Are You Piratebay? thepiratebay.org Resolving to Various Hosts

Published: 2015-01-12. Last Updated: 2015-01-12 23:24:28 UTC
by Johannes Ullrich (Version: 1)
17 comment(s)

Thanks to our reader David for sending us this detect (anonymized):

GET announce?info_hash=....&peer_id=....&ip=....&port=....&uploaded=....&downloaded=....*left=....&numwant=.... HTTP/1.0
Host: a.tracker.thepriatebay.org
User-Agent: Bittorrent
Accept: */*
Connection: closed

David's web server was hit with enough requests like the one above to cause a denial of service. The requests originated from thousands of different IP addresses, all of which appeared to be located in China. A quick Google search revealed that he wasn't alone: other web servers had experienced similar attacks.

Given the host header (and David observed various "thepriatebay.org" host names), it looks like some DNS servers responded with David's IP address if queried for "thepiratebay.org". 

I did a quick check of passive DNS systems and didn't find David's IP. But when I queried Chinese DNS servers for the host name, I received numerous answers. Each answer was only repeated a couple of times, if at all; it looked as if they all returned different IP addresses. US-based DNS servers, on the other hand, usually don't resolve the host name, or respond with 127.0.0.1, a typical blocklisting technique. Only a handful responded with a routable IP address.

Overall, I am not sure what is happening. Looks like a "Chinese firewall" issue to me. But if you have any ideas or packets, please let me know.
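The resolver comparison described above (ask many resolvers for the same name and see whether the answers ever repeat) as an added example; this is not code from the diary or its author. It uses only the Python standard library: it builds a raw A query, parses the reply (including compressed names), and then tallies the answers the way the diary does, separating resolvers that sinkhole the name to 127.0.0.1, resolvers that return nothing, and routable answers, with the share of routable answers seen only once as the "every resolver says something different" signal. The sample response bytes and the per-resolver results are constructed (RFC 5737 documentation addresses, made-up resolver names) so the script runs offline; pass a name and resolver IPs on the command line to query live servers instead.

```python
import ipaddress
import socket
import struct
import sys
from collections import Counter


def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query: standard header (RD=1), one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                 # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                       # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return (rcode, [A-record IPv4 strings]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def query_resolver(resolver, name, timeout=2.0):
    """Send one UDP query to `resolver` and parse the reply (does network I/O)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_a_records(data)


def summarize(results):
    """results: {resolver: (rcode, [ips])}. A blocklisting resolver answers
    127.0.0.1, an honest one fails or gives a consistent address, and a poisoning
    middlebox hands out addresses that hardly ever repeat across resolvers."""
    counts, sinkholed, no_answer = Counter(), [], []
    for resolver, (rcode, ips) in results.items():
        if rcode != 0 or not ips:
            no_answer.append(resolver)
            continue
        addrs = [ipaddress.ip_address(ip) for ip in ips]
        if all(a.is_loopback or a.is_unspecified for a in addrs):
            sinkholed.append(resolver)
            continue
        for a in addrs:
            if not (a.is_loopback or a.is_unspecified or a.is_multicast
                    or a.is_reserved or a.is_link_local):
                counts[str(a)] += 1
    singletons = [ip for ip, n in counts.items() if n == 1]
    return {"sinkholed": sorted(sinkholed), "no_answer": sorted(no_answer),
            "routable_answers": dict(counts),
            "singleton_ratio": len(singletons) / len(counts) if counts else 0.0}


# Constructed sample response (not a capture): thepiratebay.org A -> 127.0.0.1, 198.51.100.7
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"   # id, flags QR/RD/RA, 1 question, 2 answers
    b"\x0cthepiratebay\x03org\x00\x00\x01\x00\x01"        # question: thepiratebay.org A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x7f\x00\x00\x01"   # ptr, A, IN, TTL 60, 127.0.0.1
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc6\x33\x64\x07"   # ptr, A, IN, TTL 60, 198.51.100.7
)

# Constructed per-resolver results (made-up resolver names, RFC 5737 addresses).
SAMPLE_RESULTS = {
    "resolver-cn-1": (0, ["198.51.100.7"]),
    "resolver-cn-2": (0, ["198.51.100.23"]),
    "resolver-cn-3": (0, ["198.51.100.7", "203.0.113.9"]),
    "resolver-cn-4": (0, ["192.0.2.44"]),
    "resolver-us-1": (0, ["127.0.0.1"]),        # blocklisting answer
    "resolver-us-2": (3, []),                    # NXDOMAIN
}

if __name__ == "__main__":
    if len(sys.argv) > 2:                        # python3 this.py NAME RESOLVER_IP...
        name, results = sys.argv[1], {}
        for r in sys.argv[2:]:
            try:
                results[r] = query_resolver(r, name)
            except (OSError, ValueError):
                results[r] = (-1, [])            # timeout or bad reply: count as no answer
    else:
        results = SAMPLE_RESULTS
    print(summarize(results))
```

A high singleton ratio across many resolvers is the pattern the diary describes; a few resolvers agreeing on one routable address is what an honest answer looks like, and the sinkholed list is the 127.0.0.1 blocklisting case.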

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Comments

I had the same problem starting last Friday, the 2nd. Took out a full load balanced cluster of servers.

I ended up fixing it by blocking China *AND* Australian IPs.

The traffic died off this weekend so I unblocked the ranges but am still getting requests, although the servers can now handle it.

The load was so high and the requests were so fast, that even though I 403'd (forbidden) the requests, they still took me offline.

Still haven't been able to figure out what the root cause is but I suspected either a DNS misconfiguration or a posting in a forum somewhere.

Lots of requests for pornographic material also.

Is it piratebay.org or priatebay.org now? If this is not a typo in the diary, it might be something malicious faking lookalike domain names.

We have also been getting a lot of this type of traffic for the last 2 weeks. At moments it causes a total DoS for our webserver. Most of the traffic has thepiratebay as hostname in the http request, but we also see akamai, edgecdn and some more obscure and explicit sites passing in our logs.

To protect our webserver from this traffic we started off with a blacklist in our webfilter, but after it kept using new hostnames we implemented a whitelist of our own domains hosted on the webserver. For now that works at blocking these packets at our perimeter; however, we didn't find the cause of this traffic or how to get it blocked at the source.

--
Arjan
I don't have packets, but I have a lot of logs. From Dec 28 to Jan 5, 7700+ referrers from "tv.cntv.cn" among others; I was trying to figure this out (without much SIEM) when I saw this diary entry. I count 102 instances of the string "tracker.thepiratebay" in the text.

The logs are about 0.5Gb in size. Let me know by email if you want them; I'd love to know what's going on.

We are also seeing this. It first started two weeks ago, and then stuck around for us for two days. Second appearance was for around 10 hours starting at 22:00 US Central Monday Jan 12, and again at 15:30 US Central Jan 13.

Traffic has had piratebay host names, but also a wide variety of other sources. Those include Bloomberg and several sites with .xxx URLs, so there's no clear rhyme or reason on that end. We hypothesized that something had gone screwy with the great firewall's blackholing mechanisms, since all of the sources could have been "problematic".

I'm really annoyed I haven't seen any traffic like this on my hosts in Europe. Maybe the IPs are not completely random? But if I did see this, I'd kindly proxy the requests to where they wanted to go ;)

Usually I configure any webserver's first/default vhost as a static page returning only "403 Forbidden"; so that many scans/attacks/noise get handled with almost no resources. That way the real hosted websites require a valid Host: header to access them, like the whitelist Arjan described above. The same is possible if a reverse proxy is being used.
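The Host-header whitelist that Arjan describes, and the default vhost returning 403 in the comment above, turned into log triage as an added example; this is not the commenters' configuration or code. It parses web-server log lines, separates requests for our own host names from misdirected ones, recognizes the tracker announces from the diary's detect (/announce or /announce.php with info_hash, or a BitTorrent client User-Agent), and lists the clients sending enough misdirected requests to be worth dropping at the firewall rather than answering with a 403. The log format (Host header as the first field, then the usual combined-log fields), the host names, the addresses (RFC 5737 ranges) and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed log format (not the commenters' setup): the request's Host header first,
# then client, ident, user, [time], "request", status, bytes, "referer", "user-agent".
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent fragments of common BitTorrent clients (the diary's detect shows "Bittorrent").
TRACKER_AGENTS = ("bittorrent", "utorrent", "transmission", "libtorrent", "deluge")


def normalize_host(host):
    """Lower-case and drop a :port suffix so 'Example.NET:80' matches 'example.net'.
    Bracketed IPv6 literals are not handled; they are never in our whitelist anyway."""
    h = host.lower()
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def is_tracker_announce(target, ua):
    """Tracker announce as in the diary's detect: announce[.php]?info_hash=... or a client UA."""
    parts = urlsplit(target)
    path = parts.path.lstrip("/")            # the diary's detect had no leading slash
    by_path = path.startswith("announce") and "info_hash=" in parts.query
    by_agent = any(a in ua.lower() for a in TRACKER_AGENTS)
    return by_path or by_agent


def triage(log_text, allowed_hosts, block_threshold=2):
    """Classify each line as own / misdirected_tracker / misdirected_other / unparsed and
    return counts plus the misdirected clients that reached `block_threshold` requests."""
    allowed = {normalize_host(h) for h in allowed_hosts}
    counts, by_host, by_client = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        host = normalize_host(m["host"])
        if host in allowed:                  # the whitelist: our own vhosts
            counts["own"] += 1
            continue
        by_host[host] += 1                   # everything else hit the default vhost
        by_client[m["client"]] += 1
        if is_tracker_announce(m["target"], m["ua"]):
            counts["misdirected_tracker"] += 1
        else:
            counts["misdirected_other"] += 1
    return {
        "own": counts["own"],
        "misdirected_tracker": counts["misdirected_tracker"],
        "misdirected_other": counts["misdirected_other"],
        "unparsed": counts["unparsed"],
        "by_host": by_host,
        "by_client": by_client,
        "block_candidates": sorted(c for c, n in by_client.items() if n >= block_threshold),
    }


# Constructed sample lines (not real log data); www.example.net stands in for our own site.
ALLOWED_HOSTS = ["www.example.net", "example.net"]
SAMPLE_LOG = """\
a.tracker.thepiratebay.org 203.0.113.10 - - [12/Jan/2015:10:00:01 +0000] "GET /announce?info_hash=AAAAAAAAAAAAAAAAAAAA&peer_id=-UT3400-constructed0&port=6881&left=0 HTTP/1.0" 403 199 "-" "Bittorrent"
www.example.net 198.51.100.5 - - [12/Jan/2015:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
cdn.example.com 203.0.113.11 - - [12/Jan/2015:10:00:02 +0000] "GET /live/ HTTP/1.1" 403 199 "http://cdn.example.com/" "Mozilla/5.0"
a.tracker.thepiratebay.org 203.0.113.10 - - [12/Jan/2015:10:00:03 +0000] "GET announce.php?info_hash=BBBBBBBBBBBBBBBBBBBB&peer_id=-UT3400-constructed1&port=6881&left=0 HTTP/1.0" 403 199 "-" "Bittorrent"
Www.Example.NET:80 203.0.113.12 - - [12/Jan/2015:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ALLOWED_HOSTS)
    for key in ("own", "misdirected_tracker", "misdirected_other", "unparsed"):
        print(f"{key}: {result[key]}")
    print("misdirected by host:", dict(result["by_host"]))
    print("block candidates:", result["block_candidates"])
```

The point of tallying by client rather than only returning 403 is the one the thread makes: a cheap 403 still costs a connection and a log line per request, so once a client has sent a handful of misdirected requests it is better handled by a DROP rule fed from this list.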

403 Forbidden on the default vhost is exactly how I had it set up, and the traffic still overwhelmed my entire HA cluster.

When I blocked AU and CN addresses, I used the LOG then DROP for later analysis and almost took my head end router offline with a skyrocketing load due to the enormous logging. I finally had to simply DROP the packets and slowly back away.....

Did anybody that saw the torrent tracker logs also see alerts or logs suggesting a SYN flood attack? Out of curiosity, were the servers you saw the traffic on business or personal web servers? If business, what industry?

For me, I did see logs of possible SYN flooding at the same time as the torrent tracker traffic and the server was for a company in banking.

Anonymous: yes it would look like a SYN flood; the Linux kernel would write a log message about it and may begin to use syncookies or something.

also FireStorm9: I wonder why you both were hit so hard by this, and myself not at all. Did the targeted machine have many IPs?

-m limit is advisable whenever you -j LOG. But if you just want to collect a list of IPs matching a rule, ipt_recent should be more efficient (storing them in a hashtable rather than as text via printk+syslog), you can read the list from a file somewhere under /proc, or you can easily match on the collected IPs with other rules.

[quote=comment#33037]Anonymous:

also FireStorm9: I wonder why you both were hit so hard by this, and myself not at all. Did the targeted machine have many IPs?

[/quote]

No. I only have a small subset of my /24 on the HA cluster and they're only hitting one IP. I got hammered again Sunday night and needed to re-lock out China.

I'm starting to be more selective and take out the majority of the abusers, but it sure is a lot of traffic to block -- it's not all bittorrent attempts either -- lots of pornography referrals and wordpress referrals. I understand the referrer can be spoofed so I don't place too much credibility on it, but the actual requests are targeting wordpress as well as the announce/announce.php requests.

[quote=comment#33037]Anonymous:

-m limit is advisable whenever you -j LOG. But if you just want to collect a list of IPs matching a rule, ipt_recent should be more efficient (storing them in a hashtable rather than as text via printk+syslog), you can read the list from a file somewhere under /proc, or you can easily match on the collected IPs with other rules.

[/quote]

That's a great suggestion. Too late for me, as I figured out a work around. I'll utilize that next time.

The 'net sure is getting to be an extraordinarily hostile environment. :(

Thanks for the replies.
