Firewall false positives

[anonymous]

i found a link to a page about firewall false positives.

one of the FP is called "Stale IP caches"

If you have a dynamic IP address, you will often find that you receive a lot of unsolicited probes when you first obtain a new IP address. This often because the previous user of that IP address was running some application which has cached their IP address somewhere, and it's unaware that the owner of that IP has changed.

Often the involved applications are Internet game servers, peer-to-peer file/music software (e.g. Gnutella, Napster, Kazaa, audiogalaxy, etc..).

Some of these applications are poorly written to handle this situation and will incessantly pound an IP address thousands of times for many hours. As much as this may seem like an targeted attack, it is really just a function of poorly written code that gives no consideration to how many firewall false positives it generates.

ive always experienced this after running utorrent and i was wondering if and how often does utorrent check the IP of a client.

my firewall log has numerous entries where the port destination is my utorrent port.

[Ultima]

How often µTorrent tries an IP address is random, AFAIK.

[µtorrent-Guest]

its not YOUR µT, its the other guys that wants to connect to you!

[anonymous]

i know that µtorrent-Guest, but is there anyway so that the other people dont have my IP cached so long?

[Ultima]

Seeing as how everyone uses different clients, there's no way to do that unless you get every client to do so.

[µtorrent-Guest]

and how should the other clients know that you have stopped using BT?

These clients can only know that if they once try your IP and get the correct ICMP message for actively refusing connections.

http://en.wikipedia.org/wiki/ICMP_Destination_Unreachable

Then they can stop their connection attemps.

Asuming you send them these message, do you see after that from the SAME IP repeatedly connection attemps? That would be an indicator that the client used there is indeed stupid!

(like the fucking BitComet that hammers Trackers, constantly reconnects to you even whe you and he are both seeders, on the other hand does not obey "keep alive" requests and so on!)

[anonymous]

your right, Ultima. i sometimes forget how many bittorrent clients there are.

thanx to both of you for the replies.

[Switeck]

If you have DHT disabled and are firewalled as well, many trackers won't be giving your ip out in the first place (since you are not technically remotely connectable)...so you'd probably see (far?) fewer firewall false positives a day or so after stopping all torrents.

It also depends on the size of the torrents. 4+ GB monster torrents will keep crawling along and attempting ancient (and dead!) ips alot longer than <100 MB torrents that complete quickly due to sufficient seeds.

I'd also expect public torrents to generate less long-term firewall false positives than private "ratio enforced" torrents, simply because private torrents basically force people to stay connected alot longer. Public torrents, downloaders often 'hit-and-run' -- complete the download and leave almost immediately.

Also, the popularity of the torrents you're after may have a big effect -- if there's 10,000+ peers+seeds on a torrent...you may see a bunch of hits on your firewall for many days, as some poor sods are on crippled ISPs that only allows 1 KB/sec download speed...so they may be retrying your ip for WEEKS!