oliversl Posted December 9, 2005

Hi,

I have a WinXP machine NATed via a Linux server. I have port-forwarding and it is working OK. After upgrading to 1.2.2 I noticed strange hits in my firewall. I see, for example, many hits to a specific port from different hosts. I wonder if utorrent is publishing me with random ports? I use a fixed port so I can port-forward the traffic to my machine. So, how do I check if utorrent is really using a fixed port and not a random port? I have already configured utorrent correctly.

Example ports:
55338 (2000 hits in a 3 hour period)
51844
50868

Klaus_1250 Posted December 9, 2005

Can you be more specific? Is it TCP traffic or UDP? What are the remote ports? Are they a lot of different hosts or a few specific ones? Which program do you use for NAT? IPtables? Which port is µTorrent using?

oliversl (Author) Posted December 9, 2005

Hi Klaus, np. It's all UDP traffic, originating from many different hosts, and the destination port in my firewall is the same. After a few hours, the "attacked" port changes and again, too many different hosts try to connect to this new port.

chaosblade Posted December 9, 2005

UDP means it's DHT related, so try disabling DHT and check again. I wonder why it's on random ports though.

oliversl (Author) Posted December 9, 2005

It seems that uT is using random ports even though I configured that uT should use only 1 port. It seems that uT is advertising a random port, instead of the one I configured. I can't live without DHT, so, is there a way to confirm this bug?

Firon Posted December 10, 2005

Incoming connections use the one port you used. Outgoing connections use random ports selected by the operating system. This applies for TCP AND UDP.

http://www.utorrent.com/faq.php#My_firewall_is_reporting_connections_being_made_by_.C2.B5Torrent_on_a_port_besides_the_one_I_selected._What_gives.3F

If you're getting incoming connections on another port, then it's probably anti-P2P trying to get to you. That, or random port probes. Since it's UDP, it's more likely to be the former. There isn't really much you can do about it.

Klaus_1250 Posted December 10, 2005

I'm prone to think that there are some bugged DHT-enabled BitTorrent clients out there. It would be most interesting to log outgoing DHT UDP-packets (or actually, the IP and source-port) and check those against firewall logs. Either they respond too late to UDP-packets or share your (random) port-number with others. From looking at my own logs, it seems some BT-clients really do odd things when it comes to DHT. As I said in another thread, days after using DHT, clients keep trying to connect to me or send me DHT-traffic.

It could also be a local problem, where your firewall does not track UDP-packets (long enough).

Anti-p2p could also be the problem, though, aren't they smarter? Why not use the incoming port? Or are they trying to DoS modems and routers?

Firon Posted December 10, 2005

I've had the anti-p2p hit me up over and over on different ports, usually UDP. It seems like they try the incoming port and then try other ports... I'm not really sure.

Klaus_1250 Posted December 11, 2005

Could it be that those same anti-p2p people keep bugging me with countless packets days after I used DHT?

oliversl (Author) Posted December 11, 2005

Here are some stats:

 pkts bytes target prot opt in out source    destination
    9   770 REJECT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:50469 reject-with icmp-port-unreachable
 5790  611K REJECT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:57982 reject-with icmp-port-unreachable
 8022  893K REJECT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:55338 reject-with icmp-port-unreachable
18914 1836K DROP   udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:50469

Check port 50469, it has 18914 hits!

Klaus_1250 Posted December 13, 2005

Too bad no IPs are logged. Something funny: port 50469 has both a few Rejects as well as many Dropped packets. I'm not sure exactly why the firewall sometimes rejects packets and other times drops, especially not if it is sending out ICMP port-unreachable's.

Can you put a time-frame on these stats? The number of hits is not really unusual. If I connect to DHT, I will be getting hits days after at a rate of roughly 1800 per hour. And that is only to my BT-port. Never looked into random ports as you did. I wouldn't be surprised to find something in the neighbourhood of 100.000+ dropped/rejected packets all together.

oliversl (Author) Posted December 14, 2005

Hi Klaus,

I have more stats, but this time using port 65535

# grep ' DPT=65535 ' /var/log/messages|cut -d ' ' -f 10|sort | uniq|wc -l
70 IPs offending

# grep ' DPT=65535 ' /var/log/messages|wc -l
85313 hits

# grep ' DPT=65535 ' /var/log/messages.1|head -n1
Dec 8 09:50:42 start

# grep ' DPT=65535 ' /var/log/messages.1|tail -n1
Dec 8 14:27:30 end

After "Dec 8 14:27:30" I stopped logging those packets, now I just DROP them.

Look how they are now:

packets bytes port
109K 6537K 65535

HTH
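
The check suggested earlier in the thread (log outgoing DHT UDP packets and compare them with the dropped inbound ones) can be scripted as below. This is an added example, not code from any poster; it assumes two iptables LOG rules with the hypothetical prefixes `DHT-OUT` and `UDP-DROP`, that NAT preserves the client's source port, and it runs on constructed sample lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in netfilter LOG format (documentation-range addresses).
# "DHT-OUT" and "UDP-DROP" are hypothetical --log-prefix values, not from the thread.
SAMPLE = """\
Dec  8 09:50:01 gw kernel: DHT-OUT IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=95 PROTO=UDP SPT=55338 DPT=6881 LEN=75
Dec  8 09:50:02 gw kernel: DHT-OUT IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.8 LEN=95 PROTO=UDP SPT=55338 DPT=6881 LEN=75
Dec  8 09:55:40 gw kernel: UDP-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=95 PROTO=UDP SPT=6881 DPT=55338 LEN=75
Dec  8 10:20:00 gw kernel: UDP-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=95 PROTO=UDP SPT=49001 DPT=55338 LEN=75
Dec  8 10:21:00 gw kernel: UDP-DROP IN=eth0 OUT= SRC=192.0.2.45 DST=203.0.113.10 LEN=95 PROTO=UDP SPT=49002 DPT=65535 LEN=75
"""

LINE = re.compile(r"kernel: (\S+) .*?SRC=(\S+) DST=(\S+) "
                  r".*?PROTO=UDP SPT=(\d+) DPT=(\d+)")

def classify(log_text, out_prefix="DHT-OUT", drop_prefix="UDP-DROP"):
    """Return {destination port: {category: hits}} for dropped inbound UDP."""
    sent = defaultdict(set)       # local source port -> remote IPs we sent to
    result = defaultdict(Counter)
    # Lines are read in log order, so `sent` only ever holds earlier sends.
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        prefix, src, dst, spt, dpt = m.groups()
        if prefix == out_prefix:
            sent[int(spt)].add(dst)
        elif prefix == drop_prefix:
            peers = sent.get(int(dpt))
            if peers is None:
                kind = "unsolicited"   # port never used for outgoing UDP: probe
            elif src in peers:
                kind = "late_reply"    # host we contacted; UDP tracking had expired
            else:
                kind = "port_learned"  # our port, but this host was never contacted
            result[int(dpt)][kind] += 1
    return {port: dict(kinds) for port, kinds in result.items()}

if __name__ == "__main__":
    for port, kinds in sorted(classify(SAMPLE).items()):
        print(port, kinds)
```

A port dominated by `late_reply` points at a short UDP tracking timeout on the firewall, `port_learned` at peers passing the ephemeral port on to others, and `unsolicited` at probes unrelated to the client's own traffic.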
This topic is now archived and is closed to further replies.