• Re: [OT] Strange BitTorrent traffic from China IPs

    From Eduardo M KALINOWSKI@21:1/5 to Alexander V. Makartsev on Mon Oct 21 14:10:01 2024
    On 20/10/2024 15:44, Alexander V. Makartsev wrote:
    Hello.

    I host some Debian ISO images via BitTorrent, among other things, and
    recently I have noticed very high interest in one torrent in particular:
    "debian-12.5.0-amd64-netinst.iso".
    My torrent client shows multiple connections from various networks (more
    IPs than a /24), and according to "whois", all originating from China.
    The odd part is that these remote clients report their ID as "unknown",
    connect using the TCP protocol, non-encrypted,
    and never send more than 4 download requests.

    Are they actually speaking the BitTorrent protocol? Could this be caused
    by simply connecting to the host (in some kind of port scan), or perhaps
    connecting and probing for some other vulnerability, maybe not even
    related to BitTorrent (something like
    "GET /admin?user=admin&password=imasuperhacker HTTP/1.0")?


    --
    Justice always prevails ... three times out of seven!
    -- Michael J. Wagner

    Eduardo M KALINOWSKI
    eduardo@kalinowski.com.br

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
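One practical way to answer the question above (whether the remote ends actually speak BitTorrent, or are merely scanning or probing with HTTP) is to look at the first bytes each remote sends after the TCP connection is established. The following Python script is an added example, not code from this thread or from any of the posters: it classifies a connection's first bytes as a plaintext BitTorrent handshake (BEP 3), an HTTP request, a TLS ClientHello, an empty connect, or something else, and for a BitTorrent handshake it decodes the Azureus-style peer_id into a client name, reporting "unknown" when the peer_id does not follow that convention, which is what a torrent client's "unknown" ID usually means. The sample inputs are constructed, not captured, and the short client-prefix table is an assumption (real clients ship much longer ones).

```python
"""Classify the first bytes a remote sends on a BitTorrent port.

Added example for this thread; sample inputs are constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import Optional

PSTR = b"BitTorrent protocol"
# BEP 3 handshake: <pstrlen=19><pstr><8 reserved><20 info_hash><20 peer_id>
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes

# Azureus-style peer_id prefixes ("-XXvvvv-") mapped to client names.
# Assumption: this short table is enough for the demonstration; real
# clients ship much longer ones.
AZUREUS_CLIENTS = {
    b"qB": "qBittorrent",
    b"TR": "Transmission",
    b"DE": "Deluge",
    b"LT": "libtorrent",
    b"UT": "uTorrent",
    b"AZ": "Vuze",
}

HTTP_REQUEST_LINE = re.compile(rb"(GET|POST|HEAD|OPTIONS|PUT) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Verdict:
    kind: str                      # bittorrent | http | tls | empty | other
    client: Optional[str] = None   # decoded peer_id client, for bittorrent
    info_hash: Optional[str] = None
    peer_id: Optional[bytes] = None


def classify_peer_id(peer_id: bytes) -> str:
    """Decode an Azureus-style peer_id; anything else is reported as unknown."""
    m = re.fullmatch(rb"-([A-Za-z]{2})([0-9A-Za-z]{4})-.*", peer_id, re.DOTALL)
    if not m:
        return "unknown"
    name = AZUREUS_CLIENTS.get(m.group(1))
    if name is None:
        return "unknown"
    return f"{name} {m.group(2).decode('ascii')}"


def classify_first_bytes(data: bytes) -> Verdict:
    """Decide which protocol the first client-to-server bytes belong to."""
    if not data:
        return Verdict("empty")           # bare TCP connect, no payload (scan-like)
    if len(data) >= HANDSHAKE_LEN and data[0] == 19 and data[1:20] == PSTR:
        info_hash = data[28:48].hex()
        peer_id = data[48:68]
        return Verdict("bittorrent", classify_peer_id(peer_id), info_hash, peer_id)
    if HTTP_REQUEST_LINE.match(data):
        return Verdict("http")            # web probe aimed at the wrong service
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return Verdict("tls")             # TLS record header of a ClientHello
    # MSE/PE-encrypted peers start with a DH public key and land here too.
    return Verdict("other")


def make_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a plaintext BEP 3 handshake (used only to construct samples)."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    return bytes([19]) + PSTR + b"\x00" * 8 + info_hash + peer_id


# Constructed samples: a normal qBittorrent peer, a peer whose peer_id is
# random bytes (shows up as "unknown"), the HTTP probe from the post, and a
# connection that sent nothing at all.
SAMPLE_INFO_HASH = bytes(range(20))
SAMPLES = {
    "normal peer": make_handshake(SAMPLE_INFO_HASH, b"-qB4520-" + b"x" * 12),
    "unknown peer": make_handshake(SAMPLE_INFO_HASH, b"\x8f\x12" + b"\x00" * 18),
    "http probe": b"GET /admin?user=admin&password=imasuperhacker HTTP/1.0\r\n\r\n",
    "bare connect": b"",
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify_first_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13s} -> {verdict.kind:10s} {verdict.client or ''}")
```

Feed it the payload of the first packet each remote sends on the torrent port (for instance from a tcpdump capture of that port). A peer that completes a valid handshake but reports "unknown" is still a BitTorrent speaker with a non-standard peer_id; an "http", "tls" or "empty" verdict means the connection was never a torrent peer at all. MSE/PE-encrypted peers begin with a Diffie-Hellman key rather than the plaintext handshake and would be reported as "other", but since the post says these connections are unencrypted, the plaintext check is the relevant one.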
  • From debian-user@howorth.org.uk@21:1/5 to Alexander V. Makartsev on Tue Oct 22 13:00:01 2024
    "Alexander V. Makartsev" <avbetev@gmail.com> wrote:

    I've already accumulated a pretty long list. They all point to
    different ISP networks in China.
    The only thing I'm certain of is that they use "bttracker.debian.org"
    to get peer information.
    Maybe this is somehow tied to the "webseed peer" of the
    "debian-12.5.0-amd64-netinst.iso" torrent?
    I don't know enough about torrent trackers or webseeds to be able to
    tell.

    Like I said before, I also seldom get normal torrent connections from
    China IPs, and they behave like the rest of the peers from around the world.
    They report correct information and status about themselves, request
    chunks they need to download, up to 100% of completion and then
    disconnect.

    Another thought. Maybe these connections are part of some attack on
    some part of the network infrastructure between them and you? You're
    just a convenient endpoint. So it might be worth reporting them to some
    official body.

  • From debian-user@howorth.org.uk@21:1/5 to Alexander V. Makartsev on Tue Oct 22 12:50:01 2024
    "Alexander V. Makartsev" <avbetev@gmail.com> wrote:
    On 22.10.2024 08:17, Max Nikulin wrote:
    On 22/10/2024 03:21, Alexander V. Makartsev wrote:
    If I manually throttle these connections they disconnect after
    some time, and soon after a new connection from another IP in the
    same subnet or a different network is established.

    Could it be that their internet providers have NAT and pools of
    IP addresses for outgoing connections? A new connection just uses
    another IP from the pool with no effort on the client side.

    A shot in the dark: maybe the client settings are rather aggressive
    with respect to the number of peers to connect to, but their bandwidth
    is saturated by other (local) peers.

    Connection IPs span different networks, so I don't think it is a
    pool or a few subnets of a single ISP.
    Here are a few example IPs I gathered from those suspicious
    connections:
    36.32.56.219
    36.32.63.210
    36.106.178.254
    36.106.54.166
    112.101.176.215
    121.56.211.154
    182.245.68.120
    222.211.26.158
    117.181.164.206
    182.136.100.183
    59.34.152.170
    144.0.15.230
    163.142.241.158

    whois on those addresses gives several real-looking personal email
    addresses. I'd be inclined to send a polite email to some/all of them
    asking if they know about these connections and can explain them.

    I've already accumulated a pretty long list. They all point to
    different ISP networks in China.
    The only thing I'm certain of is that they use "bttracker.debian.org"
    to get peer information.
    Maybe this is somehow tied to the "webseed peer" of the
    "debian-12.5.0-amd64-netinst.iso" torrent?
    I don't know enough about torrent trackers or webseeds to be able to
    tell.

    Like I said before, I also seldom get normal torrent connections from
    China IPs, and they behave like the rest of the peers from around the world.
    They report correct information and status about themselves, request
    chunks they need to download, up to 100% of completion and then
    disconnect.
