
Strange hits in firewall after 1.2.2


oliversl


Posted

Hi,

I have a WinXP machine NATed via a Linux server.

I have port-forwarding and it is working OK.

After upgrading to 1.2.2 I noticed strange hits in my firewall.

I see, for example, many hits to a specific port from different hosts.

I wonder if µTorrent is publishing me with random ports?

I use a fixed port so I can port-forward the traffic to my machine.

So, how do I check if µTorrent is really using a fixed port and not a random port? I already configured µTorrent correctly.

Example ports:

55338 (2000 hits in a 3 hour period)

51844

50868

Posted

Can you be more specific?

Is it TCP traffic or UDP? What are the remote ports? Are there a lot of different hosts or a few specific ones? Which program do you use for NAT? iptables? Which port is µTorrent using?

Posted

Hi Klaus, np.

It's all UDP traffic, originating from many different hosts, and the destination port in my firewall is the same.

After a few hours, the "attacked" port changes and again too many different hosts try to connect to this new port.

Posted

It seems that µT is using random ports even though I configured that µT should use only one port.

It seems that µT is advertising a random port instead of the one I configured.

I can't live without DHT, so is there a way to confirm this bug?

Posted

Incoming connections use the one port you used.

Outgoing connections use random ports selected by the operating system.

This applies for TCP AND UDP.

http://www.utorrent.com/faq.php#My_firewall_is_reporting_connections_being_made_by_.C2.B5Torrent_on_a_port_besides_the_one_I_selected._What_gives.3F

If you're getting incoming connections on another port, then it's probably anti-P2P trying to get to you. :P That, or random port probes. Since it's UDP, it's more likely to be the former. There isn't really much you can do about it.

Posted

I'm prone to think that there are some bugged DHT-enabled BitTorrent clients out there. It would be most interesting to log outgoing DHT UDP packets (or actually, the IP and source port) and check those against firewall logs. Either they respond too late to UDP packets or share your (random) port number with others. From looking at my own logs, it seems some BT clients really do odd things when it comes to DHT. As I said in another thread, days after using DHT, clients keep trying to connect to me or send me DHT traffic.

It could also be a local problem, where your firewall does not track UDP-packets (long enough).

Anti-p2p could also be the problem, though, aren't they smarter? Why not use the incoming port? Or are they trying to DoS modems and routers?

Posted

I've had the anti-p2p hit me up over and over on different ports, usually UDP. It seems like they try the incoming port and then try other ports... I'm not really sure.

Posted

Here are some stats:

pkts bytes target prot opt in out source destination

9 770 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:50469 reject-with icmp-port-unreachable

5790 611K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:57982 reject-with icmp-port-unreachable

8022 893K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:55338 reject-with icmp-port-unreachable

18914 1836K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:50469

Check port 50469, it has 18914 hits!

Posted

Too bad no IPs are logged. Something funny: port 50469 has both a few REJECTs as well as many DROPped packets. I'm not sure exactly why the firewall sometimes rejects packets and other times drops them, especially not if it is sending out ICMP port-unreachables.

Can you put a time-frame on these stats? The number of hits is not really unusual. If I connect to DHT, I will be getting hits days after at a rate of roughly 1800 per hour. And that is only to my BT-port. Never looked into random ports as you did. I wouldn't be surprised to find something in the neighbourhood of 100.000+ dropped/rejected packets all together.

Posted

Hi Klaus,

I have more stats, but this time using port 65535

# grep ' DPT=65535 ' /var/log/messages|cut -d ' ' -f 10|sort | uniq|wc -l

70 IPs offending

# grep ' DPT=65535 ' /var/log/messages|wc -l

85313 hits

# grep ' DPT=65535 ' /var/log/messages.1|head -n1

Dec 8 09:50:42 start

# grep ' DPT=65535 ' /var/log/messages.1|tail -n1

Dec 8 14:27:30 end

After "Dec 8 14:27:30" I stopped logging those packets; now I just DROP them.

Look how they are now:

packets bytes port

109K 6537K 65535

HTH
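The check Klaus proposes above (record the peer IP and our own source port of every outgoing DHT packet, then compare those with the firewall's LOG lines) and the per-port counting oliversl did with grep/cut/sort/uniq can be combined in one script. The following is an added example and is not code from this thread or from µTorrent. It assumes iptables `-j LOG` lines in /var/log/messages syslog format, a constructed list of outgoing UDP packets standing in for what a DHT-enabled client would log, a syslog year of 2005 (syslog timestamps carry none), and a 180-second conntrack window (the Linux nf_conntrack UDP stream timeout); every log line and IP address below is constructed for illustration. A hit from a host we contacted earlier from the same port is classified as a reply, and as a late reply if it arrives after the conntrack window has expired; a hit from a host we never contacted is unsolicited, which is what "sharing your port number with others" or anti-P2P probing would look like.

```python
"""Correlate firewall hits on a port with the UDP packets we actually sent.

Added example, not code from the thread or from µTorrent. Sample data below is
constructed; the year and the conntrack window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2005  # assumption: syslog timestamps carry no year
# Assumption: nf_conntrack keeps a UDP "stream" entry for 180 s; a reply that
# arrives later has no state left and falls through to the LOG/DROP rules.
CONNTRACK_WINDOW = timedelta(seconds=180)

# iptables `-j LOG` line as written to /var/log/messages (only the fields we need).
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>[A-Z]+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed outgoing DHT packets: (syslog time, our source port, peer IP, peer port).
SAMPLE_OUTGOING = [
    ("Dec 8 09:40:00", 65535, "198.51.100.7", 6881),
    ("Dec 8 09:50:00", 65535, "203.0.113.5", 6881),
    ("Dec 8 09:50:30", 65535, "203.0.113.9", 51413),
]

# Constructed firewall log lines in the shape of oliversl's grep output (MAC= field trimmed).
SAMPLE_LOG = [
    "Dec  8 09:50:42 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=72 TTL=52 ID=0 PROTO=UDP SPT=6881 DPT=65535 LEN=52",
    "Dec  8 09:51:00 gw sshd[412]: Accepted publickey for admin from 10.0.0.5",
    "Dec  8 09:55:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.2 LEN=72 TTL=49 ID=0 PROTO=UDP SPT=6881 DPT=65535 LEN=52",
    "Dec  8 10:03:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.2 LEN=120 TTL=55 ID=0 PROTO=UDP SPT=40000 DPT=65535 LEN=100",
    "Dec  8 10:03:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.2 LEN=120 TTL=55 ID=0 PROTO=UDP SPT=40000 DPT=65535 LEN=100",
    "Dec  8 12:00:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.80 DST=10.0.0.2 LEN=90 TTL=60 ID=0 PROTO=UDP SPT=1234 DPT=50469 LEN=70",
    "Dec  8 12:01:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.81 DST=10.0.0.2 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=40001 DPT=65535 WINDOW=5840 SYN",
    "Dec  8 14:27:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.2 LEN=90 TTL=58 ID=0 PROTO=UDP SPT=12345 DPT=65535 LEN=70",
]


def parse_ts(text):
    """'Dec 8 09:50:42' -> datetime, with the assumed year prepended."""
    mon, day, hms = text.split()
    return datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")


def parse_log_line(line):
    """Return a dict for an iptables LOG line, or None for any other syslog line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(f"{m['mon']} {m['day']} {m['time']}"),
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def index_outgoing(outgoing):
    """Map (peer IP, our source port) -> sorted send times."""
    idx = defaultdict(list)
    for ts_text, our_spt, remote_ip, _remote_port in outgoing:
        idx[(remote_ip, our_spt)].append(parse_ts(ts_text))
    for times in idx.values():
        times.sort()
    return idx


def classify(hit, out_idx):
    """('reply', delay) if we sent this host a packet from the hit's port earlier, else ('unsolicited', None)."""
    sent = [t for t in out_idx.get((hit["src"], hit["dpt"]), []) if t <= hit["ts"]]
    if not sent:
        return "unsolicited", None
    return "reply", hit["ts"] - max(sent)


def summarize(log_lines, outgoing, window=CONNTRACK_WINDOW):
    """Per (proto, destination port): hits, distinct sources, replies, late replies, unsolicited, time span."""
    out_idx = index_outgoing(outgoing)
    per_port = {}
    for line in log_lines:
        hit = parse_log_line(line)
        if hit is None:
            continue
        s = per_port.setdefault((hit["proto"], hit["dpt"]), {
            "hits": 0, "sources": set(), "replies": 0, "late_replies": 0,
            "unsolicited": 0, "first": hit["ts"], "last": hit["ts"]})
        s["hits"] += 1
        s["sources"].add(hit["src"])
        s["first"], s["last"] = min(s["first"], hit["ts"]), max(s["last"], hit["ts"])
        kind, delay = classify(hit, out_idx)
        if kind == "reply":
            s["replies"] += 1
            if delay > window:
                s["late_replies"] += 1   # state expired before the peer answered
        else:
            s["unsolicited"] += 1        # host we never contacted from that port
    return per_port


def report(summary):
    """Print one line per (proto, port), laid out like the stats in the thread."""
    print("proto port   hits sources replies late unsolicited first    last")
    for (proto, port), s in sorted(summary.items()):
        print(f"{proto:5} {port:5} {s['hits']:6} {len(s['sources']):7} {s['replies']:7} "
              f"{s['late_replies']:4} {s['unsolicited']:11} {s['first']:%H:%M:%S} {s['last']:%H:%M:%S}")


if __name__ == "__main__":
    report(summarize(SAMPLE_LOG, SAMPLE_OUTGOING))
```

Feed it the real `grep ' DPT=' /var/log/messages` output and a log of the client's outgoing DHT packets (from a packet capture on the LAN side, since the client itself does not log them) and the unsolicited column answers the question in the thread: hits from hosts you never sent anything to cannot be late DHT replies, whatever port the client is advertising.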
