Old 6th January 2016, 19:22   #1
webflashing
Junior Member
 
Join Date: Oct 2015
Posts: 5
Getting hammered from hundreds of IPs.

Last night I received an alert that my server was generating more than 20mb/s of outgoing traffic.

After careful research I found that Shoutcast was the service behind this stupid amount of data. I often get 4 or 5 listeners at the same time, but the logs said otherwise. I had a total of 1857 connections in a 6-hour period, originating from 234 different IP addresses. These connections last only a couple of seconds, and some of them had extremely long User Agents. For example:

code:

2016-01-06 16:10:14 INFO [DST 177.177.60.241 sid=1] SHOUTcast 1 client connection accepted. User-Agent: `U2FsdGVkX191tWl/fAcf52fUjieJpdvDKmQIJ862z9Z7yUCLjKlx+QlOW/jbUcelYNiqZOE7PBeJcOiKd7q18jGRuoXygbUL2/fB9FlldWmrHn4qSOQorXAux2V3SgQdgnWDrHSGj5wKr8SLgVr78EvbUZ4CYZRFL6ZZyvdNZ4eutODuXwpR7Vb/H2iWUAHexaw9mw2wa4DxrzR5iwXQMgS1uSYj2qXwHNCFjWNP176w9fruHt24gAVq3KpFeUJi9C1rSpCb4FSgGOFbKwVFcA==', UID: 23192, GRID: 0
2016-01-06 16:10:19 INFO [DST 177.177.60.241 sid=1] SHOUTcast 1 client connection closed (5 seconds) [Bytes: 143360] Agent: `U2FsdGVkX191tWl/fAcf52fUjieJpdvDKmQIJ862z9Z7yUCLjKlx+QlOW/jbUcelYNiqZOE7PBeJcOiKd7q18jGRuoXygbUL2/fB9FlldWmrHn4qSOQorXAux2V3SgQdgnWDrHSGj5wKr8SLgVr78EvbUZ4CYZRFL6ZZyvdNZ4eutODuXwpR7Vb/H2iWUAHexaw9mw2wa4DxrzR5iwXQMgS1uSYj2qXwHNCFjWNP176w9fruHt24gAVq3KpFeUJi9C1rSpCb4FSgGOFbKwVFcA==', UID: 23192, GRID: 0



As you can see, these connections didn't last long but they are still there, generating heap and what not.

Lots of other connections had this user agent:
code:

2016-01-06 16:14:49 INFO [DST 95.222.26.218 sid=1] SHOUTcast 1 client connection accepted. User-Agent: `Lavf/55.12.100', UID: 23196, GRID: 0
2016-01-06 16:14:51 INFO [DST 95.222.26.218 sid=1] SHOUTcast 1 client connection closed (2 seconds) [Bytes: 90029] Agent: `Lavf/55.12.100', UID: 23196, GRID: 0



After further research I discovered that this has been happening for a few days, but not all day. It's like the attacks last 3 to 4 hours per day.

What can I do to prevent this? Would banning 'Lavf/55.12.100' user-agent for example get rid of this? As far as I understand, Shoutcast is sending data to those connections, so maybe if I ban that user-agent the connection gets terminated or it's automatically rejected? And what happens when they change the user-agent?

Thank you everyone for your time.
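Added example, not part of the original post and not Shoutcast's own code: a Python script that parses the "connection closed" lines in the log format quoted above and totals sessions, short sessions, bytes sent and oversized User-Agents per source IP, which is the data needed to decide between a User-Agent ban and per-IP limits. The thresholds (10 seconds, 128 characters, 3 short sessions), the function names and the sample lines are assumptions; the sample IPs are documentation addresses.

```python
import re
from collections import defaultdict

# Matches "connection closed" lines in the log format shown in the post.
CLOSED = re.compile(
    r"\[DST (?P<ip>\S+) sid=\d+\] .*client connection closed "
    r"\((?P<secs>\d+) seconds?\) \[Bytes: (?P<bytes>\d+)\] "
    r"Agent: `(?P<ua>.*)', UID: \d+"
)

def summarize(lines, short_secs=10, long_ua=128):
    """Per-IP totals: sessions, short sessions, bytes sent, oversized agents."""
    stats = defaultdict(lambda: {"sessions": 0, "short": 0, "bytes": 0, "long_ua": 0})
    for line in lines:
        m = CLOSED.search(line)
        if not m:
            continue  # "accepted" lines and other entries carry no duration
        s = stats[m["ip"]]
        s["sessions"] += 1
        s["bytes"] += int(m["bytes"])
        s["short"] += int(m["secs"]) <= short_secs   # assumed threshold
        s["long_ua"] += len(m["ua"]) > long_ua       # assumed threshold
    return dict(stats)

def suspects(stats, min_short=3):
    """IPs with repeated short sessions or any oversized User-Agent."""
    return sorted(ip for ip, s in stats.items()
                  if s["short"] >= min_short or s["long_ua"])

def closed_line(ip, secs, nbytes, ua):
    """Build one constructed log line in the format quoted in the post."""
    return (f"2016-01-06 16:14:51 INFO [DST {ip} sid=1] SHOUTcast 1 client "
            f"connection closed ({secs} seconds) [Bytes: {nbytes}] "
            f"Agent: `{ua}', UID: 1, GRID: 0")

# Constructed sample: a repeat short-session client, an opaque long agent,
# and one ordinary hour-long listener ("ExamplePlayer/1.0" is made up).
SAMPLE = (
    [closed_line("192.0.2.10", 2, 90029, "Lavf/55.12.100")] * 3
    + [closed_line("198.51.100.7", 5, 143360, "QUJD" * 60)]
    + [closed_line("203.0.113.5", 3600, 57600000, "ExamplePlayer/1.0")]
)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip, s in stats.items():
        print(ip, s)
    print("suspects:", suspects(stats))
```

Because the grouping key is the source IP rather than the agent string, the result does not change when a client changes its User-Agent.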