httpd-users mailing list archives

From Frederik Nosi <frederik.n...@postecom.it>
Subject Re: [users@httpd] deny announce.php torrent requests
Date Thu, 12 Mar 2015 15:03:19 GMT
Hi, not replying to your question but probably useful,
On 03/12/2015 04:13 AM, el kalin wrote:
>
> hi all…
>
> i have a bit of an issue with torrent announce.php?info_hash=
> requests. it sure feels like some sort of dos or ddos. i have tried
> different ways to configure apache to drop those requests using
> mod_security, mod_rewrite, etc but nevertheless i still see a lot
> of ESTABLISHED states that just hang there and the machine eventually
> gives up..

Interesting, the same happened to me two days ago. This is a really good 
explanation:

http://blog.devops.co.il/post/108740168304/torrent-ddos-attack

>
> so far i have tried this:
>
> with mod_security (within modsecurity.conf):
>
> SecRule REQUEST_URI "\?info_hash\=" \
>     "phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"
>
> here i can see in the audit log that "Connection: closed" but i can
> still see all the requests in the virtual domain's log (vs the mod
> sec_audit log). and still see the http ESTABLISHED connections (via
> netstat) just lingering.
>
> with mod_rewrite (in global context):
>
> <IfModule mod_rewrite.c>
>     RewriteEngine on
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
> </IfModule>
>
> also
>
> <Directory /path/to/affected/virtual/domain/document/root>
>     RewriteEngine On
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
> </Directory>
>
>
> and within the virtual domain context:
>
>         <FilesMatch announce>
>                 Order deny,allow
>                 Deny from all
>         </FilesMatch>
>
>
> monitoring via server-status i can still see hits to
> http://mydomain.com/announce.php and netstat keeps growing
> with ESTABLISHED states.
>
> is all of this above wrong?! since this domain appears to be the only 
> one affected i can eventually change that - it's for internal company 
> use - but before i do that - why none of the methods described above 
> can get rid of the torrent flood?
>
> thanks…
>
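Added example, not part of the original messages: Apache still writes a denied request to the virtual host's access log (with status 403), so seeing announce hits there does not by itself show whether the rules above fire. The script below tallies announce?info_hash requests by response status and client; the log layout (common/combined LogFormat) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed layout: Apache common/combined LogFormat
#   host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_announce(target):
    """True for tracker-style requests: /announce or /announce.php carrying info_hash."""
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1].lower()
    # keep_blank_values: an empty "info_hash=" still counts as an announce hit
    query = parse_qs(parts.query, keep_blank_values=True)
    return name in ("announce", "announce.php") and "info_hash" in query

def summarize(lines):
    """Return (hits per status, hits per client, announce hits NOT answered with 403)."""
    by_status, by_client = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_announce(m["target"]):
            continue
        by_status[m["status"]] += 1
        by_client[m["host"]] += 1
    # mod_rewrite [F], "Deny from all" and ModSecurity's default deny all answer 403
    not_denied = sum(n for status, n in by_status.items() if status != "403")
    return by_status, by_client, not_denied

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2015:04:10:01 +0000] "GET /announce.php?info_hash=%12%34%AB&peer_id=x&port=6881 HTTP/1.1" 403 209 "-" "client/1.0"',
    '198.51.100.7 - - [12/Mar/2015:04:10:02 +0000] "GET /announce?info_hash=%FF%00&port=51413 HTTP/1.1" 403 209 "-" "client/1.0"',
    '203.0.113.9 - - [12/Mar/2015:04:10:02 +0000] "GET /announce.php?info_hash=%01%02 HTTP/1.0" 200 512 "-" "client/2.0"',
    '192.0.2.4 - - [12/Mar/2015:04:10:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2015:04:10:04 +0000] "GET /announce.php HTTP/1.1" 404 196 "-" "client/2.0"',
]

if __name__ == "__main__":
    by_status, by_client, not_denied = summarize(SAMPLE)
    print("announce hits by status:", dict(by_status))
    print("top clients:", by_client.most_common(5))
    print("announce hits not answered with 403:", not_denied)
```

A non-zero last figure means some announce requests reach content despite the rules. All-403 output means the rules fire and the remaining load is the connections themselves, which are accepted before any of these rules run.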

