Re: [users@httpd] deny announce.php torrent requests
Hi, not replying to your question but probably useful,

On 03/12/2015 04:13 AM, el kalin wrote:
> hi all… i have a bit of an issue with torrent announce.php?info_hash= requests. it sure feels like some sort of dos or ddos. i have tried different ways to configure apache to drop those requests using mod_security, mod_rewrite, etc., but nevertheless i still see a lot of ESTABLISHED states that just hang there and the machine eventually gives up..

Interesting, the same happened to me two days ago. This is a really good explanation:
http://blog.devops.co.il/post/108740168304/torrent-ddos-attack

> so far i have tried this:
>
> with mod_security (within modsecurity.conf):
>
>     SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'1002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"
>
> here i can see in the audit log that "Connection: closed" but i can still see all the requests in the virtual domain's log (vs. the modsec_audit log), and still see the http ESTABLISHED connections (via netstat) just lingering.
>
> with mod_rewrite (in global context):
>
>     RewriteEngine on
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
>
> also
>
>     RewriteEngine On
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
>
> and within the virtual domain context:
>
>     Order deny,allow
>     Deny from all
>
> monitoring via server-status i can still see hits to http://mydomain.com/announce.php and netstat keeps growing with ESTABLISHED states.
>
> is all of this above wrong?! since this domain appears to be the only one affected i can eventually change that - it's for internal company use - but before i do that - why can none of the methods described above get rid of the torrent flood?
>
> thanks…
Re: [users@httpd] deny announce.php torrent requests
On Thu, Mar 12, 2015 at 9:59 AM, Yann Ylavic wrote:
> I think you need either an action that drops the connection (deny =>
> drop, without any response!), or a status code that implies
> "Connection: close" (deny,status=503 for example, whereas the default
> 403 keeps the connection alive).

Maybe status 400 or 501 would be more suitable since they would not allow fail over by a proxy frontend (if any).

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] deny announce.php torrent requests
Hi,

On Thu, Mar 12, 2015 at 4:13 AM, el kalin wrote:
>
> so far i have tried this:
>
> with mod_security (within modsecurity.conf):
>
>     SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'1002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"
>
> here i can see in the audit log that "Connection: closed" but i can still see all the requests in the virtual domain's log (vs. the modsec_audit log), and still see the http ESTABLISHED connections (via netstat) just lingering.

I think you need either an action that drops the connection (deny => drop, without any response!), or a status code that implies "Connection: close" (deny,status=503 for example, whereas the default 403 keeps the connection alive).

> with mod_rewrite (in global context):
>
>     RewriteEngine on
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
>
> also
>
>     RewriteEngine On
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]

Same here with [R=503] (and possibly the L flag too).

Regards,
Yann.
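The two suggestions above (drop the connection, or answer with a status such as 503, 400 or 501 that makes httpd close it) written out as a concrete configuration. This is an added example, not from the thread; the ModSecurity "drop" and "status:503" actions are the module's own, while the rule ids, the RewriteCond on QUERY_STRING and the combined announce(\.php)? pattern are my choices.

```apache
# Added example (not from the thread): block torrent announce hits so the
# client connection is closed instead of being kept alive on a 403.

# --- mod_security (modsecurity.conf) ---
# As posted: "deny" answers 403 and httpd keeps the connection open.
# SecRule REQUEST_URI "\?info_hash=" \
#     "phase:2,id:1002,t:none,log,deny,msg:'Torrent Announce Hit Detected'"

# Option A: close the TCP connection without sending any response.
# REQUEST_URI (path + query string) is already available in phase 1,
# so the rule can run before any request body is read.
SecRule REQUEST_URI "\?info_hash=" \
    "phase:1,id:1002,t:none,log,drop,msg:'Torrent announce hit dropped'"

# Option B: still answer, but with a status httpd treats as
# connection-closing (503 here; 400 and 501 behave the same way).
# SecRule REQUEST_URI "\?info_hash=" \
#     "phase:1,id:1003,t:none,log,deny,status:503,msg:'Torrent announce hit'"

# --- mod_rewrite (server or virtual host context) ---
RewriteEngine On
# Match /announce and /announce.php only when the query carries info_hash=.
RewriteCond %{QUERY_STRING} (^|&)info_hash=
# A non-3xx R= status stops rewriting and sends that status; 503 closes
# the connection, unlike the 403 produced by [F].
RewriteRule ^/announce(\.php)?$ - [R=503,L]
# In per-directory context (<Directory> or .htaccess) the pattern sees the
# path without its leading slash: use ^announce(\.php)?$ there instead.
```

After reloading, a hit on /announce.php?info_hash=... should show in netstat as a closed or absent connection rather than a lingering ESTABLISHED one, and the access log should record 503 (option B) or nothing at all beyond the audit log entry (option A).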
[users@httpd] deny announce.php torrent requests
hi all… i have a bit of an issue with torrent announce.php?info_hash= requests. it sure feels like some sort of dos or ddos. i have tried different ways to configure apache to drop those requests using mod_security, mod_rewrite, etc., but nevertheless i still see a lot of ESTABLISHED states that just hang there and the machine eventually gives up..

so far i have tried this:

with mod_security (within modsecurity.conf):

    SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'1002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"

here i can see in the audit log that "Connection: closed" but i can still see all the requests in the virtual domain's log (vs. the modsec_audit log), and still see the http ESTABLISHED connections (via netstat) just lingering.

with mod_rewrite (in global context):

    RewriteEngine on
    RewriteRule ^/announce$ - [F]
    RewriteRule ^/announce\.php$ - [F]

also

    RewriteEngine On
    RewriteRule ^/announce$ - [F]
    RewriteRule ^/announce\.php$ - [F]

and within the virtual domain context:

    Order deny,allow
    Deny from all

monitoring via server-status i can still see hits to http://mydomain.com/announce.php and netstat keeps growing with ESTABLISHED states.

is all of this above wrong?! since this domain appears to be the only one affected i can eventually change that - it's for internal company use - but before i do that - why can none of the methods described above get rid of the torrent flood?

thanks…