Old 6th January 2016, 18:22   #1
webflashing
Junior Member
 
Join Date: Oct 2015
Posts: 5
Getting hammered from hundreds of IPs.

Last night I received an alert that my server was generating more than 20mb/s of outgoing traffic.

After careful research I found that Shoutcast was the service behind this stupid amount of data. I often get 4 or 5 listeners at the same time, but the logs said otherwise. I had a total of 1857 connections in a 6-hour period, originating from 234 different IP addresses. These connections last only a couple of seconds, and some of them had extremely long User Agents. For example:

code:

2016-01-06 16:10:14 INFO [DST 177.177.60.241 sid=1] SHOUTcast 1 client connection accepted. User-Agent: `U2FsdGVkX191tWl/fAcf52fUjieJpdvDKmQIJ862z9Z7yUCLjKlx+QlOW/jbUcelYNiqZOE7PBeJcOiKd7q18jGRuoXygbUL2/fB9FlldWmrHn4qSOQorXAux2V3SgQdgnWDrHSGj5wKr8SLgVr78EvbUZ4CYZRFL6ZZyvdNZ4eutODuXwpR7Vb/H2iWUAHexaw9mw2wa4DxrzR5iwXQMgS1uSYj2qXwHNCFjWNP176w9fruHt24gAVq3KpFeUJi9C1rSpCb4FSgGOFbKwVFcA==', UID: 23192, GRID: 0
2016-01-06 16:10:19 INFO [DST 177.177.60.241 sid=1] SHOUTcast 1 client connection closed (5 seconds) [Bytes: 143360] Agent: `U2FsdGVkX191tWl/fAcf52fUjieJpdvDKmQIJ862z9Z7yUCLjKlx+QlOW/jbUcelYNiqZOE7PBeJcOiKd7q18jGRuoXygbUL2/fB9FlldWmrHn4qSOQorXAux2V3SgQdgnWDrHSGj5wKr8SLgVr78EvbUZ4CYZRFL6ZZyvdNZ4eutODuXwpR7Vb/H2iWUAHexaw9mw2wa4DxrzR5iwXQMgS1uSYj2qXwHNCFjWNP176w9fruHt24gAVq3KpFeUJi9C1rSpCb4FSgGOFbKwVFcA==', UID: 23192, GRID: 0



As you can see, these connections didn't last long but they are still there, generating heap and what not.

Lots of other connections had this user agent:
code:

2016-01-06 16:14:49 INFO [DST 95.222.26.218 sid=1] SHOUTcast 1 client connection accepted. User-Agent: `Lavf/55.12.100', UID: 23196, GRID: 0
2016-01-06 16:14:51 INFO [DST 95.222.26.218 sid=1] SHOUTcast 1 client connection closed (2 seconds) [Bytes: 90029] Agent: `Lavf/55.12.100', UID: 23196, GRID: 0



After further research I discovered that this has been happening for a few days, but not all day. It's like the attacks last 3 to 4 hours per day.

What can I do to prevent this? Would banning the 'Lavf/55.12.100' user-agent, for example, get rid of this? As far as I understand, Shoutcast is sending data to those connections, so maybe if I ban that user-agent the connection gets terminated or it's automatically rejected? And what happens when they change the user-agent?

Thank you everyone for your time.
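A way to triage logs like the ones quoted in the post, as an added example that is not part of the original post: it parses the "connection closed" lines and flags source IPs by behaviour (repeated short sessions, oversized agent strings) rather than by one user-agent value. The function names, thresholds and sample lines are assumptions constructed for illustration; only the line layout comes from the post.

```python
import re
from collections import defaultdict

# Field layout taken from the "connection closed" lines quoted in the post.
CLOSED = re.compile(
    r"\[DST (?P<ip>\S+) sid=\d+\] SHOUTcast \d+ client connection closed "
    r"\((?P<secs>\d+) seconds?\) \[Bytes: (?P<bytes>\d+)\] "
    r"Agent: `(?P<ua>.*)', UID: \d+"
)

def _line(ts, ip, secs, nbytes, ua):
    # Hypothetical helper: builds one constructed log line in the same layout.
    return (f"2016-01-06 {ts} INFO [DST {ip} sid=1] SHOUTcast 1 client "
            f"connection closed ({secs} seconds) [Bytes: {nbytes}] "
            f"Agent: `{ua}', UID: 1, GRID: 0")

# Constructed sample data: documentation-range IPs, made-up agents and sizes.
SAMPLE = "\n".join([
    _line("16:00:01", "192.0.2.10", 2, 90000, "ExampleAgent/1.0"),
    _line("16:00:09", "192.0.2.10", 3, 95000, "ExampleAgent/1.0"),
    _line("16:00:15", "192.0.2.10", 2, 91000, "ExampleAgent/1.0"),
    _line("16:01:00", "198.51.100.7", 5, 143360, "Q" * 300),
    _line("16:30:00", "203.0.113.5", 1800, 28800000, "ExamplePlayer/2.0"),
    "2016-01-06 16:31:00 INFO some unrelated line",
])

def suspicious_clients(log, short_secs=10, min_short=3, max_ua_len=128):
    """Return {ip: {"short", "bytes", "reasons"}} for IPs that look abusive."""
    stats = defaultdict(lambda: {"short": 0, "bytes": 0, "long_ua": False})
    for raw in log.splitlines():
        m = CLOSED.search(raw)
        if not m:
            continue  # not a "connection closed" line in the expected layout
        s = stats[m["ip"]]
        s["bytes"] += int(m["bytes"])
        s["short"] += int(m["secs"]) <= short_secs   # count brief sessions
        s["long_ua"] |= len(m["ua"]) > max_ua_len    # remember any huge agent
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["short"] >= min_short:
            reasons.append("repeated short sessions")
        if s["long_ua"]:
            reasons.append("oversized user agent")
        if reasons:
            flagged[ip] = {"short": s["short"], "bytes": s["bytes"], "reasons": reasons}
    return flagged

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))
```

The flagged addresses can feed a firewall or rate-limit rule, which keeps working when the client changes its user-agent.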