Server Abuse/Proxy Abuse — Automated Tunneling (Unique IP's = Hundreds, Thousands of Requests)

Riley Wells asked:

I run a simple Proxy/General-Use website me and a few friends use at kerenua.xyz, however, starting 3~ weeks ago, an enormous amount of traffic started flooding in from hundreds of (unique) IP addresses.

At peak ‘usage’ this traffic amounted to 200 Mbps! Upon analyzing the apache2 access.log it can be seen these requests are done through a web-application hosted on the site called ‘miniProxy’ to sub-domains of ‘akamaihd.net’ (a CDN).

Each and every request is for some kind of .m3u8/.ts file – ‘prog.m3u8’ ‘master_600.m3u8’ ‘master_1200_175739.ts’

Additionally, despite these files having small sizes, each HTTP connection downloads 2-5Mbps for a sustained amount of time. I don’t know how this is possible.

TCPTrack Short Clip: https://files.catbox.moe/b220cv.mp4

Log Snippet:

148.251.126.118 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://tvetcnphiladelph-i.akamaihd.net/hls/live/219798/TCNPhiladelphiax/2596k/prog.m3u8 HTTP/1.1" 403 3986 "-" "Xtream-Codes IPTV Panel Pro" 
58.182.65.81 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://starvijay-i.akamaihd.net/hls/live/569909/starvijay/master_2000.m3u8 HTTP/1.1" 403 914 "-" "ZalTV 1.1.5 (16)"
103.23.34.11 - - [09/Aug/2019:23:57:30 -0400] "GET /zine/mini/miniProxy.php/http://tvegolf-i.Akamaihd.net/hls/live/218225/golfx/4296k/prog.m3u8 HTTP/1.1" 403 914 "-" "ZalTV 1.1.5 (16)"
[UNUSUAL!] 195.181.173.46 - - [10/Aug/2019:00:14:41 -0400] "GET /zine/mini/miniProxy.php/http://live.savitar.tv/Nickelodeon/myStream/playlist.m3u8?wmsAuthSign=c2VydmVyX3RpbWU9OC8xMC8yMDE5IDQ6MTM6NTUgQU0maGFzaF92YWx1ZT1DcG0zeEJPaGtTMnZRN1JIcmc4SHNBPT0mdmFsaWRtaW51dGVzPTM2MCZpZD0w HTTP/1.1" 403 3772 "-" "Flussonic 19.06.1"

.m3u8 / .ts files:

[Most Common] prog.m3u8 : https://files.catbox.moe/2xzqv2.m3u8
[golf??] segment_156540690.ts : https://files.catbox.moe/qboiod.ts
master_600.m3u8 : https://files.catbox.moe/z80aa9.m3u8
playlist.m3u8 : https://files.catbox.moe/3rz6dx.m3u8

How are they doing this, why are they doing this?

I’m hoping someone can help me, as I truly lack understanding and control of the situation.

My answer:


Someone (you, I would guess) put an open proxy server up on your web site, and others on the Internet discovered it and began to abuse it. It appears they still are abusing it. As of this writing, the open proxy appears to still be active; it allowed me to access Google’s homepage.

To solve the problem, remove the open proxy server or place access control on it.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.