On 21.10.2024 16:59, Eduardo M KALINOWSKI wrote:
> On 20/10/2024 15:44, Alexander V. Makartsev wrote:
>> Hello.
>> I host some Debian ISO images via BitTorrent, among other things, and
>> recently I have noticed very high interest in one torrent in
>> particular: "debian-12.5.0-amd64-netinst.iso".
>> My torrent client shows multiple connections from various networks
>> (more IPs than a /24),
>> and according to "whois", all originating from China.
>> The odd part is that these remote clients report their ID as "unknown",
>> connect using the TCP protocol, unencrypted,
>> and never send more than 4 download requests.
> Are they actually speaking the BitTorrent protocol? Could this be
> caused by simply connecting to the host (in some kind of port scan),
> or perhaps connecting and probing for some other vulnerability, maybe
> not even related to BitTorrent (something like "GET
> /admin?user=admin&password=imasuperhacker HTTP/1.0")?
It doesn't look like some port scan or automated exploitation attempts.
Those are usually one-offs.
Instead, these suspicious connections successfully negotiate with my
torrent client and stay connected, downloading that one ISO file
indefinitely.
If I manually throttle these connections, they disconnect after some time,
and soon after a new connection from another IP, from the same subnet or a
different network, is established.
So it is an automated, distributed process; the only thing still missing
is its purpose.
I know there are techniques to fool DPI systems and mask the SNI of
outgoing HTTPS connections, but AFAIK those should go to port 443/tcp, and
my torrent port is different.
I'm pretty sure that other peers of the tracker at "bttracker.debian.org"
are having exactly the same problem.
--
With kindest regards, Alexander.
Debian - The universal operating system
https://www.debian.org
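The question raised in this thread (are these peers really speaking BitTorrent, and why does the client show them as "unknown") can be checked directly on a captured TCP stream. The following is an added example, not code from the thread or from any Debian project: a minimal parser for the plaintext BitTorrent peer wire protocol that validates the handshake, decodes the Azureus-style peer_id (the table of client prefixes is a small illustrative subset, an assumption for this example), and counts "request" messages per session. The sample streams are constructed inline; the "matches the pattern" heuristic simply encodes the three observations from the post (unknown client ID, unencrypted TCP, at most 4 requests) and is not a signature for any known tool.

```python
import struct
from dataclasses import dataclass, field

PSTR = b"BitTorrent protocol"      # plaintext handshake identifier (BEP 3)
HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20
MSG_REQUEST = 6                    # peer wire message id for "request"

# Assumption: a few well-known Azureus-style client prefixes, for illustration only.
AZUREUS_CLIENTS = {
    b"TR": "Transmission", b"qB": "qBittorrent", b"DE": "Deluge",
    b"lt": "libtorrent",   b"UT": "uTorrent",    b"AZ": "Vuze",
}


def classify_peer_id(peer_id: bytes) -> str:
    """Azureus-style IDs look like b'-TR4000-<12 random bytes>'.
    Anything that does not follow that layout is reported as 'unknown',
    which is what a torrent client UI typically shows for such peers."""
    if len(peer_id) == 20 and peer_id[0:1] == b"-" and peer_id[7:8] == b"-":
        tag = peer_id[1:3]
        return AZUREUS_CLIENTS.get(tag, "unknown (" + tag.decode("ascii", "replace") + ")")
    return "unknown"


@dataclass
class PeerSession:
    client: str
    encrypted: bool                      # False: handshake arrived in the clear
    requests: list = field(default_factory=list)   # (piece index, begin, length)


def parse_session(stream: bytes) -> PeerSession:
    """Parse one peer's inbound byte stream: handshake, then length-prefixed messages.
    Raises ValueError for anything that is not a plaintext BitTorrent handshake
    (e.g. an HTTP probe sent to the torrent port)."""
    if len(stream) < HANDSHAKE_LEN or stream[0] != 19 or stream[1:20] != PSTR:
        raise ValueError("not a plaintext BitTorrent handshake")
    peer_id = stream[48:68]                          # after pstrlen, pstr, reserved, info_hash
    sess = PeerSession(client=classify_peer_id(peer_id), encrypted=False)
    pos = HANDSHAKE_LEN
    while pos + 4 <= len(stream):
        (length,) = struct.unpack(">I", stream[pos:pos + 4])
        pos += 4
        if length == 0:                              # keep-alive
            continue
        body = stream[pos:pos + length]
        if len(body) < length:
            raise ValueError("truncated message")
        pos += length
        if body[0] == MSG_REQUEST and length == 13:
            sess.requests.append(struct.unpack(">III", body[1:13]))
    return sess


def matches_thread_pattern(sess: PeerSession, max_requests: int = 4) -> bool:
    """Heuristic built from the post's observations only: unknown client ID,
    unencrypted transport, and no more than a handful of block requests."""
    return sess.client == "unknown" and not sess.encrypted and len(sess.requests) <= max_requests


# --- constructed sample streams (not captured traffic) ---
def build_handshake(peer_id: bytes, info_hash: bytes = b"\x00" * 20) -> bytes:
    return bytes([19]) + PSTR + b"\x00" * 8 + info_hash + peer_id


def build_request(index: int, begin: int, length: int) -> bytes:
    return struct.pack(">IBIII", 13, MSG_REQUEST, index, begin, length)


SAMPLE_ODD_PEER = (
    build_handshake(b"\x8f" * 20)                    # peer_id that is not Azureus-style
    + struct.pack(">IB", 1, 2)                       # "interested"
    + b"\x00\x00\x00\x00"                            # keep-alive
    + b"".join(build_request(0, i * 16384, 16384) for i in range(4))
)
SAMPLE_NORMAL_PEER = (
    build_handshake(b"-TR4000-" + b"a" * 12)
    + b"".join(build_request(0, i * 16384, 16384) for i in range(20))
)
SAMPLE_HTTP_PROBE = b"GET /admin?user=admin&password=x HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, data in [("odd", SAMPLE_ODD_PEER), ("normal", SAMPLE_NORMAL_PEER)]:
        s = parse_session(data)
        print(name, s.client, len(s.requests), "requests", "pattern" if matches_thread_pattern(s) else "ok")
```

Caveat: this only handles unencrypted TCP sessions, which is what the poster sees; a peer using MSE/PE obfuscation never sends the plaintext "BitTorrent protocol" handshake and would be rejected here rather than parsed. "unknown" also covers legitimate clients that use non-Azureus ID schemes, so the peer_id alone is weak evidence; the request count and connection lifetime are what distinguish a real downloader from a peer that merely holds the connection open.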