davidmoore Posted September 9, 2009 Report Share Posted September 9, 2009 Does Torrent P2P make use of unsolicited UDP traffic? Since I've enabled the IPS on my router (1811w) I've been logging what it calls "UDP Bombs" being sent to my public address to the port that my computer has configured for incoming connections, as well as a port 0 (?).Examples:Sep 9 03:27:23.763: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:50 UDP Bomb [70.79.208.87:0 -> publicaddress:0] VRF:NONE RiskRating:50Sep 9 03:27:23.839: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:50 UDP Bomb [80.186.187.171:10259 -> publicaddress:10100] VRF:NONE RiskRating:50I looked up UDP Bomb and it came back with this:UDP Bomb attack: This is also called a UDP Flood or packet storm. The attacker congests the network by generating a flood of UDP packets between two computers using the UDP chargen service (a testing utility that generates a character string for every packet it receives), the quote-of-the-day (quotd) service, or the daytime service.I guess I'm just wondering if what I'm logging are actual "attacks" or if they are legitimate bittorrent traffic packets that I'm blocking thus hindering my download speeds. These UDP Bombs only appear to happen when I am actively downloading torrents. Link to comment Share on other sites More sharing options...
GTHK Posted September 9, 2009 Report Share Posted September 9, 2009 On your listening port? Capture the packets? UDP is used for uTP connections and for the DHT network. Link to comment Share on other sites More sharing options...
davidmoore Posted September 9, 2009 Author Report Share Posted September 9, 2009 I have uTorrent configured to listen on 10100.Hrm... I could setup a monitor session and use the other ethernet port on my computer to capture the packets with wireshark. I'm not sure what I would be looking for though. I'm also not sure how much of my firewall I would have to tear down so that the packets would get monitored. Would the IPS configured on the interface stop that interface from letting me monitor it?Since UDP is used for uTP and the DHT network, am I hindering myself by essentially dropping those connections?Also, I believe the IPS signature to be somewhat detailed, do you think that the UDP traffic from uTP and DHT could be mistaken by the IPS signature? Link to comment Share on other sites More sharing options...
GTHK Posted September 9, 2009 Report Share Posted September 9, 2009 I'm not familiar with IPS's, what are you using for this?Is DHT working in uT? Do you have any peers marked with [uTP]? Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.