drizzle Posted January 3, 2008

I've done some preliminary experiments, and it APPEARS as though utorrent will start tracking _anything_ it receives an announce for... IE - I point a client/torrent to the utorrent embedded tracker, and get

d8:intervali600e5:peerslee

response even for torrents (info hashes) utorrent isn't doing anything with.

Is this by design? I sort of expected it to only track torrents that (in some fashion) it already knew about. Like, 'torrents in the list', or 'active torrents', or 'only torrents being seeded'?

As it appears to be acting as an 'open tracker', is there a timeout? That is, if it gets an announce for some random infohash, how long does it retain the data?
Firon Posted January 3, 2008

Yes, it is an open tracker, as the FAQ says.

It is by design. It's only intended for use within a LAN or sharing with a few known friends.
drizzle Posted January 3, 2008 Author

Hmmm... Since it is sharing the BT port, and that port is (typically) accessible to incoming connects, doesn't this constitute an attack vector?

IE, You see utorrent clients in some peer list. You probe to find one with the tracker enabled, then start sending a series of announces with incrementing infohashes to cause that client to consume more and more memory caching the ever-growing list of 'tracked' torrents, eventually using all memory and pagefile space...

Seems like it would be a lot safer (and not that hard) to check the incoming infohash against the list the client 'knows' about...

Guess this should be moved to the 'Feature Request' (or security?) forums...
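
The check suggested in the post above, sketched as an added example (not uTorrent's code and not written by any poster in this thread): an announce handler that stores state only for info hashes the client already knows, expires stale peers and caps each swarm. The class name, the TTL and the per-swarm cap are assumptions; the 600-second interval is taken from the response quoted in the first post.

```python
import time

ANNOUNCE_INTERVAL = 600            # seconds, as in the response quoted in the thread
PEER_TTL = 2 * ANNOUNCE_INTERVAL   # assumption: forget peers that miss two announces
MAX_PEERS_PER_TORRENT = 200        # assumption: hard cap on stored peers per swarm


def bencode(obj):
    """Minimal bencoder for ints, str/bytes, lists and dicts."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode(), v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(type(obj))


class ClosedTracker:
    """Hypothetical tracker that only serves torrents the client knows about."""

    def __init__(self, known_hashes):
        self.known = set(known_hashes)   # info hashes already in the client's list
        self.swarms = {}                 # info_hash -> {(ip, port): last_seen}

    def announce(self, info_hash, ip, port, now=None):
        now = time.time() if now is None else now
        if info_hash not in self.known:
            # Reject before allocating anything: unknown hashes cost no memory.
            return bencode({"failure reason": "torrent not tracked"})
        swarm = self.swarms.setdefault(info_hash, {})
        # Answers the timeout question: drop peers not seen within PEER_TTL.
        for peer in [p for p, seen in swarm.items() if now - seen > PEER_TTL]:
            del swarm[peer]
        others = [{"ip": p[0], "port": p[1]} for p in swarm if p != (ip, port)]
        if (ip, port) in swarm or len(swarm) < MAX_PEERS_PER_TORRENT:
            swarm[(ip, port)] = now
        return bencode({"interval": ANNOUNCE_INTERVAL, "peers": others})

    def tracked_entries(self):
        """Total peer records held, i.e. the state an announcer can influence."""
        return sum(len(s) for s in self.swarms.values())
```

With this shape, stored state is bounded by the number of known torrents times the per-swarm cap, regardless of how many distinct info hashes are announced.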
Firon Posted January 4, 2008

Probably, but like no one has it enabled anyway. It's off by default, and hidden away in the advanced prefs, so.. you turn it on at your own risk.