anup.goyal Posted January 14, 2008

Hi all,

I have encountered a strange behavior of uTorrent. It constantly asks for certain files from unused IP space. I am monitoring one such IP space, and it is unnecessarily increasing the traffic. I have seen only clients which implement the uTorrent-compatible PEX (Peer Exchange) protocol, in which uTorrent sends the maximum requests.

Does anyone know of a bug in the uTorrent implementation which leads to such behavior? They basically insert bogus IP addresses into the system, and these spread very fast through the network. I have checked the IP addresses returned by the uTorrent client and they also contain some unroutable IPs. How is it possible that they have an unroutable IP in their IPLIST? Does anyone know of any known bugs, or happen to have observed the same?

Any help is appreciated. I am trying to identify the problem behind this. It is bothering me because of the large amount of unwanted traffic I observe.

-anup
Ultima Posted January 14, 2008

If you're referring to 239/8, then that's the IP multicast range, which µTorrent uses for LPD (for discovering peers on your local network). If you want to stop that from happening, disable LPD in Preferences > BitTorrent.
anup.goyal Posted January 14, 2008

I am not referring to the 239/8 IPs. I know that uTorrent does local discovery. In fact, I am not running any uTorrent application and am still getting the request packets.

All the requests come from some random IPs on the internet, and I do not understand why they are sending requests to unused IP space. How did the information about these dark IPs enter the system?

Why are there lots of requests for the same file coming to a single destination from a large group of clients?

All the requesting clients run uTorrent, and my best guess is that there is some error in the implementation of uTorrent such that it gets misconfigured and requests files from dark IPs?
DreadWingKnight Posted January 14, 2008

What IP ranges are you referring to?
Ultima Posted January 14, 2008

µTorrent doesn't make up bogus IPs to transfer data with. If it has an IP in its peer cache, then it's because someone else gave it the IP. It doesn't hand out IPs not in its peer cache either, so PEX wouldn't be the cause (rather, it wouldn't have sent bogus IPs to other peers via PEX, thus causing the IPs to propagate through the swarm).

Are you sure the torrent isn't fake or poisoned? How often do you see this kind of behavior (as in, do you see it in every torrent, many torrents, some torrents, or a few torrents?)?

Edit: Heh, DWK got to the other question I had before I managed to edit it in
anup.goyal Posted January 14, 2008

They are not fake file requests. Earlier I believed that some bogus peers were sending fake file requests, but I checked the files after downloading them and they are legitimate files.

I have seen the behavior on many different files. Surprisingly, they all follow the same client software distribution. The distribution is like 90% uTorrent, no Azureus, no BitComet... in other words, no other famous client except uTorrent.

The logic of someone else giving the IPs also makes sense, but why would anyone care to give bogus IPs for so many files? And why are the requests uTorrent-dominant? If someone sends them, they will send them to other clients also. It might be some problem with the implementation. Since nobody cares about this radiation traffic, that's why it hasn't come up yet.
DreadWingKnight Posted January 14, 2008

Ok and the answer to my question is where?
funchords Posted January 15, 2008

uTorrent has the vast majority of the "market segment" for the Mainline DHT, so it's no surprise that the vast plurality or majority of clients making or answering queries are uTorrent. BitComet does use the Mainline DHT, but Azureus does not. Every client in the DHT network is responsible for remembering certain parts of the database -- so even though you see an infohash that does not correspond with something you're downloading, it doesn't mean it's fake. It's just asking if your part of the database knows anyone announcing that infohash.
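
Added example (not part of the original thread, and not code from µTorrent or any poster): a small classifier that a monitor of unused address space could run over received UDP payloads to tell Mainline DHT queries apart from other background traffic and tally them by client and infohash. It assumes the KRPC message layout from BEP 5 and the optional `v` version key that many clients send, with the `UT` prefix assumed to denote µTorrent; the sample payloads are constructed, not captured.

```python
from collections import Counter

def bdecode(data, i=0, depth=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    if depth > 32:  # bound recursion on hostile input
        raise ValueError("nesting too deep")
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i, depth + 1)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[colon + 1:end], end
    raise ValueError("not bencode")

def classify(payload):
    """Return (client, query, info_hash_hex) for a KRPC query, else None."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, TypeError):
        return None  # not bencode: some other kind of background traffic
    if not isinstance(msg, dict) or msg.get(b"y") != b"q":
        return None
    query, args, ver = msg.get(b"q"), msg.get(b"a"), msg.get(b"v", b"")
    if not isinstance(query, bytes) or not isinstance(args, dict):
        return None
    ih = args.get(b"info_hash")
    ih_hex = ih.hex() if isinstance(ih, bytes) and len(ih) == 20 else None
    client = ver[:2].decode("ascii", "replace") if isinstance(ver, bytes) else ""
    return client or "unknown", query.decode("ascii", "replace"), ih_hex

# Constructed sample payloads (not captured traffic).
GET_PEERS = (b"d1:ad2:id20:abcdefghij01234567899:info_hash20:mnopqrstuvwxyz123456e"
             b"1:q9:get_peers1:t2:aa1:v4:UT\x00\x01" b"1:y1:qe")
PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
SAMPLES = [GET_PEERS, GET_PEERS, PING, b"\x00\x01 not bencode", b"l" * 5000]

def tally(payloads):
    return Counter(classify(p) for p in payloads)  # None = unparseable payloads
```

Many distinct sources repeating a `get_peers` for the same infohash is what ordinary DHT lookups for a popular torrent look like from the receiving side, so the tally separates that pattern from payloads that are not DHT at all.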
Switeck Posted January 15, 2008

Huge amounts of previous BOGON IP ranges have been mapped out to real ISPs around the world. The IPs of course may be FIREWALLED even en route to them, as many ISPs like to use transparent proxies and other crap.
Firon Posted January 15, 2008

Just because it used to be a bogon IP doesn't mean it still is.
This topic is now archived and is closed to further replies.