user6565645 Posted April 19, 2014
Once uTorrent is started there are a plethora of attempted connections to IANA IP addresses. Is this part of the design of uTorrent or is it just insecure? uTorrent sends out thousands of DNS requests non-stop. I've opened up the port that I have set up in uTorrent, but there are attempts to connect via any port >= 1024.
DreadWingKnight Posted April 19, 2014
"Once uTorrent is started there are a plethora of attempted connections to IANA IP addresses. Is this part of the design of uTorrent or is it just insecure?"
Looks like someone has never heard of multicast. These IANA ranges are assigned to multicast services. uTorrent uses them for local peer discovery.
Outbound rules: from any to any
Inbound rules: from any to local listen port.
user6565645 Posted April 19, 2014 (Author)
That's a prerequisite of uTorrent functionality? Local peer discovery and dynamic outbound ports? As a prerequisite of installation, I disabled Local Peer Discovery for its vulnerabilities, both within the uTorrent application and all across Windows, from UPnP to Link Layer Topology Discovery. I've also disabled UPnP and NAT-PMP port mapping within the application, as well as the randomize-each-port option. The outbound rules you suggest are a little too intense for my specific security needs. Is there any way to set up uTorrent so that it communicates via one port and so that it doesn't send thousands of DNS requests per hour?

update: According to the manual here:
http://www.bittorrent.com/help/manual/appendixa0212#bt.no_connect_to_services_list
http://wiki.hidemyass.com/UTorrent
Perhaps I could put a range of ports into bt.no_connect_to_services_list and add an ipfilter.dat with the undesired ranges of IANA IPs. The manual doesn't specify whether ranges can be used or how to do so.

update: I set net.outgoing_port and net.outgoing_max_port to my desired port according to the manual. I didn't know a manual existed; I'm glad I thought of it. Hopefully it works.

update: To get rid of the insecure connections to IANA IP addresses, make sure that under Options -> Preferences -> Advanced
ipfilter.enable=true
To give you an example of how to configure the ipfilter.dat file, google for "utorrent" "ipfilter.dat" or, if this site is still active, download from http://tbg.iblocklist.com/Lists/ipfilter.dat.gz
Extract the file using 7-Zip or another archiver into your installation directory. Use it as is, or you can edit it or create your own with only the specific networks that you do not want in your network.

If you're on Windows 7, currently the installation directory is C:\Users\<username>\AppData\Roaming\uTorrent
If the iblocklist site is down, this is how to format the ipfilter.dat file; to block the network 10.0.0.0/8 you would type
010.000.000.000 - 010.255.255.255 , 000 , Bogon
I'm fairly certain it doesn't need to be called Bogon, but I kept it that way. You could also do this in your desired firewall, but I personally don't want my firewall being taxed by uTorrent if it doesn't need to be. Though I have the rules there anyway, especially if there is an upgrade and the "feature" is removed.
To get rid of the outgoing connections to any and every port you can set
net.outgoing_port=your_desired_port
net.outgoing_max_port=your_desired_port
in the advanced preferences mentioned above.
As far as the DNS requests are concerned, disabling "Resolve IPs" in uTorrent's Peers tab does not work for me. I suspect it may have something to do with the way I set up my network. Perhaps I'm not allowing Windows to cache known DNS queries so that it can remember them instead of constantly asking for every address every time the address is accessed. I set the DNS Client to disabled under Start Menu -> Run -> services.msc because DNS Client is/was vulnerable to DNS cache poisoning: https://technet.microsoft.com/library/security/ms08-037
I'm not confident that they fixed it in Windows 7. I'm still currently hardening my Windows installation, so I don't have enough information to explain how to harden the DNS Client; I believe, though, DNSSEC and/or IPsec may be the answer. For the moment, I've very reluctantly turned it on. I've seen a slowdown in DNS queries, but there are still thousands of queries.
If security is your concern, you should disable and/or harden the above features. If speed is your concern, disabling the features above may slow down your connection. How much I'm uncertain, but at first glance it appears to be minuscule.

As far as hardening is concerned:
http://resources.infosecinstitute.com/articles/
https://en.wikipedia.org/wiki/DMZ_%28computing%29#Dual_firewall
For Windows:
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Benchmark_v2.1.0.pdf
http://usgcb.nist.gov/usgcb/microsoft/download_win7.html
https://code.google.com/p/cm-ref-impl/source/browse/trunk/analysis-engine-core/src/main/resources?r=219
http://www.nsa.gov/ia/_files/os/win7/win7_security_highlights.pdf
http://www.nsa.gov/ia/_files/support/I33-011R-2006.pdf
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/archived_guides.shtml
For Linux:
https://www.frozentux.net/documents/iptables-tutorial/
http://www.amazon.com/Hardening-Linux-James-Turnbull/dp/1590594444
http://www.amazon.com/Linux-Firewalls-Detection-Response-iptables/dp/1593271417
https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/
https://grsecurity.net/
https://en.wikipedia.org/wiki/AppArmor
http://bastille-linux.sourceforge.net/
I don't yet have enough PCs to use a DMZ. I personally currently use a combination of two PCs because Windows isn't, as far as I can tell, very good for security. Linux isn't very good for games, and much of the software on the market is only on Windows. I don't like the idea of using Wine. I don't like dual booting. And I personally didn't have good results when using the bare-metal virtualization approach through the open source software Xen. http://wiki.xen.org/wiki/Xen_Linux_PV_on_HVM_drivers
I tried that approach for a while and decided I wanted the best of both worlds. This approach is still in alpha as I'm in the process of building and testing it. For the Linux PC, I use Gentoo for its flexibility and its many security options: SELinux, AppArmor, TOMOYO, SMAC (Simplified Mandatory Access Control), grsecurity (which can be used in combination with one (or more?) of the others). For a production network I would go with CentOS because it's free, or Red Hat Enterprise Linux.

Or use one of the firewall distros like pfSense: https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions
The Linux PC acts as a router/gateway for the Windows PC. I had and still have a lot of headaches with SELinux because I use the strict policy. The targeted policy seems too loose, though it can be configured to be as strong as the strict policy. The only tools I have found useful so far for SELinux are audit2allow, system-config-selinux, and permissive domains. Permissive domain control is available in the system-config-selinux GUI.
https://danwalsh.livejournal.com/24537.html
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html
and disabling dontaudit for "silent denials":
semodule -DB [temporarily disable]
semanage dontaudit off [permanently disable]
There are other tools available: http://oss.tresys.com/projects/setools
sepolgen or "sepolicy generate" or sepolicy-generate
http://www.dsm.fordham.edu/cgi-bin/man-cgi.pl?topic=sepolicy-generate&sect=8
https://danwalsh.livejournal.com/32430.html
sepolicy generate makes creating policy easier than using audit2allow, but I haven't gotten it to work. Run the system in permissive mode for a while, open/close programs, boot/reboot, etc., then use audit2allow to get rid of the denials.
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=5
http://www.gentoo.org/doc/en/security/security-handbook.xml?full=1
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
It's probably a good idea to scrutinize the guides "and the software" carefully for any holes, intended or unintended.

update: Well, uTorrent has been great; I don't know why I haven't thought of this before, as I've been moving all of my software to open source for security and because I'm an aspiring programmer.
https://en.wikipedia.org/wiki/Comparison_of_BitTorrent_clients
I found qBittorrent to be the best application for my needs. I've used it before on Linux, though I seriously hate the way qBittorrent's GUI looks. It looks like cheap, minimalistic, typical Linux lameware as far as GUIs are concerned. I was looking at Deluge, but it's mostly written in Python and some C++, which is OK, but I prefer C/C++. BitComet was my application before uTorrent, but the GUI kept freezing and it's not open source. I had this subconscious feeling uTorrent was open source "in the past", but after doing some research I think it was BitTorrent that was open source and they purchased uTorrent or something and turned their application into closed source. I still like uTorrent for its flexibility (you can even turn off the ads), but it's not open source. The rest of the applications in the wiki don't support one thing or another, like SOCKS/SOCKS4/5 and other security features.
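As an added example that is not part of the thread and not uTorrent's own code: a small Python script that writes ipfilter.dat lines in the format quoted in the post above (zero-padded dotted quads, a numeric level, a label) from CIDR blocks, parses such a file back, and checks whether a given address falls inside a listed range. The networks in it (the IANA IPv4 multicast block the reply above refers to, plus the RFC 1918 private ranges) are constructed sample input; any range present in the file is treated as blocked, which is how the post uses the file, and the numeric level is kept but not interpreted.

```python
"""Generate and check uTorrent-style ipfilter.dat ranges.

Added example, not code from the forum thread or from uTorrent. The line
format follows the example given in the post:
    010.000.000.000 - 010.255.255.255 , 000 , Bogon
i.e. zero-padded dotted quads for the inclusive range, a numeric level and a
free-text label. The networks in SAMPLE_NETWORKS are constructed sample input.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample input: networks to keep the client from contacting.
# 224.0.0.0/4 is the IANA IPv4 multicast block; the others are RFC 1918 space.
SAMPLE_NETWORKS = [
    ("224.0.0.0/4", "Multicast"),
    ("10.0.0.0/8", "Bogon"),
    ("172.16.0.0/12", "Bogon"),
    ("192.168.0.0/16", "Bogon"),
]

Rule = Tuple[int, int, int, str]  # (first address, last address, level, label)


def pad_quad(addr: ipaddress.IPv4Address) -> str:
    """Render 10.0.0.1 as 010.000.000.001, the zero-padded form used in the post."""
    return ".".join(f"{int(octet):03d}" for octet in str(addr).split("."))


def quad_to_int(text: str) -> int:
    """Parse a (possibly zero-padded) dotted quad to an integer.
    Done by hand because ipaddress.IPv4Address rejects leading zeros on
    recent Python versions."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def cidr_to_ipfilter_line(cidr: str, label: str, level: int = 0) -> str:
    """Convert one IPv4 CIDR block into one ipfilter.dat line."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this ipfilter.dat writer handles IPv4 only")
    return f"{pad_quad(net[0])} - {pad_quad(net[-1])} , {level:03d} , {label}"


def build_ipfilter(networks) -> str:
    """Render a list of (cidr, label) pairs as ipfilter.dat text."""
    return "".join(cidr_to_ipfilter_line(c, lbl) + "\n" for c, lbl in networks)


_LINE = re.compile(r"^([\d.]+)\s*-\s*([\d.]+)\s*,\s*(\d+)\s*,\s*(.*?)$")


def parse_ipfilter(text: str) -> List[Rule]:
    """Parse ipfilter.dat text into Rule tuples.
    Blank lines and '#' comments are skipped. Any other line that does not
    match the format raises, so a typo cannot silently drop a range."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised ipfilter entry {raw!r}")
        start, end = quad_to_int(m.group(1)), quad_to_int(m.group(2))
        if start > end:
            raise ValueError(f"line {lineno}: range start is after its end")
        rules.append((start, end, int(m.group(3)), m.group(4)))
    return rules


def is_blocked(ip: str, rules: List[Rule]) -> Optional[str]:
    """Return the label of the first rule covering ip, or None.
    Every range present in the file counts as blocked, which is how the post
    uses the file; the numeric level is kept but not interpreted here."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, _level, label in rules:
        if start <= n <= end:
            return label
    return None


if __name__ == "__main__":
    text = build_ipfilter(SAMPLE_NETWORKS)
    print(text, end="")
    rules = parse_ipfilter(text)
    for probe in ("239.192.152.143", "192.168.1.10", "8.8.8.8"):
        print(probe, "->", is_blocked(probe, rules) or "allowed")
```

Usage: save the printed lines as ipfilter.dat in the profile directory named in the post and set ipfilter.enable=true in the advanced preferences; the parser is the same check a practitioner would run over a downloaded list before trusting it, since a malformed line is rejected rather than ignored.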