+ Reply to Thread
Results 1 to 8 of 8

Thread: PSA: public torrents possibly being used for DDoS attacks

  1. #1
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385

    PSA: public torrents possibly being used for DDoS attacks

    Hello everyone,

    I did a packet capture recently, and noticed some evidence of public torrents used to DDoS servers and perhaps individual users through fake peers. Those connections have destination ports 1, 80 and 443 and occur several times a second. The affected servers mostly discard the traffic, but sometimes respond with a HTTP 400 error.

    Therefore, I recommend adding those to your client's port blacklist (bt.no_connect_to_services_list in uTorrent, "ignore peers with these data ports" in BiglyBT); even better, add all ports between 1 and 1024 if possible, since few if any legitimate peers use them. This setting does not affect tracker communication, so there should be no drawbacks. Furthermore, if you don't require Local Peer Discovery or UPnP, adding all private and reserved ranges to your IP filter is also a good idea.

    If you notice any strange tracker URLs, look them up at the following lists and decide for yourself whether they're trustworthy or not.

    https://github.com/ngosang/trackersl.../blacklist.txt
    https://newtrackon.com/
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  2. Who Said Thanks:

    Renk (19.12.20) , vanperkiwer (19.12.20) , Lucius (18.12.20) , moonlite (15.12.20) , sashiagustina (13.12.20) , mmmmm (11.12.20) , AxiomaticDirection (11.12.20) , sigduwksnsksis9283 (10.12.20) , cirulilu (10.12.20)

  3. #2
    whyme's Avatar
    Join Date
    07.07.09
    Location
    sb-innovation
    P2P Client
    sb-innovation
    Posts
    92
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss92
    Thanks for the great post, can you please tell me that how to add blacklist in BiglyBT or where is ignore peers with these data ports in BiglyBtT?
    Reply With QuoteReply With Quote
    Thanks

  4. #3
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Quote Originally Posted by whyme View Post
    where is ignore peers with these data ports in BiglyBtT?
    Tools -> Options -> Transfer -> look at the bottom. The default value is 0. Unlike uTorrent, BiglyBT accepts port ranges, so you can set it to 0;1;80;443 to block only the ports I've seen, or 0-1024 for extra caution.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  5. #4
    Advanced User Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    581
    Activity Longevity
    0/20 19/20
    Today Posts
    0/5 ssssss581
    Quote Originally Posted by anon View Post
    Hello everyone,

    I did a packet capture recently, and noticed some evidence of public torrents used to DDoS servers and perhaps individual users through fake peers. Those connections have destination ports 1, 80 and 443 and occur several times a second. The affected servers mostly discard the traffic, but sometimes respond with a HTTP 400 error.

    Therefore, I recommend adding those to your client's port blacklist (bt.no_connect_to_services_list in uTorrent, "ignore peers with these data ports" in BiglyBT); even better, add all ports between 1 and 1024 if possible, since few if any legitimate peers use them.
    And on qBittorrent, I presume "disallow connection to peer on privileged ports" has to be ticked?


    If you notice any strange tracker URLs, look them up at the following lists and decide for yourself whether they're trustworthy or not.

    https://github.com/ngosang/trackersl.../blacklist.txt

    But how do you blacklist trackers URLs ?
    Last edited by Renk; 19.12.20 at 20:53.
    Primo Avulso Non Deficit Alter
    Reply With QuoteReply With Quote
    Thanks

  6. #5
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Quote Originally Posted by Renk View Post
    And on qBittorrent, I presume "disallow connection to peer on privileged ports" has to be ticked?
    Yes, that blocks all ports below 1024.

    But how do you blacklist trackers URLs ?
    I just add torrents as stopped and remove the "bad" ones (if any) manually before starting. Hosts file blocking is also always an option.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  7. #6
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    A few updates.
    • I removed my recommended public trackers, since turnover on those seems relatively quick. See the first post for a hint on how to avoid bad ones.
    • uTorrent's IP filter does not affect UPnP functionality, so you can block LAN IPs without worrying about this (although manual port forwarding is recommended).
    • Unfortunately, it doesn't affect tracker communication either, so you can't rely on it to block bad trackers.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  8. #7
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Other worthy entries for your port blacklist include: 3128, 6666, 6667, 8080.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  9. Who Said Thanks:

    moonlite (09.09.21)

  10. #8
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Doesn't really fit anywhere else, so let's throw it in here. I recently noticed the following IPs, all belonging to Ziggo in the Netherlands, will mirror any packets you send to them.

    195.35.245.30
    212.178.135.62
    212.178.154.174
    213.34.163.254
    213.34.171.254

    There are a few exceptions. ICMP appears to be always discarded, as are TCP packets with nonsensical flags (e.g. SYN,FIN,PSH). Other than that, attempt a TCP connection on any port and you'll get a split handshake, send any UDP data and it'll be echoed back at you, send a packet of any IP protocol type with any payload and you'll receive it too. The most likely explanation I see is that they're honeypots to attract anyone looking for "interesting" behavior. In theory this could be abused to perform DDoS attacks with spoofed source addresses, but since the reflection exchange rate is exactly 1:1 and these are few hosts with finite bandwidth, they aren't very attractive for the task.

    In any case, worth adding to your IP filter due to the fact no legitimate BitTorrent activity will come from this; nonetheless iknowwhatyoudownload.com assigns laundry lists of downloaded torrents to all five addresses, presumably on the basis of mirroring the DHT packets they receive.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  11. Who Said Thanks:

    BrianBosworth (15.03.22)

+ Reply to Thread

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •