
Actual Example of P2P enforcement - with IP Filter file

by Guest on 2021/07/23 07:43:59 PM    
Some 'infringement notices' arrived in our abuse folder this week.

Instead of pressing the DEL key I've been investigating some of these.

I have obfuscated some of the following abuse notice:


Notice of Claimed Infringement - Case ID XX
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Notice ID:   XX
Notice Date: 2021-07-20TXX:XX:XXZ

ISP PARENTCO INC.

Dear Sir or Madam:

I cert.ify und.er pena.lty of per.jury that I am au.thoriz.ed to ac.t on beh.alf of the Vi@c_omC?S Inc. compa.nies C?S Broa.dcasting Inc., CB? Stu?dios Inc., Para_mount Pi_ctures Corpora_tion, Sh-ow-time Netw-orks Inc., Vi com Intern-ational, Inc., and oth.er V-i-@-c-omC-B-S Inc. subsid.iaries and affil.iates (collecti.vely, the "Rig.hts Own.ers"), th.e ow.ners o.f cert.ain exclu.sive inte.llectual prop.erty ri.ghts in the cop.yrighted wo.rk(s) ident.ified in this noti.ce. I h.ave a go.od fai.th bel.ief th.at the inform.ation in this not.ice is accu..rate.


BS BS BS BS BS and more BS


OK, so let's see how they send these notices.

Spin up a clean Win10 instance, install v2.84 and see what happens:

Paste in the infohash reported...


Some 100% seeders look good... some partials with bi-directional traffic, and some SCUMBAG IPs "lurking" with NO FILES!

This is an Anti-P2P enforcement bot - and again looks like they need two positive hits as evidence.
88.208.201.113 :51500  Location: United Kingdom ISP: F_a_s_t_h_o_s_t_s UK
185.107.94.48  :51500  Location: Netherlands    ISP: N_F_O_r_c_e NL


Again more dumbass stupid config, Port 51500 giving the game away on a massive range of their machines.

Probe some of the NL machines:
IP             RDNS                   PORT              P2P_handshake_true
185.107.94.5   185.107.94.5           51500             True
185.107.94.13  185.107.94.13          51500             True
185.107.94.14  185.107.94.14          51500             True
185.107.94.47  185.107.94.47          51500             True
185.107.94.48  185.107.94.48          51500             True
185.107.94.58  185.107.94.58          51500             True
185.107.94.59  185.107.94.59          51500             True
185.107.94.62  185.107.94.62          51500             True

This is definitely dodgy AF!

Block it folks!

Tixati IP FILTER FILE:

# f_a_s_t_hosts and nfo_rce
FAASTHSTS:70.35.192.0-70.35.207.255
FAASTHSTS:77.68.32.0-77.68.63.255
FAASTHSTS:79.99.40.0-79.99.47.255
FAASTHSTS:88.208.192.0-88.208.251.255
FAASTHSTS:109.228.0.0-109.228.63.255
FAASTHSTS:213.171.192.0-213.171.223.255
FAASTHSTS:217.174.240.0-217.174.255.255
N_F_O_RCE:185.107.94.0-185.107.95.255

Going further, constantly probing these machines for handshakes, I found they often identify differently.

They have gone to significant effort to "hide" the identifiers:

AND it seems this has been here a long time, judging by some of the ANCIENT software versions:

Bitcomet 1.35
uTorrent 3.1.3
Mainline 7.4.1
Transmission 2.61
Azureus 5.2.0
Vuze 5.2.0.1
+more

Interesting!

I'm ALWAYS logging...  ;-D
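As an added example (not code from the post or from Tixati), here is a small Python checker for filter lines in the `LABEL:start-end` layout shown above: it parses the list, reports which label (if any) a peer address falls under, and converts each range to CIDR blocks for firewalls that cannot take start-end ranges. The filter text is a constructed copy of the post's list, and the line layout is assumed from the post rather than from Tixati's documentation.

```python
import ipaddress
import re

# Constructed copy of the filter lines from the post (LABEL:start-end layout assumed from the post).
FILTER_TEXT = """\
# f_a_s_t_hosts and nfo_rce
FAASTHSTS:70.35.192.0-70.35.207.255
FAASTHSTS:77.68.32.0-77.68.63.255
FAASTHSTS:79.99.40.0-79.99.47.255
FAASTHSTS:88.208.192.0-88.208.251.255
FAASTHSTS:109.228.0.0-109.228.63.255
FAASTHSTS:213.171.192.0-213.171.223.255
FAASTHSTS:217.174.240.0-217.174.255.255
N_F_O_RCE:185.107.94.0-185.107.95.255
"""

LINE_RE = re.compile(r"^([^:#]+):(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_filter(text):
    """Return [(label, first, last)] with addresses as ints. Comments and blank lines
    are skipped; anything else is rejected so a typo cannot silently shrink the list."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised filter line {raw!r}")
        label, first, last = m.groups()
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if lo > hi:
            raise ValueError(f"line {lineno}: range start is above range end")
        ranges.append((label.strip(), lo, hi))
    return ranges

def matching_labels(ranges, ip):
    """Labels of every range containing ip (empty list means not in the filter)."""
    n = int(ipaddress.IPv4Address(ip))
    return [label for label, lo, hi in ranges if lo <= n <= hi]

def to_cidrs(ranges):
    """Same ranges expressed as CIDR blocks, grouped by label."""
    out = {}
    for label, lo, hi in ranges:
        nets = ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        out.setdefault(label, []).extend(str(n) for n in nets)
    return out
```

Running `matching_labels(parse_filter(FILTER_TEXT), "185.107.94.48")` returns `['N_F_O_RCE']`, i.e. the second peer listed in the post lands in the blocked /23.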
by Guest on 2021/07/24 03:06:45 PM    
Thank you, great findings! I wish more people would carry the knowledge (of their inboxes) out into the world.
I've seen a couple of 'misbehaving hosts' from NFO rce before, but after research that indicated many legit users chose that hosting for their low prices (aka 'notoriety') I thought they were legitimate after all. Apparently it's not that easy to determine as the enemies of informational freedom use the same companies for themselves. But the scale: a 64 IPv4 subnet!

I'm gonna assume the clowns in the e-mail are the 'I?E*' company due to being hired by the same PARAlyzed MOUNTain company. Here is an old but accurate study specifically citing them as an example of false-positives: https://web.archive.org/web/20210412220418/http://dmca.cs.washington.edu/  I thought they operated solely off AWS and Linode (you can pretty much go and blacklist AWS, GCP, Azure ASNs right now as a whole due to traffic cost to normal legit users); apparently not, and they're spreading operations. Or this is indeed a separate entity, because I still have 20k blocked hits for DHT coming from AWS (and even more from OVH).

The war on the clearnet continues, but only their lobby efforts will succeed sadly.