I'm on a WinXP SP2 PC with Apache 2.2.6 + PHP5 + MySQL5 installed. I don't have any BitTorrent s/w installed.
For the last couple of days I'm continuously getting weird requests, as seen in my Apache access.log file.
217.***.144.127 - - [08/Jan/2008:18:58:49 +0530] "\x13BitTorrent protocol" 400 226
212.**.160.242 - - [08/Jan/2008:18:59:11 +0530] "\x13BitTorrent protocolexproto" 400 226
219.**.214.60 - - [08/Jan/2008:18:59:50 +0530] "\x13BitTorrent protocol" 400 226
201.**.81.250 - - [08/Jan/2008:19:00:07 +0530] "1\xfb\xee\xf6h\xe8\xbf\x05\xe3\xe8^:\x9d\x9a)N\xab\xd3\xec^(\x03\x13\xad\x81B\xcf\xa1\xb4\xb3
\xd0W\x9b\xb1\x9b\xd6=\xfcx\x07\x02\xdbt\\\xea\xb5\xb6B\xf0\x1a\x7f\xf3\xce\xa4\xa3\xea1\xccg
\xbe\xbb\x14\xaaf\x18*M\x01\xd2\xd0{J\x8a\xe8\x1f\x9b9\x80\x89\xb3\x82\x15\x83\xb6*" 200 -
88.***.102.8 - - [08/Jan/2008:19:00:11 +0530] "\x13BitTorrent protocol" 400 226
81.***.227.160 - - [08/Jan/2008:19:00:28 +0530] "\x13BitTorrent protocol" 400 226
83.***.172.6 - - [08/Jan/2008:19:00:28 +0530] "\x13BitTorrent protocol" 400 226
219.**.168.110 - - [08/Jan/2008:19:00:29 +0530] "\x13BitTorrent protocol" 400 226
82.***.200.225 - - [08/Jan/2008:19:00:39 +0530] "\x13BitTorrent protocol" 400 226
Obviously (somehow!) my PC's IP has been flagged as one for file-sharing.
Is there any way to prevent this at the Apache level?
Thanks
[edited by: jdMorgan at 1:40 am (utc) on Jan. 9, 2008]
[edit reason] Obscured/snipped IPs, fixed side-scroll [/edit]
Practically speaking it is already prevented; as you can see, your Apache replies with a bad request error (400), which means that the request did not succeed. There's no better way to prevent this.
If you have a dynamic IP address, it is likely that someone who had the IP address before you was using torrent, and this is a kind of heritage, which will go away with time.
If you have a dynamic ip address, it is likely that someone before you got the ip address were using torrent, and this is a kind of heritage, which will go away with time.
1. But ... my LAN IP is static (obviously), and I was wondering if it's possible for someone to send a request to 10.12.xx.xx? I'm a home user, not in a network.
Chances are slim, but is such a thing possible with sockets?
On a 256 kbps connection these are like DoS attacks; my speed has gone down.
2. Some of the requests are getting 200 from my Apache!
64.**.57.129 - - [08/Jan/2008:18:01:24 +0530] "Z" 200 -
201.**.54.97 - - [08/Jan/2008:18:02:53 +0530] "v\xca\x82\x1ea\x83\xbd\xf5p\xd7\xf3\x8c\xab\xbe\xa7\xf0\xd2\x12" 200 -
How on earth are these two being sent a 200?
I don't have folders named v or Z.
[edited by: jdMorgan at 7:50 pm (utc) on Jan. 8, 2008]
[edit reason] Obscured IP addresses [/edit]
Not sure why those two requests received a 200 status code, but in my opinion you can safely ignore such requests, mainly because they are not standard HTTP requests (1), so there's no harm they can do. A good place to look for more details about similar problems/requests is the Apache error log, which is usually created in the same folder as the access log.
(1) A valid HTTP request always looks like this:
<method> <URL> <http_version>(CRLF)
<header 1>(CRLF)
<header 2>(CRLF)
<header n>(CRLF)
(CRLF)
The first line is the request itself: it gives the method used (GET, POST, HEAD, ...), followed by the URL (/your_path/your_file), closed by the HTTP protocol version, which always looks like this (in the case of version 1.1, which has been the latest for many years): HTTP/1.1. The first line (request) is mandatory and must always be included using this syntax, but the headers are optional (except the "Host" header, which is also mandatory in HTTP 1.1). The last CRLF is also mandatory; it indicates the end of the headers (or of the request if there's no content).
So "GET /asd/asd HTTP/1.1" is a valid HTTP request, but "/asd/asd" or "\x13BitTorrent protocol" is not.
What I wanted to say is: when you see lines in your Apache access log which do not start with GET, POST or any of the other allowed methods, then you can safely ignore that line; one way or another, it was refused by your Apache.
If you want to read more about the HTTP protocol, I'd suggest checking the corresponding RFC [rfc-editor.org].
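As an added illustration of the point made above (this is example code, not something the poster wrote or anything shipped with Apache): a small Python script that parses access.log lines in Apache's common log format, decodes the \xHH escapes Apache uses when it writes non-printable bytes to the log, and sorts each request line into "valid HTTP" (method, URL, HTTP/x.y), "BitTorrent handshake" (the leading \x13 is the length prefix 19 of the string "BitTorrent protocol", which is how a BitTorrent peer opens a connection) or "other non-HTTP". It then lists any non-HTTP lines that were nevertheless answered with a 2xx status, which is the thing the original poster is asking about. The log lines embedded in the script are constructed for the example, with addresses from documentation ranges.

```python
import re
from collections import Counter

# Methods a well-formed request line may start with; anything else in the
# first token means the connection was not speaking HTTP at all.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Apache common log format: host ident user [time] "request" status bytes.
# Apache escapes non-printable bytes in the request field as \xHH (and a
# literal backslash or quote as \\ or \"), so the quoted string is matched as
# a run of ordinary characters or backslash-escape pairs. No trailing anchor,
# so combined-format lines with referer/user-agent fields still parse.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A well-formed request line: <method> <URL> HTTP/<major>.<minor>
REQUEST_LINE_RE = re.compile(r'^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$')

# First 20 bytes of a BitTorrent peer handshake: one length byte (19)
# followed by the 19-byte protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def unescape(field: str) -> bytes:
    """Turn Apache's escaped request field back into the raw bytes it received."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            if nxt == "x" and i + 3 < len(field):
                out.append(int(field[i + 2:i + 4], 16))  # \xHH -> one byte
                i += 4
                continue
            out.append(ord(nxt))  # \\ or \" -> the literal character
            i += 2
            continue
        out.extend(c.encode("latin-1", "replace"))
        i += 1
    return bytes(out)


def classify(request: str) -> str:
    """Label a logged request line: 'http', 'bittorrent' or 'non-http'."""
    m = REQUEST_LINE_RE.match(request)
    if m and m.group(1) in HTTP_METHODS:
        return "http"
    if unescape(request).startswith(BT_HANDSHAKE):
        return "bittorrent"
    return "non-http"


def summarize(lines):
    """Return (counts per class, non-HTTP lines answered 2xx, unparsable line count)."""
    counts = Counter()
    answered_2xx = []
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        kind = classify(m.group("request"))
        counts[kind] += 1
        # A request that is not HTTP yet got a success status is worth a look
        # in the error log; a 400 means Apache already rejected it.
        if kind != "http" and m.group("status").startswith("2"):
            answered_2xx.append((m.group("host"), m.group("request"), m.group("status")))
    return counts, answered_2xx, unparsed


# Constructed sample log, modelled on the lines quoted in the thread.
# Addresses are from documentation/private ranges, not real clients.
SAMPLE_LOG = [
    '192.0.2.1 - - [08/Jan/2008:18:58:49 +0530] "\\x13BitTorrent protocol" 400 226',
    '192.0.2.2 - - [08/Jan/2008:18:59:11 +0530] "\\x13BitTorrent protocolexproto" 400 226',
    '192.0.2.3 - - [08/Jan/2008:18:01:24 +0530] "Z" 200 -',
    '192.0.2.4 - - [08/Jan/2008:18:02:53 +0530] "v\\xca\\x82\\x1ea\\x83\\xbd\\xf5p" 200 -',
    '10.12.0.5 - - [09/Jan/2008:11:28:37 +0530] "OPTIONS / HTTP/1.1" 200 -',
    '10.12.0.6 - - [09/Jan/2008:11:30:00 +0530] "GET /index.php HTTP/1.1" 200 1532',
    '10.12.0.7 - - [09/Jan/2008:11:31:00 +0530] "/asd/asd" 400 226',
]

if __name__ == "__main__":
    counts, flagged, unparsed = summarize(SAMPLE_LOG)
    print(dict(counts), "unparsed:", unparsed)
    for host, req, status in flagged:
        print(f"non-HTTP request answered {status} from {host}: {req!r}")
```

Run against a real access.log with `summarize(open("access.log"))`; the 400s confirm Apache refused the connection, and the list of 2xx non-HTTP lines is the set to cross-check against the error log, as the reply above suggests.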
10.12.#*$!.133 - - [09/Jan/2008:11:28:37 +0530] "OPTIONS / HTTP/1.1" 200 -
And most of the time it's from the same IP.
Is it possible that that IP's PC has BitTorrent s/w which gets a 200 response after requesting OPTIONS, and therefore flags my internet IP as a BitTorrent IP?
I suspect that you're not clear on the difference between your WAN address (assigned by your ISP) and your LAN addresses, assigned by you (or by your router if you use DHCP). You might want to consider doing a bit of network configuration research to get comfortable with how this works.
Jim