I have suggested several ways Tixati could identify bad and automatically deal with unwanted behavior.
I'm making a wish-list and if devs implement anything, some regular donations will be forthcoming haha! It's only fair?
Although this is only a hobby for me as I guess it always has been for the devs?
One of the main things I'd like is slightly more info in the "Event Log" tab on level 5+.
-Port numbers for DHT/tracker responses.
-Encrypted or Plain
-Initial Bitmap pieces of LOCAL and PEER.
-Peer Client id and peer id
Maybe there can be another option level excluding 'pieces' "6 - Max Info (minus piece transfer)"
I'd consider myself an expert at identifying bad peers. I've found 8 Snoop networks this year including what I think is "m_a_v_e_r_i_c e_y_e"
Some of these Snoopbot networks consist of 150 instances minimum PER bot. Some are so predictable and poorly implemented it's actually helped me identify their tactics.
I know this might sound 'sad' but I enjoy weeding out bad peers on Tixati nowadays far more than downloading any 'content'. If that makes sense. It's a challenge.
Tixati is incredibly powerful if you know how to use the features.
My previous Feature Requests on the forum would all help identify the P2P abusers.
Tixati only really needs fine-tuning to temporarily ban or deprioritise some of the weird behavior I'm seeing.
I have Tixati logs, network logs, local WireShark logs. Everything possible to catch the unwanted behavior.
I've even broken down the protocol to byte level to understand this stuff. I've put a lot of effort in. I think I know what I'm doing and I'm getting the results I wanted.
100% Confirmed P2P SnoopBot - small scale
*** 23/04/2021 ***
[01:04:19] created from incoming connection <--- P2P connects to me. I have open ports on this 'bait' machine.
[01:04:19] receiving incoming connection
[01:04:19] logged in
[01:04:19] sent bitfield <--- He now knows I have 100.0% completion (REQUIRED to send me a 'notice')
[01:04:29] error: Remote disconnected
[01:04:52] initiating connection <--- Tixati can't contact him back. He has closed/firewalled ports
[01:04:59] receiving incoming connection <--- He comes back a second time.
[01:04:59] logged in
[01:04:59] sent bitfield <--- He now knows I have 100.0% completion (REQUIRED to send me a 'notice')
[01:05:09] error: Remote disconnected
[01:05:31] initiating connection <--- Tixati tries to return connection to P2P snoopbot but he is deliberately firewalled.
[01:05:47] error: Timed out connecting
[01:06:16] initiating connection
[01:06:33] error: Timed out connecting
[01:07:04] initiating connection
[01:07:20] error: Timed out connecting
[01:07:58] initiating connection
[01:08:14] error: Timed out connecting
[01:09:19] initiating connection
[01:09:35] error: Timed out connecting
[01:11:09] initiating connection
[01:11:25] error: Timed out connecting
[01:15:27] initiating connection
[01:15:43] error: Timed out connecting
[01:19:46] initiating connection
[01:19:58] stopping, ignored <---Manual ignore in Tixati
3743938  2021-04-23 01:04:21.465613  10.10.0.8  x.x.x.196  BitTorrent  356  Extended Bitfield, Len:0x78
3744322  2021-04-23 01:05:02.220237  10.10.0.8  x.x.x.196  BitTorrent  356  Extended Bitfield, Len:0x78
0000 13 42 69 74 54 6f 72 72 65 6e 74 20 70 72 6f 74 .BitTorrent prot <--- 0x13 = 19 decimal bytes, starting '42' ending before InfoHash
0010 6f 63 6f 6c 00 00 00 00 00 15 00 00 IN FO HA SH ocol............ <--- InfoHash edited out by me
0020 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ................
0030 2d 4c 57 30 32 31 30 2d 35 38 63 36 66 39 39 30 -LW0210-58c6f990 <--- Spybot PEER ID (Identifying as LimeWire 2.1.0)
0040 XX XX XX XX ....
Spybot networks are NOT in the same category as fakers.
Professional Spybots will NEVER have any files. They monitor 1,000,000+ torrents. They'd need PetaBytes of storage if they stored files or even partials.
I've NEVER witnessed a mainstream P2P Spybot transfer files (any direction) and I have a setup to capture everything from these people.
A Spybot network's purpose is ONLY this:
1) CONFIRM you're a real P2P client, Test your incoming port for instance (DHT or Tracker participation alone is absolutely worthless)
2) CONFIRM your CLIENT ID and PEER ID (handshake)
3) CONFIRM you're holding files - THEY check OUR Torrent bitfield (IE: "received bitfield, 1,234 of 1,234 pieces" = complete peer)
4) IF you PASS the 3 tests above you might get a boring infringement notice from the SpyBot owner.
5) In addition, TIXATI connects outbound proactively TO the Spybot which is an alternative PASS for check (1) above
If Tixati had a 'cautious' mode and we were a COMPLETE peer, we would RESPOND to new incoming connections OR initiate outgoing connections and declare our bitfield as either "0 of 1,000" or random "365 of 1,000"
This means the Spybot cannot complete their checklist above to issue you with a P2P notice.
TIXATI then checks the PEER's bitfield which Spybots are always 0 of 1,000 (etc)
IF the PEER has nothing (bitfield less than equivalent to 3% perhaps) TIXATI should be cautious and disconnect
IF that PEER we shunned was a Spybot - We didn't fall in the 'trap'
IF that PEER we shunned was a REAL PEER it will obtain initial pieces elsewhere, then come back with say "bitfield 123 of 1,000" and TIXATI says OK yeah I know you're real now, start upload/download.
I note from Tixati & WireShark Logs the peer NEVER sent his bitfield at all. Perhaps no need if we are "complete peer", hence Tixati must pretend to be a "partial" to obtain the peers bitfield first
FAKE PEERS / NUISANCE PEERS / TIMEWASTER PEERS
I'll post some logs about that strange behavior next time.
-Example where Tixati handled it well
-Another where it happened for 3-4 hours
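The pattern in the event log above (inbound connection, our bitfield sent, remote disconnect seconds later with no bitfield received, outbound retries timing out) can be checked mechanically over a saved per-peer log. The following is an added example, not part of the original post and not Tixati code; the function name and the thresholds `max_session` and `min_probes` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Events taken from the post's log for one peer (annotations stripped,
# later repeats of the outbound timeout trimmed).
SAMPLE_LOG = """\
[01:04:19] created from incoming connection
[01:04:19] receiving incoming connection
[01:04:19] logged in
[01:04:19] sent bitfield
[01:04:29] error: Remote disconnected
[01:04:52] initiating connection
[01:04:59] receiving incoming connection
[01:04:59] logged in
[01:04:59] sent bitfield
[01:05:09] error: Remote disconnected
[01:05:31] initiating connection
[01:05:47] error: Timed out connecting
"""
LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(.+?)\s*$")

def assess_peer(log, max_session=timedelta(seconds=30), min_probes=2):
    """Count 'connect, take our bitfield, leave' sessions for one peer.
    max_session and min_probes are assumed thresholds, not Tixati settings.
    Timestamps carry no date, so a log crossing midnight is not handled."""
    probes = timeouts = 0
    start = None              # start time of the current inbound session
    sent = received = False   # bitfield exchange seen in that session
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)
        if msg.startswith("receiving incoming connection"):
            start, sent, received = ts, False, False
        elif msg.startswith("sent bitfield"):
            sent = True
        elif msg.startswith("received bitfield"):
            received = True
        elif msg.startswith("error: Remote disconnected"):
            short = start is not None and ts - start <= max_session
            if short and sent and not received:
                probes += 1
            start = None
        elif msg.startswith("error: Timed out connecting"):
            timeouts += 1
    # Flag only when the peer also proved unreachable on the way back.
    flagged = probes >= min_probes and timeouts >= 1
    return {"probes": probes, "timeouts": timeouts, "flagged": flagged}
```

A peer that sends its own bitfield during the session, as in the "received bitfield, 1,234 of 1,234 pieces" line quoted in the post, is not counted as a probe.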