nanog mailing list archives

Re: OT: Anyone seeing these sorts of probes? Port 46993 udp?


From: Clinton Popovich <pcprognosis () verizon net>
Date: Fri, 12 Mar 2010 03:42:11 -0500

I agree, this looks to be BitTorrent traffic. The Pirate Bay has a practice of injecting fake client IP addresses. I have a feeling that is what you're seeing. I would write more but power is out and the battery is going....

James Hess wrote:
Well, those UDP captures appear to be BitTorrent  Peer-to-Peer file
sharing traffic, or something disguised as such.
Note the  "64 31 3a 61 64 32 3a 69 64 32 30 3a"
and also the  textual reference to  info_hash

On Fri, Mar 12, 2010 at 12:18 AM, Joe <jbfixurpc () gmail com> wrote:
Not to distract from the IPV4/IPV6 thread, but just wondering if anyone has
seen this behavior or perhaps can enlighten me to its origin/virus/meaning?

Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
(192.168.1.52)
User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
Data (101 bytes)

0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
0060  79 31 3a 71 65                                    y1:qe


I'm seeing thousands of these per minute at one location, hundreds of unique
IP addresses. Some sort of botnet maybe?


Thanks much

Joe









