Unusually large torrent traffic directed to our server

webstyler

Well-Known Member
Nov 20, 2003
Hi

In the last 24 hours server received a lot of bad traffic

The same issue is explain here:

http://www.webhostingtalk.com/showthread.php?t=1443734
http://serverfault.com/questions/656093/mod-security-block-requests-by-http-host-header

So ModSecurity works fine, and under ModSecurity Tools we see it blocked:

Code:
----------------------------------------
2015-03-07 09:38:49 	eztv.tracker.thepiratebay.org 	111.161.77.198 	WARNING 	406 	
Request:
GET /announce.php?info_hash=%14%9m%E9%89%FA%DF%D5%E5i95%2C%ABU%AC%93ut%12%D9&peer_id=%2DSD100%2D%3EX%7CD2%5F%93%E2%C3%2D%DE%5D%BF&ip=223.20.6.237&port=18447&uploaded=16130235144&downloaded=16130235144&left=1686119672&numwant=200&key=31538&compact=1
Action Description:
Access denied with code 406 (phase 2).
Justification:
Invalid UTF-8 encoding: invalid byte value in character at ARGS:info_hash.
----------------------------------------
But:

1. OK, Chinese DNS points to this server, but there is no domain configured, so why reply??
2. Maybe it is better to create a rule to block ALL requests where the host "contains" the word thepiratebay .. no??

Thanks
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
I created a WHT thread on this, it's discussed in detail here:

Anyone else seeing Pirate Bay traffic directed to their sites? - Hosting Security and Technology - Web Hosting Talk

The traffic has to do with Chinese DNS servers returning seemingly random (and incorrect) IPs for popular domains like piratebay and facebook.

I find this modsec rule to be extremely effective:

Code:
SecRule REQUEST_URI "announce(.php)?\?info_hash=" "t:urldecode,t:lowercase,deny,status:411,id:378575"
If you are getting hit exceptionally hard, you can change the rule above from "deny" to "drop" which will drop the TCP connection instead of returning the 411 page.
 

webstyler

Well-Known Member
Nov 20, 2003
Thanks, but this rule stops it before yours:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"

How to give priority to yours?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
You should just need to make sure the new rule appears in the configuration files above/before the old rule. ModSecurity will process the rules in the order they're included.
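As an added illustration (not part of the thread and not ModSecurity code): the following Python model evaluates the two rules discussed above, quizknows' tracker rule id 378575 (REQUEST_URI after t:urldecode,t:lowercase) and the CRS rule id 950801 (@validateUtf8Encoding on ARGS), in configuration order, first match wins, the way a phase-2 rule chain behaves. It uses the announce request copied from the log earlier in the thread plus two constructed requests, and assumes the 406 for rule 950801 comes from SecDefaultAction as the log shows. It is only an approximation of the engine (no chains, no SecRuleRemoveById, no phase distinctions).

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample input: the announce request copied from the thread's
# ModSecurity log, plus two made-up requests for comparison.
TRACKER_URI = ("/announce.php?info_hash=%14%9m%E9%89%FA%DF%D5%E5i95%2C%ABU%AC%93ut%12%D9"
               "&peer_id=%2DSD100%2D%3EX%7CD2%5F%93%E2%C3%2D%DE%5D%BF&ip=223.20.6.237"
               "&port=18447&uploaded=16130235144&downloaded=16130235144"
               "&left=1686119672&numwant=200&key=31538&compact=1")
BENIGN_URI = "/index.php?q=hello"                 # constructed, should pass both rules
ASCII_TRACKER_URI = "/announce?info_hash=abc"     # constructed: valid UTF-8, still a tracker hit

# Regex from the posted rule id 378575, applied after t:urldecode,t:lowercase.
TRACKER_RE = re.compile(r"announce(.php)?\?info_hash=")


def invalid_utf8_arg(query):
    """Approximation of rule 950801 (@validateUtf8Encoding over ARGS).

    Returns the name of the first argument whose URL-decoded value is not
    valid UTF-8, or None. A BitTorrent info_hash is a raw 20-byte SHA-1
    digest, so it is almost never valid UTF-8; that is what the log's
    "invalid byte value in character at ARGS:info_hash" refers to.
    """
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        try:
            unquote_to_bytes(value).decode("utf-8")
        except UnicodeDecodeError:
            return name
    return None


def tracker_rule_matches(request_uri):
    """Rule 378575: urldecode, lowercase, then regex over the whole REQUEST_URI."""
    return TRACKER_RE.search(unquote(request_uri).lower()) is not None


RULES = {
    # rule id: (predicate(path, query, uri), HTTP status returned on deny)
    950801: (lambda path, query, uri: invalid_utf8_arg(query) is not None, 406),
    378575: (lambda path, query, uri: tracker_rule_matches(uri), 411),
}


def evaluate(request_uri, rule_order):
    """Evaluate deny rules in configuration order; the first match wins.

    Returns (rule id, status) or None when nothing denies the request.
    The 406 for 950801 is assumed to come from SecDefaultAction, as in the
    thread's log entry.
    """
    path, _, query = request_uri.partition("?")
    for rule_id in rule_order:
        predicate, status = RULES[rule_id]
        if predicate(path, query, request_uri):
            return (rule_id, status)
    return None


if __name__ == "__main__":
    # CRS rule included first (the situation in the thread): 950801 answers with 406.
    print(evaluate(TRACKER_URI, [950801, 378575]))
    # Custom rule included before the CRS rule: 378575 answers with 411.
    print(evaluate(TRACKER_URI, [378575, 950801]))
    print(evaluate(BENIGN_URI, [950801, 378575]))
    print(evaluate(ASCII_TRACKER_URI, [950801, 378575]))
```

The point the model makes is that both rules match the same request, so only include order decides which id and status you see in the audit log; the custom rule has to be loaded before the CRS file that carries 950801 for its 411 (or drop) to take effect.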
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

For anyone else viewing this thread and new to creating custom Mod_Security rules, note that you can modify/add custom rules through Web Host Manager:

"WHM Home »Security Center » Mod_Security Tools » Edit Rules"
"WHM Home »Security Center » Mod_Security Tools » Add Rule"

Thank you.