On 22.10.2024 05:25, Nicholas Geovanis wrote:


On Mon, Oct 21, 2024, 6:28 PM Alexander V. Makartsev <avbe...@gmail.com> wrote:

    On 21.10.2024 16:59, Eduardo M KALINOWSKI wrote:
     they actually speaking the BitTorrent protocol? Could this be
    caused by simply connecting to the host (in some kind of port
    scan), or perhaps connecting and probing for some other
    vulnerability, maybe not even related to BitTorrent (something
    like "GET /admin?user=admin&password=imasuperhacker HTTP/1.0")?
    It doesn't look like some port scan or automated exploitation
    attempts. Those are usually one-offs.
    Instead, these suspicious connections successfully negotiate with
    my torrent client and stay connected, downloading that one ISO
    file indefinitely.
    If I manually throttle these connections they disconnect after
    some time and soon after a new connection from another IP from the
    same subnet or different network establishes.


Maybe choose a couple of those subnets that they bounced to after you throttled them. Look for other legitimate-looking connections in the logs from that same subnet over a longer time span. Are they burning through whole subnets at a time which show no other legitimate connections to you? Or does it seem more scattershot than that? Examine the numerical values of the addresses. Do they seem to be working in a systematic fashion through the octets and subnets? Or does it arrive looking more random than that?
It does seem random, not sequential in any way.
Here are a few example IPs I gathered from those suspicious connections:
36.32.56.219
36.32.63.210
36.106.178.254
36.106.54.166
112.101.176.215
121.56.211.154
182.245.68.120
222.211.26.158
117.181.164.206
182.136.100.183
59.34.152.170
144.0.15.230
163.142.241.158

I've already accumulated a pretty long list. They all point to different ISP networks in China. The only thing I'm certain of is that they use "bttracker.debian.org" to get peer information. Maybe this is somehow tied to the "webseed peer" of the "debian-12.5.0-amd64-netinst.iso" torrent?
I don't know enough about torrent trackers or webseeds to be able to tell.

--

 With kindest regards, Alexander.

 Debian - The universal operating system
 https://www.debian.org

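The subnet-clustering check Nicholas suggests above can be done mechanically rather than by eye. The following Python script is an added example and is not part of the thread; it takes the thirteen addresses Alexander posted, counts how many fall into each /8, /16 and /24, and applies a simple "is someone walking the address space in order" heuristic (sorted addresses whose neighbours are within a few hundred of each other). The `max_gap` threshold of 256 is an arbitrary choice for the example. The same functions work on any list of peer IPs pulled from a torrent client's log.

```python
import ipaddress
from collections import Counter

# Peer addresses exactly as listed in the message above (copied, not constructed).
SUSPICIOUS_PEERS = [
    "36.32.56.219", "36.32.63.210", "36.106.178.254", "36.106.54.166",
    "112.101.176.215", "121.56.211.154", "182.245.68.120", "222.211.26.158",
    "117.181.164.206", "182.136.100.183", "59.34.152.170", "144.0.15.230",
    "163.142.241.158",
]


def group_by_prefix(ips, prefixlen):
    """Count how many addresses fall into each /prefixlen network.

    Returns a Counter keyed by the network in CIDR form, e.g. "36.32.0.0/16".
    """
    counts = Counter()
    for ip in ips:
        # strict=False lets us pass a host address and get its containing network.
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def looks_sequential(ips, max_gap=256):
    """Heuristic for a systematic sweep through the address space.

    Sort the addresses numerically and measure the distance between neighbours.
    A scanner walking octets in order produces many small gaps; random peers
    from unrelated ISPs produce large ones. Returns (fraction_of_small_gaps, gaps).
    max_gap=256 is an arbitrary threshold chosen for this example.
    """
    ints = sorted(int(ipaddress.ip_address(ip)) for ip in ips)
    gaps = [b - a for a, b in zip(ints, ints[1:])]
    if not gaps:
        return 0.0, []
    small = sum(1 for g in gaps if g <= max_gap)
    return small / len(gaps), gaps


def summarize(ips):
    """Collect the per-prefix clustering and the sequential-sweep score."""
    frac, _ = looks_sequential(ips)
    return {
        "per_8": group_by_prefix(ips, 8),
        "per_16": group_by_prefix(ips, 16),
        "per_24": group_by_prefix(ips, 24),
        "sequential_fraction": frac,
    }


if __name__ == "__main__":
    report = summarize(SUSPICIOUS_PEERS)
    for key in ("per_8", "per_16", "per_24"):
        repeated = {net: n for net, n in report[key].items() if n > 1}
        print(f"{key}: {len(report[key])} distinct, repeated: {repeated or 'none'}")
    print(f"fraction of neighbouring addresses within 256: {report['sequential_fraction']:.2f}")
```

On the posted list this reports four addresses in 36.0.0.0/8, two each in 36.32.0.0/16 and 36.106.0.0/16, no /24 hit more than once, and no small gaps at all, which matches Alexander's "random, not sequential" reading: the peers cluster loosely by ISP, not by a scanner walking through a range.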