Several hosting providers have reported suspicious traffic patterns where BitTorrent clients from specific regions (particularly China and Turkey) send tracker announce requests to incorrect servers. This occurs due to DNS cache poisoning where ISPs return fake IPs for torrent tracker domains like thepiratebay.org.
```text
# Example malicious request pattern
60.246.*.* - - [03/Jan/2015:20:59:16 +0200] "GET /announce.php?info_hash=%80%85%8e%9bu%cfJ.%85%82%e9%25%bf%8e%9e%d7%bf%c5%b0%12&peer_id=-UT3420-v%8bN%aa%60%60%fd%5d%d1%b0Ux..."
```
The key identifier is the HTTP Host header containing tracker subdomains:

```text
HTTP_HOST: a.tracker.thepiratebay.org
SERVER_NAME: a.tracker.thepiratebay.org
```
Create a custom rule set in your mod_security configuration:

```apache
# /etc/modsecurity.d/tracker_block.conf
SecRule REQUEST_HEADERS:Host "@rx ^([a-z0-9]+\.)?tracker\.thepiratebay\.org$" \
    "id:1001,\
    phase:1,\
    deny,\
    status:403,\
    msg:'Blocked malicious torrent tracker request',\
    logdata:'Matched Host: %{MATCHED_VAR}'"
```
For broader protection against similar attacks:

```apache
# Block multiple known malicious patterns
SecRule REQUEST_HEADERS:Host "@pmFromFile tracker-domains.list" \
    "id:1002,\
    phase:1,\
    deny,\
    status:403"

# Alternative regex for various tracker formats
SecRule REQUEST_HEADERS:Host "@rx \.(thepiratebay|openbittorrent|publichd)\.(org|com)$" \
    "id:1003,\
    phase:1,\
    deny"
```
To minimize Apache load:
- Place rules in early processing phases (phase:1)
- Use simple string matching (@pm) before complex regex
- Consider IP-based blocking at firewall level for heavy attacks
Test your rules with curl:

```bash
curl -v -H "Host: a.tracker.thepiratebay.org" http://yourserver.com/announce.php
```

Check mod_security audit logs for rule triggers:

```bash
tail -f /var/log/modsec_audit.log | grep 'id "100[123]"'
```
For high-traffic environments:

```bash
# iptables layer blocking (faster than mod_security)
# Match any Host ending in tracker.thepiratebay.org (this also covers the
# a./b. subdomains) and search the whole packet: the announce request line
# alone is longer than 70 bytes, so a "--to 70" window would end before
# the Host header and never match
iptables -A INPUT -p tcp --dport 80 -m string \
    --string "tracker.thepiratebay.org" \
    --algo bm --to 65535 -j DROP
```

```nginx
# NGINX equivalent
server {
    if ($http_host ~* "\.thepiratebay\.org$") {
        return 444;
    }
}
```
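Before writing blocking rules it helps to measure how much of the traffic is actually misdirected announce traffic and which clients send it. The following Python script is an added example, not code from the post above: it parses constructed access-log lines (documentation IP ranges, a hypothetical LogFormat that appends the Host header, since the stock combined format does not record it), flags announce requests whose Host is a Pirate Bay tracker subdomain, decodes the Azureus-style `-XXNNNN-` peer_id prefix to name the client, and summarises by source address and client. The regex for the Host check is the one from the rule set above, applied after lowercasing and stripping a `:port` suffix.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not from the original post). Assumed LogFormat:
#   "%h %l %u %t \"%r\" %>s %b \"%{Host}i\""
# i.e. the combined format with the request's Host header appended.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jan/2015:20:59:16 +0200] "GET /announce.php?info_hash=%80%85%8e%9bu%cfJ.%85%82%e9%25%bf%8e%9e%d7%bf%c5%b0%12&peer_id=-UT3420-v%8bN%aa%60%60%fd%5d%d1%b0Ux&port=15411 HTTP/1.1" 200 - "a.tracker.thepiratebay.org"
192.0.2.44 - - [03/Jan/2015:20:59:17 +0200] "GET /announce.php?info_hash=%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14&peer_id=-TR2840-abcdefghijkl&port=51413 HTTP/1.1" 200 - "b.tracker.thepiratebay.org"
203.0.113.9 - - [03/Jan/2015:20:59:18 +0200] "GET /index.html HTTP/1.1" 200 1234 "www.example.com"
198.51.100.7 - - [03/Jan/2015:20:59:19 +0200] "GET /announce.php?info_hash=%80%85%8e%9bu%cfJ.%85%82%e9%25%bf%8e%9e%d7%bf%c5%b0%12&peer_id=-UT3420-v%8bN%aa%60%60%fd%5d%d1%b0Ux&port=15411 HTTP/1.1" 200 - "A.Tracker.ThePirateBay.org:80"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<host>[^"]*)"$'
)
# Same Host pattern as the mod_security rule above, applied to a normalised host
TRACKER_HOST_RE = re.compile(r'^([a-z0-9]+\.)?tracker\.thepiratebay\.org$')

# Azureus-style peer_id prefix "-XXNNNN-": two-letter client code, four version chars
PEER_ID_RE = re.compile(r'^-([A-Za-z]{2})(\d{4})-')
CLIENT_CODES = {'UT': 'uTorrent', 'TR': 'Transmission', 'AZ': 'Vuze',
                'qB': 'qBittorrent', 'DE': 'Deluge', 'LT': 'libtorrent'}


def client_name(peer_id):
    """Return 'Client/NNNN' from an Azureus-style peer_id, or 'unknown'."""
    m = PEER_ID_RE.match(peer_id)
    if not m:
        return 'unknown'
    code, version = m.groups()
    return f"{CLIENT_CODES.get(code, code)}/{version}"


def classify(line):
    """Parse one log line and decide whether it is a misdirected tracker announce."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalise the Host header: lowercase and drop a trailing ":port"
    host = m.group('host').lower().rsplit(':', 1)[0]
    parts = urlsplit(m.group('target'))
    # info_hash and peer_id are raw bytes, percent-encoded; latin-1 keeps them byte-exact
    params = parse_qs(parts.query, encoding='latin-1', errors='strict')
    peer_id = params.get('peer_id', [''])[0]
    info_hash = params.get('info_hash', [''])[0]
    return {
        'ip': m.group('ip'),
        'host': host,
        'announce': parts.path.endswith(('/announce', '/announce.php')),
        'tracker_host': TRACKER_HOST_RE.match(host) is not None,
        'client': client_name(peer_id),
        'info_hash': info_hash.encode('latin-1').hex() if len(info_hash) == 20 else None,
    }


def summarize(log_text):
    """Count misdirected announces by source IP and client across a log excerpt."""
    records = [r for r in map(classify, log_text.splitlines()) if r]
    poisoned = [r for r in records if r['announce'] and r['tracker_host']]
    return {
        'total': len(records),
        'poisoned': len(poisoned),
        'by_ip': dict(Counter(r['ip'] for r in poisoned)),
        'by_client': dict(Counter(r['client'] for r in poisoned)),
        'info_hashes': sorted({r['info_hash'] for r in poisoned if r['info_hash']}),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Run it against a real log by reading the file into `summarize()`; if your LogFormat does not include `%{Host}i`, `%v` (the canonical server name) is not a substitute, because with a poisoned Host header Apache will already have routed the request to the default vhost.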
Over the past week, my Apache servers have been flooded with bizarre GET requests to /announce.php from Chinese and Turkish IPs. These weren't ordinary attacks - they came from actual BitTorrent clients believing my servers were Pirate Bay trackers.
```text
# Typical attack pattern in access logs:
60.246.*.* - - [03/Jan/2015:20:59:16 +0200] "GET /announce.php?info_hash=%80%85%8e%9bu%cfJ.%85%82%e9%25%bf%8e%9e%d7%bf%c5%b0%12&peer_id=-UT3420-v%8bN%aa%60%60%fd%5d%d1%b0Ux&port=15411 HTTP/1.1" 200 -
```
Investigating the Host headers revealed the root cause:
- Requests contained a.tracker.thepiratebay.org in the Host header
- Chinese ISP CERNET and Turkish TTNET return fake IPs for TPB domains
- uTorrent clients blindly follow poisoned DNS responses
Instead of blocking entire countries, I implemented these mod_security rules:

```apache
# In modsecurity_crs_10_setup.conf
SecRuleEngine On

# In REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
SecRule REQUEST_HEADERS:Host "@pmFromFile piratebay-domains.txt" \
    "id:1000,\
    phase:1,\
    deny,\
    status:403,\
    msg:'Blocked Pirate Bay tracker domain',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-reputation',\
    tag:'paranoia-level/1'"
```
Create piratebay-domains.txt containing:

```text
tracker.thepiratebay.org
a.tracker.thepiratebay.org
b.tracker.thepiratebay.org
[... other known TPB tracker subdomains ...]
```
For those without mod_security, consider these options:

```apache
# Apache .htaccess solution
RewriteEngine On
RewriteCond %{HTTP_HOST} ^([a-z0-9]+\.)?tracker\.thepiratebay\.org$ [NC]
RewriteRule ^ - [F,L]
```

```nginx
# Nginx config option
server {
    if ($http_host ~* "^([a-z0-9]+\.)?tracker\.thepiratebay\.org$") {
        return 403;
    }
}
```
Testing showed mod_security adds minimal overhead (2-3ms per request) while saving:
- 95% reduction in unwanted traffic
- Zero false positives for legitimate traffic
- No need for geo-blocking entire countries
Add this to your mod_security config to log attack patterns:

```apache
SecRule REQUEST_HEADERS:Host "@pmFromFile piratebay-domains.txt" \
    "id:1001,\
    phase:1,\
    pass,\
    log,\
    msg:'Pirate Bay tracker attempt from %{REMOTE_ADDR}',\
    tag:'monitor'"
```
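The two matching styles used on this page behave differently on edge cases, and that decides whether a rule fires on real client traffic: `@rx ^...$` is case-sensitive and anchored, so a Host of `A.Tracker.ThePirateBay.org` or `a.tracker.thepiratebay.org:80` slips past it, while `@pmFromFile` is a case-insensitive substring match that also fires on any host merely containing a listed phrase. The following Python script is an added example that emulates both operators (it is not ModSecurity's code) against constructed Host header values, using the page's regex, a constructed stand-in for piratebay-domains.txt, and a hypothetical tightened regex that tolerates case and a port suffix while staying anchored.

```python
import re

# The Host-header regex as written in the rules above (first post id 1001,
# and the .htaccess / nginx variants in the second post)
PAGE_RX = re.compile(r'^([a-z0-9]+\.)?tracker\.thepiratebay\.org$')

# Tightened variant (an assumption, not from the page): case-insensitive,
# permits hyphens in the label and a ":port" suffix, but stays anchored so a
# longer hostname that merely contains the tracker name does not match.
HARDENED_RX = re.compile(r'^([a-z0-9-]+\.)?tracker\.thepiratebay\.org(:\d+)?$',
                         re.IGNORECASE)

# Constructed stand-in for piratebay-domains.txt; the real list is longer
PIRATEBAY_DOMAINS_TXT = """\
# lines starting with # and blank lines are ignored by @pmFromFile
tracker.thepiratebay.org
a.tracker.thepiratebay.org

b.tracker.thepiratebay.org
"""


def load_phrases(text):
    """Read a @pmFromFile list: one phrase per line, comments and blanks skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith('#')]


def op_rx(value, pattern):
    """Emulate @rx: regex search over the raw header value (no transformations)."""
    return pattern.search(value) is not None


def op_pm(value, phrases):
    """Emulate @pm / @pmFromFile: case-insensitive substring match on any phrase."""
    lowered = value.lower()
    return any(p.lower() in lowered for p in phrases)


def evaluate(host):
    """Return which of the three matchers would fire for one Host header value."""
    phrases = load_phrases(PIRATEBAY_DOMAINS_TXT)
    return {
        'page_rx': op_rx(host, PAGE_RX),
        'pmfromfile': op_pm(host, phrases),
        'hardened_rx': op_rx(host, HARDENED_RX),
    }


# Constructed Host values: the plain case plus the edge cases discussed above
SAMPLE_HOSTS = [
    'a.tracker.thepiratebay.org',               # matched by all three
    'A.Tracker.ThePirateBay.org',               # page regex misses (case)
    'a.tracker.thepiratebay.org:80',            # page regex misses (port suffix)
    'tracker.thepiratebay.org.internal.example',  # only @pm fires (substring)
    'www.example.com',                          # legitimate, nothing fires
]

if __name__ == '__main__':
    for h in SAMPLE_HOSTS:
        print(f'{h:45} {evaluate(h)}')
```

In ModSecurity terms, the same effect as `HARDENED_RX` can be had by keeping the page's `@rx` rule and adding `t:lowercase` to its action list and an optional `(:\d+)?` before the `$`; if you rely on `@pmFromFile`, watch the audit log for the substring false-positive case before switching the rule from `pass,log` to `deny`.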