Unusually large torrent traffic directed to our server

Discussion in 'Security' started by webstyler, Mar 7, 2015.

  1. webstyler

    webstyler Well-Known Member

    Joined:
    Nov 20, 2003
    Messages:
    432
    Hi

    In the last 24 hours the server has received a lot of bad traffic.

    The same issue is explained here:

    http://www.webhostingtalk.com/showthread.php?t=1443734
    http://serverfault.com/questions/656093/mod-security-block-requests-by-http-host-header

    So ModSecurity works fine, and under ModSecurity Tools we see it blocked:

    Code:
    ----------------------------------------
    2015-03-07 09:38:49 	eztv.tracker.thepiratebay.org 	111.161.77.198 	WARNING 	406 	
    Request:
    GET /announce.php?info_hash=%14%9m%E9%89%FA%DF%D5%E5i95%2C%ABU%AC%93ut%12%D9&peer_id=%2DSD100%2D%3EX%7CD2%5F%93%E2%C3%2D%DE%5D%BF&ip=223.20.6.237&port=18447&uploaded=16130235144&downloaded=16130235144&left=1686119672&numwant=200&key=31538&compact=1
    Action Description:
    Access denied with code 406 (phase 2).
    Justification:
    Invalid UTF-8 encoding: invalid byte value in character at ARGS:info_hash.
    ----------------------------------------
    But:

    1. OK, Chinese DNS points to this server, but there is no domain configured for it, so why does it reply??
    2. Maybe it is better to create a rule to block ALL requests where the host "contains" the word thepiratebay .. no??

    Thanks
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    cPanel Access Level:
    DataCenter Provider
    I created a WHT thread on this, it's discussed in detail here:

    Anyone else seeing Pirate Bay traffic directed to their sites? - Hosting Security and Technology - Web Hosting Talk

    The traffic has to do with Chinese DNS servers returning seemingly random (and incorrect) IPs for popular domains like piratebay and facebook.

    I find this modsec rule to be extremely effective:

    Code:
    SecRule REQUEST_URI "announce(.php)?\?info_hash=" "t:urldecode,t:lowercase,deny,status:411,id:378575"
    
    If you are getting hit exceptionally hard, you can change the rule above from "deny" to "drop" which will drop the TCP connection instead of returning the 411 page.
     
  3. webstyler

    webstyler Well-Known Member

    Joined:
    Nov 20, 2003
    Messages:
    432
    Thanks, but this rule stops it before yours does:

    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"

    How do I give priority to yours?
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    cPanel Access Level:
    DataCenter Provider
    You should just need to make sure the new rule appears in the configuration files above/before the old rule. ModSecurity will process the rules in the order they're included.
     
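As an added example (not code from the thread or from cPanel), here is a ModSecurity 2.x fragment that combines the two ideas above: the Host-header block suggested in the first post and the announce-URI block from the second, written so that ordering against rule 950801 is not an issue. The rule ids 1000001 and 1000002 and the file name are assumptions; pick ids that are free on your server.

```apache
# Added example, not from the thread. Save as e.g. /etc/apache2/conf.d/modsec2.user.conf
# (assumed path) or add it via WHM's Mod_Security Tools.
#
# Both rules run in phase 1 (request headers), so they are evaluated before
# rule 950801, which inspects ARGS in phase 2, no matter which file is included
# first. If you keep them in phase 2 instead, the file must be included before
# the file that contains 950801, because rules in one phase run in include order.

# 1) Block by Host header. The tracker hostnames only resolve to this server
#    because of bad DNS answers, so no legitimate request carries them.
SecRule REQUEST_HEADERS:Host "@contains thepiratebay" \
    "id:1000001,phase:1,t:lowercase,deny,status:403,log,\
    msg:'Tracker traffic: unexpected Host header'"

# 2) Block by URI. Catches announce requests that arrive under any hostname.
#    t:urlDecode first, so an encoded '?' or '=' cannot slip past the regex.
SecRule REQUEST_URI "@rx announce(\.php)?\?info_hash=" \
    "id:1000002,phase:1,t:urlDecode,t:lowercase,deny,status:403,log,\
    msg:'Tracker traffic: announce request'"
```

Under very heavy load, replace `deny,status:403` with `drop` to close the TCP connection instead of sending a response, and consider `nolog` if the blocks flood the error log.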
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    cPanel Access Level:
    Root Administrator
    Hello,

    For anyone else viewing this thread who is new to creating custom Mod_Security rules, note that you can modify or add custom rules through Web Host Manager:

    "WHM Home » Security Center » Mod_Security Tools » Edit Rules"
    "WHM Home » Security Center » Mod_Security Tools » Add Rule"

    Thank you.
     