The server is receiving repeated connections which are like DOS attempts which seem to be generated from some exploit, possibly Android Stagefright, blocking IP addresses does not seem to help as new IPs appear everyday, this is resulting in heavy use of bandwidth. See sample logs below. Please advise how such connections can be blocked based on user agent or any other way. (i have disabled the access to the audio folder and hence the connections are now returning 404, else my bandwidth was being utilised)
115.186.117.36 - - [25/Jun/2019:16:15:05 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:05 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:06 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:07 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:07 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:08 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:09 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:09 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:10 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
115.186.117.36 - - [25/Jun/2019:16:15:11 +0400] "GET /audio/file.mp3 HTTP/1.1" 404 - "-" "stagefright/1.2 (Linux;Android 9)"
How to block stagefright DOS attack based on agent type
Re: How to block stagefright DOS attack based on agent type
Used the following mod_security rule to block, successful
SecRule REQUEST_HEADERS:User-Agent "@rx (?:stagefright)" "msg:'stagefright blocked',phase:1,log,id:7777771,t:none,block,status:403"
I use Cpanel so it was easy to do it in WHM-Security Center - ModSecurity™ Tools - Add Rule.
Also added .htaccess rule
# BLOCK USER AGENTS
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} stagefright [NC]
RewriteRule !^robots\.txt$ - [F]
SecRule REQUEST_HEADERS:User-Agent "@rx (?:stagefright)" "msg:'stagefright blocked',phase:1,log,id:7777771,t:none,block,status:403"
I use Cpanel so it was easy to do it in WHM-Security Center - ModSecurity™ Tools - Add Rule.
Also added .htaccess rule
# BLOCK USER AGENTS
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} stagefright [NC]
RewriteRule !^robots\.txt$ - [F]