Hi, not replying to your question but probably useful,
On 03/12/2015 04:13 AM, el kalin wrote:
hi all…
i have a bit of an issue with torrent announce.php?info_hash=
requests. it sure feels like some sort of dos or ddos. i have tried
different ways to configure apache to drop those requests using
mod_security, mod_rewrite, etc but nevertheless i still see a lot
of ESTABLISHED states that just hang there and the machine eventually
gives up.
Interesting, the same happened to me two days ago. This is a really good
explanation:
http://blog.devops.co.il/post/108740168304/torrent-ddos-attack
so far i have tried this:
with mod_security (within modsecurity.conf):
SecRule REQUEST_URI "\?info_hash\=" \
    "phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"
here i can see in the audit log that "Connection: closed" but i can
still see all the requests in the virtual domain's log (vs the mod
sec_audit log), and still see the http ESTABLISHED connections (via
netstat) just lingering.
with mod_rewrite (in global context):
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule ^/announce$ - [F]
    RewriteRule ^/announce\.php$ - [F]
</IfModule>
also
<Directory /path/to/affected/virtual/domain/document/root>
    RewriteEngine On
    RewriteRule ^/announce$ - [F]
    RewriteRule ^/announce\.php$ - [F]
</Directory>
and within the virtual domain context:
<FilesMatch announce>
    Order deny,allow
    Deny from all
</FilesMatch>
monitoring via server-status i can still see hits to
http://mydomain.com/announce.php and netstat keeps growing
with ESTABLISHED states.
is all of this above wrong?! since this domain appears to be the only
one affected i can eventually change that - it's for internal company
use - but before i do that, why can none of the methods described above
get rid of the torrent flood?
thanks…
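An added example, not from either participant in this thread: every method quoted above acts inside Apache, which can only refuse a request after the TCP handshake has completed, a worker has been assigned and the request line and headers have been read. A 403 from mod_security or mod_rewrite is therefore still a full HTTP exchange, and with keepalive the socket stays ESTABLISHED until the client closes it or KeepAliveTimeout/Timeout expires, which is what netstat is showing. The usual remedy is to identify the offending clients from the access log and drop them at netfilter so the handshake never completes. The script below does the log-side part: it counts announce hits per client IP from constructed combined-format log lines (the IPs, peer ids and user agents are made up for the example) and emits, without executing, the iptables rules an operator would apply. The announce URL pattern, the threshold and the `--dport 80` rule shape are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread): find the clients hammering the torrent
# announce URL in an Apache combined-format access log, and emit the
# netfilter rules an operator would use to drop them before Apache accepts
# the connection. All log lines below are constructed samples, not real data.

# announce_offenders LOGFILE [THRESHOLD]
#   Prints "COUNT IP" for every client IP with more than THRESHOLD announce
#   hits (default 50), busiest first.
announce_offenders() {
    logfile=$1
    threshold=${2:-50}
    # Only /announce or /announce.php with an info_hash query parameter; a
    # page that merely contains "info_hash" in its path is not an announce.
    grep -E '"(GET|POST) /announce(\.php)?\?[^"]*info_hash=' "$logfile" \
        | awk '{ print $1 }' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 > t { print $1, $2 }' \
        | sort -rn
}

# ban_rules LOGFILE [THRESHOLD]
#   Prints (does not execute) one iptables DROP rule per offender, so the
#   three-way handshake never completes and no Apache worker is consumed.
ban_rules() {
    announce_offenders "$1" "$2" \
        | awk '{ print "iptables -I INPUT -s " $2 " -p tcp --dport 80 -j DROP" }'
}

# write_sample_log FILE
#   Constructed sample traffic: one client with three announce hits, one with
#   a single hit, and a normal visitor whose requests must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [12/Mar/2015:04:13:01 +0000] "GET /announce.php?info_hash=%AB%CD&peer_id=-UT3400-abc&port=6881 HTTP/1.1" 403 199 "-" "uTorrent/3400"
198.51.100.7 - - [12/Mar/2015:04:13:02 +0000] "GET /announce.php?info_hash=%AB%CD&peer_id=-UT3400-abc&port=6881 HTTP/1.1" 403 199 "-" "uTorrent/3400"
198.51.100.7 - - [12/Mar/2015:04:13:03 +0000] "GET /announce?info_hash=%12%34&peer_id=-TR2840-xyz&port=51413 HTTP/1.1" 403 199 "-" "Transmission/2.84"
203.0.113.9 - - [12/Mar/2015:04:13:04 +0000] "GET /announce.php?info_hash=%AB%CD&peer_id=-UT3400-def&port=6881 HTTP/1.1" 403 199 "-" "uTorrent/3400"
192.0.2.44 - - [12/Mar/2015:04:13:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2015:04:13:06 +0000] "GET /info_hash.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run against the constructed log: a threshold of 2 flags only
# the first client, and one DROP rule is printed for it.
tmp=$(mktemp)
write_sample_log "$tmp"
announce_offenders "$tmp" 2
ban_rules "$tmp" 2
rm -f "$tmp"
```

In production the same counting is what a fail2ban filter does continuously against the live access log, and the DROP rules should be reviewed before being applied (a shared NAT address can hide legitimate users behind one IP). Two caveats on the quoted configuration itself: inside a <Directory> block mod_rewrite matches the pattern against the path relative to that directory, so a leading slash in `^/announce$` prevents the match there, and even a rule that does match cannot shorten the ESTABLISHED lifetime, which is governed by KeepAlive, KeepAliveTimeout and Timeout rather than by the response code.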