UTorrent Client Talking to DoD

[Absolut83]

I've discovered in the logs of my firewall that the machine i'm running UTorrent on is making outbound connections to Ip Addresses in each of the network ranges listed below. In my troubleshooting I've been able to narrow it down and see that these connections are only occurring when I have u torrent open and active transfers going. It seems to happen with most transfers, but not all. When I shut down the client, the connections stop. I'm wondering if any other users are seeing this, or if the Developers have any comments at to why this might be happening.

Client Version: 2.0 (build 18488)

The following network ranges are registered to the Department of Defense Network Information Center.

6.0.0.0 – 6.255.255.255

7.0.0.0 – 7.255.255.255

11.0.0.0 – 11.255.255.255

21.0.0.0 – 21.255.255.255

22.0.0.0 – 22.255.255.255

26.0.0.0 – 26.255.255.255

28.0.0.0 – 28.255.255.255

29.0.0.0 – 29.255.255.255

30.0.0.0 – 30.255.255.255

33.0.0.0 – 33.255.255.255

55.0.0.0 – 55.255.255.255

http://en.wikipedia.org/wiki/List_of_assigned_/8_IP_address_blocks

[DreadWingKnight]

And what trackers are being communicated with when the torrents are active?

[Absolut83]

I just started a transfer to test. Within 10 seconds, I was getting hits on my firewall. These are the trackers that show up in the list.

http://denis.stalker.h3q.com:6969/announce working 28m 46s 236 43 10

http://genesis.1337x.org:1337/announce working 29m 23s 225 37 0

http://nemesis.1337x.org/announce working 29m 22s 200 29 0

http://tracker.openbittorrent.com/announce working 31m 23s 236 43 10

http://tracker.publicbt.com/announce working 27m 28s 198 33 10

http://tracker.thepiratebay.org/announce offline (timed out) updating... 0 0 0

udp://denis.stalker.h3q.com:6969/announce working 28m 48s 237 43 10

udp://tracker.openbittorrent.com:80/announce working 27m 44s 236 43 10

udp://tracker.publicbt.com:80/announce working 28m 17s 198 33 10

udp://tracker.thepiratebay.org:80/announce updating... 0 0 0

I'm blocking the outbound connections to those subnets and logging them. Below are some of this hits I'm seeing on the firewall.

6|Mar 31 2010|15:54:19|106100|192.168.10.105|4432|6.163.229.73|22200|access-list inside denied udp inside/192.168.10.105(4432) -> outside/6.163.229.73(22200) hit-cnt 1 first hit [0xadbec344, 0x92b1a3a0]

6|Mar 31 2010|15:54:17|106100|192.168.10.105|4432|25.91.73.200|19167|access-list inside denied udp inside/192.168.10.105(4432) -> outside/25.91.73.200(19167) hit-cnt 3 300-second interval [0xadbec344, 0xceee5f29]

6|Mar 31 2010|15:54:12|106100|192.168.10.105|4432|25.81.189.94|25235|access-list inside denied udp inside/192.168.10.105(4432) -> outside/25.81.189.94(25235) hit-cnt 3 300-second interval [0xadbec344, 0xceee5f29]

6|Mar 31 2010|15:54:03|106100|192.168.10.105|4432|25.78.38.99|36035|access-list inside denied udp inside/192.168.10.105(4432) -> outside/25.78.38.99(36035) hit-cnt 3 300-second interval [0xadbec344, 0xceee5f29]

6|Mar 31 2010|15:53:53|106100|192.168.10.105|4432|25.76.246.187|20061|access-list inside denied udp inside/192.168.10.105(4432) -> outside/25.76.246.187(20061) hit-cnt 3 300-second interval [0xadbec344, 0xceee5f29]

6|Mar 31 2010|15:49:16|106100|192.168.10.105|4432|25.91.73.200|19167|access-list inside denied udp inside/192.168.10.105(4432) -> outside/25.91.73.200(19167) hit-cnt 1 first hit [0xadbec344, 0xceee5f29]

6|Mar 31 2010|15:49:10|106100|192.168.10.105|4432|25.81.189.94|25235|access-list inside denied udp inside/192.168.10.105(4432) -> outside/25.81.189.94(25235) hit-cnt 1 first hit [0xadbec344, 0xceee5f29]

6|Mar 31 2010|15:49:02|106100|192.168.10.105|4432|25.78.38.99|36035|access-list inside denied udp inside/192.168.10.105(4432) -> outside/25.78.38.99(36035) hit-cnt 1 first hit [0xadbec344, 0xceee5f29]

6|Mar 31 2010|15:48:52|106100|192.168.10.105|4432|25.76.246.187|20061|access-list inside denied udp inside/192.168.10.105(4432) -> outside/25.76.246.187(20061) hit-cnt 1 first hit [0xadbec344, 0xceee5f29]

[DreadWingKnight]

Being generated from peerlists from obenbittorrent and such as "randomy generated" peers in an attempt to throw off the anti-p2p groups snooping system.

This is not a bug in uTorrent. It's behaving as expected because of the peerlists it's being handed from the trackers.

[Absolut83]

I don't see any of those IP's in the peer list...

IP Client Flags % Down Speed Up Speed Reqs Uploaded Downloaded Peer dl.

