PSA: public torrents possibly being used for DDoS attacks

[anon]

Hello everyone,

I did a packet capture recently, and noticed some evidence of public torrents used to DDoS servers and perhaps individual users through fake peers. Those connections have destination ports 1, 80 and 443 and occur several times a second. The affected servers mostly discard the traffic, but sometimes respond with a HTTP 400 error.

Therefore, I recommend adding those to your client's port blacklist (bt.no_connect_to_services_list in uTorrent, "ignore peers with these data ports" in BiglyBT); even better, add all ports between 1 and 1024 if possible, since few if any legitimate peers use them. This setting does not affect tracker communication, so there should be no drawbacks. Furthermore, if you don't require Local Peer Discovery or UPnP, adding all private and reserved ranges to your IP filter is also a good idea.

If you notice any strange tracker URLs, look them up at the following lists and decide for yourself whether they're trustworthy or not.

https://github.com/ngosang/trackersl.../blacklist.txt
https://newtrackon.com/

[whyme]

Thanks for the great post, can you please tell me that how to add blacklist in BiglyBT or where is ignore peers with these data ports in BiglyBtT?

[anon]

where is ignore peers with these data ports in BiglyBtT?

Tools -> Options -> Transfer -> look at the bottom. The default value is 0. Unlike uTorrent, BiglyBT accepts port ranges, so you can set it to 0;1;80;443 to block only the ports I've seen, or 0-1024 for extra caution.

[Renk]

Hello everyone,

I did a packet capture recently, and noticed some evidence of public torrents used to DDoS servers and perhaps individual users through fake peers. Those connections have destination ports 1, 80 and 443 and occur several times a second. The affected servers mostly discard the traffic, but sometimes respond with a HTTP 400 error.

Therefore, I recommend adding those to your client's port blacklist (bt.no_connect_to_services_list in uTorrent, "ignore peers with these data ports" in BiglyBT); even better, add all ports between 1 and 1024 if possible, since few if any legitimate peers use them.

And on qBittorrent, I presume "disallow connection to peer on privileged ports" has to be ticked?

If you notice any strange tracker URLs, look them up at the following lists and decide for yourself whether they're trustworthy or not.

https://github.com/ngosang/trackersl.../blacklist.txt

But how do you blacklist trackers URLs ?

[anon]

And on qBittorrent, I presume "disallow connection to peer on privileged ports" has to be ticked?

Yes, that blocks all ports below 1024.

But how do you blacklist trackers URLs ?

I just add torrents as stopped and remove the "bad" ones (if any) manually before starting. Hosts file blocking is also always an option.

[anon]

A few updates.

• I removed my recommended public trackers, since turnover on those seems relatively quick. See the first post for a hint on how to avoid bad ones.
• uTorrent's IP filter does not affect UPnP functionality, so you can block LAN IPs without worrying about this (although manual port forwarding is recommended).
• Unfortunately, it doesn't affect tracker communication either, so you can't rely on it to block bad trackers.

[anon]

Other worthy entries for your port blacklist include: 3128, 6666, 6667, 8080.

[anon]

Doesn't really fit anywhere else, so let's throw it in here. I recently noticed the following IPs, all belonging to Ziggo in the Netherlands, will mirror any packets you send to them.

195.35.245.30
212.178.135.62
212.178.154.174
213.34.163.254
213.34.171.254

There are a few exceptions. ICMP appears to be always discarded, as are TCP packets with nonsensical flags (e.g. SYN,FIN,PSH). Other than that, attempt a TCP connection on any port and you'll get a split handshake, send any UDP data and it'll be echoed back at you, send a packet of any IP protocol type with any payload and you'll receive it too. The most likely explanation I see is that they're honeypots to attract anyone looking for "interesting" behavior. In theory this could be abused to perform DDoS attacks with spoofed source addresses, but since the reflection exchange rate is exactly 1:1 and these are few hosts with finite bandwidth, they aren't very attractive for the task.

In any case, worth adding to your IP filter due to the fact no legitimate BitTorrent activity will come from this; nonetheless iknowwhatyoudownload.com assigns laundry lists of downloaded torrents to all five addresses, presumably on the basis of mirroring the DHT packets they receive.