Are You Piratebay? thepiratebay.org Resolving to Various Hosts
Thanks to our reader David for sending us this detect (anonymized):
GET announce?info_hash=....&peer_id=....&ip=....&port=....&uploaded=....&downloaded=....*left=....&numwant=.... HTTP/1.0
Host: a.tracker.thepriatebay.org
User-Agent: Bittorrent
Accept: */*
Connection: closed
David's web server was hit with enough requests like the one above to cause a denial of service. The requests originated from thousands of different IP addresses, all of which appear to be located in China. A quick Google search revealed that he wasn't alone: other web servers experienced similar attacks.
Given the host header (and David observed various "thepriatebay.org" host names), it looks like some DNS servers responded with David's IP address if queried for "thepiratebay.org".
I did a quick check of passive DNS systems, and didn't find David's IP. But when I queried Chinese DNS servers for the host name, I received numerous answers. Each answer was only repeated a couple of times, if at all. It sort of looked like they all returned different IP addresses. US-based DNS servers, on the other hand, usually don't resolve the host name, or respond with 127.0.0.1, a typical blocklisting technique. Only a handful responded with a routable IP address.
Overall, I am not sure what is happening. Looks like a "Chinese firewall" issue to me. But if you have any ideas or packets, please let me know.
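The Host-header observation above can be checked against a server's own logs. The following is an added example, not part of the original diary: it tallies requests whose Host value is not one of the server's own names and counts how many of them are tracker announces. The log format, the example.com names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed log format (constructed, not from the diary):
#   <Host header> <client IP> "<request line>" <status>
# e.g. Apache: LogFormat "%{Host}i %a \"%r\" %>s"

# usage: foreign_hosts NAME [NAME...] < access.log
# Prints "requests distinct_ips announces host" for every Host value that
# is not one of our own names, busiest first.
foreign_hosts() {
    awk -v allow="$*" '
    BEGIN {
        n = split(tolower(allow), a, " ")
        for (i = 1; i <= n; i++) ours[a[i]] = 1
    }
    {
        host = tolower($1)
        sub(/:[0-9]+$/, "", host)            # ignore an optional :port
        if (host in ours) next               # legitimate virtual host
        req[host]++
        if (!((host, $2) in seen)) { seen[host, $2] = 1; ips[host]++ }
        path = $4
        sub(/\?.*/, "", path)                # drop the query string
        if (path ~ /^\/?announce(\.php)?$/) ann[host]++   # tracker announce
    }
    END {
        for (h in req) printf "%d %d %d %s\n", req[h], ips[h], ann[h] + 0, h
    }' | sort -k1,1nr -k4,4
}

# Constructed sample log lines (documentation address ranges).
sample_log() {
    cat <<'EOF'
www.example.com 192.0.2.10 "GET /index.html HTTP/1.1" 200
a.tracker.thepriatebay.org 198.51.100.7 "GET announce?info_hash=x HTTP/1.0" 403
a.tracker.thepriatebay.org 198.51.100.7 "GET /announce?info_hash=y HTTP/1.0" 403
a.tracker.thepriatebay.org 203.0.113.9 "GET /announce.php?info_hash=z HTTP/1.0" 403
tracker.example.net 203.0.113.9 "GET /wp-login.php HTTP/1.1" 403
WWW.Example.com:80 192.0.2.11 "GET / HTTP/1.1" 200
EOF
}

sample_log | foreign_hosts www.example.com example.com
```

A high request count spread over many distinct addresses for a name the server never hosted points to misdirected resolution rather than a single misbehaving client.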
Comments
I ended up fixing it by blocking China *AND* Australian IPs.
The traffic died off this weekend so I unblocked the ranges but am still getting requests, although the servers can now handle it.
The load was so high and the requests were so fast, that even though I 403'd (forbidden) the requests, they still took me offline.
Still haven't been able to figure out what the root cause is but I suspected either a DNS misconfiguration or a posting in a forum somewhere.
Lots of requests for pornographic material also.
Anonymous
Jan 13th 2015
9 years ago
Anonymous
Jan 13th 2015
9 years ago
To protect our webserver from this traffic we started off with a blacklist in our webfilter, but since it keeps using new hostnames we have now implemented a whitelist of our own domains hosted on the webserver. For now that works at blocking these packets at our perimeter; however, we didn't find the cause of this traffic or how to get it blocked at the source.
--
Arjan
Anonymous
Jan 13th 2015
9 years ago
The logs are about 0.5Gb in size. Let me know by email if you want them; I'd love to know what's going on.
Anonymous
Jan 13th 2015
9 years ago
Traffic has had piratebay host names, but also a wide variety of other sources. Those include Bloomberg and several sites with .xxx URLs, so there's no clear rhyme or reason on that end. We hypothesized that something had gone screwy with the great firewall's blackholing mechanisms, since all of the sources could have been "problematic".
Anonymous
Jan 13th 2015
9 years ago
Usually I configure any webserver's first/default vhost as a static page returning only "403 Forbidden"; so that many scans/attacks/noise get handled with almost no resources. That way the real hosted websites require a valid Host: header to access them, like the whitelist Arjan described above. The same is possible if a reverse proxy is being used.
Anonymous
Jan 14th 2015
9 years ago
When I blocked AU and CN addresses, I used the LOG then DROP for later analysis and almost took my head end router offline with a skyrocketing load due to the enormous logging. I finally had to simply DROP the packets and slowly back away.....
Anonymous
Jan 14th 2015
9 years ago
For me, I did see logs of possible SYN flooding at the same time as the torrent tracker traffic and the server was for a company in banking.
Anonymous
Jan 15th 2015
9 years ago
also FireStorm9: I wonder why you both were hit so hard by this, and myself not at all. Did the targeted machine have many IPs?
-m limit is advisable whenever you -j LOG. But if you just want to collect a list of IPs matching a rule, ipt_recent should be more efficient (storing them in a hashtable rather than as text via printk+syslog), you can read the list from a file somewhere under /proc, or you can easily match on the collected IPs with other rules.
Anonymous
Jan 16th 2015
9 years ago
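Added example (not written by the commenters or the diary author) of the rate-limited LOG and recent-list approach described in the comment above. The chain name NOISE, the list name tracker_noise, the 6/minute limit and the documentation address ranges are assumptions; by default the script only prints the commands instead of installing them.

```shell
#!/bin/sh
# Added example. IPT defaults to a dry run that only prints the commands;
# run with IPT=iptables (as root) to install them.
IPT=${IPT:-echo iptables}
LIST=tracker_noise        # name of the recent-module list (assumed)

# usage: install_rules CIDR [CIDR...]
install_rules() {
    $IPT -N NOISE
    # 1. Remember the source address in a kernel hash table (no text logging).
    $IPT -A NOISE -m recent --name "$LIST" --set
    # 2. Log only a sample: at most 6 lines per minute after a burst of 10,
    #    so a flood cannot turn into a logging flood.
    $IPT -A NOISE -m limit --limit 6/minute --limit-burst 10 \
         -j LOG --log-prefix "noise: "
    # 3. Everything that reaches this chain is dropped.
    $IPT -A NOISE -j DROP
    # Send port-80 traffic from the chosen ranges into the chain.
    for cidr in "$@"; do
        $IPT -A INPUT -p tcp --dport 80 -s "$cidr" -j NOISE
    done
}

# usage: collected_ips [FILE]   (prints one address per line)
# The list is exposed under /proc/net/xt_recent/ on current kernels
# (older kernels used /proc/net/ipt_recent/); entries start with "src=".
collected_ips() {
    sed -n 's/^src=\([^ ]*\) .*/\1/p' "${1:-/proc/net/xt_recent/$LIST}"
}

# Dry run with constructed ranges: prints the six iptables commands.
install_rules 198.51.100.0/24 203.0.113.0/24
```

The recent module keeps only 100 addresses per list by default (module parameter ip_list_tot), so raise it when loading the module if thousands of sources are expected.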
[quote]
also FireStorm9: I wonder why you both were hit so hard by this, and myself not at all. Did the targeted machine have many IPs?
[/quote]
No. I only have a small subset of my /24 on the HA cluster and they're only hitting one IP. I got hammered again Sunday night and needed to re-lock out China.
I'm starting to be more selective and take out the majority of the abusers, but it sure is a lot of traffic to block -- it's not all bittorrent attempts either -- lots of pornography referrals and WordPress referrals. I understand the referrer can be spoofed so I don't place too much credibility on it, but the actual requests are targeting WordPress as well as the announce/announce.php requests.
[quote=comment#33037]Anonymous:
-m limit is advisable whenever you -j LOG. But if you just want to collect a list of IPs matching a rule, ipt_recent should be more efficient (storing them in a hashtable rather than as text via printk+syslog), you can read the list from a file somewhere under /proc, or you can easily match on the collected IPs with other rules.
[/quote]
That's a great suggestion. Too late for me, as I figured out a workaround. I'll utilize that next time.
The 'net sure is getting to be an extraordinarily hostile environment. :(
Thanks for the replies.
Anonymous
Jan 20th 2015
9 years ago