24.209.56.77 µTorrent 2.0 D HX 100.0 8.9 kB/s 4 | 0 8.57 MB

24.224.228.135 µTorrent 2.0 D HX 100.0 5.9 kB/s 4 | 0 11.2 MB

24.238.210.127 [uTP] µTorrent 1.8.4 D HXP 100.0 0.3 kB/s 6 | 0 11.4 MB

62.169.100.148 [uTP] µTorrent 2.0 D HXP 100.0 2 | 0 480 kB 409.5 kB/s

64.231.46.239 [uTP] µTorrent 1.8.4 D HXP 100.0 0.9 kB/s 2 | 0 208 kB

198.129.33.65.cfl.res.rr.com [uTP] µTorrent 2.0 D HP 100.0 0.4 kB/s 2 | 0 1.31 MB

65.182.41.8 [uTP] BitTorrent 6.4 D HEP 100.0 1.0 kB/s 2 | 0 496 kB

c-67-180-226-133.hsd1.ca.comcast.net µTorrent 2.0 D HXe 100.0 5.1 kB/s 3 | 0 7.23 MB

67.241.239.19 [uTP] BitTorrent 6.4 D HXP 100.0 12.6 kB/s 10 | 0 25.8 MB

68.149.3.141 [uTP] µTorrent 1.8.5 D HXP 100.0 3.3 kB/s 3 | 0 6.34 MB

69.11.91.196 [uTP] µTorrent 2.0 D HXeP 100.0 3 | 0 944 kB

ool-457b8053.dyn.optonline.net µTorrent 2.0 D H 100.0 5.0 kB/s 3 | 0 4.12 MB

69.211.11.135 [uTP] BitTorrent 6.4 dS HXP 100.0 1.59 MB

70.43.122.87 [uTP] BitTorrent 6.2 D HP 100.0 76.2 kB/s 18 | 0 87.1 MB

adsl-149-78-219.mia.bellsouth.net [uTP] µTorrent 2.0 d HXP 100.0 2.00 MB 1.20 MB 285.6 kB/s

pool-74-98-85-194.ptldor.fios.verizon.net [uTP] µTorrent 1.8.5 d HXP 100.0 2.20 MB 409.5 kB/s

adsl-75-11-169-251.dsl.sndg02.sbcglobal.net [uTP] µTorrent Mac 0.9.1 D HXP 100.0 9.4 kB/s 5 | 0 17.1 MB

75.92.173.146 BitTorrent 6.4 D HX 100.0 6.2 kB/s 3 | 0 5.98 MB

75.158.85.114 [uTP] µTorrent 2.0 D HXP 100.0 3.3 kB/s 3 | 0 5.75 MB

c-76-31-68-241.hsd1.tx.comcast.net [uTP] BitTorrent 6.3 D HXP 100.0 17.0 kB/s 8 | 0 1.56 MB 409.5 kB/s

76.64.233.36 [uTP] µTorrent 2.0 D HXP 100.0 3.6 kB/s 3 | 0 7.51 MB

76.97.60.219 [uTP] µTorrent 2.0 D HXeP 100.0 103.2 kB/s 0.1 kB/s 42 | 0 40.7 MB

76.118.230.140 µTorrent 2.0 D HX 100.0 43.1 kB/s 16 | 0 56.2 MB

cpc1-dals8-0-0-cust192.hari.cable.virginmedia.com [uTP] µTorrent 2.1 dS HXP 100.0

78.101.178.108 BitTorrent 6.1.2 D HX 100.0 2.1 kB/s 3 | 0 2.34 MB

cpc1-epso4-2-0-cust205.6-3.cable.virginmedia.com [uTP] µTorrent 2.0 D HXeP 100.0 3.2 kB/s 3 | 0 1.12 MB

84.123.211.136.dyn.user.ono.com µTorrent 2.0 dS HX 100.0 1.03 MB 121.3 kB/s

86.89.80.155 BitTorrent 6.4 dS X 100.0 624 kB

86.186.175.171 [uTP] µTorrent 2.0 DS XP 100.0 3 | 0 1.56 MB

88-106-226-0.dynamic.dsl.as9105.com BitTorrent 6.4 D HXE 100.0 3.9 kB/s 3 | 0 464 kB

S0106002275cfb093.ed.shawcable.net µTorrent 2.0 dS HXe 100.0 896 kB

98.14.14.118 BitTorrent 6.3 DS H 100.0 1.1 kB/s 2 | 0 1.87 MB

98.144.14.53 BitTorrent 6.4 D HX 100.0 3.4 kB/s 3 | 0 6.21 MB

[DreadWingKnight]

Did you right-click your peers tab area and copy the peerlist or did you just select all and copy?

[Absolut83]

I just did the select all. When I right click, and paste into UltraEdit, It counts 2600 lines. I so see those IP's in that list however.

So the trackers provide a list of peer's and if a connection is actually made with a peer, then it shows up in the peer list, is that correct? Everything else that is in this large list is peer's that have not actually established a connection?

[DreadWingKnight]

So the trackers provide a list of peer's and if a connection is actually made with a peer, then it shows up in the peer list, is that correct?

If you are actively connected to it, it shows up in uTorrent's window.