Recently, several sites have noticed DDoS attacks from torrent clients in China. These attacks are not originating in the torrent ecosystem, but are caused by DNS servers returning incorrect IP addresses for well-known BitTorrent trackers.
While the identity of the perpetrators and the motivation remain unclear, we here at BitTorrent would like to share some of our expertise that may help website operators mitigate these attacks.
Torrent Trackers work similarly to a normal HTTP server, but in a more limited fashion. Torrent clients contact the server, and ask it information about the torrent and the swarm.
Because of this, the misdirected torrent clients will contact the victim HTTP server, and see what looks like a valid HTTP response (although not a valid “scrape reply”).
If you follow the link to Jamie’s blog, you will notice that that he suggests a configuration change for Apache similar to the one below:
<Location ~ "^/announc">
ErrorDocument 410 "d14:failure reason13:not a tracker8:retry in5:nevere"
[Credit Jamie Zawinski]
In our example above, we’ve changed the response code from 404 to 410. uTorrent, Bittorrent, and torrent clients based on the excellent libtorrent library will interpret this HTTP response code as “do not attempt to contact this tracker again”. That will cause the request traffic to fall off much faster.