
New Torrent Added, Amazon Server Mystery

by francesco on 2023/02/14 08:16:44 PM    
Hello again, I made a test torrent that I downloaded from myself via qBittorrent portable, never published on a tracker. An incoming peer showed up from 54.x.x.x, an IP under Amazon.

by Guest on 2023/02/15 04:34:41 PM    
Your torrent information was collected by a DHT crawler; it's safe to say that this probably isn't associated with Tixati. The parties operating these crawlers are sometimes doing it to scan for CSAM, or in the case of BTDig they do it to build a database of DHT torrents that can be searched. also crawl the DHT network.

However these Amazon/Linode IP addresses have annoyed me in the past, so I made a script to block them utilising the 'IP Filter' feature that exists within Tixati. Here are some IP addresses you can block:
Amazon:  (After 24h blocked: 202 In, 167 Out, 7,389 DHT)
Google:  (After 24h blocked: 5 In, 6 Out, 502 DHT)
Linode:   (After 24h blocked: 0 In, 19 Out, 1,070 DHT)
Microsoft Azure:  (After 24h blocked: 118 In, 3 Out, 327 DHT)

As you can see it's probably worth blocking Amazon and Linode IPs since they're the worst offenders when it comes to crawling DHT.

by notaLamer on 2023/02/22 12:49:20 AM    
Amazon AWS (crawler botnet) and Linode (SMTP/Email server) are used by ?P-?ch?l?n (replaced vowels: I, E, e, o). They have money to burn to use cloud providers. Possibly other parties too.

Cautionary note:
While ?P-?ch?l?n's surveillance bots will be naturally present on DHT, it is not an implication you have or have not a copywronged material on your hands.
If you do, you violate Tixati's license agreement.
If you don't (your case), forget about this.

It is recommended to block all the provided IPs to avoid wasting traffic and electricity. Go green!

If you have money to burn as well, you may try to set a legal precedent for if such intrusive surveillance is allowed by suing the bot operators. The outcome depends on your legislation.

by francesco on 2023/03/16 09:36:21 PM    
Hey thanks for awesome reply Guest and Notalamer.
Thanks very much for your list, WHAT A HELL OF A LIST - I'll see to implement it if it won't slow down Tixati.

It isn't Tixati.
It is neither qBittorrent calling or my shithole country ISP, I took some days to look into it and there is a humongous network of *them*, it isn't just bots that snitch on the DHT, it is a network because there is always one that comes to scan you as soon as you hit DHT - like sooner than anybody else - and propagate the info so they don't need lots of them coming at you to also "collect the torrents".

The thing is, quite honestly, we are winning this.

(They) care more about other things like implementing digital IDs and digital money and injecting us with graphene oxide. When they achieve "singularity" this is whenever they completely eviscerate society and smash it under monolithic control they will also have the copyrights for everything because they claim ownership of everything that exists.  

I checked, wow, they are clueless... (or they really know and hold it back)

by Guest on 2023/04/01 08:55:01 PM    
If you are running ANY torrent software, you should blocklist:

AWS + GOOGLE + AZURE as these don't allow P2P under T&C's and disk space is derisory so SeedBoxes are extremely unlikely here.

Nobody knows for sure but this is likely to be: MA-VE-RI-CK-EYE
FASTHOSTS UK   - Especially port 51500 (open ports their side)
NFORCE    NL   - Especially port 51500 (open ports their side)

These ISP's run AntiP2P by ?P-?ch?l?n (replaced vowels: I, E, e, o)  

We observed this ISP to use stealth tactics such as moving IP blocks around periodically, presumably to avoid detection.
We still see mass DHT traffic whatever they attempt.
We see them read users' bitfield then disappear - there is never any traffic.
We see them show fake pieces like 27/987 to try and evade detection but we see it all.
We see them show fake clients; favourite is Deluge (ancient obsolete version) plus other rare clients (torch, etc), which is a giveaway.

But we managed to set up mass DHT spoofing client which awakens this spy network,
very notable in a symmetrical formation which does not happen with genuine clients.

by notaLamer on 2023/04/14 05:41:27 PM    
Thank you for mentioning port 51500 explicitly. I decided to conduct a fun little experiment:
- Launch Wireshark with capture filter port 51500 on the interface Tixati uses. This way it does NOT track any traffic outside port 51500
- During the 8 hours it only recorded BT-DHT protocol communication. Wireshark has built-in viewer for DHT messages
- By inspecting incoming messages, see what infohash my client was asked about
- Search information on a DHT search engine about this infohash to confirm it's a bot request
- Verify by looking up the source IP, it will not be a residential customer
- For IPs already present on my IP Filter, they would not receive a reply. All legitimate DHT peers did communicate as usual.

Because this only included random DHT queries I HAVE NOTHING TO DO WITH I feel justified to post this information as-is. However I will change the names slightly. The list below ONLY included port 51500.

IP    AS      Company Name          Location  Requested Infohash                        Actual content name
      8560    IONOS-AS / Fasthost   UK        8f899156f33c873c95cb1c4e45f13c58cd56292Q  T33n Wolf episode, Spanish
      8560    IONOS-AS / Fasthost   UK        8b5153ff643c4149474c5a12d20065ea688850aL  H3nry D4nger episode
      43350   Nforce hosting        NL        8b5153ff643c4149474c5a12d20065ea688850aL  H3nry D4nger episode
      8560    IONOS-AS / Fasthost   UK        8bcbee20eb2cd66f07a24f6399277a3f8044fbeZ  T33n Wolf Season 1, English
      8560    IONOS-AS / Fasthost   UK        8bdc6097d24e0c252b607aa3dbfe61e76b0890cL  St4r Tr3ck Discovery episode, English
      8560    IONOS-AS / Fasthost   UK        8b5125ecbe01681c5b9f332006ab3ebddb6a5c6T  Ch4rm.3d 2018 episode, English

Note: I replaced the final letter of the infohash to avoid trouble for forum moderators. However I deem it important to preserve it for the sake of scientific consistency, verifiability and research. I hope this is OK.

Things learned:
1. They operate a centrally controlled botnet with servers in different locations
2. They do not hide themselves and constantly poll DHT to find new victims to prey on
3. Based on research, some seedboxes appear to use Nforce as their hosting provider, this doesn't mean it will not be used for botnets too
4. You can observe how multiple IPs query one infohash
5. You can observe how multiple IPs query infohashes for one particular copyright work series
6. You can observe a British IP looking up a Spanish show. Suspicious to say the least
7. By searching for production/publishing companies in reverse, you can find out their customers

I find it egregious that my client received these queries in the first place. However in this instance all of them were blocked thanks to the bad IP lists posted above. THANK YOU. They won't even receive a confirmation that I don't have any of this boring crap. This is not what I use BitTorrent for and I am happy to confirm that I 100% comply with the Tixati EULA :)
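
The inspection step of the experiment above (see which infohash each incoming DHT query asks about, which sources ask for the same one, and whether a source is already covered by the IP filter) can be scripted. This is an added example, not code from any poster in this thread. It assumes the UDP payloads have already been exported from a capture as (source IP, bytes) pairs; the datagrams, infohashes, addresses and filter ranges below are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":      # truncated input raises ValueError below
            value, i = bdecode(data, i)
            items.append(value)
        return (items if c == b"l" else dict(zip(items[0::2], items[1::2]))), i + 1
    colon = data.index(b":", i)           # byte string: <length>:<bytes>
    n = int(data[i:colon])
    if n < 0 or colon + 1 + n > len(data): raise ValueError("bad string length")
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def get_peers_hash(payload):
    """Return the 20-byte info_hash of a KRPC get_peers query, else None."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, TypeError, RecursionError):   # not valid bencode
        return None
    if not isinstance(msg, dict) or msg.get(b"y") != b"q" or msg.get(b"q") != b"get_peers":
        return None
    args = msg.get(b"a")
    h = args.get(b"info_hash") if isinstance(args, dict) else None
    return h if isinstance(h, bytes) and len(h) == 20 else None

def tally(datagrams, filter_cidrs):
    """Map infohash hex -> {source IP: is it already covered by the IP filter?}."""
    nets = [ipaddress.ip_network(c) for c in filter_cidrs]
    seen = defaultdict(set)
    for src, payload in datagrams:
        if (h := get_peers_hash(payload)) is not None:
            seen[h.hex()].add(src)
    return {h: {s: any(ipaddress.ip_address(s) in n for n in nets) for s in sorted(srcs)}
            for h, srcs in seen.items()}

def make_query(h, q=b"get_peers", key=b"info_hash"):   # constructed KRPC query datagram
    return b"d1:ad2:id20:" + b"N" * 20 + b"%d:%s20:%se1:q%d:%s1:t2:aa1:y1:qe" % (len(key), key, h, len(q), q)

H1, H2 = bytes(range(20)), b"\xaa" * 20   # constructed infohashes
SAMPLE = [("192.0.2.10", make_query(H1)), ("198.51.100.7", make_query(H1)),
          ("203.0.113.5", make_query(H2)), ("192.0.2.10", make_query(H2, b"find_node", b"target")),
          ("192.0.2.99", b"d1:y1:q")]      # last entry is a truncated datagram
FILTER = ["192.0.2.0/24", "198.51.100.0/24"]   # constructed IP filter ranges
REPORT = tally(SAMPLE, FILTER)   # H1 asked for by two filtered sources, H2 by one unfiltered
```

An infohash with several sources in `REPORT` corresponds to point 4 of the list above; a source mapped to `False` is one the current filter does not yet cover.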

by notaLamer on 2023/08/12 01:52:00 AM    
I'm sorry to slightly derail this topic, if mods think so please lock or tell me and I will make a dedicated one. It's just here are all known links to date.

Suspects running on SoftLayer found:
