Unusually large torrent traffic directed to our server

webstyler

Well-Known Member
Nov 20, 2003
445
0
166
Hi

In the last 24 hours server received a lot of bad traffic

The same issue is explain here:

/http://www.webhostingtalk.com/showthread.php?t=1443734
/http://serverfault.com/questions/656093/mod-security-block-requests-by-http-host-header

So ModSecurty work fine and nder ModSecurity Tools we see blocked

Code:
----------------------------------------
2015-03-07 09:38:49 	eztv.tracker.thepiratebay.org 	111.161.77.198 	WARNING 	406 	
Request:
GET /announce.php?info_hash=%14%9m%E9%89%FA%DF%D5%E5i95%2C%ABU%AC%93ut%12%D9&peer_id=%2DSD100%2D%3EX%7CD2%5F%93%E2%C3%2D%DE%5D%BF&ip=223.20.6.237&port=18447&uploaded=16130235144&downloaded=16130235144&left=1686119672&numwant=200&key=31538&compact=1
Action Description:
Access denied with code 406 (phase 2).
Justification:
Invalid UTF-8 encoding: invalid byte value in character at ARGS:info_hash.
----------------------------------------
But:

1. ok, chinese dns point to this server but there isn't domain configurated, so why reply ??
2. may be better create rule for block ALL request where host "contain" word thepiratebay .. not ??

Thanks
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I created a WHT thread on this, it's discussed in detail here:

Anyone else seeing Pirate Bay traffic directed to their sites? - Hosting Security and Technology - Web Hosting Talk

The traffic has to do with Chinese DNS servers returning seemingly random (and incorrect) IPs for popular domains like piratebay and facebook.

I find this modsec rule to be extremely effective:

Code:
SecRule REQUEST_URI "announce(.php)?\?info_hash=" "t:urldecode,t:lowercase,deny,status:411,id:378575"
If you are getting hit exceptionally hard, you can change the rule above from "deny" to "drop" which will drop the TCP connection instead of returning the 411 page.
 

webstyler

Well-Known Member
Nov 20, 2003
445
0
166
Thanks, but this rules stop before yours

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"

How to give priority to your ?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
You should just need to make sure the new rule appears in the configuration files above/before the old rule. ModSecurity will process the rules in the order they're included.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello,

For anyone else viewing this thread and new to creating custom Mod_Security rules, note that you can modify/add custom rules via through Web Host Manager:

"WHM Home »Security Center » Mod_Security Tools » Edit Rules"
"WHM Home »Security Center » Mod_Security Tools » Add Rule"

Thank you.