
Thread: PSA: public torrents possibly being used for DDoS attacks

  1. #1
    Moderator anon

    PSA: public torrents possibly being used for DDoS attacks

    Hello everyone,

    I did a packet capture recently, and noticed some evidence of public torrents used to DDoS servers and perhaps individual users through fake peers. Those connections have destination ports 1, 80 and 443 and occur several times a second. The affected servers mostly discard the traffic, but sometimes respond with an HTTP 400 error.

    Therefore, I recommend adding those to your client's port blacklist (bt.no_connect_to_services_list in uTorrent, "ignore peers with these data ports" in BiglyBT); even better, add all ports between 1 and 1024 if possible, since few if any legitimate peers use them. This setting does not affect tracker communication, so there should be no drawbacks. Furthermore, if you don't require Local Peer Discovery or UPnP, adding all private and reserved ranges to your IP filter is also a good idea.

    If you notice any strange tracker URLs, look them up at the following lists and decide for yourself whether they're trustworthy or not.

    https://github.com/ngosang/trackersl.../blacklist.txt
    https://newtrackon.com/
    "I just remembered something that happened a long time ago."

  3. #2
    whyme
    Thanks for the great post. Can you please tell me how to add the blacklist in BiglyBT, or where "ignore peers with these data ports" is in BiglyBT?

  4. #3
    Moderator anon
    Originally posted by whyme:
    where is ignore peers with these data ports in BiglyBT?

    Tools -> Options -> Transfer -> look at the bottom. The default value is 0. Unlike uTorrent, BiglyBT accepts port ranges, so you can set it to 0;1;80;443 to block only the ports I've seen, or 0-1024 for extra caution.
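
The port and address filtering recommended in posts #1 and #3, applied to a tracker's compact peer list (BEP 23), as an added example that is not part of the original thread or any client's code. `parse_port_spec`, `decode_compact_peers`, `filter_peers`, the `FILTERED_NETS` subset and the sample peers are assumptions made up for illustration; the list syntax mirrors the `0;1;80;443` and `0-1024` values quoted above.

```python
import ipaddress
import struct

# Illustrative subset of private/reserved IPv4 ranges (an assumption; extend as needed).
FILTERED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def parse_port_spec(spec):
    """Expand a list such as '0;1;80;443' or '0-1024' into a set of ports."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(";"))):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port or range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def decode_compact_peers(blob):
    """Decode a BEP 23 compact IPv4 peer list: 4-byte address + 2-byte port each."""
    if len(blob) % 6:
        raise ValueError("compact peer list must be a multiple of 6 bytes")
    return [(ipaddress.IPv4Address(blob[i:i + 4]),
             struct.unpack("!H", blob[i + 4:i + 6])[0])
            for i in range(0, len(blob), 6)]

def filter_peers(peers, blocked_ports, filter_lan=True):
    """Split peers into (kept, dropped-with-reason); port check runs first."""
    kept, dropped = [], []
    for ip, port in peers:
        if port in blocked_ports:
            dropped.append((str(ip), port, "blocked port"))
        elif filter_lan and any(ip in net for net in FILTERED_NETS):
            dropped.append((str(ip), port, "private/reserved address"))
        else:
            kept.append((str(ip), port))
    return kept, dropped

# Constructed sample: RFC 5737 documentation addresses stand in for public hosts.
SAMPLE = b"".join(ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
                  for ip, port in [("198.51.100.7", 51413), ("203.0.113.9", 80),
                                   ("203.0.113.9", 443), ("192.168.1.10", 6881),
                                   ("198.51.100.20", 1)])

if __name__ == "__main__":
    kept, dropped = filter_peers(decode_compact_peers(SAMPLE), parse_port_spec("0-1024"))
    print("kept:", kept)
    for entry in dropped:
        print("dropped:", entry)
```
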

  5. #4
    Advanced User Renk
    Originally posted by anon:
    Hello everyone,

    I did a packet capture recently, and noticed some evidence of public torrents used to DDoS servers and perhaps individual users through fake peers. Those connections have destination ports 1, 80 and 443 and occur several times a second. The affected servers mostly discard the traffic, but sometimes respond with an HTTP 400 error.

    Therefore, I recommend adding those to your client's port blacklist (bt.no_connect_to_services_list in uTorrent, "ignore peers with these data ports" in BiglyBT); even better, add all ports between 1 and 1024 if possible, since few if any legitimate peers use them.

    And on qBittorrent, I presume "disallow connection to peer on privileged ports" has to be ticked?

    Originally posted by anon:
    If you notice any strange tracker URLs, look them up at the following lists and decide for yourself whether they're trustworthy or not.

    https://github.com/ngosang/trackersl.../blacklist.txt

    But how do you blacklist tracker URLs?
    Last edited by Renk; 19.12.20 at 19:53.
    Primo Avulso Non Deficit Alter

  6. #5
    Moderator anon
    Originally posted by Renk:
    And on qBittorrent, I presume "disallow connection to peer on privileged ports" has to be ticked?

    Yes, that blocks all ports below 1024.

    Originally posted by Renk:
    But how do you blacklist tracker URLs?

    I just add torrents as stopped and remove the "bad" ones (if any) manually before starting. Hosts file blocking is also always an option.

  7. #6
    Moderator anon
    A few updates.
    • I removed my recommended public trackers, since turnover on those seems relatively quick. See the first post for a hint on how to avoid bad ones.
    • uTorrent's IP filter does not affect UPnP functionality, so you can block LAN IPs without worrying about this (although manual port forwarding is recommended).
    • Unfortunately, it doesn't affect tracker communication either, so you can't rely on it to block bad trackers.

  8. #7
    Moderator anon
    Other worthy entries for your port blacklist include: 3128, 6666, 6667, 8080.
