Resisting DDoS attack from redirected BitTorrent hits
Posted: 24 Jan 2015, 19:20
Our server has been under repeated 'attacks' from overwhelming port flooding and syn flooding and http requests. Installed CSF last week and successfully blocked the syn attacks and was able to deny certain httpd IP addresses that caused most of the issues. All good.
This week - the attack resumed. This time it was more or less focused on httpd. And too many different IPs to effectively block. (Most from China - but blocking China didn't really help).
The most common http request was one of these:
GET /announce?info_hash=%A8rJW%5B9X%1F%D0%BD%BC%2F%D4%E8R%E5%C6
GET /announce.php?info_hash=lh%7F%0Ex%9A%08a%AAb%40S%AEi%E87%3D
I take it that these are BitTorrent requests and that somehow the attacker has gotten client BT requests redirected to targets like ours. I can block these in mod_security2 I think - but can I also block them upstream (in CSF)? If so, I couldn't figure that out. (but very much a CSF novice).
Any advice welcomed.
Cheers,
Bill
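As an added example (not from the original post or from the CSF/ModSecurity projects): the request lines above are tracker announces, recognisable by the `/announce` or `/announce.php` path plus an `info_hash` query parameter. The script below parses Apache combined-format access log lines, counts announce hits per client IP, and lists the IPs that exceed a threshold, ready to be fed to CSF's `csf -d <IP> [comment]` deny command. The log lines are constructed for the example (the 404 status and the 203.0.113.x / 198.51.100.x documentation addresses are assumptions), and the threshold of 2 is just for the demo; on a real server you would read the live log and pick a threshold that legitimate visitors never reach.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample of Apache "combined" log lines. The two announce
# requests are the ones quoted in the post; the others are filler.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jan/2015:19:20:01 +0000] "GET /announce?info_hash=%A8rJW%5B9X%1F%D0%BD%BC%2F%D4%E8R%E5%C6 HTTP/1.1" 404 215 "-" "-"
203.0.113.10 - - [24/Jan/2015:19:20:02 +0000] "GET /announce.php?info_hash=lh%7F%0Ex%9A%08a%AAb%40S%AEi%E87%3D HTTP/1.1" 404 215 "-" "-"
198.51.100.7 - - [24/Jan/2015:19:20:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
203.0.113.10 - - [24/Jan/2015:19:20:04 +0000] "GET /announce?info_hash=%A8rJW%5B9X%1F%D0%BD%BC%2F%D4%E8R%E5%C6&peer_id=abc HTTP/1.1" 404 215 "-" "-"
198.51.100.7 - - [24/Jan/2015:19:20:05 +0000] "GET /announce?info_hash=%A8rJW%5B9X%1F HTTP/1.1" 404 215 "-" "-"
"""

# Client IP, timestamp, then the quoted "METHOD TARGET PROTOCOL" request
# and the 3-digit status. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ANNOUNCE_PATHS = ("/announce", "/announce.php")


def is_tracker_announce(target):
    """True if the request target looks like a BitTorrent tracker announce:
    an announce path carrying an info_hash query parameter.
    The raw info_hash bytes are not valid UTF-8, so parse_qs is left at its
    default errors='replace' and we only test for the key's presence."""
    parts = urlsplit(target)
    if parts.path not in ANNOUNCE_PATHS:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return "info_hash" in query


def announce_hits_per_ip(lines):
    """Count tracker-announce requests per client IP over the given log lines.
    Lines that do not parse as combined-format entries are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_tracker_announce(m.group("target")):
            counts[m.group("ip")] += 1
    return counts


def offenders(lines, threshold):
    """Sorted list of IPs with at least `threshold` announce hits."""
    return sorted(ip for ip, n in announce_hits_per_ip(lines).items() if n >= threshold)


def csf_deny_commands(ips, comment="BitTorrent announce flood"):
    """Render one `csf -d` (permanent deny) command per offending IP.
    Review the list before running it; the comment ends up in csf.deny."""
    return ['csf -d %s "%s"' % (ip, comment) for ip in ips]


if __name__ == "__main__":
    # Assumed threshold for the demo; tune it against your own traffic.
    bad = offenders(SAMPLE_LOG.splitlines(), threshold=2)
    for cmd in csf_deny_commands(bad):
        print(cmd)
```

Run against the real log with something like `announce_hits_per_ip(open("/var/log/httpd/access_log"))` (path assumed; use whatever your distribution writes to). The script only prints the deny commands rather than executing them, so the list can be eyeballed for anything that should not be blocked, and the same `is_tracker_announce` check is the condition a mod_security2 rule would express against the request path and query string.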