Unusually large torrent traffic directed to our server
Hi
In the last 24 hours our server received a lot of bad traffic.
The same issue is explained here:
http://www.webhostingtalk.com/showthread.php?t=1443734
http://serverfault.com/questions/656093/mod-security-block-requests-by-http-host-header
So ModSecurity works fine, and under ModSecurity Tools we see the requests blocked.
But: 1. OK, Chinese DNS points to this server, but there is no domain configured here, so why reply?? 2. Maybe it is better to create a rule to block ALL requests where the host "contains" the word thepiratebay... no?? Thanks
----------------------------------------
2015-03-07 09:38:49 eztv.tracker.thepiratebay.org 111.161.77.198 WARNING 406
Request:
GET /announce.php?info_hash=%14%9m%E9%89%FA%DF%D5%E5i95%2C%ABU%AC%93ut%12%D9&peer_id=%2DSD100%2D%3EX%7CD2%5F%93%E2%C3%2D%DE%5D%BF&ip=223.20.6.237&port=18447&uploaded=16130235144&downloaded=16130235144&left=1686119672&numwant=200&key=31538&compact=1
Action Description:
Access denied with code 406 (phase 2).
Justification:
Invalid UTF-8 encoding: invalid byte value in character at ARGS:info_hash.
----------------------------------------
I created a WHT thread on this, it's discussed in detail here: Anyone else seeing Pirate Bay traffic directed to their sites? - Hosting Security and Technology - Web Hosting Talk (http://www.webhostingtalk.com/showthread.php?t=1443734). The traffic has to do with Chinese DNS servers returning seemingly random (and incorrect) IPs for popular domains like piratebay and facebook. I find this modsec rule to be extremely effective: SecRule REQUEST_URI "announce(.php)?\?info_hash=" "t:urldecode,t:lowercase,deny,status:411,id:378575"
If you are getting hit exceptionally hard, you can change the rule above from "deny" to "drop", which will drop the TCP connection instead of returning the 411 page.
Thanks, but this rule stops them before yours: SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'" How do I give priority to yours?
You should just need to make sure the new rule appears in the configuration files above/before the old rule. ModSecurity will process the rules in the order they're included.
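The following custom rules file is an added example, not a configuration posted in this thread. It shows the announce rule from the reply above placed ahead of the Core Rule Set include, plus a Host-header rule for the "block everything containing thepiratebay" idea from the opening post; the file path, the rule id of the Host rule and the CRS include path are assumptions. Both custom rules are tagged phase:1, because ModSecurity runs all phase 1 rules before any phase 2 rule such as the CRS UTF-8 check, whatever the file order.

```apache
# Added example (not from the thread). Custom rules loaded BEFORE the Core
# Rule Set, e.g. /etc/apache2/conf.d/modsec2.user.conf (path is an assumption).

# 1. Tracker announces for torrents that were misdirected here by bad DNS
#    answers: match the URI (after URL-decoding) and drop the TCP connection
#    rather than spend a response on it. Same id as the rule posted above.
SecRule REQUEST_URI "announce(\.php)?\?info_hash=" \
    "id:378575,phase:1,t:urldecode,t:lowercase,drop,log,\
    msg:'BitTorrent tracker announce to misdirected host'"

# 2. Refuse any request whose Host header names the tracker domain at all,
#    whatever the path. Rule id 1000001 is constructed for this example;
#    pick one in your own local range.
SecRule REQUEST_HEADERS:Host "@contains thepiratebay" \
    "id:1000001,phase:1,t:lowercase,deny,status:406,log,\
    msg:'Request for thepiratebay host on this server'"

# 3. Core Rule Set (including rule 950801, @validateUtf8Encoding) is included
#    only after the custom rules, so it never sees requests already handled.
#    Path is a placeholder for your installation's CRS directory.
Include /PLACEHOLDER/path/to/crs/*.conf
```

Check with `apachectl configtest` after editing, and confirm in the ModSecurity audit log that blocked announces now cite id 378575 (or 1000001) instead of 950801.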
Hello, for anyone else viewing this thread who is new to creating custom Mod_Security rules, note that you can modify/add custom rules through Web Host Manager: "WHM Home » Security Center » Mod_Security Tools » Edit Rules" and "WHM Home » Security Center » Mod_Security Tools » Add Rule". Thank you.