
@mweinelt mweinelt commented Aug 25, 2025

Testing right now on mimas. Will probably pull the python package out into a dedicated repo.

table inet abuse {
	set blocked4 {
		type ipv4_addr
		flags interval,timeout
		auto-merge
		timeout 6h
	}

	set blocked6 {
		type ipv6_addr
		flags interval,timeout
		auto-merge
		timeout 6h
	}

	chain input-abuse {
		type filter hook input priority filter - 5; policy accept;
		ip saddr @blocked4 counter packets 4794 bytes 290612 drop
		ip6 saddr @blocked6 counter packets 0 bytes 0 drop
	}
}

@mweinelt mweinelt changed the title mimas: migrate to nftable and configure whole as blocks mimas: migrate to nftables and configure whole as blocks Aug 25, 2025
@mweinelt mweinelt force-pushed the nft-asblock branch 5 times, most recently from ee196d0 to f8c0912 August 26, 2025 14:54

@jfly jfly left a comment

Took a look through this and your new Python repo. Overall LGTM.

Some comments:

  1. I don't understand how old stuff gets cleaned up when it should no longer exist. I see nft add element being called here. I honestly don't know exactly what it does, but it sounds additive.
  2. Sure would appreciate a comment here: https://github.com/mweinelt/nft-prefix-import/blob/6ef9ed3cc2bfd0d2498c03907b0ad87a8366d793/src/nft_prefix_import/__init__.py#L79.
  3. This looks kind of silly with the check=True right above it: https://github.com/mweinelt/nft-prefix-import/blob/6ef9ed3cc2bfd0d2498c03907b0ad87a8366d793/src/nft_prefix_import/__init__.py#L62. If the intent is to be explicit, I think a check=False would do that. Either way, could use a comment explaining why we're ok with failures. Is our intent to just accomplish as much as we can? If so, should we be tracking that a failure occurred and then go on to crash the process at the end, so our systemd unit alerting can tell us to take a look?
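On the cleanup question in point 1: an added example (not code from this PR or from the nft-prefix-import repo) that builds one `nft -f -` script which flushes and repopulates the sets from the ruleset above in a single transaction, so elements no longer returned by the prefix lookup are dropped instead of accumulating. Table and set names come from the ruleset in the PR description; the accepted input (one CIDR prefix or `a-b` range per line) is an assumption.

```python
import ipaddress
import subprocess
import sys

# Table and set names as in the ruleset pasted in the PR description.
TABLE = "inet abuse"
SETS = {4: "blocked4", 6: "blocked6"}


def parse_entry(entry: str):
    """Return (ip_version, nft_element) for a CIDR prefix or an 'a-b' range;
    anything else raises ValueError, so a malformed line never reaches nft."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(s) for s in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        return lo.version, f"{lo}-{hi}"
    net = ipaddress.ip_network(entry, strict=False)
    return net.version, str(net)


def nft_batch(entries, table=TABLE, sets=SETS) -> str:
    """Build an `nft -f -` script that replaces the contents of both sets.
    nft applies a script as one transaction, so the flush and the re-add take
    effect together: stale elements disappear and the set is never empty."""
    buckets = {4: set(), 6: set()}
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        version, element = parse_entry(entry)
        buckets[version].add(element)
    lines = [f"flush set {table} {name}" for name in sets.values()]
    for version, name in sets.items():
        if buckets[version]:
            body = ", ".join(sorted(buckets[version]))
            lines.append(f"add element {table} {name} {{ {body} }}")
    return "\n".join(lines) + "\n"


def apply_batch(script: str) -> None:
    """Feed the script to nft on stdin; check=True raises if nft rejects it."""
    subprocess.run(["nft", "-f", "-"], input=script, text=True, check=True)


if __name__ == "__main__":
    apply_batch(nft_batch(sys.stdin))  # one prefix or range per line
```

Because the sets carry `flags interval` and `auto-merge`, overlapping prefixes in the input are merged by nft itself; the script only needs to hand over a deduplicated list.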


vcunat commented Aug 26, 2025

  1. The top comment shows expiration after 6 hours? (but no idea how that works really)


mweinelt commented Aug 26, 2025

I dropped the timeout completely, since adding the same item again does not seem to reset the timeout. The list now resets at boot and will only be appended to for the uptime of the box.

This looks kind of silly with the check=True right above it:

It prints the error to stdout/stderr and moves on. Not silly at all.

This is the effect we see in 90 minutes:

		ip saddr @ipv4blocks tcp dport 443 counter packets 11446 bytes 686782 drop
		ip6 saddr @ipv6blocks tcp dport 443 counter packets 0 bytes 0 drop


jfly commented Aug 26, 2025

It prints the error to stdout/stderr and moves on. Not silly at all.

That's not because you're setting check=True, it's because the subprocess is inheriting the parent process's stdout/stderr. For example:

demo.py
#!/usr/bin/env python

import subprocess

noisy_error = (
    "echo 'some info' >/dev/stdout && echo 'this is an error' >/dev/stderr && exit 42"
)

print("=== Experiment 1: Running `noisy_error` with `check=False`")
subprocess.run(noisy_error, shell=True, check=False)
print("=" * 30)

print(
    "=== Experiment 2: Running `noisy_error` with `check=True`, and catching and tossing the Python exception"
)
try:
    subprocess.run(noisy_error, shell=True, check=True)
except subprocess.SubprocessError:
    pass
print("=" * 30)

Note how both Experiment 1 and 2 output the exact same thing:

$ python demo.py
=== Experiment 1: Running `noisy_error` with `check=False`
some info
this is an error
==============================
=== Experiment 2: Running `noisy_error` with `check=True`, and catching and tossing the Python exception
some info
this is an error
==============================

Not that there's anything wrong with the code you've written, it just looks odd to me.

My other questions are more important.
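One way to implement the "keep going, but record failures and exit non-zero at the end" behaviour jfly asks about in point 3, as an added example (not code from this PR or from nft-prefix-import); the two commands are constructed stand-ins for the per-prefix nft calls, so it runs without nft installed:

```python
import subprocess
import sys

# Constructed stand-ins for `nft add element ...` calls: one succeeds, one fails.
OK_CMD = [sys.executable, "-c", "pass"]
BAD_CMD = [sys.executable, "-c", "import sys; sys.exit(42)"]


def run_all(commands):
    """Run every command to completion and return the ones that failed.

    check=False states the intent explicitly: a rejected command is reported
    and the loop carries on, so the remaining prefixes still get installed.
    stdout/stderr are inherited either way, so the child's own error text
    reaches the journal regardless of the check= value.
    """
    failed = []
    for cmd in commands:
        result = subprocess.run(cmd, check=False)
        if result.returncode != 0:
            print(f"failed (exit {result.returncode}): {' '.join(cmd)}",
                  file=sys.stderr)
            failed.append(cmd)
    return failed


def main(commands) -> int:
    """Exit non-zero if anything failed, so the systemd unit ends up in the
    failed state and unit-failure alerting fires instead of the error
    merely scrolling past in the log."""
    failed = run_all(commands)
    if failed:
        print(f"{len(failed)} of {len(commands)} commands failed", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main([OK_CMD, BAD_CMD, OK_CMD]))
```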

These networks keep scraping hydra.nixos.org with a high request rate
across a wide range of IP addresses with bogus user-agents.

They did it, they made me develop a tool to look up prefixes for an AS
and block them from accessing tcp/443 using an nftables set match.
@mweinelt mweinelt changed the title mimas: migrate to nftables and configure whole as blocks mimas: block alibaba and tencent from scraping hydra Sep 2, 2025