  1. #1
    Join Date
    Jun 2014
    Posts
    57

    Anyone else seeing Pirate Bay traffic directed to their sites?

    I was working on a site today that was receiving unusually large amounts of traffic. The site is not (nor has it ever been) affiliated with any torrenting.

    We noticed in the domlogs lots of requests like this:
    Code:
    113.x.x.x - - [05/Jan/2015:19:36:24 -0500] "GET /announce?info_hash=%92%DA%9E%99%26%0B%00%5E%E2%93%1A%B1%5F%EB%17%0EH%06%FB%90&peer_id=%2DSD0100%2D%B3%96%B1%9A%E3%B0s%2Fow%A9%C2&ip=117.x.x.x&port=10135&uploaded=380633088&downloaded=380633088&left=3035627520&numwant=200&key=19853&compact=1 HTTP/1.0" 404 329 "-" "Bittorrent"
    (I munged the IPs as none of the IPs in that entry are mine anyway)

    So, I made a quick modsec rule to block it (feel free to steal it):
    Code:
    SecRule REQUEST_URI "announce(.php)?\?info_hash=" "t:urldecode,t:lowercase,deny,status:411,id:378575"
    When I check the logs, I get stuff like this:
    Code:
    [Mon Jan 05 19:29:33.468142 2015] [:error] [pid 665532:tid 140627564033792] [client 101.x.x.x] ModSecurity: Access denied with code 411 (phase 2). Pattern match "announce\\\\?info_hash=" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "200"] [id "378575"] [hostname "tracker.thepiratebay.org"] [uri "/announce"] [unique_id "VKssbUWnp5QACie84zsAAAAC"]
    So it's coming in with a host header of tracker.thepiratebay.org. Other requests have that, as well as other hostnames like a.tracker.thepiratebay.org, btrs-atrack.appspot.com, and tpb.tracker.thepiratebay.org.

    Anyone else seeing anything like this? Any ideas why BT clients would be checking someone's random blog site for torrent tracking? tracker.thepiratebay.org doesn't even resolve, and it certainly doesn't resolve to my customer's server.
    Last edited by bear; 01-06-2015 at 01:05 PM. Reason: formatting

  2. #2
    Yesterday, and the day before, I too saw bursts of traffic with host headers of thepiratebay, gavatar, edgcastcdn, appspot.com etc. (many hostnames); at the peak there were around 4000 HTTP requests a second, which is a reasonable L7 HTTP flood...

    Could you share what the blog's contents were, and whether it was the only site on that IP address that was flooded?

  3. #3
    Join Date
    Nov 2007
    Location
    New Jersey, USA
    Posts
    4,740
    I've noticed this from users posting on other forums, it's fairly interesting. I wonder what is causing this.

    - Daniel

  4. #4
    Same here on multiple servers.

    I ended up blocking all those requests with mod_security

    Here's the solution at serverfault (I cannot post the full url...)
    /questions/656093/mod-security-block-requests-by-http-host-header

    It seems that there's some kind of DNS cache poisoning in China (what a surprise) causing thousands of BitTorrent clients to send announce requests to completely unrelated servers.

    I wonder why they did this...

  5. #5
    Join Date
    Jun 2014
    Posts
    57
    There are several ways to block this with modsec. Host header works, user agent works, request uri (like I used) works just fine.

    FWIW this customer's site was on their own dedicated IP, no other domains on that IP.

  6. #6
    Join Date
    Jun 2014
    Posts
    57
    This has tailed off a little bit. About 11,000 requests have been blocked by ModSecurity since last night.

    CSF/LFD have been blocking repeat offenders; every single IP blocked for repeat offenses (about 1000 IPs) has indeed been from China, so the DNS Cache poisoning in that region is certainly a plausible explanation.

  7. #7
    Join Date
    Jan 2015
    Location
    Chicago
    Posts
    37

    csf tactic

    Had to battle this on a cpanel server with csf and no mod_security:

    Code:
    # Run from /usr/local/apache/domlogs, where cPanel keeps the per-domain access logs
    > /etc/csf/csf.deny        # NB: this empties the deny list, dropping any entries already in it
    killall httpd
    grep "announce?info_hash" domain.com \
        | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2}' \
        >> /etc/csf/csf.deny   # one offending client IP per line, most active first
    csf -r
    service httpd start
    Came in at around 7K IPs.
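The detection that the ModSecurity rule in post #1 and the grep/awk one-liner in post #7 both perform, run over sample log lines as an added Python example (not code from the thread): it parses Apache combined-format lines, identifies tracker announces by an anchored `/announce` path plus a 20-byte `info_hash`, decodes the binary hash and the peer_id client tag, counts hits per client IP, and emits entries in the `IP # comment` form csf.deny accepts. The log lines are constructed for the example, modelled on the entry in post #1 with placeholder IPs; the threshold value, the comment text and all function names are the example's own choices.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_to_bytes

# Apache "combined" format as written to cPanel's domlogs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Anchored so a legitimate /announcements/ page is not mistaken for a tracker hit.
ANNOUNCE_PATH = re.compile(r'^/announce(\.php)?$')

# Constructed sample lines modelled on post #1 (placeholder IPs, not real clients).
SAMPLE_LOG = """\
113.0.0.1 - - [05/Jan/2015:19:36:24 -0500] "GET /announce?info_hash=%92%DA%9E%99%26%0B%00%5E%E2%93%1A%B1%5F%EB%17%0EH%06%FB%90&peer_id=%2DSD0100%2D%B3%96%B1%9A%E3%B0s%2Fow%A9%C2&ip=117.0.0.1&port=10135&uploaded=380633088&downloaded=380633088&left=3035627520&numwant=200&key=19853&compact=1 HTTP/1.0" 404 329 "-" "Bittorrent"
113.0.0.1 - - [05/Jan/2015:19:36:31 -0500] "GET /announce?info_hash=%92%DA%9E%99%26%0B%00%5E%E2%93%1A%B1%5F%EB%17%0EH%06%FB%90&peer_id=%2DSD0100%2D%B3%96%B1%9A%E3%B0s%2Fow%A9%C2&port=10135&compact=1 HTTP/1.0" 404 329 "-" "Bittorrent"
101.0.0.2 - - [05/Jan/2015:19:36:40 -0500] "GET /announce.php?info_hash=%00%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13&peer_id=%2DUT3320%2D0123456789ab&port=6881&compact=1 HTTP/1.1" 404 329 "-" "uTorrent/3320"
198.51.100.7 - - [05/Jan/2015:19:37:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2015:19:37:05 -0500] "GET /announcements/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def raw_query(query):
    """Percent-decode a query string into {name: bytes}.

    parse_qs() would decode values as UTF-8 and mangle the binary info_hash,
    so the splitting is done by hand and the values are kept as raw bytes."""
    out = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        out[unquote_to_bytes(key).decode("ascii", "replace")] = unquote_to_bytes(value)
    return out


def announce_info(entry):
    """Return details of a BitTorrent tracker announce, or None for any other request."""
    parts = urlsplit(entry["uri"])
    if not ANNOUNCE_PATH.match(parts.path):
        return None
    q = raw_query(parts.query)
    info_hash = q.get("info_hash")
    if info_hash is None or len(info_hash) != 20:  # the info_hash is a raw 20-byte SHA-1
        return None
    return {
        "info_hash": info_hash.hex(),
        # Azureus-style peer_id starts with a "-XX1234-" client/version tag.
        "client": q.get("peer_id", b"")[:8].decode("ascii", "replace"),
        "user_agent": entry["ua"],
    }


def repeat_offenders(lines, threshold=3):
    """Client IPs that sent at least `threshold` announce requests, sorted."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and announce_info(entry) is not None:
            hits[entry["ip"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def csf_deny_lines(ips, comment="misdirected BitTorrent announce"):
    """Entries in the 'IP # comment' form csf.deny uses, meant to be appended, not to
    replace the file (the one-liner above truncates csf.deny first)."""
    return [f"{ip} # {comment}" for ip in ips]


if __name__ == "__main__":
    for line in csf_deny_lines(repeat_offenders(SAMPLE_LOG.splitlines(), threshold=2)):
        print(line)
```

The threshold is what distinguishes this from the one-liner in post #7, which bans every IP that ever announced; a client that hit a poisoned record once will usually move on, while the ones worth banning keep re-announcing every interval. Appending the generated lines to csf.deny (rather than `>` first) keeps whatever was already blocked.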

  8. #8
    Yes. I got crushed Friday, Saturday and Sunday on one IP. Brought server down continuously. Softlayer was responsive but ultimately had no solution that worked. I finally just ditched that IP address.

  9. #9
    Join Date
    Feb 2005
    Location
    localhost
    Posts
    5,473
    Maybe the IPs were used by the Pirate Bay in the past?
    Respectfully,
    Mr. Terrence

  10. #10
    Join Date
    Jun 2014
    Posts
    57
    Quote Originally Posted by Mr Terrence View Post
    Maybe the IPs were used by the Pirate Bay in the past?
    In our case, not a chance. We keep a log of every account that has ever had an IP address. I can look up any IP under our control and see every server it's ever been assigned to.

    It was very easy and effective to defend it with ModSecurity, thankfully. I set the status of the rule to 411, and then made an .htaccess file with "errordocument 411 default". This way all the requests got a very small text response rather than the CMS doing its standard 404 handling that involves a PHP process. Once CSF/LFD kicked in, the IPs that were repeat offenders got blocked quickly.

  11. #11
    Seen this as well. Did not have any crashes or slowness on any of the sites or servers but did see all the hits.

  12. #12
    Join Date
    Jun 2014
    Posts
    57
    I find most server load caused by attacks like this is from custom 404 handling. If a site has a small static 404 page, it can ride these out pretty well without intervention for the most part. If the site is dynamic and uses PHP/MySQL to render a big page for 404s, it's easy to cause a ton of load with misdirected requests.

  13. #13

    torrents attacking our websites! :/

    Just had this happen to a customer of ours, we blocked it with a quick return in nginx and I even elaborated a bit and added anti-torrent code, but they still keep coming.

    nginx snippet -

    Code:
    server {
        # Prefix match: catches /announce, /announce.php and anything else under /announc
        location /announc {
            access_log off;             # keep the flood out of the access log
            error_log /dev/null crit;   # "error_log off" would log to a file literally named "off"
            default_type text/plain;
            # Bencoded tracker error; a well-behaved client reads "failure reason" and stops
            return 404 "d14:failure reason13:not a tracker8:retry in5:nevere";
        }
    }
    The blog post about this that we wrote is at dvps.me/ddos-attack-by-torrent
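The response body in the nginx snippet above is bencoded, the encoding trackers use for announce responses (BEP 3). As an added example, not code from the post or the linked write-up, here is a small Python bencode encoder/decoder that rebuilds that exact body from a dictionary and shows how a client interprets it: a "failure reason" key means the announce failed, so any peer list is ignored and the client has nothing to retry. `NGINX_BODY`, `tracker_error` and `announce_outcome` are the example's own names; the body bytes are copied from the snippet, not captured from a server.

```python
# The body the nginx rule returns, as bytes (copied from the snippet above).
NGINX_BODY = b"d14:failure reason13:not a tracker8:retry in5:nevere"


def bencode(obj):
    """Encode int / bytes / str / list / dict into bencode (BEP 3)."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # BEP 3 requires dictionary keys to be byte strings, emitted in sorted order.
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data):
    """Decode one complete bencoded value; reject trailing or truncated input."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def _decode(data, i):
    c = data[i:i + 1]
    if c == b"i":                       # integer: i<digits>e
        j = data.index(b"e", i)
        return int(data[i + 1:j]), j + 1
    if c == b"l":                       # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                       # dict: d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            if not isinstance(k, bytes):
                raise ValueError("dictionary key must be a byte string")
            v, i = _decode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():                     # byte string: <length>:<bytes>
        j = data.index(b":", i)
        n = int(data[i:j])
        s = data[j + 1:j + 1 + n]
        if len(s) != n:
            raise ValueError("truncated byte string")
        return s, j + 1 + n
    raise ValueError(f"bad bencode at offset {i}")


def tracker_error(reason, retry_in=None):
    """Build a tracker error body like the one the nginx rule hard-codes."""
    d = {"failure reason": reason}
    if retry_in is not None:
        d["retry in"] = retry_in
    return bencode(d)


def announce_outcome(body):
    """How a client reads an announce response: 'failure reason' present means the
    announce failed and nothing else in the dict is used; otherwise the interval applies."""
    d = bdecode(body)
    if b"failure reason" in d:
        return ("failed", d[b"failure reason"].decode("utf-8", "replace"))
    return ("ok", d.get(b"interval"))


if __name__ == "__main__":
    print(tracker_error("not a tracker", "never") == NGINX_BODY)   # True
    print(announce_outcome(NGINX_BODY))                              # ('failed', 'not a tracker')
```

The "retry in" key is not part of BEP 3; clients that do not know it simply ignore it, and the failure reason alone is what makes them stop treating the host as a tracker. The decoder's length checks matter more than they look: a tracker response arrives from an untrusted peer network, so a truncated or oversized string declaration is rejected instead of being read past the buffer.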

  14. #14
    Join Date
    Jun 2014
    Posts
    57
    Nice write-up

    You think that this is intentional then, that people are adding bad trackers/data to torrents/magnet links so they can DDoS people? According to our network admins, and now to me after testing, I think it's DNS cache poisoning. Our network admins queried some of the domain names we saw in the host headers at Chinese DNS servers, e.g.

    Code:
    dig a.tracker.thepiratebay.org  @some.chinese.isp.nameserver
    He got back random differing records from the nameservers. His conclusion was that someone is poisoning DNS cache, not messing with the torrent files or magnet links themselves.

    I tested his theory, I took this list of CN nameservers: http://public-dns.tk/nameserver/cn.txt and put that as a file called "list," and ran this:

    Code:
    # One query per CN resolver in "list"; a consistent DNS would print the same A record each time
    while read -r ns; do
        dig +short a.tracker.thepiratebay.org "@$ns"
    done < list
    All the IPs returned as A records for a.tracker.thepiratebay.org were different.
    Last edited by quizknows; 01-22-2015 at 08:56 PM.

  15. #15
    You are right, I got that figured out as well.

    Quote Originally Posted by quizknows View Post
    All the IPs returned as A records for a.tracker.thepiratebay.org were different.
    According to viewdns.info/research/dns-cache-poisoning-in-the-peoples-republic-of-china you can also dig the same dns server multiple times, and there is a different result each time.

    also discussed on serverfault.com/questions/656093

  16. #16
    And mentioned at furbo.org/2015/01/22/fear-china/

    As well as infosecurity-magazine.com/news/great-firewall-upgrade-redirects/
