Sign in Subscribe
linux

Chinese BitTorrent DDoS Mitigation

Derek Morton

2 min read

Here lately there's been lots of talk about the Great Firewall of China DNS posioning and inadvertently (?) DDoS'ing a servers all over..

The typical requests look similar to this:

125.77.141.10 - - [17/Jan/2015:04:51:21 +0000] "GET /announce.php?info_hash=%D6%BA%3E%2B%BC%86%5D%16%EED%D7%ADSFi%A5%13b%14%82&peer_id=%2DSD0100%2D%C6%D5%87%2F%0C%C1y%3E%F6%F5%14%1E&ip=192.168.1.104&port=13423&uploaded=820039352&downloaded=820039352&left=712758596&numwant=200&key=2204&compact=1 HTTP/1.0" 403 214 "tracker.thepiratebay.org"
211.100.51.150 - - [17/Jan/2015:04:51:21 +0000] "GET /474x/0c/3c/1a/0c3c1ab61ea01f0ed7ddcab06daf4cd9.jpg HTTP/1.1" 403 252 "media-cache-ec0.pinimg.com"
182.38.2.198 - - [17/Jan/2015:04:51:21 +0000] "GET /announce?info_hash=%BD%F4%CC%EC%A2%21L%B7X%E9%99%CA%22%DCE%7D%C1%92%2D%C9&peer_id=%2DSD0100%2D%EB%A4%D5%40%0C%FE%E1%9571%0F%CC&ip=192.168.1.101&port=8571&uploaded=776994816&downloaded=776994816&left=1800404992&numwant=200&key=3921&compact=1 HTTP/1.0" 403 210 "a.tracker.thepiratebay.org"
183.12.184.251 - - [17/Jan/2015:04:51:21 +0000] "GET /announce?info_hash=%D8%21Vd%B5%B8d%D4%17%D4%D7g%F6i%3B%B6%2D%E7lN&peer_id=%2DSD0100%2Da%20%91l%F2B%EF%BD%8C%D3%7B%B1&ip=192.168.0.112&port=10141&uploaded=3291119737&downloaded=3291119737&left=235912704&numwant=200&key=32232&compact=1 HTTP/1.0" 403 210 "vip.tracker.thepiratebay.org"
223.104.5.155 - - [17/Jan/2015:04:51:21 +0000] "GET /searchbox/alba.js HTTP/1.1" 403 219 "api.popin.cc"
183.224.92.81 - - [17/Jan/2015:04:51:21 +0000] "GET /crossdomain.xml HTTP/1.1" 403 217 "livepassdl.conviva.com"
113.57.186.42 - - [17/Jan/2015:04:51:21 +0000] "GET /announce.php?info_hash=%7F6%E9%12%E3%13%AEk%3C%03%15I%9A%028%E1%81%88%1D%11&peer_id=%2DSD0100%2DX%23%CFW%A7%9A%FF%14%91%F7%15%3E&ip=182.83.160.218&port=28388&uploaded=883389509&downloaded=883389509&left=330836393&numwant=200&key=15941&compact=1 HTTP/1.0" 403 214 "vip.tracker.thepiratebay.org"
122.90.95.227 - - [17/Jan/2015:04:51:21 +0000] "GET /banners/108499/livedealer_ca_sc_300x250%20short.gif HTTP/1.1" 403 251 "static.exoclick.com"
183.252.230.114 - - [17/Jan/2015:04:51:21 +0000] "GET /announce?info_hash=z%21%1A%89%DAn%BFU2%81%23O%A5%00cf%3Fw%9BY&peer_id=%2DSD0100%2D%0DH%1F%87%EB%D7%9F%E5%10%0C%A70&ip=183.252.230.114&port=12021&uploaded=319029248&downloaded=319029248&left=524288&numwant=200&key=13387&compact=1 HTTP/1.0" 403 210 "vip.tracker.thepiratebay.org"
106.112.224.119 - - [17/Jan/2015:04:51:21 +0000] "GET /crossdomain.xml HTTP/1.1" 403 217 "livepassdl.conviva.com"

I whipped up the following IPtables rules to drop the BitTorrent announce traffic so it never hits Apache/nginix/etc...

iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /announce.php?info_hash=' -j DROP
iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /announce?info_hash=' -j DROP
iptables -I INPUT -m state --state INVALID -j DROP

Sign up for more like this.

Enter your email
Subscribe