Stopping China-based DDOS containing “GET /announce? Bittorrent” with fail2ban

Banning China DDOS with just fail2ban

I awoke this morning to alerts that the load on my application servers was skyrocketing. I checked the access logs and saw a bucket of GET requests with "Bittorrent" as the user agent. Here are some of the log lines I saw.

/var/log/apache2/access.log
111.192.44.32 - - [23/Jan/2015:03:21:13 -0800] "GET /announce?info_hash=%05%06%2F%83%2F%8C%F6%0C%8C%26%17%C4%DF%8Fk%7E%17%06%C2%D0&peer_id=%2DSD0100%2D%3C%D0v%DF%04%0FR%88JE%85%EF&ip=172.16.93.62&port=10426&uploaded=405633701&downloaded=405633701&left=349640112&numwant=200&key=23928&compact=1 HTTP/1.0" 403 507 "-" "Bittorrent"
101.22.73.220 - - [23/Jan/2015:03:21:59 -0800] "GET /announce.php?info_hash=%EFyT%86%B5A%99%E5%5BH%F9U%A6%95%B7%F5r%27%CE%CE&peer_id=%2DSD0100%2D%22%CA%29%86%1D%82%E6%00%FC%7B%C9%F4&ip=101.22.73.220&port=27399&uploaded=58982400&downloaded=58982400&left=138369872&numwant=200&key=7620&compact=1 HTTP/1.0" 403 511 "-" "Bittorrent"
118.114.177.119 - - [23/Jan/2015:03:22:01 -0800] "GET /announce.php?info_hash=ROIFGKj%BE%DF%15%EA%BDG%E9%A508%11%BC%7E&peer_id=%2DSD0100%2D%90%29%02%13%01%E8P%AA%07%FB%CD%99&ip=192.168.1.102&port=8263&uploaded=84324757&downloaded=84324757&left=1008939937&numwant=200&key=26946&compact=1 HTTP/1.0" 403 512 "-" "Bittorrent"

Here is how I stopped it with just fail2ban.

1. Install fail2ban.

sudo apt-get update
sudo apt-get install fail2ban

2. Add the following to the bottom of /etc/fail2ban/jail.conf:

[bittorrent]
enabled = true
# the jail watches web traffic, but the ban itself is applied to every port
port = http,https
protocol = all
filter = bittorrent-block
banaction = iptables-allports
logpath = /var/log/apache2/access*.log
# a single matching request is enough to ban the source address
maxretry = 1
# 604800 seconds = 7 days
bantime = 604800

3. Create the filter.d file /etc/fail2ban/filter.d/bittorrent-block.conf:

[Definition]
# <HOST> is fail2ban's placeholder for the client address at the start of the line;
# the rest matches any GET to a path beginning with /announce whose query mentions "hash"
failregex = <HOST> .*GET \/announce.*hash.*
ignoreregex =

4. Restart fail2ban so it picks up the new jail and filter:
service fail2ban restart

5. Watch the banning begin:
tail -f /var/log/fail2ban.log
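
Before deploying a filter with maxretry = 1 it is worth dry-running the failregex against real and legitimate-looking lines, since a ban fires on the first match. The script below is an added example (not part of the original post or of fail2ban) that emulates the jail: it expands the <HOST> tag with an assumed approximation of fail2ban's own expansion, applies the post's failregex and a tighter variant that anchors on the literal announce query, and reports which addresses would be banned. The log lines, IP addresses and the /announcements page are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the access.log entries in the post
# (addresses, hashes and the legitimate /announcements page are made up).
SAMPLE_LOG = """\
198.51.100.10 - - [23/Jan/2015:03:21:13 -0800] "GET /announce?info_hash=%05%06%2F&peer_id=x&port=10426&compact=1 HTTP/1.0" 403 507 "-" "Bittorrent"
198.51.100.11 - - [23/Jan/2015:03:21:59 -0800] "GET /announce.php?info_hash=%EFyT&peer_id=y&port=27399&compact=1 HTTP/1.0" 403 511 "-" "Bittorrent"
198.51.100.10 - - [23/Jan/2015:03:22:01 -0800] "GET /announce.php?info_hash=ROIF&peer_id=z&port=8263&compact=1 HTTP/1.0" 403 512 "-" "Bittorrent"
203.0.113.7 - - [23/Jan/2015:03:22:05 -0800] "GET /announcements?hash=abc123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.8 - - [23/Jan/2015:03:22:09 -0800] "GET /blog/announce-post HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Assumed approximation of what fail2ban substitutes for the <HOST> tag
# (the real expansion also covers IPv6 forms and hostnames).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

POST_FAILREGEX = r"<HOST> .*GET \/announce.*hash.*"  # the regex from the post
# Tighter variant: only a real tracker announce with an info_hash parameter.
STRICT_FAILREGEX = r'^<HOST> .*"GET /announce(?:\.php)?\?info_hash='


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matching_hosts(log_text, failregex):
    """Return the host of every matching line, in log order (one entry per hit)."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(log_text, failregex, maxretry=1):
    """Emulate the jail: every host with at least maxretry matches gets banned."""
    counts = Counter(matching_hosts(log_text, failregex))
    return sorted(host for host, hits in counts.items() if hits >= maxretry)


if __name__ == "__main__":
    for name, regex in (("post", POST_FAILREGEX), ("strict", STRICT_FAILREGEX)):
        print(f"{name}: would ban {hosts_to_ban(SAMPLE_LOG, regex)}")
```

The post's regex also catches the constructed /announcements?hash= page, which is the false-positive class the first comment describes, while the strict variant bans only the tracker clients. On the server itself, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/bittorrent-block.conf` performs the same dry run against the real log.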


9 thoughts on “Stopping China-based DDOS containing “GET /announce? Bittorrent” with fail2ban”

  1. I tried blocking just the User Agents in Apache that matched “Bittorrent”, but the amount of requests still brought my cluster to its knees. Then I tried what someone suggested on Reddit but couldn’t do it because it blocked all traffic that contained the keywords Bittorrent or announce, and our site has plenty of pages that contain that word. Then I found this, and it’s great to see exact blocking of the offenders rather than a blanket defense.

  2. There are some interesting characteristics in the traffic patterns:

    – the list of affected IP addresses seems to be static
    – the traffic only comes in certain hours to the affected IPs
    – the affected IPs are typically hosting providers (i.e. no ADSL or otherwise home addresses)
    – different IPs get different shares of traffic
    – and many more!

    I’m a security researcher writing an extended article about this.

    I’d be interested to speak with people who are affected by this kind of “bittorrent DDoS”. The magazine I’m writing the article for is willing to cover some of the costs related to this DDoS (your hosting cost, compensate for your time) if you help us track this attack better – please contact me at tchm@virtall.com for details.
