DNS Server Used by HTTP Request – Identifying Misdirected Chinese Traffic

Tags: china, nginx, vpn

For the past week I've been getting a huge stream of traffic from a wide range of Chinese IP addresses. This traffic appears to be from normal people and their HTTP requests indicate that they think I'm:

  • Facebook
  • The Pirate Bay
  • various BitTorrent trackers,
  • porn sites

All of which sounds like things people would use a VPN for. Or things that would make Great Wall of China angry.

User-agents include web browsers, Android, iOS, FBiOSSDK, Bittorrent. The IP addresses are normal commercial Chinese providers.

I have Nginx returning 444 if the host is incorrect or the user agent is obviously wrong:

## Deny illegal Host headers
if ($host !~* ^({{ www_domain }})$ ) {
   return 444;
}
## block bad agents
if ($http_user_agent ~* FBiOSSDK|ExchangeWebServices|Bittorrent) {
    return 444;
}

I can handle the load now, but there were some bursts of up to 2k/minute. I want to find out why they are coming to me and stop it. We also have legitimate CN traffic, so banning 1/6th of planet earth is not an option.

It is possible that it's malicious and even personal, but it may just be a misconfigured DNS over there.

My theory is that it's a misconfigured DNS server or possibly some VPN services that people are using to get around the Great Firewall.

Given a client IP address:

183.36.131.137 - - [05/Jan/2015:04:44:12 -0500] "GET /announce?info_hash=%3E%F3%0B%907%7F%9D%E1%C1%CB%BAiF%D8C%DE%27vG%A9&peer_id=%2DSD0100%2D%96%8B%C0%3B%86n%8El%C5L%11%13&ip=183.36.131.137&port=11794&uploaded=4689970239&downloaded=4689970239&left=0&numwant=200&key=9085&compact=1 HTTP/1.0" 444 0 "-" "Bittorrent"

I can know:

descr:          CHINANET Guangdong province network
descr:          Data Communication Division
descr:          China Telecom

  • How can I find out what DNS server those customers are using?
  • Is there any way to determine if an HTTP request is coming from a VPN?
  • What is really going on here?

Best Answer

There is one theoretical way of determining the DNS resolver of your clients, but it's quite advanced and I don't know any off-the-shelf software that will do that for you. You'll for sure have to run an authoritative DNS server for that in addition to your nginx.

In case the HTTP Host header is incorrect, serve an error document and include a request to a dynamically created, unique FQDN for each and every request, which you log to a database. e.g.

http://e2665feebe35bc97aff1b329c87b87e7.example.com/img.png

As long as China's great firewall doesn't fiddle with that request and the client requests the document from that unique FQDN+URI, each request will result in a new DNS lookup to your authoritative DNS for example.com, where you can log the IP of the DNS resolver and later correlate this with your dynamically generated URIs.
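The beacon-and-correlate scheme described in the answer, written out as an added example (not the answerer's code): a token store that hands each misdirected request its own unique hostname under the zone you are authoritative for, and a correlator that joins your authoritative server's query log back to those tokens to learn which resolver each client is using. The zone name `example.com`, the BIND-style query-log line shape, the resolver addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the log lines themselves are all constructed assumptions for the demo. Because every hostname is unique, caching never hides a lookup; what you see is the address of the last hop that reached you, which for a forwarding resolver chain is the upstream forwarder rather than the resolver the client configured.

```python
import re
import secrets
import sqlite3
import time

# Assumption for this example: the zone whose authoritative server you control.
BEACON_ZONE = "example.com"


def open_store():
    """In-memory SQLite table mapping beacon tokens to the HTTP request that received them."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE beacons (token TEXT PRIMARY KEY, client_ip TEXT, "
        "host_header TEXT, user_agent TEXT, ts REAL)"
    )
    return db


def issue_beacon(db, client_ip, host_header, user_agent, now=None):
    """Record the misdirected request and return the unique image URL to embed in the error page."""
    token = secrets.token_hex(16)  # 32 hex chars, unguessable, one token per request
    db.execute(
        "INSERT INTO beacons VALUES (?,?,?,?,?)",
        (token, client_ip, host_header, user_agent, now or time.time()),
    )
    return f"http://{token}.{BEACON_ZONE}/img.png"


def error_page(beacon_url):
    """Minimal error document that makes the client fetch the beacon (and so resolve its name)."""
    return f'<html><body>Wrong host.<img src="{beacon_url}" width="1" height="1"></body></html>'


# Assumed line shape, modelled on BIND's query log:
#   "... client <resolver-ip>#<port> (<qname>): query: <qname> IN A ..."
QUERY_RE = re.compile(r"client (?P<resolver>[0-9a-fA-F:.]+)#\d+ \((?P<qname>[^)]+)\): query:")


def extract_token(qname):
    """Return the beacon token if qname is <32 hex chars>.<BEACON_ZONE>, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if ".".join(labels[1:]) == BEACON_ZONE and re.fullmatch(r"[0-9a-f]{32}", labels[0]):
        return labels[0]
    return None


def correlate(db, dns_log_lines):
    """Join authoritative query-log lines to issued tokens: client_ip -> set of resolver IPs."""
    result = {}
    for line in dns_log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        token = extract_token(m.group("qname"))
        if token is None:
            continue  # ordinary lookup for the zone, or a name we never issued
        row = db.execute("SELECT client_ip FROM beacons WHERE token=?", (token,)).fetchone()
        if row:
            result.setdefault(row[0], set()).add(m.group("resolver"))
    return result


def demo():
    """End-to-end run on constructed data; returns the client -> resolver mapping."""
    db = open_store()
    url1 = issue_beacon(db, "183.36.131.137", "facebook.com", "Bittorrent")
    url2 = issue_beacon(db, "183.36.131.137", "thepiratebay.se", "Mozilla/5.0")
    url3 = issue_beacon(db, "192.0.2.77", "facebook.com", "FBiOSSDK")
    host = lambda u: u.split("/")[2]
    # Constructed query-log lines, as the authoritative server for example.com might record them.
    lines = [
        f"05-Jan-2015 04:44:13.101 client 203.0.113.53#41022 ({host(url1)}): query: {host(url1)} IN A + (198.51.100.2)",
        f"05-Jan-2015 04:44:13.102 client 203.0.113.53#41023 ({host(url2)}): query: {host(url2)} IN AAAA + (198.51.100.2)",
        f"05-Jan-2015 04:44:14.500 client 198.51.100.9#5301 ({host(url3)}): query: {host(url3)} IN A + (198.51.100.2)",
        "05-Jan-2015 04:44:15.000 client 192.0.2.250#7000 (www.example.com): query: www.example.com IN A + (198.51.100.2)",
        "05-Jan-2015 04:44:16.000 client 192.0.2.251#7001 (ffffffffffffffffffffffffffffffff.example.com): query: x IN A + (198.51.100.2)",
    ]
    return correlate(db, lines)


if __name__ == "__main__":
    print(demo())
```

Wire `issue_beacon` and `error_page` into whatever serves the 444 path today (the error page has to be returned with a 2xx/4xx body rather than 444 for the client to render it), point the zone's NS at a server with query logging on, and run `correlate` over the log periodically. A client that shows up with many different resolver addresses, or with a resolver far from its own network, is the signal the answer is after.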
