mod_security block requests by http-host header
Same issue here. I am using mod_security to block the user-agent
SecRule REQUEST_HEADERS:User-Agent "Bittorrent" "id:10000002,rev:1,severity:2,log,msg:'Bittorrent Hit Detected'"
I would change the log to nolog after you verify it is working to avoid filling up your log file
SecRule REQUEST_HEADERS:User-Agent "Bittorrent" "id:10000002,rev:1,severity:2,nolog,msg:'Bittorrent Hit Detected'"
We are experiencing exactly the same issue with one of our client's sites. I added the following near the top of their :
# Drop Bittorrent agent 2015-01-05 before redirect to https
<IfModule mod_rewrite.c>
RewriteEngine on
# RewriteCond %{HTTP_USER_AGENT} =Bittorrent
RewriteRule ^/announce$ - [F]
RewriteRule ^/announce\.php$ - [F]
</IfModule>
The commented-out RewriteCond can be uncommented to only block a specific user agent. But they have no content at announce or announce.php so we just blocked it all.
I'm having the same issue at the moment, having torrent trackers point at my server. I've experimented with iptables for the past couple of days and inspected headers and patterns of the requests and narrowed it down to a couple of iptables rules that filters pretty much all of the recent seemingly malicious traffic from Asia (China,Malaysia,Japan and Hong Kong).
Below are the rules. Hope it helps someone.
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "Bittorrent" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "spider" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "announce" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "deviantart" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "Bittorrent" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "baidu" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "Baiduspider" --to 1000 -j REJECT
I wrote a blog post about how to properly tell BitTorrent clients to go away and never come back, similar to what Dan did, but using nginx.
server {
location /announc {
access_log off;
error_log off;
default_type text/plain;
return 410 "d14:failure reason13:not a tracker8:retry in5:nevere";
}
}
Torrent trackers (usually) have a standard URL that begins with /announce
or /scrape
, so I wouldn't dismiss filtering by URL so quickly. It works.
The full post is at - http://dvps.me/ddos-attack-by-torrent