to block everything from *.ru on forums before to deal with the spam.

scaddenp
Posts: 55
Joined: 07.08.2003
With us: 21 years 3 months
Location: Dunedin, New Zealand

Post #6 by scaddenp » 28.05.2007, 21:45

The VTP (Virtual Terrain Project) had the same problem. Massive repeated downloads from China costing the donor a fortune. IP changed and in the end he had to move the site to a different location with better protection. It's hard to understand a motive for malicious attacks, so I suspect it's incompetence.
