01-05-2015, 08:52 PM #1, Junior Guru Wannabe (Join Date: Jun 2014; Posts: 57)
Anyone else seeing Pirate Bay traffic directed to their sites?
I was working on a site today that was receiving unusually large amounts of traffic. The site is not (nor has it ever been) affiliated with any torrenting.
We noticed in the domlogs lots of requests like this:
Code:
113.x.x.x - - [05/Jan/2015:19:36:24 -0500] "GET /announce?info_hash=%92%DA%9E%99%26%0B%00%5E%E2%93%1A%B1%5F%EB%17%0EH%06%FB%90&peer_id=%2DSD0100%2D%B3%96%B1%9A%E3%B0s%2Fow%A9%C2&ip=117.x.x.x&port=10135&uploaded=380633088&downloaded=380633088&left=3035627520&numwant=200&key=19853&compact=1 HTTP/1.0" 404 329 "-" "Bittorrent"
So, I made a quick modsec rule to block it (feel free to steal it):
Code:
SecRule REQUEST_URI "announce(.php)?\?info_hash=" "t:urldecode,t:lowercase,deny,status:411,id:378575"
Code:
[Mon Jan 05 19:29:33.468142 2015] [:error] [pid 665532:tid 140627564033792] [client 101.x.x.x] ModSecurity: Access denied with code 411 (phase 2). Pattern match "announce\\\\?info_hash=" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "200"] [id "378575"] [hostname "tracker.thepiratebay.org"] [uri "/announce"] [unique_id "VKssbUWnp5QACie84zsAAAAC"]
Anyone else seeing anything like this? Any ideas why BT clients would be checking someone's random blog site for torrent tracking? tracker.thepiratebay.org doesn't even resolve, and it certainly doesn't resolve to my customer's server.
Last edited by bear; 01-06-2015 at 01:05 PM. Reason: formatting
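Added example (not from the original post): detection logic that applies the same `announce(.php)?\?info_hash=` pattern as the ModSecurity rule to domlog lines, counts announce hits per client IP and per info_hash, and lists repeat offenders. The log lines are constructed to match the format of the excerpt above; the helper names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample domlog lines in the combined format of the excerpt above
# (documentation-range client IPs, not real ones).
SAMPLE_LOG = """\
113.0.0.1 - - [05/Jan/2015:19:36:24 -0500] "GET /announce?info_hash=%92%DA%9E%99%26%0B%00%5E%E2%93%1A%B1%5F%EB%17%0EH%06%FB%90&peer_id=%2DSD0100%2D&port=10135 HTTP/1.0" 404 329 "-" "Bittorrent"
113.0.0.1 - - [05/Jan/2015:19:36:30 -0500] "GET /announce.php?info_hash=%92%DA%9E%99%26%0B%00%5E%E2%93%1A%B1%5F%EB%17%0EH%06%FB%90&port=10135 HTTP/1.0" 404 329 "-" "Bittorrent"
203.0.113.5 - - [05/Jan/2015:19:36:31 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2015:19:36:40 -0500] "GET /announce?info_hash=%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13%14 HTTP/1.0" 404 329 "-" "Transmission/2.84"
"""

# Combined log format: client ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# The same pattern the ModSecurity rule in the post matches, applied here to the raw request URI.
ANNOUNCE_RE = re.compile(r"announce(\.php)?\?info_hash=", re.IGNORECASE)

def info_hash_hex(uri):
    """Return the 20-byte info_hash of an announce URI as hex, or None if absent or malformed."""
    for pair in urlsplit(uri).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "info_hash":
            raw = unquote_to_bytes(value)   # decode at the byte level; the hash is binary
            return raw.hex() if len(raw) == 20 else None
    return None

def summarize(log_text):
    """Count announce requests per client IP and per info_hash over a domlog."""
    per_ip, per_hash = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not ANNOUNCE_RE.search(m["uri"]):
            continue                        # not a tracker announce, ignore
        per_ip[m["ip"]] += 1
        digest = info_hash_hex(m["uri"])
        if digest:
            per_hash[digest] += 1
    return per_ip, per_hash

def offenders(log_text, threshold=2):
    """Client IPs with at least `threshold` announce hits (a thresholded version of the
    grep|awk|sort|uniq pipeline used later in this thread to fill csf.deny)."""
    per_ip, _ = summarize(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

Counting per info_hash shows whether the flood is one poisoned torrent or many, which the per-IP view alone does not.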
01-06-2015, 08:56 AM #2, Newbie (Join Date: May 2012; Posts: 19)
Yesterday, and the day before, I too saw bursts of traffic with host headers of thepiratebay, gravatar, edgecastcdn, appspot.com etc. (many hostnames); at the peak there were around 4000 HTTP requests a second, which is a reasonable L7 HTTP flood...
Could you share what the blog content was, and whether it was the only site on that IP address that was flooded?
01-06-2015, 09:15 AM #3, Managed VPS Experts (Join Date: Nov 2007; Location: New Jersey, USA; Posts: 4,740)
I've noticed this from users posting on other forums, it's fairly interesting. I wonder what is causing this.
Daniel
01-06-2015, 09:41 AM #4, New Member (Join Date: Jan 2012; Posts: 2)
Same here on multiple servers.
I ended up blocking all those requests with mod_security
Here's the solution at serverfault (I cannot post the full url...)
/questions/656093/mod-security-block-requests-by-http-host-header
It seems that there's some kind of DNS cache poisoning in China (what a surprise) causing thousands of BitTorrent clients to send announce requests to completely unrelated servers.
I wonder why they did this...
01-06-2015, 01:00 PM #5, Junior Guru Wannabe (Join Date: Jun 2014; Posts: 57)
There are several ways to block this with modsec. Host header works, user agent works, request URI (like I used) works just fine.
FWIW this customer's site was on their own dedicated IP, no other domains on that IP.
01-06-2015, 03:10 PM #6, Junior Guru Wannabe (Join Date: Jun 2014; Posts: 57)
This has tailed off a little bit. About 11,000 requests have been blocked by ModSecurity since last night.
CSF/LFD have been blocking repeat offenders; every single IP blocked for repeat offenses (about 1000 IPs) has indeed been from China, so the DNS cache poisoning in that region is certainly a plausible explanation.
01-10-2015, 01:55 PM #7, Registered User (Join Date: Jan 2015; Location: Chicago; Posts: 37)
csf tactic
Had to battle this on a cPanel server with CSF and no mod_security:
Code:
root@vm [/usr/local/apache/domlogs]# > /etc/csf/csf.deny; killall httpd; grep "announce?info_hash" domain.com | awk '{print$1}' | sort | uniq -c | sort -rn | awk '{print$2}' >> /etc/csf/csf.deny; csf -r; service httpd start
01-12-2015, 01:44 PM #8, Newbie (Join Date: Oct 2006; Posts: 10)
Yes. I got crushed Friday, Saturday and Sunday on one IP. Brought server down continuously. Softlayer was responsive but ultimately had no solution that worked. I finally just ditched that IP address.
01-12-2015, 02:03 PM #9, Web Hosting Guru (Join Date: Feb 2005; Location: localhost; Posts: 5,473)
Maybe the IPs were used by the Pirate Bay in the past?
Respectfully,
Mr. Terrence
01-12-2015, 03:10 PM #10, Junior Guru Wannabe (Join Date: Jun 2014; Posts: 57)
In our case, not a chance. We keep a log of every account that has ever had an IP address. I can look up any IP under our control and see every server it's ever been assigned to.
It was very easy and effective to defend it with ModSecurity, thankfully. I set the status of the rule to 411, and then made an .htaccess file with "ErrorDocument 411 default". This way all the requests got a very small text response rather than the CMS doing its standard 404 handling that involves a PHP process. Once CSF/LFD kicked in, the IPs that were repeat offenders got blocked quickly.
01-12-2015, 03:14 PM #11, Newbie (Join Date: Nov 2014; Posts: 25)
Seen this as well. Did not have any crashes or slowness on any of the sites or servers but did see all the hits.
01-12-2015, 04:46 PM #12, Junior Guru Wannabe (Join Date: Jun 2014; Posts: 57)
I find most server load caused by attacks like this is from custom 404 handling. If a site has a small static 404 page, it can ride these out pretty well without intervention for the most part. If the site is dynamic and uses PHP/MySQL to render a big page for 404s, it's easy to cause a ton of load with misdirected requests.
01-21-2015, 01:05 PM #13, New Member (Join Date: Jan 2015; Posts: 3)
torrents attacking our websites! :/
Just had this happen to a customer of ours, we blocked it with a quick return in nginx and I even elaborated a bit and added anti-torrent code, but they still keep coming.
nginx snippet -
Code:
server {
    location /announc {
        access_log off;
        error_log /dev/null;   # "error_log off;" is not a switch in nginx; it writes to a file literally named "off"
        default_type text/plain;
        return 404 "d14:failure reason13:not a tracker8:retry in5:nevere";
    }
}
01-22-2015, 08:43 PM #14, Junior Guru Wannabe (Join Date: Jun 2014; Posts: 57)
Nice write-up
You think that this is intentional then, that people are adding bad trackers/data to torrents/magnet links so they can DDoS people? To my network admins, and now to myself after testing, I think it's DNS cache poisoning. Our network admins queried some of the domain names we saw in the host headers at Chinese DNS servers, i.e.
Code:
dig a.tracker.thepiratebay.org @some.chinese.isp.nameserver
I tested his theory: I took this list of CN nameservers, http://public-dns.tk/nameserver/cn.txt, put it in a file called "list", and ran this:
Code:
for each in `cat list` ; do dig +short a.tracker.thepiratebay.org @$each; done
Last edited by quizknows; 01-22-2015 at 08:56 PM.
01-23-2015, 03:50 AM #15, New Member (Join Date: Jan 2015; Posts: 3)
You are right, I got that figured out as well.
According to viewdns.info/research/dns-cache-poisoning-in-the-peoples-republic-of-china you can also dig the same DNS server multiple times, and there is a different result each time.
Also discussed on serverfault.com/questions/656093
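Added example (my own, not from either poster) that automates the check described in the two posts above: query each resolver from the list several times with `dig +short`, then label each one as giving no answer, answers consistent with a trusted resolver, one stable bogus answer, or answers that change between queries (the cache-poisoning signature). `dig` is assumed to be installed for the live path; `classify` and `survey` work offline with any query function.

```python
import subprocess

def dig_short(name, resolver, timeout=3):
    """Run `dig +short name @resolver` (the check from the posts above) and return its answers.
    An empty set means no answer, a timeout, or dig not being installed."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1", name, "@" + resolver]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 2).stdout
    except (OSError, subprocess.TimeoutExpired):
        return set()
    return {line.strip() for line in out.splitlines() if line.strip()}

def classify(answers, reference):
    """Label one resolver from the answer sets of its repeated queries.
    `reference` holds the records a trusted resolver returns (empty when the name does not
    resolve at all, as tracker.thepiratebay.org did at the time of this thread)."""
    seen = set().union(*answers) if answers else set()
    if not seen:
        return "no answer"
    if seen <= reference:
        return "consistent"
    if any(a != answers[0] for a in answers[1:]):
        return "varies per query"        # different result each time, as the post describes
    return "differs from reference"      # stable, but not what the trusted resolver says

def survey(name, resolvers, reference, runs=3, query=dig_short):
    """Query every resolver `runs` times and label each one; `query` is injectable for testing."""
    return {r: classify([query(name, r) for _ in range(runs)], reference) for r in resolvers}

if __name__ == "__main__":
    # Live use: read the nameserver list file from the post and compare against a trusted resolver.
    with open("list") as fh:
        servers = [line.strip() for line in fh if line.strip()]
    trusted = dig_short("a.tracker.thepiratebay.org", "1.1.1.1")
    for server, verdict in survey("a.tracker.thepiratebay.org", servers, trusted).items():
        print(server, verdict)
```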
01-23-2015, 05:01 AM #16, New Member (Join Date: Jan 2015; Posts: 3)
And mentioned at furbo.org/2015/01/22/fear-china/
As well as infosecurity-magazine.com/news/great-firewall-upgrade-redirects/