Posted to users@httpd.apache.org by el kalin <ka...@el.net> on 2015/03/12 04:13:31 UTC
[users@httpd] deny announce.php torrent requests
hi all…
i have a bit of an issue with torrent announce.php?info_hash= requests. it
sure feels like some sort of dos or ddos. i have tried different ways to
configure apache to drop those requests using mod_security, mod_rewrite, etc.
but nevertheless i still see a lot of ESTABLISHED states that just hang
there and the machine eventually gives up..
so far i have tried this:
with mod_security (within modsecurity.conf):
SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"
here i can see in the audit log that "Connection: closed" but i can still
see all the requests in the virtual domain's log (vs the mod sec_audit log).
and still see the http ESTABLISHED connections (via netstat) just
lingering.
with mod_rewrite (in global context):
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/announce$ - [F]
RewriteRule ^/announce\.php$ - [F]
</IfModule>
also
<Directory /path/to/affected/virtual/domain/document/root>
RewriteEngine On
RewriteRule ^/announce$ - [F]
RewriteRule ^/announce\.php$ - [F]
</Directory>
and within the virtual domain context:
<FilesMatch announce>
Order deny,allow
Deny from all
</FilesMatch>
monitoring via server-status i can still see hits to
http://mydomain.com/announce.php and netstat keeps growing
with ESTABLISHED states.
is all of this above wrong?! since this domain appears to be the only one
affected i can eventually change that - it's for internal company use - but
before i do that - why can none of the methods described above get rid of
the torrent flood?
thanks…
Re: [users@httpd] deny announce.php torrent requests
Posted by Frederik Nosi <fr...@postecom.it>.
Hi, not replying to your question but probably useful,
On 03/12/2015 04:13 AM, el kalin wrote:
>
> hi all…
>
> i have a bit of an issue with torrent announce.php?info_hash=
> requests. it sure feels like some sort of dos or ddos. i have tried
> different ways to configure apache to drop those requests using
> mod_security, mod_rewrite, etc. but nevertheless i still see a lot
> of ESTABLISHED states that just hang there and the machine eventually
> gives up..
Interesting, the same happened to me two days ago. This is a really good
explanation:
http://blog.devops.co.il/post/108740168304/torrent-ddos-attack
>
> so far i have tried this:
>
> with mod_security (within modsecurity.conf):
>
> SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"
>
> here i can see in the audit log that "Connection: closed" but i can
> still see all the requests in the virtual domain's log (vs the mod
> sec_audit log). and still see the http ESTABLISHED connections (via
> netstat) just lingering.
>
> with mod_rewrite (in global context):
>
> <IfModule mod_rewrite.c>
> RewriteEngine on
> RewriteRule ^/announce$ - [F]
> RewriteRule ^/announce\.php$ - [F]
> </IfModule>
>
> also
>
> <Directory /path/to/affected/virtual/domain/document/root>
> RewriteEngine On
> RewriteRule ^/announce$ - [F]
> RewriteRule ^/announce\.php$ - [F]
> </Directory>
>
>
> and within the virtual domain context:
>
> <FilesMatch announce>
> Order deny,allow
> Deny from all
> </FilesMatch>
>
>
> monitoring via server-status i can still see hits to
> http://mydomain.com/announce.php and netstat keeps growing
> with ESTABLISHED states.
>
> is all of this above wrong?! since this domain appears to be the only
> one affected i can eventually change that - it's for internal company
> use - but before i do that - why can none of the methods described above
> get rid of the torrent flood?
>
> thanks…
Re: [users@httpd] deny announce.php torrent requests
Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Mar 12, 2015 at 9:59 AM, Yann Ylavic <yl...@gmail.com> wrote:
> I think you need either an action that drops the connection (deny =>
> drop, without any response!), or a status code that implies
> "Connection: close" (deny,status=503 for example, whereas the default
> 403 keeps the connection alive).
Maybe status 400 or 501 would be more suitable since they would not
allow fail over by proxy frontend (if any).
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] deny announce.php torrent requests
Posted by Yann Ylavic <yl...@gmail.com>.
Hi,
On Thu, Mar 12, 2015 at 4:13 AM, el kalin <ka...@el.net> wrote:
>
> so far i have tried this:
>
> with mod_security (within modsecurity.conf):
>
> SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"
>
> here i can see in the audit log that "Connection: closed" but i can still
> see all the requests in the virtual domain's log (vs the mod sec_audit log).
> and still see the http ESTABLISHED connections (via netstat) just
> lingering.
I think you need either an action that drops the connection (deny =>
drop, without any response!), or a status code that implies
"Connection: close" (deny,status=503 for example, whereas the default
403 keeps the connection alive).
>
> with mod_rewrite (in global context):
>
> <IfModule mod_rewrite.c>
> RewriteEngine on
> RewriteRule ^/announce$ - [F]
> RewriteRule ^/announce\.php$ - [F]
> </IfModule>
>
> also
>
> <Directory /path/to/affected/virtual/domain/document/root>
> RewriteEngine On
> RewriteRule ^/announce$ - [F]
> RewriteRule ^/announce\.php$ - [F]
> </Directory>
Same here with [R=503] (and possibly the L flag too).
Regards,
Yann.
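The changes suggested in the replies above, written out as an added example (not part of the original thread and not any poster's configuration): the ModSecurity rule from the first message with `deny` replaced by `drop`, the alternative of denying with a status other than the default 403, and the mod_rewrite rules with `[R=503,L]`. The rule ids 10000003 and 10000004 are constructed placeholders.

```apache
# Added example, not from the thread. Rule ids 10000003 / 10000004 are
# constructed placeholders. Use ONE of variant A or variant B, not both.

# Rule from the first message, kept for comparison. A bare "deny" answers
# with 403, which (per the reply above) leaves the keep-alive connection open:
# SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"

# Variant A: "drop" closes the TCP connection without sending a response.
SecRule REQUEST_URI "\?info_hash=" \
    "phase:2,id:10000003,t:none,rev:1,severity:2,log,drop,msg:'Torrent Announce Hit Detected'"

# Variant B: still answer, but with the 503 status suggested in the reply.
# The follow-up reply suggests 400 or 501 instead when a proxy frontend
# could fail over on 503.
SecRule REQUEST_URI "\?info_hash=" \
    "phase:2,id:10000004,t:none,rev:1,severity:2,log,deny,status:503,msg:'Torrent Announce Hit Detected'"

# mod_rewrite variant. Place it inside the affected <VirtualHost>: rewrite
# rules in the main server config are not inherited by virtual hosts unless
# RewriteOptions Inherit is set. In server / virtual-host context the pattern
# is matched against the URL-path including its leading slash.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # With a non-3xx status in [R=...], the substitution is ignored and
    # rewriting stops; L is included as suggested in the reply.
    RewriteRule ^/announce(\.php)?$ - [R=503,L]
</IfModule>
```

After reloading, watch the ESTABLISHED count in netstat and the hits in server-status, as in the first message, to confirm the connections are no longer lingering.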