How to block stagefright DOS attack based on agent type

Posted: 26 Jun 2019, 06:13
by kmp
The server is receiving repeated connections which look like DoS attempts and seem to be generated from some exploit, possibly Android Stagefright. Blocking IP addresses does not seem to help as new IPs appear every day, and this is resulting in heavy use of bandwidth. See sample logs below. Please advise how such connections can be blocked based on user agent or any other way. (I have disabled access to the audio folder and hence the connections are now returning 404; otherwise my bandwidth was being utilised.)
115.186.117.36 - - [25/Jun/2019:16:15:05 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:05 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:06 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:07 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:07 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:08 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:09 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:09 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:10 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:11 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"

Re: How to block stagefright DOS attack based on agent type

Posted: 26 Jun 2019, 13:28
by kmp
Used the following mod_security rule to block; successful.

SecRule REQUEST_HEADERS:User-Agent "@rx (?:stagefright)" "msg:'stagefright blocked',phase:1,log,id:7777771,t:none,block,status:403"

I use cPanel so it was easy to do it in WHM - Security Center - ModSecurity™ Tools - Add Rule.

Also added a .htaccess rule:
# BLOCK USER AGENTS
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} stagefright [NC]
RewriteRule !^robots\.txt$ - [F]
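As an added example, not part of either post: a small Python script that parses combined-format Apache log lines (the sample lines are constructed, modelled on the logs above), counts hits and bytes served per client/User-Agent pair so a flood stands out before a block is written, and checks each agent against the rule's `(?:stagefright)` pattern. One caveat worth seeing in code: ModSecurity `@rx` with `t:none` is case-sensitive, while the `.htaccess` `RewriteCond` uses `[NC]`, so the two rules do not match exactly the same agents.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's combined-format Apache logs
# (one flooding client, one normal browser, one mixed-case agent that the
# case-sensitive rule would miss).
SAMPLE_LOG = """\
115.186.117.36 - - [25/Jun/2019:16:15:05 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:05 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:06 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
203.0.113.7 - - [25/Jun/2019:16:15:06 +0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0"
198.51.100.9 - - [25/Jun/2019:16:15:07 +0400] "GET /audio/file.mp3 HTTP/1.1" 200 3145728 "-" "Stagefright/1.2 (Linux;Android 8.1)"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Return one dict per well-formed line; a '-' size (404 with no body) becomes 0."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["size"] = 0 if row["size"] == "-" else int(row["size"])
            rows.append(row)
    return rows

def summarise(rows, min_hits=3):
    """Hits and bytes served per (ip, user-agent); 'flood' marks pairs at or above min_hits."""
    hits, size = Counter(), Counter()
    for r in rows:
        key = (r["ip"], r["ua"])
        hits[key] += 1
        size[key] += r["size"]
    return {k: {"hits": n, "bytes": size[k], "flood": n >= min_hits} for k, n in hits.items()}

def rule_matches(ua, case_insensitive=False):
    """Apply the post's @rx pattern. ModSecurity @rx with t:none is case-sensitive;
    the .htaccess RewriteCond with [NC] is not, so both behaviours are selectable."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(r"(?:stagefright)", ua, flags) is not None

if __name__ == "__main__":
    for (ip, ua), stats in summarise(parse(SAMPLE_LOG)).items():
        print(ip, stats, "@rx:", rule_matches(ua), "[NC]:", rule_matches(ua, True), ua)
```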