You’ll know that you’re getting hit with a BitTorrent attack when the server slows down and the access log fills with requests for the tracker announce URL:

    GET /announce.php

These come from BitTorrent clients that have been told your host is a tracker, so the full requests also carry the tracker protocol’s info_hash= and peer_id= parameters in the query string, may arrive as /announce without the .php, and come from a large number of source addresses that keep re-announcing. Each one that reaches WordPress or another CMS costs a full bootstrap and a database-backed 404 page.
Here’s a good article about one sysadmin’s struggle with this type of attack:
http://blog.carlesmateo.com/2015/01/23/stopping-a-bittorrent-ddos-attack/
There are a number of possible strategies to mitigate this attack:
1. CloudFlare will absorb the flood, but moving DNS to CloudFlare and waiting for the change to propagate takes time, so it is not a quick fix while the server is already struggling.
2. Create an announce.php file in the web root that returns an error like this:

    <?php
    http_response_code(406);
    exit;

Because the file exists, Apache serves it directly and PHP stops right after setting the status, which uses far fewer resources than letting WordPress or another CMS bootstrap, run its queries and render a 404 page. http_response_code() needs PHP 5.4 or later; on older versions use header('HTTP/1.1 406 Not Acceptable') instead. Requests for /announce without the .php still fall through to the CMS front controller, so pair this with one of the blocks below if you see those too.
3. Block in iptables with a rule like this:

    iptables -A INPUT -p tcp --dport 80 -m string --string "GET /announce" --algo bm -j DROP

The string match scans the payload of every inbound packet to port 80, so on a high-traffic server bound the scan with --to 128 (the request line sits at the start of the first data segment, just after the IP and TCP headers). Two caveats: DROP discards only that data segment, so the client’s TCP stack keeps retransmitting it until it times out, whereas -j REJECT --reject-with tcp-reset closes the connection at once; and the match cannot see inside HTTPS, so it only helps for plain port 80 traffic.
4. Block in Apache config:

    <LocationMatch "^/announce(\.php)?">
        Order allow,deny
        Deny from all
    </LocationMatch>

That is the Apache 2.2 form; on Apache 2.4 replace the Order and Deny lines with Require all denied. Apache still accepts each connection and answers it with a short 403, but the request never reaches PHP or the CMS, which is where the real cost is.
5. Block with fail2ban as described here:
http://shazbert.com/blog/2015/01/24/fail2ban-china-ddos-announce-bittorent/
Note that Plesk 12 ships with fail2ban built in, so this fix is easy to implement there.
6. If the traffic comes from a limited set of address ranges, block those ranges in whatever firewall you have. In one case we defeated this attack by blocking a single /16 (an old class B) from China. A range block also shuts out any legitimate visitors in that range, so check the log for real traffic from it before applying one.
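Strategies 5 and 6 both depend on knowing where the announces come from and how fast each source repeats. The script below is an added example written for this post, not code from the original article or the linked write-ups. It parses Apache combined-format log lines (the sample lines are constructed, using RFC 5737 documentation addresses), applies a fail2ban-style maxretry/findtime rule to each source IP, counts distinct announcing hosts per /16 to show whether a range block would be worthwhile, and prints the matching iptables commands. The thresholds, the /16 cut and the announce_triage.py file name are assumptions.

```python
"""Triage a BitTorrent announce flood from an Apache "combined" access log.
Added example for this post, not code from the original article or the linked
write-ups.  Sample lines, addresses (RFC 5737 ranges), timestamps and user
agents are constructed; the thresholds are assumptions to tune."""
import ipaddress
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined": ip ident user [ts] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Announces hit /announce or /announce.php; the tracker protocol puts
# info_hash and peer_id in the query string, which is a second tell.
ANNOUNCE_PATH = re.compile(r"^/announce(\.php)?(\?|$)")
TRACKER_QUERY = re.compile(r"[?&](info_hash|peer_id)=")

SAMPLE_LOG = """\
203.0.113.200 - - [23/Jan/2015:10:00:00 +0000] "GET /announce.php?info_hash=%01%02&peer_id=-UT3410-c&port=6881 HTTP/1.1" 404 2310 "-" "uTorrent/3410"
203.0.113.10 - - [23/Jan/2015:10:00:01 +0000] "GET /announce.php?info_hash=%01%02&peer_id=-UT3410-a&port=51413 HTTP/1.1" 404 2310 "-" "uTorrent/3410"
203.0.113.10 - - [23/Jan/2015:10:00:02 +0000] "GET /announce.php?info_hash=%01%02&peer_id=-UT3410-a&port=51413 HTTP/1.1" 404 2310 "-" "uTorrent/3410"
203.0.113.10 - - [23/Jan/2015:10:00:03 +0000] "GET /announce.php?info_hash=%01%02&peer_id=-UT3410-a&port=51413 HTTP/1.1" 404 2310 "-" "uTorrent/3410"
198.51.100.9 - - [23/Jan/2015:10:00:20 +0000] "GET /announce?info_hash=%03%04&peer_id=-TR2840-d&port=6881 HTTP/1.1" 404 2310 "-" "Transmission/2.84"
192.0.2.5 - - [23/Jan/2015:10:00:30 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.200 - - [23/Jan/2015:10:01:30 +0000] "GET /announce.php?info_hash=%01%02&peer_id=-UT3410-c&port=6881 HTTP/1.1" 404 2310 "-" "uTorrent/3410"
203.0.113.200 - - [23/Jan/2015:10:03:00 +0000] "GET /announce.php?info_hash=%01%02&peer_id=-UT3410-c&port=6881 HTTP/1.1" 404 2310 "-" "uTorrent/3410"
"""

def parse_line(line):
    """Fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def is_announce(rec):
    """True when the request looks like a BitTorrent tracker announce."""
    return bool(ANNOUNCE_PATH.match(rec["path"]) or TRACKER_QUERY.search(rec["path"]))

def announce_hits(log_text):
    """(ip, timestamp) for every announce request in the log."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [(r["ip"], r["ts"]) for r in recs if r and is_announce(r)]

def offenders(hits, maxretry=3, findtime=60):
    """fail2ban-style rule: ban an IP with >= maxretry announces inside
    any findtime-second window (a sliding window over its sorted hits)."""
    by_ip = defaultdict(list)
    for ip, ts in hits:
        by_ip[ip].append(ts)
    window, banned = timedelta(seconds=findtime), set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop hits older than findtime
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned

def range_summary(hits, prefixlen=16):
    """Distinct announcing IPs per prefix, to judge whether a range block
    (strategy 6) would catch most of the flood."""
    nets = Counter()
    for ip in {ip for ip, _ in hits}:
        nets[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return nets

def iptables_rules(banned, ranges, min_ips=2, port=80):
    """One DROP per banned IP, plus one per prefix with at least min_ips
    distinct announcing hosts.  A range rule also locks out legitimate
    visitors in that range, so review the list before applying it."""
    rules = [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(banned)]
    rules += [f"iptables -I INPUT -s {net} -p tcp --dport {port} -j DROP"
              for net, n in sorted(ranges.items()) if n >= min_ips]
    return rules

def analyze(log_text, **kw):
    hits = announce_hits(log_text)
    banned, ranges = offenders(hits, **kw), range_summary(hits)
    return {"hits": hits, "banned": banned, "ranges": ranges,
            "rules": iptables_rules(banned, ranges)}

if __name__ == "__main__":
    # Usage: python3 announce_triage.py /var/log/apache2/access.log  (no arg: sample)
    res = analyze(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG)
    print(f"{len(res['hits'])} announce requests; ban: {sorted(res['banned'])}")
    for net, n in res["ranges"].most_common():
        print(f"{net}: {n} distinct announcing hosts")
    print("\n".join(res["rules"]))
```

Run it against the live log with python3 announce_triage.py /var/log/apache2/access.log; with no argument it runs on the constructed sample, where 203.0.113.10 trips the per-IP rule while 203.0.113.200 does not because its hits are spread wider than findtime. The per-IP rules are what a fail2ban jail would add automatically; the range rules are only printed for review, since a /16 block takes out every host in that range.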
Other suggestions on blocking this type of attack are welcomed. Comment below and let us know if you’ve seen this attack and how you handled it.