From: Frederik Nosi
Organization: Postecom s.r.l.
Delivered-To: mailing list users@httpd.apache.org
Subject: Re: [users@httpd] deny announce.php torrent requests
Date: Thu, 12 Mar 2015 16:03:19 +0100
Message-ID: <5501AAB7.20702@postecom.it>
Hi, not replying to your question but probably useful,
On 03/12/2015 04:13 AM, el kalin wrote:

> hi all…
>
> i have a bit of an issue with torrent announce.php?info_hash= requests. it sure feels like some sort of dos or ddos. i have tried different ways to configure apache to drop those requests using mod_security, mod_rewrite, etc but nevertheless i still see a lot of ESTABLISHED states that just hang there and the machine eventually gives up..

Interesting, the same happened to me two days ago. This is a really good explanation:

http://blog.devops.co.il/post/108740168304/torrent-ddos-attack

> so far i have tried this:
>
> with mod_security (within modsecurity.conf):
>
> SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"
>
> here i can see in the audit log that "Connection: closed" but i can still see all the requests in the virtual domain's log (vs the mod sec_audit log), and still see the http ESTABLISHED connections (via netstat) just lingering.
>
> with mod_rewrite (in global context):
>
> <IfModule mod_rewrite.c>
>     RewriteEngine on
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
> </IfModule>
>
> also
>
> <Directory /path/to/affected/virtual/domain/document/root>
>     RewriteEngine On
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
> </Directory>
>
> and within the virtual domain context:
>
> <FilesMatch announce>
>     Order deny,allow
>     Deny from all
> </FilesMatch>
>
> monitoring via server-status i can still see hits to http://mydomain.com/announce.php and netstat keeps growing with ESTABLISHED states.
>
> is all of this above wrong?! since this domain appears to be the only one affected i can eventually change that - it's for internal company use - but before i do that - why can none of the methods described above get rid of the torrent flood?
>
> thanks…
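As an added example, not part of the thread above: every HTTP-level deny (SecRule, RewriteRule [F], FilesMatch) still requires Apache to accept the TCP connection and parse the request, so the ESTABLISHED count does not shrink. The defender-side step is to find the clients sending /announce or /announce.php requests with an info_hash= parameter from the access log and feed them to a network-level block (firewall or fail2ban). This Python script does the counting over constructed sample lines in Apache combined log format; the sample IPs and thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:15:01:02 +0000] "GET /announce.php?info_hash=%12%34&peer_id=-UT3300-abc&port=6881 HTTP/1.1" 403 199 "-" "uTorrent/3300"
203.0.113.7 - - [12/Mar/2015:15:01:03 +0000] "GET /announce.php?info_hash=%12%34&peer_id=-UT3300-abc&port=6881 HTTP/1.1" 403 199 "-" "uTorrent/3300"
198.51.100.9 - - [12/Mar/2015:15:01:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:15:01:05 +0000] "GET /announce?peer_id=-TR2840-xyz&info_hash=%ab%cd HTTP/1.1" 403 199 "-" "Transmission/2.84"
192.0.2.55 - - [12/Mar/2015:15:01:06 +0000] "GET /announce.php?info_hash=%ef%01 HTTP/1.0" 403 199 "-" "BitTorrent/7.9"
"""

# Client IP, timestamp, method, request URI and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# Tracker announce: /announce or /announce.php whose query string carries info_hash=,
# the same request shape the SecRule and RewriteRules in the thread tried to match.
ANNOUNCE_RE = re.compile(r'^/announce(?:\.php)?\?(?:.*&)?info_hash=')


def is_announce(uri):
    """True when the request URI is a BitTorrent tracker announce."""
    return ANNOUNCE_RE.match(uri) is not None


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def announce_hits(log_text):
    """Count announce requests per client IP; unparsable lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_announce(rec["uri"]):
            hits[rec["ip"]] += 1
    return hits


def offenders(log_text, threshold):
    """Clients with at least `threshold` announces, busiest first: block candidates."""
    hits = announce_hits(log_text)
    return sorted(((ip, n) for ip, n in hits.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG, 2):
        print(ip, n)
```

Run it against a real access log (read the file instead of SAMPLE_LOG) and pass the resulting IPs to your firewall rather than to another Apache deny.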