I run a simple proxy/general-use website at kerenua.xyz that a few friends and I use; however, starting ~3 weeks ago, an enormous amount of traffic started flooding in from hundreds of (unique) IP addresses.

At peak 'usage' this traffic amounted to 200 Mbps! Upon analyzing the apache2 access.log, it can be seen that these requests are made through a web application hosted on the site called 'miniProxy' to subdomains of 'akamaihd.net' (a CDN).

Each and every request is for some kind of .m3u8/.ts file: 'prog.m3u8', 'master_600.m3u8', 'master_1200_175739.ts'.

Additionally, despite these files being small, each HTTP connection downloads at 2-5 Mbps for a sustained amount of time. I don't know how this is possible.

TCPTrack Short Clip: https://files.catbox.moe/b220cv.mp4

Log Snippet:

148.251.126.118 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://tvetcnphiladelph-i.akamaihd.net/hls/live/219798/TCNPhiladelphiax/2596k/prog.m3u8 HTTP/1.1" 403 3986 "-" "Xtream-Codes IPTV Panel Pro" 
58.182.65.81 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://starvijay-i.akamaihd.net/hls/live/569909/starvijay/master_2000.m3u8 HTTP/1.1" 403 914 "-" "ZalTV 1.1.5 (16)"
103.23.34.11 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://tvegolf-i.Akamaihd.net/hls/live/218225/golfx/4296k/prog.m3u8 HTTP/1.1" 403 914 "-" "ZalTV 1.1.5 (16)"
[UNUSUAL!] 195.181.173.46 - - [10/Aug/2019:00:14:41 -0400] "GET /zine/mini/miniProxy.php/http://live.savitar.tv/Nickelodeon/myStream/playlist.m3u8?wmsAuthSign=c2VydmVyX3RpbWU9OC8xMC8yMDE5IDQ6MTM6NTUgQU0maGFzaF92YWx1ZT1DcG0zeEJPaGtTMnZRN1JIcmc4SHNBPT0mdmFsaWRtaW51dGVzPTM2MCZpZD0w HTTP/1.1" 403 3772 "-" "Flussonic 19.06.1"

.m3u8 / .ts files:

[Most Common] prog.m3u8 : https://files.catbox.moe/2xzqv2.m3u8
[golf??] segment_156540690.ts : https://files.catbox.moe/qboiod.ts
master_600.m3u8 : https://files.catbox.moe/z80aa9.m3u8
playlist.m3u8 : https://files.catbox.moe/3rz6dx.m3u8

How are they doing this, why are they doing this?

I'm hoping someone can help me, as I truly lack understanding and control of the situation.

EDIT: I am still unsure as to the true nature of this abuse, or how and why it works beyond that it involves IPTV. I will be taking preventive measures against it (file extension blacklist?).

  • Seems like this may have something to do with IPTV? https://gist.github.com/onigetoc/8ed7263e644b7d121d0275c805f1ee4a – Riley Wells Aug 10 '19 at 06:05
  • Probably because whoever first found your open proxy happens to watch pirated TV shows, and shared it in a group of people who also watch pirated TV shows. Preventative measures are requiring authentication to use the proxy. That's all. Simply ignoring this fact, as you've done several times now, won't change it. If you leave it open, it will just be shared even more widely, and discovered independently by others, until you have no bandwidth left for yourself. – Michael Hampton Aug 10 '19 at 18:54
  • It is not a "group of users", it's an automated system doing things I still don't understand -- I'm unable to even use the files being streamed/downloaded. I am not ignoring anything, and you overstep in your rudeness while under-stepping in addressing the real question. – Riley Wells Aug 11 '19 at 05:11
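The log lines quoted in the question are enough to confirm the pattern by hand, but on a live access.log you want the tally scripted. The following is an added example, not code from the question or from miniProxy: it rebuilds the four quoted lines as a constructed sample file and runs the checks a practitioner would run on the real log, i.e. how many requests went through miniProxy.php, from how many distinct client IPs, which user agents sent them, which target domains they fetched, and how many were HLS playlists or segments. On the "small files, sustained 2-5 Mbps" puzzle: an HLS player re-fetches the small .m3u8 playlist every few seconds and then downloads every .ts segment it lists, so the proxy relays the whole stream continuously; the `2596k` and `4296k` path components are the conventional naming for the variant bitrate in kbit/s, which is consistent with the per-connection rate the question reports.

```shell
#!/bin/sh
# Added example, not part of the original question: triage an Apache "combined"
# access.log for open-proxy abuse.  The sample file below is constructed from the
# four log lines quoted in the question (the poster's "[UNUSUAL!]" tag dropped so
# the lines parse as Apache wrote them).  Point LOG at /var/log/apache2/access.log
# to run it for real.
set -eu

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
148.251.126.118 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://tvetcnphiladelph-i.akamaihd.net/hls/live/219798/TCNPhiladelphiax/2596k/prog.m3u8 HTTP/1.1" 403 3986 "-" "Xtream-Codes IPTV Panel Pro"
58.182.65.81 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://starvijay-i.akamaihd.net/hls/live/569909/starvijay/master_2000.m3u8 HTTP/1.1" 403 914 "-" "ZalTV 1.1.5 (16)"
103.23.34.11 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://tvegolf-i.Akamaihd.net/hls/live/218225/golfx/4296k/prog.m3u8 HTTP/1.1" 403 914 "-" "ZalTV 1.1.5 (16)"
195.181.173.46 - - [10/Aug/2019:00:14:41 -0400] "GET /zine/mini/miniProxy.php/http://live.savitar.tv/Nickelodeon/myStream/playlist.m3u8?wmsAuthSign=c2VydmVyX3RpbWU9OC8xMC8yMDE5IDQ6MTM6NTUgQU0maGFzaF92YWx1ZT1DcG0zeEJPaGtTMnZRN1JIcmc4SHNBPT0mdmFsaWRtaW51dGVzPTM2MCZpZD0w HTTP/1.1" 403 3772 "-" "Flussonic 19.06.1"
EOF

# Splitting a combined-format line on double quotes gives:
#   $1 = 'ip - - [time] ', $2 = 'METHOD /path HTTP/x', $3 = ' status bytes ',
#   $4 = referer, $6 = user agent.
# Only lines that went through the proxy script matter: each of those costs an
# upstream fetch plus the download to the client.
proxy_lines() { awk -F'"' '$2 ~ /miniProxy\.php\//' "$1"; }

# Tally helper: prints "count<TAB>key", most frequent first.
tally() { awk '{ c[$0]++ } END { for (k in c) print c[k] "\t" k }' | sort -rn; }

proxy_hits()     { proxy_lines "$1" | awk 'END { print NR }'; }
unique_clients() { proxy_lines "$1" | awk '{ print $1 }' | sort -u | awk 'END { print NR }'; }
by_agent()       { proxy_lines "$1" | awk -F'"' '{ print $6 }' | tally; }
# Status is what the proxy script returned to the client; a 403 may be
# miniProxy's own or relayed from the upstream, so count requests, not 200s.
by_status()      { proxy_lines "$1" | awk -F'"' '{ split($3, s, " "); print s[1] }' | tally; }

# Proxied target host = first label after "miniProxy.php/http(s)://"; collapse
# to the last two DNS labels so every akamaihd.net edge host counts together.
by_target_domain() {
  proxy_lines "$1" | awk -F'"' '{ print $2 }' \
    | sed -n 's#.*miniProxy\.php/http[s]*://\([^/ ?]*\).*#\1#p' \
    | tr 'A-Z' 'a-z' \
    | awk -F. '{ print $(NF-1) "." $NF }' \
    | tally
}

# HLS traffic: the player re-fetches the small .m3u8 playlist every few seconds
# and downloads every .ts segment it lists, so the request rate, not the size of
# any one file, drives the bandwidth.  The extension is taken from the target
# path with the query string removed.
stream_requests() {
  proxy_lines "$1" | awk -F'"' '{ split($2, r, " "); p = r[2]; sub(/\?.*/, "", p)
                                  if (p ~ /\.(m3u8|ts)$/) n++ } END { print n + 0 }'
}

printf 'proxy requests: %s from %s unique client IPs\n' "$(proxy_hits "$LOG")" "$(unique_clients "$LOG")"
printf 'HLS (.m3u8/.ts) requests: %s\n' "$(stream_requests "$LOG")"
echo '--- by user agent';    by_agent "$LOG"
echo '--- by target domain'; by_target_domain "$LOG"
echo '--- by status';        by_status "$LOG"
```

On the four sample lines this reports 4 proxy requests from 4 client IPs, all 4 for HLS files, with `ZalTV 1.1.5 (16)` the most common agent and `akamaihd.net` the most common target domain; on a real log the same functions show whether the abusers are a handful of panels with many viewers behind them or hundreds of independent players.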

1 Answer

Someone (you, I would guess) put an open proxy server up on your web site, and others on the Internet discovered it and began to abuse it. It appears they still are abusing it. As of this writing, the open proxy appears to still be active; it allowed me to access Google's homepage.

To solve the problem, remove the open proxy server or place access control on it.

Michael Hampton
  • 'Someone' is me; the server features multiple proxy web applications for legitimate usage. I would prefer not to remove them unless needed, perhaps some method of hindering abuse such as this is possible. Currently, I am looking for more information as to how the abuse is taking place in the first place and why. – Riley Wells Aug 10 '19 at 06:19
  • @RileyWells Because you're on the Internet, and everything that's on a public web site gets found eventually. Because malicious actors automated searches for vulnerable stuff like yours and just let their bots find them. Put a password on it. – Michael Hampton Aug 10 '19 at 06:58
  • If you want to proxy that, set up nginx as a reverse proxy, or if you need a regular proxy use Squid; remember that you can be punished by law if someone is doing bad things with your server. – djdomi Aug 10 '19 at 15:53
  • I haven't gotten any complaints yet, and U.S. code (47 USC § 230) offers decent protection to operators of this kind of thing -- however, you are right that there is some (minimal) risk involved. – Riley Wells Aug 10 '19 at 17:15
  • Clearly you've never had a front porch full of federal agents. I have. It does not make for a pleasant day. I should also note that before they figure out that it was someone else, they will have issued a search warrant and seized anything vaguely electronic that you own, and kept it for months... – Michael Hampton Aug 10 '19 at 17:26
  • I have not, but I will keep it in mind and appreciate your advice. Since these are web proxies, my risk is somewhat lessened compared to a full-fledged VPN. Additionally, I host in the cloud, and furthermore, most issues are copyright related and thus a civil court issue. I plan to update the website with a Privacy Policy / Terms of Use. – Riley Wells Aug 10 '19 at 18:22
  • But still not make people use a password to use the proxy? Well, it's your bandwidth to pay for, I guess... – Michael Hampton Aug 10 '19 at 18:51
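The access control the answer and the comments recommend, as an added example that is not the answer's own code and not part of miniProxy: an `.htaccess` that puts HTTP Basic authentication on the directory holding miniProxy.php, plus a mod_rewrite rule that refuses HLS playlist and segment targets even to authenticated users. The directory `/zine/mini/` and the user name are taken from the question's log paths and are placeholders otherwise; the example assumes Apache 2.4 with mod_authn_file, mod_authz_user and mod_rewrite loaded and `AllowOverride AuthConfig FileInfo` set for the document root, and Basic auth only protects anything if the site is served over HTTPS. The extension rule is deliberately second: on its own it is the "file extension blacklist" the question's edit considers, and it stops only this particular use of the proxy, not the next one.

```shell
#!/bin/sh
# Added example (not from the answer, and not part of the miniProxy project):
# put HTTP Basic authentication on the directory that holds miniProxy.php so the
# proxy can no longer be driven anonymously.  Assumes Apache 2.4 with
# mod_authn_file, mod_authz_user and mod_rewrite loaded, and
# "AllowOverride AuthConfig FileInfo" for the document root so this .htaccess
# is honoured.  Directory and user names are placeholders.
set -eu

# Create (or overwrite) the password file.  Prefers htpasswd from apache2-utils
# (bcrypt); falls back to openssl's Apache-compatible apr1 MD5 hash.
make_htpasswd() {                       # make_htpasswd FILE USER PASSWORD
  file=$1; user=$2; pass=$3
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -cbB "$file" "$user" "$pass" >/dev/null 2>&1
  elif command -v openssl >/dev/null 2>&1; then
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" > "$file"
  else
    echo 'need htpasswd (apache2-utils) or openssl' >&2; return 1
  fi
  chmod 640 "$file"
}

# Write the .htaccess for the proxy directory and print its path.
# PASSWD_FILE must live outside the document root.
write_proxy_lockdown() {                # write_proxy_lockdown DIR PASSWD_FILE
  dir=$1; passwd=$2
  cat > "$dir/.htaccess" <<EOF
# Everything in this directory (miniProxy.php included) now requires a login.
# For a fixed set of friends, "Require ip 203.0.113.0/24" is an alternative.
AuthType Basic
AuthName "Private proxy"
AuthUserFile $passwd
Require valid-user

# Belt and braces: refuse HLS playlists/segments through the proxy even for a
# logged-in user.  An extension blacklist on its own is NOT a fix (the targets
# and names are the abuser's choice); it only removes the one use case that was
# eating the bandwidth, so keep the auth above as the real control.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/zine/mini/miniProxy\.php/ [NC]
RewriteCond %{REQUEST_URI} \.(m3u8|ts)$ [NC]
RewriteRule .* - [F]
EOF
  printf '%s\n' "$dir/.htaccess"
}

# Demo against a scratch directory; for real use point at the web root's
# /zine/mini directory and run "apachectl configtest" afterwards.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_htpasswd "$DEMO/htpasswd" friend 'change-me' || echo 'skipping password file' >&2
HT=$(write_proxy_lockdown "$DEMO" "$DEMO/htpasswd")
cat "$HT"
```

After installing the file, a request such as the question's `GET /zine/mini/miniProxy.php/http://.../prog.m3u8` gets a 401 without credentials and a 403 with them, and the proxy's own fetch never happens in either case, which is what actually frees the bandwidth.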