Linux mirror server blocks some Chinese IPs: whose fault is it?

On the 12th, Linux mirror server maintainer Adrian Reber began blocking some Chinese IPs on the server. He explained how this came about on his blog; a translation follows:

Recently the server has seen so many connections from China that I have had to start blocking some subnets. There are often 10 clients on the server, each opening more than 50 HTTP connections. They are mainly downloading ISO images and other fairly large files. I can see each client starting to download many different things: Fedora 3 through Fedora 7, Ubuntu ISO images, openSUSE ISO images, and some other large old files.

At first I tried blocking individual IP addresses, but there were simply too many, so I had to start blocking whole subnets. I use the following command to see which clients have many connections open at the same time:

lynx -dump -width=2000 http://localhost/server-status | awk -F' ' '{ print $11 }' | sort -n | uniq -c | sort -n

The output looks roughly like this:

21 122.48.129.75
23 210.21.106.229
24 218.17.228.216
26 220.175.101.252
27 222.67.18.227
30 222.27.89.136
39 123.116.101.186
52 121.231.17.153
63
63 ::1

Then I use the following command to work out roughly which subnets to block:

$ whois 121.231.17.153 | grep inetn | sed -e "s, - ,:,g" | awk ' { print "netmask "$2 }' | sh

121.224.0.0/12

Then I blocked it with an iptables rule:

iptables -A INETIN -s 121.224.0.0/12 -j DROP

Right now I really have no other way of dealing with this kind of Internet abuse that opens 500 connections at once.

Original: "The last few days there are so many connections to our mirror server from China that I started to block certain subnets. There are usually around 10 clients connecting via HTTP and each is opening over 50 connections to our server. They are downloading mainly ISO images and other big files. I can see that each client is starting to download lots of different things. From Fedora 3 to Fedora 7 ISO images, Ubuntu ISO images, openSUSE ISO images and other old and large files.

I started to block individual IP addresses but there are just too many so that I started to block whole subnets. I am using the following command to get an overview about which clients are opening many connections at once:

lynx -dump -width=2000 http://localhost/server-status | awk -F' ' '{ print $11 }' | sort -n | uniq -c | sort -n

The output looks something like this:

21 122.48.129.75
23 210.21.106.229
24 218.17.228.216
26 220.175.101.252
27 222.67.18.227
30 222.27.89.136
39 123.116.101.186
52 121.231.17.153
63
63 ::1

With the following command I am calculating the netmask which will be blocked:

$ whois 121.231.17.153 | grep inetn | sed -e "s, - ,:,g" | awk ' { print "netmask "$2 }' | sh

121.224.0.0/12

And then I am using a simple iptables rule to drop any traffic coming from that network:

iptables -A INETIN -s 121.224.0.0/12 -j DROP

Currently this is the only idea I have how to get rid of those ~500 connections which seem to be some kind of abuse."

Best Regards!

Allen Chen
A3Linux.NET

Adrian Reber's blog:
http://lisas.de/blog/adrian/2008/Mar/12/
Source: cnBeta

This article was posted by hew on the Linuxsky forum, URL: http://bbs.linuxsky.org/thread-6679-1-1.html

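The counting and subnet steps from the quoted blog post, as an added Python example (not part of the original post or of Adrian Reber's blog). The status lines and whois text are constructed samples and the function names are hypothetical; it goes slightly beyond the post by handling whois ranges that do not fit a single CIDR and by reporting how many addresses each rule would cover.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample shaped like Apache mod_status extended output;
# field 11 is the client address, as in the awk command quoted in the post.
SAMPLE_STATUS = """\
0-0 4121 0/12/340 W 0.10 3 0 0.0 1.20 88.10 121.231.17.153 mirror GET /fedora/7/a.iso HTTP/1.1
1-0 4122 0/9/120 W 0.08 5 0 0.0 0.90 40.00 121.231.17.153 mirror GET /fedora/3/b.iso HTTP/1.1
2-0 4123 0/4/77 W 0.02 1 0 0.0 0.10 12.00 121.231.17.153 mirror GET /ubuntu/c.iso HTTP/1.1
3-0 4124 0/2/15 K 0.01 0 2 0.3 0.01 1.00 192.0.2.10 mirror GET /index.html HTTP/1.1
4-0 4125 0/1/9 W 0.00 0 0 0.0 0.00 0.10 ::1 mirror GET /server-status HTTP/1.1
"""
# Constructed whois excerpt; the range matches the 121.224.0.0/12 shown in the post.
SAMPLE_WHOIS = "inetnum:        121.224.0.0 - 121.239.255.255\nnetname:        EXAMPLE-NET\n"

def busy_clients(status_text, threshold):
    """Return {client: open connections} for clients at or above threshold."""
    counts = Counter()
    for line in status_text.splitlines():
        fields = line.split()
        try:
            client = ipaddress.ip_address(fields[10])
        except (IndexError, ValueError):
            continue  # header, blank or non-scoreboard line
        if not client.is_loopback:  # skip local status polls such as ::1
            counts[str(client)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def inetnum_to_cidrs(whois_text):
    """Turn the first 'inetnum: A - B' line into the exact CIDR blocks covering it."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.M)
    if not m:
        raise ValueError("no inetnum range in whois output")
    first, last = (ipaddress.IPv4Address(x) for x in m.groups())
    return list(ipaddress.summarize_address_range(first, last))

def drop_rules(cidrs, chain="INETIN"):
    """Render (do not execute) one DROP rule per CIDR with the address count it covers."""
    return [(f"iptables -A {chain} -s {c} -j DROP", c.num_addresses) for c in cidrs]

if __name__ == "__main__":
    for ip, n in busy_clients(SAMPLE_STATUS, 3).items():
        print(f"{n} {ip}")
    for rule, size in drop_rules(inetnum_to_cidrs(SAMPLE_WHOIS)):
        print(f"{rule}   # covers {size} addresses")
```

The address count makes the scope of a subnet block visible before the rule is applied: the /12 from the post covers 1,048,576 addresses for one offending client.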

Who is doing what???
