Re: [OT] Strange BitTorrent traffic from China IPs

To: Debian Users ML <debian-user@lists.debian.org>
Subject: Re: [OT] Strange BitTorrent traffic from China IPs
From: "Alexander V. Makartsev" <avbetev@gmail.com>
Date: Tue, 22 Oct 2024 12:46:06 +0500
Message-id: <[🔎] 58a252f8-183a-40ce-9fb8-e35c3fde526b@gmail.com>
In-reply-to: <[🔎] CAJmb-Ynsk2=FbXBSf3yyr5vwueQ4sF8aohXazz4jxNHv0FmpDg@mail.gmail.com>
References: <[🔎] de492efd-e778-4984-8104-86a7268f9190@gmail.com> <[🔎] b320282c-5e94-4d43-96fb-c9603c147a62@kalinowski.com.br> <[🔎] 78fb7f92-bbe2-4126-ae25-a978fc4f3d52@gmail.com> <[🔎] CAJmb-Ynsk2=FbXBSf3yyr5vwueQ4sF8aohXazz4jxNHv0FmpDg@mail.gmail.com>

On 22.10.2024 05:25, Nicholas Geovanis wrote:

On Mon, Oct 21, 2024, 6:28 PM Alexander V. Makartsev <avbetev@gmail.com> wrote:

On 21.10.2024 16:59, Eduardo M KALINOWSKI wrote:

they actually speaking the BitTorrent protocol? Could this be caused by simply connecting to the host (in some kind of port scan), or perhaps connecting and probing for some other vulnerability, maybe not even related to BitTorrent (something like "GET /admin?user=admin&password=imasuperhacker HTTP/1.0")?

It doesn't look like some port scan or automated exploitation attempts. Those are usually one-offs.
Instead, these suspicious connections successfully negotiate with my torrent client and stay connected, downloading that one ISO file indefinitely.
If I manually throttle these connections they disconnect after some time and soon after a new connection from another IP from the same subnet or different network establishes.

Maybe choose a couple of those subnets that they bounced-to after you throttled them. Look for other legitimate-looking connections in the logs from that same subnet over a longer time-span. Are they burning through whole subnets at-a-time which show no other legitimate connections to you? Or does it seem more scattershot than that? Examine the numerical values of the addresses. Do they seem to be working in a systematic fashion through the octets and subnets? Or does it arrive looking more random than that?

It does seem like random, not sequential in any way.
Here is a few example IPs I gathered from those suspicious connections:
36.32.56.219
36.32.63.210
36.106.178.254
36.106.54.166
112.101.176.215
121.56.211.154
182.245.68.120
222.211.26.158
117.181.164.206
182.136.100.183
59.34.152.170
144.0.15.230
163.142.241.158

I've already accumulated pretty long list. They all point to different ISP networks in China.
The only thing I'm certain of is that they use "bttracker.debian.org" to get peer information.
Maybe this is somehow tied to "webseed peer" of "debian-12.5.0-amd64-netinst.iso" torrent?
I don't know enough about torrent trackers or webseeds to be able to tell.

--

 With kindest regards, Alexander.

 Debian - The universal operating system
 https://www.debian.org

Reply to:

References:
- [OT] Strange BitTorrent traffic from China IPs
  - From: "Alexander V. Makartsev" <avbetev@gmail.com>
- Re: [OT] Strange BitTorrent traffic from China IPs
  - From: Eduardo M KALINOWSKI <eduardo@kalinowski.com.br>
- Re: [OT] Strange BitTorrent traffic from China IPs
  - From: "Alexander V. Makartsev" <avbetev@gmail.com>
- Re: [OT] Strange BitTorrent traffic from China IPs
  - From: Nicholas Geovanis <nickgeovanis@gmail.com>

Prev by Date: Re: battery tester
Next by Date: Re: [OT] Strange BitTorrent traffic from China IPs
Previous by thread: Re: [OT] Strange BitTorrent traffic from China IPs
Next by thread: Re: [OT] Strange BitTorrent traffic from China IPs
Index(es):
- Date
- Thread