hi all… i have a bit of an issue with torrent announce.php?info_hash= requests. it sure feels like some sort of dos or ddos. i have tried different ways to configure apache to drop those requests using mod_security, mod_rewrite, etc. but nevertheless i still see a lot of ESTABLISHED states that just hang there and the machine eventually gives up.
so far i have tried this:

with mod_security (within modsecurity.conf):

    SecRule REQUEST_URI "\?info_hash\=" "phase:2,id:'10000002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'"

here i can see in the audit log that "Connection: closed" but i can still see all the requests in the virtual domain's log (vs the modsec_audit log), and still see the http ESTABLISHED connections (via netstat) just lingering.

with mod_rewrite (in global context):

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteRule ^/announce$ - [F]
        RewriteRule ^/announce\.php$ - [F]
    </IfModule>

also

    <Directory /path/to/affected/virtual/domain/document/root>
        RewriteEngine On
        RewriteRule ^/announce$ - [F]
        RewriteRule ^/announce\.php$ - [F]
    </Directory>

and within the virtual domain context:

    <FilesMatch announce>
        Order deny,allow
        Deny from all
    </FilesMatch>

monitoring via server-status i can still see hits to http://mydomain.com/announce.php and netstat keeps growing with ESTABLISHED states.

is all of this above wrong?! since this domain appears to be the only one affected i can eventually change that - it's for internal company use - but before i do that - why can none of the methods described above get rid of the torrent flood?

thanks…
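An added example, not part of the original post: Apache writes every request it parses to the virtual host's access log, denied ones included, so the status column is what shows whether a deny rule fired. This Python script tallies announce hits per client and status code from constructed sample lines in combined log format (the IPs, timestamps and user agents are made up, and the function names are this example's own).

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2012:13:55:36 +0000] "GET /announce.php?info_hash=%AA%BB&peer_id=x&port=6881 HTTP/1.1" 403 202 "-" "uTorrent/3.0"
192.0.2.10 - - [10/Oct/2012:13:55:37 +0000] "GET /announce.php?info_hash=%AA%BB&peer_id=x&port=6881 HTTP/1.1" 403 202 "-" "uTorrent/3.0"
198.51.100.7 - - [10/Oct/2012:13:55:38 +0000] "GET /announce?info_hash=%CC%DD&peer_id=y HTTP/1.0" 200 512 "-" "Transmission/2.5"
203.0.113.5 - - [10/Oct/2012:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
not a log line
"""

# Client address, request line and status code of one combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: \S+)?" (?P<status>\d{3}) '
)
# Same targets as the rules in the post: /announce or /announce.php with info_hash.
ANNOUNCE_RE = re.compile(r'^/announce(?:\.php)?\?(?:.*&)?info_hash=')

def summarize(log_text):
    """Return (per-client status counts, overall status counts) for announce hits."""
    per_client = defaultdict(Counter)
    statuses = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not ANNOUNCE_RE.match(m.group("uri")):
            continue  # unparseable line or unrelated request
        per_client[m.group("ip")][m.group("status")] += 1
        statuses[m.group("status")] += 1
    return per_client, statuses

def not_denied(per_client):
    """Clients whose announce requests got an answer other than 403."""
    return sorted(ip for ip, c in per_client.items() if any(s != "403" for s in c))

if __name__ == "__main__":
    clients, totals = summarize(SAMPLE_LOG)
    for ip, counts in sorted(clients.items(), key=lambda kv: -sum(kv[1].values())):
        print(ip, dict(counts))
    print("status totals:", dict(totals))
    print("announce hits not answered with 403:", not_denied(clients))
```

To run it against a real log, pass the file's contents to `summarize()` in place of `SAMPLE_LOG`.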