httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From el kalin <ka...@el.net>
Subject [users@httpd] deny announce.php torrent requests
Date Thu, 12 Mar 2015 03:13:31 GMT
hi all…

i have a bit of an issue with torrent announce.php?info_hash= requests. it
sure feels like some sort of dos or ddos. i have tried different ways to
configure apache to drop those request using mod_security, mod_rewrite, etc
but never the less i still see a lot of ESTABLISHED states that just hang
there and the machine eventually gives up..

so far i have tried this:

with mod_security (within modsecurity.conf):

SecRule REQUEST_URI "\?info_hash\="
"phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent
Announce Hit Detected'"

here i can see in the audit log that "Connection: closed" but i can still
see all the request in the virtual domain's log (vs the mod sec_audit log).
and still see the http ESTABLISHED connections  (via netstat) just
lingering.

with mod_rewrite (in global context):

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule ^/announce$ - [F]
    RewriteRule ^/announce\.php$ - [F]
</IfModule>

also

<Directory /path/to/affected/virtual/domain/document/root>
    RewriteEngine On
    RewriteRule ^/announce$ - [F]
    RewriteRule ^/announce\.php$ - [F]
</Directory>


and within the virtual domain context:

        <FilesMatch announce>
                Order deny,allow
                Deny from all
        </FilesMatch>


monitoring via server-status i can still see hits to
http://mydomain.com/announce.php and netstat  keeps growing
with ESTABLISHED states.

is all of this above wrong?! since this domain appears to be the only one
affected i can eventually change that - it's for internal company use - but
before i do that - why none of the methods described above can get rid of
the torrent flood?

thanks…

Mime
View raw message