1

I get the following requests from user agent "stagefright" for some MP3 files in the web folder. The IPs happen to be unique but the file names are always repeated (around 15 files are being requested). These mostly come from devices with older Android versions, but now I notice Android 10 as well.

I have blocked access for user agent "stagefright" using .htaccess, but by the time it caught my attention it had consumed a huge amount of bandwidth. I am not bothered by it as it returns 403, but can someone throw some light on these types of requests? This has been ongoing for more than a year now and is unique to only MP3 file requests.

Also, there is a burst of requests in a second for the same file/s multiple times. See log extract below.

84.65.126.81 - - [23/Apr/2020:15:53:37 +0400] "GET /xxx.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
47.184.9.3 - - [23/Apr/2020:15:53:37 +0400] "GET /xxx.mp3 HTTP/1.1" 403 227 "-" "stagefright/1.2 (Linux;Android 8.1.0)"
73.90.23.108 - - [23/Apr/2020:15:53:37 +0400] "GET /SS007.mp3 HTTP/1.1" 403 227 "-" "Samsung SM-T350 stagefright/Beyonce/1.1.9 (Linux;Android 7.1.1)"
47.184.9.3 - - [23/Apr/2020:15:53:37 +0400] "GET /SS043.mp3 HTTP/1.1" 403 227 "-" "stagefright/1.2 (Linux;Android 8.1.0)"
84.65.126.81 - - [23/Apr/2020:15:53:37 +0400] "GET /yyy.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
84.65.126.81 - - [23/Apr/2020:15:53:37 +0400] "GET /yyy.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
47.184.9.3 - - [23/Apr/2020:15:53:37 +0400] "GET /SS043.mp3 HTTP/1.1" 403 227 "-" "stagefright/1.2 (Linux;Android 8.1.0)"
73.90.23.108 - - [23/Apr/2020:15:53:38 +0400] "GET /SS007.mp3 HTTP/1.1" 403 227 "-" "Samsung SM-T350 stagefright/Beyonce/1.1.9 (Linux;Android 7.1.1)"
84.65.126.81 - - [23/Apr/2020:15:53:38 +0400] "GET /yyy.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
47.184.9.3 - - [23/Apr/2020:15:53:38 +0400] "GET /SS043.mp3 HTTP/1.1" 403 227 "-" "stagefright/1.2 (Linux;Android 8.1.0)"
84.65.126.81 - - [23/Apr/2020:15:53:38 +0400] "GET /yyy.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
47.184.9.3 - - [23/Apr/2020:15:53:38 +0400] "GET /SS043.mp3 HTTP/1.1" 403 227 "-" "stagefright/1.2 (Linux;Android 8.1.0)"
84.65.126.81 - - [23/Apr/2020:15:53:38 +0400] "GET /yyy.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
84.65.126.81 - - [23/Apr/2020:15:53:38 +0400] "GET /yyy.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
73.90.23.108 - - [23/Apr/2020:15:53:38 +0400] "GET /SS007.mp3 HTTP/1.1" 403 227 "-" "Samsung SM-T350 stagefright/Beyonce/1.1.9 (Linux;Android 7.1.1)"
47.184.9.3 - - [23/Apr/2020:15:53:38 +0400] "GET /SS043.mp3 HTTP/1.1" 403 227 "-" "stagefright/1.2 (Linux;Android 8.1.0)"
47.184.9.3 - - [23/Apr/2020:15:53:39 +0400] "GET /SS043.mp3 HTTP/1.1" 403 227 "-" "stagefright/1.2 (Linux;Android 8.1.0)"
84.65.126.81 - - [23/Apr/2020:15:53:39 +0400] "GET /yyy.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
84.65.126.81 - - [23/Apr/2020:15:53:39 +0400] "GET /yyy.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
73.90.23.108 - - [23/Apr/2020:15:53:39 +0400] "GET /SS007.mp3 HTTP/1.1" 403 227 "-" "Samsung SM-T350 stagefright/Beyonce/1.1.9 (Linux;Android 7.1.1)"
2
  • this is a security question, it has nothing to do with coding Commented Apr 23, 2020 at 12:07
  • @a_local_nobody I disagree. This relates to Google Chrome's default and natural behaviour regarding the load and playback of embedded MP3 files. It does look like a DDOS attack, however, and I'll give you that.
    – andreszs
    Commented Jan 9, 2021 at 3:52

2 Answers

5

I bumped into these stagefright requests when debugging the serving of audio to the HTML5 player element. This is not an attack, it is an intentional request created by Chrome for Android. Also, this is not to be confused with the Stagefright bug.

According to this site and other sources:

This user agent belongs to stagefright. This Multimedia Player run on Android and it renders web contents with WebKit on general Mobile Phone.

I can confirm that whenever the Chrome-Android browser tries to preload, read metadata or play audio from embedded HTML5 tags, the browser will make a secondary request to the file using this obscure stagefright/1.2 user agent. The request does not include your session cookies, so you can't check if the user is logged in using traditional cookie credentials.

If your server blocks the requests (by sending a non-HTTP 200 response code), Chrome persists and resends the stagefright/1.2 requests several dozen times every few seconds, until it finally gives up. This malware-like behaviour is from Google Chrome for Android, the de-facto universal browser preloaded and shipped in zillions of Android devices every day.

These stagefright requests are quite obscure and documentation about them equals NULL. If someone can provide a link to official documentation from Google/Android Developers, that would be great.

Questions that need answering:

  • Why send this forged user agent instead of the real one?
  • What exactly does it expect to receive?
  • Why doesn't it even include the session cookies?
  • Why is the request hidden from the Developer Tools Network tab? You simply won't find it there.

I can only conclude that in your case, someone is simply trying to serve your MP3 files from other websites using an embedded HTML5 audio tag. This fails for Chrome users due to your blocking policy, but it (surely) succeeds on the rest of the browsers.
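
The retry pattern described in this answer can be measured directly from the access log. The following is an added example, not part of the original answer: it parses Apache combined-format lines and reports each client and file whose rejected stagefright requests repeat within a short window. The sample lines, their addresses, the 5-second window and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined format (documentation-range IPs).
SAMPLE = """\
198.51.100.7 - - [23/Apr/2020:15:53:37 +0400] "GET /a.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
198.51.100.7 - - [23/Apr/2020:15:53:37 +0400] "GET /a.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
198.51.100.7 - - [23/Apr/2020:15:53:38 +0400] "GET /a.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
198.51.100.7 - - [23/Apr/2020:15:53:39 +0400] "GET /a.mp3 HTTP/1.1" 403 221 "-" "stagefright/1.2 (Linux;Android 10)"
203.0.113.9 - - [23/Apr/2020:15:53:38 +0400] "GET /b.mp3 HTTP/1.1" 403 227 "-" "stagefright/1.2 (Linux;Android 8.1.0)"
203.0.113.20 - - [23/Apr/2020:15:53:40 +0400] "GET /a.mp3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Linux; Android 10)"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def retry_bursts(text, window=5, min_hits=3):
    """Map (ip, path) -> peak count of rejected stagefright requests seen
    within `window` seconds, for pairs that reach `min_hits`."""
    stamps = defaultdict(list)
    for rec in parse(text):
        # Assumption: any 4xx/5xx status counts as a rejected request.
        if "stagefright" in rec["ua"].lower() and int(rec["status"]) >= 400:
            stamps[(rec["ip"], rec["path"])].append(rec["ts"])
    bursts = {}
    for key, times in stamps.items():
        times.sort()
        peak, lo = 0, 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_hits:
            bursts[key] = peak
    return bursts

if __name__ == "__main__":
    for (ip, path), peak in sorted(retry_bursts(SAMPLE).items()):
        print(f"{ip} {path}: {peak} rejected requests within 5s")
```

A high peak for one client and file is consistent with the resend-after-rejection behaviour reported above rather than with many independent listeners.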

-2

Could not find the root cause of this incoming traffic but used ModSecurity to block all traffic with stagefright in user-agent

1
  • 1
    Kindly check my answer because this seems to be a symptom of external usage of your hosted MP3 files.
    – andreszs
    Commented Jan 9, 2021 at 3:53
