Banning China DDOS with HAProxy and fail2ban

I awoke this morning to alerts that the load on my application servers was skyrocketing. I checked the access logs and saw a bucket of GET requests with "Bittorrent" as the user agent: misconfigured torrent clients treating my site as a tracker and hammering /announce. Here are some of the log lines I saw.

/var/logs/apache2/access.log

- - [23/Jan/2015:03:21:13 -0800] "GET /announce?info_hash=%05%06%2F%83%2F%8C%F6%0C%8C%26%17%C4%DF%8Fk%7E%17%06%C2%D0&peer_id=%2DSD0100%2D%3C%D0v%DF%04%0FR%88JE%85%EF&ip= HTTP/1.0" 403 507 "-" "Bittorrent"
- - [23/Jan/2015:03:21:59 -0800] "GET /announce.php?info_hash=%EFyT%86%B5A%99%E5%5BH%F9U%A6%95%B7%F5r%27%CE%CE&peer_id=%2DSD0100%2D%22%CA%29%86%1D%82%E6%00%FC%7B%C9%F4&ip= HTTP/1.0" 403 511 "-" "Bittorrent"
- - [23/Jan/2015:03:22:01 -0800] "GET /announce.php?info_hash=ROIFGKj%BE%DF%15%EA%BDG%E9%A508%11%BC%7E&peer_id=%2DSD0100%2D%90%29%02%13%01%E8P%AA%07%FB%CD%99&ip= HTTP/1.0" 403 512 "-" "Bittorrent"

Thank Zuul for HAPROXY keeping my site up. When one application server dropped out, another was still there, and they just kept getting shot down one after the other. Here is how I stopped it.

1. Enable local logging on HAProxy in /etc/haproxy/haproxy.cfg.
In the global section add (the log directive needs a syslog address; 127.0.0.1 is the rsyslog UDP listener enabled in the next step):

log 127.0.0.1 local5 info

Place the line below in the defaults section so HAProxy writes requests in CLF (Apache-style) format, which the fail2ban filter later relies on:

option httplog clf

In /etc/rsyslog.conf add this line at the end of the file, so that everything HAProxy sends on facility local5 lands in its own file:

local5.* /var/log/haproxy.log

and un-comment, or add, the following in rsyslog.conf so rsyslog accepts HAProxy's log messages over UDP:

$ModLoad imudp
$UDPServerRun 514

2. apt-get install fail2ban. Add the following jail to the bottom of /etc/fail2ban/jail.conf (the section header is required, otherwise the settings attach to whatever jail precedes them):

[bittorrent-block]
enabled = true
port = http,https
protocol = all
filter = bittorrent-block
banaction = iptables-allports
logpath = /var/log/haproxy.log
# ban on the first matching request, for one week (604800 seconds)
maxretry = 1
bantime = 604800

3. Create the filter file /etc/fail2ban/filter.d/bittorrent-block.conf (fail2ban requires the [Definition] section header; <HOST> is the token fail2ban replaces with the client address it will ban):

[Definition]
failregex = .*]: <HOST> .*GET \/announce.*hash.*
ignoreregex =

4. Reload HAProxy and restart rsyslog and fail2ban:
service haproxy reload
service rsyslog restart
service fail2ban restart

5. Watch the banning begin:
tail -f /var/log/fail2ban.log
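Before letting a maxretry = 1 jail ban anyone, it is worth checking exactly which lines the failregex above catches. The following is an added Python example, not part of the original post: it applies the filter's failregex to constructed haproxy.log lines the way fail2ban does, using a simplified stand-in for fail2ban's own <HOST> capture group (an assumption of this example), and shows both the torrent hits and a false-positive case the regex would also ban.

```python
import re

# failregex exactly as written in filter.d/bittorrent-block.conf above.
FAILREGEX = r".*]: <HOST> .*GET \/announce.*hash.*"

# fail2ban replaces the <HOST> token with its own named capture group for the
# client address; this IPv4/IPv6-style group is a simplified stand-in
# (an assumption of this example, not fail2ban's exact pattern).
HOST_GROUP = r"(?P<host>[0-9a-fA-F:.]+)"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def banned_hosts(log_lines, maxretry=1):
    """Return the client addresses the jail would ban: hosts whose matching
    lines reach maxretry (the jail above sets maxretry = 1)."""
    pattern = compile_failregex(FAILREGEX)
    hits = {}
    for line in log_lines:
        match = pattern.search(line)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
    return sorted(host for host, count in hits.items() if count >= maxretry)


# Constructed sample of /var/log/haproxy.log as rsyslog writes it with
# "option httplog clf" (hostname, PID and addresses are made up).
SAMPLE_LOG = [
    'Jan 23 03:21:13 lb1 haproxy[1234]: 198.51.100.7 - - [23/Jan/2015:03:21:13 -0800] '
    '"GET /announce?info_hash=%05%06%2F%83&peer_id=%2DSD0100%2D&ip= HTTP/1.0" 403 507 "-" "Bittorrent"',
    'Jan 23 03:21:14 lb1 haproxy[1234]: 198.51.100.7 - - [23/Jan/2015:03:21:14 -0800] '
    '"GET /announce.php?info_hash=%EFyT%86&peer_id=%2DSD0100%2D&ip= HTTP/1.0" 403 511 "-" "Bittorrent"',
    'Jan 23 03:21:15 lb1 haproxy[1234]: 203.0.113.9 - - [23/Jan/2015:03:21:15 -0800] '
    '"GET /announce.php?info_hash=ROIFGKj&peer_id=%2DSD0100%2D&ip= HTTP/1.0" 403 512 "-" "Bittorrent"',
    # Ordinary traffic: no /announce in the request, so the filter leaves it alone.
    'Jan 23 03:21:20 lb1 haproxy[1234]: 192.0.2.44 - - [23/Jan/2015:03:21:20 -0800] '
    '"GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # Path starts with /announce but the line carries no "hash": also not matched.
    'Jan 23 03:21:21 lb1 haproxy[1234]: 192.0.2.45 - - [23/Jan/2015:03:21:21 -0800] '
    '"GET /announcements HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # Caveat: any later "hash" in the line (here a query parameter) still matches,
    # so a legitimate visitor to such a URL would be banned for a week as well.
    'Jan 23 03:21:22 lb1 haproxy[1234]: 192.0.2.46 - - [23/Jan/2015:03:21:22 -0800] '
    '"GET /announcements?hashtag=release HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))
```

On the server itself, `fail2ban-regex /var/log/haproxy.log /etc/fail2ban/filter.d/bittorrent-block.conf` performs the same check against the real log with fail2ban's own host pattern.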
