Getting hammered from hundreds of IPs.

webflashing · 6th January 2016, 19:22

Last night I received an alert that my server was generating more than 20mb/s of outgoing traffic.

After careful research I found that Shoutcast was the service behind this stupid amount of data. I often get 4 or 5 listeners at the same time, but the logs said otherwise. I had a total of 1857 connections in a 6 hour period, originating from 234 different IP addresses. This connections last only a couple of seconds, and some of them had extremely long User Agents. For example:

code:


2016-01-06 16:10:14	INFO	[DST 177.177.60.241 sid=1] SHOUTcast 1 client connection accepted. User-Agent: `U2FsdGVkX191tWl/fAcf52fUjieJpdvDKmQIJ862z9Z7yUCLjKlx+QlOW/jbUcelYNiqZOE7PBeJcOiKd7q18jGRuoXygbUL2/fB9FlldWmrHn4qSOQorXAux2V3SgQdgnWDrHSGj5wKr8SLgVr78EvbUZ4CYZRFL6ZZyvdNZ4eutODuXwpR7Vb/H2iWUAHexaw9mw2wa4DxrzR5iwXQMgS1uSYj2qXwHNCFjWNP176w9fruHt24gAVq3KpFeUJi9C1rSpCb4FSgGOFbKwVFcA==', UID: 23192, GRID: 0

2016-01-06 16:10:19	INFO	[DST 177.177.60.241 sid=1] SHOUTcast 1 client connection closed (5 seconds) [Bytes: 143360] Agent: `U2FsdGVkX191tWl/fAcf52fUjieJpdvDKmQIJ862z9Z7yUCLjKlx+QlOW/jbUcelYNiqZOE7PBeJcOiKd7q18jGRuoXygbUL2/fB9FlldWmrHn4qSOQorXAux2V3SgQdgnWDrHSGj5wKr8SLgVr78EvbUZ4CYZRFL6ZZyvdNZ4eutODuXwpR7Vb/H2iWUAHexaw9mw2wa4DxrzR5iwXQMgS1uSYj2qXwHNCFjWNP176w9fruHt24gAVq3KpFeUJi9C1rSpCb4FSgGOFbKwVFcA==', UID: 23192, GRID: 0

As you can see this connections didn't last long but they are still there, generating heap and what not.

Lots of other connections had this user agent:

code:


2016-01-06 16:14:49	INFO	[DST 95.222.26.218 sid=1] SHOUTcast 1 client connection accepted. User-Agent: `Lavf/55.12.100', UID: 23196, GRID: 0

2016-01-06 16:14:51	INFO	[DST 95.222.26.218 sid=1] SHOUTcast 1 client connection closed (2 seconds) [Bytes: 90029] Agent: `Lavf/55.12.100', UID: 23196, GRID: 0

After further research I discovered that this has been happening for a few days, but not all day. It's like the attacks last 3 to 4 hours per day.

What can I do to prevent this? Would banning 'Lavf/55.12.100' user-agent for example get rid of this? As far as I understand, Shoutcast is sending data to those connections, so maybe if I ban that user-agent the connection gets terminated or it's automatically rejected? And what happens when they change the user-agent?

Thank you everyone for your time.

6th January 2016, 19:22	#1
webflashing Junior Member Join Date: Oct 2015 Posts: 5	Getting hammered from hundreds of IPs. Last night I received an alert that my server was generating more than 20mb/s of outgoing traffic. After careful research I found that Shoutcast was the service behind this stupid amount of data. I often get 4 or 5 listeners at the same time, but the logs said otherwise. I had a total of 1857 connections in a 6 hour period, originating from 234 different IP addresses. This connections last only a couple of seconds, and some of them had extremely long User Agents. For example: code: 2016-01-06 16:10:14 INFO [DST 177.177.60.241 sid=1] SHOUTcast 1 client connection accepted. User-Agent: `U2FsdGVkX191tWl/fAcf52fUjieJpdvDKmQIJ862z9Z7yUCLjKlx+QlOW/jbUcelYNiqZOE7PBeJcOiKd7q18jGRuoXygbUL2/fB9FlldWmrHn4qSOQorXAux2V3SgQdgnWDrHSGj5wKr8SLgVr78EvbUZ4CYZRFL6ZZyvdNZ4eutODuXwpR7Vb/H2iWUAHexaw9mw2wa4DxrzR5iwXQMgS1uSYj2qXwHNCFjWNP176w9fruHt24gAVq3KpFeUJi9C1rSpCb4FSgGOFbKwVFcA==', UID: 23192, GRID: 0 2016-01-06 16:10:19 INFO [DST 177.177.60.241 sid=1] SHOUTcast 1 client connection closed (5 seconds) [Bytes: 143360] Agent: `U2FsdGVkX191tWl/fAcf52fUjieJpdvDKmQIJ862z9Z7yUCLjKlx+QlOW/jbUcelYNiqZOE7PBeJcOiKd7q18jGRuoXygbUL2/fB9FlldWmrHn4qSOQorXAux2V3SgQdgnWDrHSGj5wKr8SLgVr78EvbUZ4CYZRFL6ZZyvdNZ4eutODuXwpR7Vb/H2iWUAHexaw9mw2wa4DxrzR5iwXQMgS1uSYj2qXwHNCFjWNP176w9fruHt24gAVq3KpFeUJi9C1rSpCb4FSgGOFbKwVFcA==', UID: 23192, GRID: 0 As you can see this connections didn't last long but they are still there, generating heap and what not. Lots of other connections had this user agent: code: 2016-01-06 16:14:49 INFO [DST 95.222.26.218 sid=1] SHOUTcast 1 client connection accepted. User-Agent: `Lavf/55.12.100', UID: 23196, GRID: 0 2016-01-06 16:14:51 INFO [DST 95.222.26.218 sid=1] SHOUTcast 1 client connection closed (2 seconds) [Bytes: 90029] Agent: `Lavf/55.12.100', UID: 23196, GRID: 0 After further research I discovered that this has been happening for a few days, but not all day. It's like the attacks last 3 to 4 hours per day. What can I do to prevent this? Would banning 'Lavf/55.12.100' user-agent for example get rid of this? As far as I understand, Shoutcast is sending data to those connections, so maybe if I ban that user-agent the connection gets terminated or it's automatically rejected? And what happens when they change the user-agent? Thank you everyone for your time.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode