
I'm getting a huge amount of traffic to web servers looking for bittorrent type queries:

110.152.78.14 - - [27/Jan/2015:01:45:22 +0000] "GET /announce.php?info_hash=%3E%F3%0B%907%7F%9D%E1%C1%CB%BAiF%D8C%DE%27vG%A9&peer_id=%2DSD0100%2DA%3EFp%DB%CB%8C%87%3F%B8%CEw&ip=192.168.10.104&port=12606&uploaded=4689970239&downloaded=4689970239&left=0&numwant=200&key=22692&compact=1 HTTP/1.0" 302 562 "-" "Bittorrent"

36.36.12.121 - - [27/Jan/2015:01:45:22 +0000] "GET /announce.php?info_hash=%9c%7f%18%11hr%d0%5dN%ac%8b%d7%91%dbe%c8%93ttt&peer_id=-QD1900-0selUZY3.7Qj&port=4385&uploaded=0&downloaded=423012352&left=746990326&key=d20abe93&compact=1&numwant=200&no_peer_id=1 HTTP/1.0" 302 535 "-" "qqdownload/1.9.273.0"

140.206.125.62 - - [27/Jan/2015:02:15:17 +0000] "GET /banners/289288/289288_20150125123826_300_250.jpg HTTP/1.1" 302 335 "http://syndication.exoclick.com/ads-iframe-display.php?type=300x250&login=alexsemuel&cat=97&search=&ad_title_color=0000cc&bgcolor=FFFFFF&border=0&border_color=000000&font=&block_keywords=&ad_text_color=000000&ad_durl_color=008000&adult=0&sub=&text_only=0&show_thumb=&idzone=534211&idsite=193595&p=http%3A//privatehomeclips.com/tags/doutzen-kroes-leaked/2/&dt=1422324901966" "Mozilla/4.0 (compatible; MSIE 8.0; Wind

It's getting to the point where it's taking down our small educational content provider. AFAIK, none of these are actually getting a 200, so it's extremely baffling why this is happening at all.

Edit: All of the IPs are from China. I recall our security guy warning about China DNS poisoning BT and porn sites. The responses are 302 because the vhost is configured to redirect anything not using the 'official' domain name. After reading http://furbo.org/2015/01/22/fear-china/, I set up a default vhost and will see about more permanent solutions in the morning that don't involve blocking all of China.

jldugger

2 Answers


Your IP used to host a torrent tracker. Systems out there still think they should be connecting to you, which is why you're seeing this.

The curious thing is: why are you replying to them with a 302 HTTP response? You should be sending them a 404.

I would recommend just adding a rule in your web server config to match requests like this and reply immediately with a 404. Perhaps you could match any request to /announce.php*.

The third log entry is not torrent-related. If you are getting many requests similar to that one, you can block them in a similar fashion.

EEAA
  • I promise you this site was never a torrent tracker. – jldugger Jan 27 '15 at 02:40
  • How do you know what your IP hosted before it was assigned to you? That's what I was getting at. If you've had the IP for a long time, then it's likely just a DNS misconfiguration somewhere, which unfortunately you can do nothing about. If blocking these requests doesn't work, then your only recourse may be to change your IP. – EEAA Jan 27 '15 at 02:42
  • Because I work for a university, and we've had the IP range since IP ranges were a thing. – jldugger Jan 27 '15 at 02:43
  • Well then you're just going to have to either try and mitigate it somehow by blocking the requests or just learn to live with it. Stuff like this *happens*. There's often no good rhyme or reason. It just comes along with life on the interwebs. – EEAA Jan 27 '15 at 02:45
  • @yagmoth555 And what does any of that have to do with anything? – EEAA Jan 27 '15 at 02:48
  • I wrote my point badly. Just that public IP usage is so-so in universities, so I can imagine someone abused it in the past to post a tracker – yagmoth555 Jan 27 '15 at 02:50
  • I highly doubt the network team at OSUOSL would be so incompetent as to allocate server subnets anywhere near user subnets. – EEAA Jan 27 '15 at 02:51
  • Indeed, we have our own separate IP allocation and VLANs. – jldugger Jan 27 '15 at 02:53
  • @EEAA - Good point. I doubt it too. It's not like you can find public IP misuse/error from a university in a simple Google search. I didn't check the OP's sig at first, but OSUOSL really seems OK. – yagmoth555 Jan 27 '15 at 04:08
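An added example, not part of EEAA's answer or anything else on this page: a small Python 3 triage script that parses combined-format access log lines like the ones in the question, separates BitTorrent tracker requests (announces, plus /scrape requests, which real trackers also receive but the question does not show) from hotlinked banner images and ordinary traffic, counts them per client IP, and exposes the same match a web-server rule would apply before the vhost's catch-all redirect fires. The log lines, the client IPs and the "official" host names in OUR_HOSTS are constructed for this example, modelled on the question's lines; nothing here is the OP's configuration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format (the Apache/nginx default), the layout of the lines in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical "official" vhost names (assumed, not from the page). An image fetched with a
# Referer from any other host is a hotlink.
OUR_HOSTS = {"www.example.edu", "example.edu"}

# User-Agent prefixes of the two BitTorrent clients visible in the question's log lines.
TORRENT_UA_PREFIXES = ("Bittorrent", "qqdownload")

# Constructed sample lines, modelled on the question's; IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Jan/2015:01:45:22 +0000] "GET /announce.php?info_hash=%3E%F3%0B%907%7F%9D%E1%C1%CB%BAiF%D8C%DE%27vG%A9&peer_id=%2DSD0100%2DA%3EFp%DB%CB%8C%87%3F%B8%CEw&port=12606&uploaded=0&downloaded=0&left=0&compact=1 HTTP/1.0" 302 562 "-" "Bittorrent"',
    '203.0.113.10 - - [27/Jan/2015:01:45:23 +0000] "GET /scrape.php?info_hash=%3E%F3%0B%907%7F%9D%E1%C1%CB%BAiF%D8C%DE%27vG%A9 HTTP/1.0" 302 560 "-" "Bittorrent"',
    '198.51.100.7 - - [27/Jan/2015:01:45:22 +0000] "GET /announce.php?info_hash=%9c%7f%18%11hr%d0%5dN%ac%8b%d7%91%dbe%c8%93ttt&peer_id=-QD1900-0selUZY3.7Qj&port=4385&left=746990326&compact=1 HTTP/1.0" 302 535 "-" "qqdownload/1.9.273.0"',
    '198.51.100.9 - - [27/Jan/2015:02:15:17 +0000] "GET /banners/289288/289288_20150125123826_300_250.jpg HTTP/1.1" 302 335 "http://syndication.exoclick.com/ads-iframe-display.php?idzone=534211" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '192.0.2.55 - - [27/Jan/2015:02:16:01 +0000] "GET /courses/intro.html HTTP/1.1" 200 8123 "http://www.example.edu/" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Bucket a request as 'tracker' (BitTorrent announce/scrape), 'hotlink' (an image
    pulled in by a third-party page) or 'other'."""
    url = urlsplit(entry["target"])
    # parse_qs percent-decodes the query; the raw 20-byte info_hash is not valid UTF-8,
    # but undecodable bytes become U+FFFD rather than raising, so this is safe on real logs.
    params = parse_qs(url.query)
    if url.path.startswith(("/announce", "/scrape")) and "info_hash" in params:
        return "tracker"
    ref_host = urlsplit(entry["referer"]).hostname  # a "-" referer has no host -> None
    if ref_host and ref_host not in OUR_HOSTS and url.path.startswith("/banners/"):
        return "hotlink"
    return "other"


def should_reject(entry):
    """The predicate a web-server rule would implement: answer tracker traffic (by path or
    by client User-Agent) with a cheap 404 instead of the vhost's catch-all 302."""
    return classify(entry) == "tracker" or entry["ua"].startswith(TORRENT_UA_PREFIXES)


def summarize(lines):
    """Count requests per (class, client IP) so the noisiest sources stand out."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line (truncated, different format): skip, don't crash
        counts[(classify(entry), entry["ip"])] += 1
    return counts


def noisy_sources(counts, kind, min_hits):
    """IPs with at least min_hits requests of the given class, busiest first: candidates
    for a per-IP block that avoids blacklisting whole countries."""
    hits = [(ip, n) for (cls, ip), n in counts.items() if cls == kind and n >= min_hits]
    return [ip for ip, n in sorted(hits, key=lambda t: (-t[1], t[0]))]


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (cls, ip), n in counts.most_common():
        print(f"{cls:8} {ip:15} {n}")
    print("block candidates:", noisy_sources(counts, "tracker", 2))
```

Point the script at a real access log (`summarize(open("access.log"))`) and the counts tell you whether the load is the tracker announces, the hotlinked banners, or both, before you write any rule. `should_reject` is what a rule such as Apache's `RedirectMatch 404 "^/announce"` or nginx's `location ^~ /announce.php { return 404; }` expresses; it has to take precedence over the catch-all redirect in the vhost, otherwise the 302 keeps winning. Confirm with the log that the 404 is served without the redirect body (the 302s above carry 500-odd bytes each); the gain is a cheaper response per hit, not the clients going away, which nothing on this page says they will.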

As EEAA's answer says, you probably used Torrents on that machine.

For "my" solution on dealing with this type of "attacks", you can take a look at this answer.

Florin Asăvoaie