Brawling with BitTorrent

Gregory D Hough mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Wed Aug 23 04:57:45 UTC 2006


Walter Dnes wrote:
> On Tue, Aug 22, 2006 at 08:22:35AM -0400, Gregory D Hough wrote
> 
> 
>>Is anyone familiar with BitTorrent? I have a problem with it. I don't 
>>use it myself for anything cause I ain't a TV junkie or hyper-music 
>>enthusiast and I buy my distros attached to Linux magazines. I am just 
fed up with a persistent month-long "Afterglow?" I don't know if it is 
>>actually afterglow or if it is an MPAA/RIAA Torrent spy, but I want it 
>>to Go Away!
> 
> 
>>before I start throwing some brutal packets at the offending IP...
> 
> 
> ..before you start throwing some brutal packets at the offending IP...
> remember that IP addresses are trivially easy to forge on UDP.  You
> might be hitting an innocent 3rd party with a DOS attack, and they
> could file criminal charges against you.
> 
I'm truly compelled to respond in that other thread, but to avoid being 
obtuse I'll stick to the point in the reply that's mostly on the mark.

Walter, the word brutal was just an attention getter, sorry. If I filed 
criminal charges against every party that attempted to DOS my IP, I 
solemnly swear, I'd have legal pads up the ying-yang and court dates 
from here to eternity. What would be the point of forging a P2P beacon 
packet anyway? It doesn't include any redirection. I also expected to 
see that word criminal show up from using the word brutal; the pair 
instill fear and usually go hand-in-hand as in "brutal criminal." 
Incidentally, I never said how brutal nor how many.
> 
>>like to know what is the proper way to make it stop.
> 
> 
>   Can I assume you have a static IP address?  If you have a dynamic IP
> address, change it.
> 
I don't wish to change my dynamic IP address. I like to treat it as 
though it were static. And besides, running away is cowardly when there 
is little chance of any harm coming from standing my ground in this 
instance. I could even turn off logging the 72 or so hits each day in 
the spirit of blissful ignorance to the ultimate doldrums of nothing 
ventured nothing gained.

>   A few UDP packets once every 20 minutes is *NOT* a DOS attack, so I
> wouldn't bother calling law-enforcement.  If you have logs, submit them
> to the ISP that owns that IP address.
> 
This is a rather benign example yes, but it is an effort to form a 
proper and ethical regime within automated tasks before threading any 
jigs for bigger FIN'd critters. Submitting logs would be one of my first 
automated outward expressions, and it would not be a law-enforcement 
contact initially I'm sure. I will probably have to learn how to 
integrate jwhois for appropriate <abuse at addresses> to generate messages 
to. Having said that, here is a typical "auto-reply" when pursuing the 
correct channels in incident reporting. It was quite lengthy and in 
multiple languages so it's abbreviated accordingly (note the hyphenated 
word auto-generated):

=================================================================
- To report scans, probes, hacking attempts, or similar activity,
please include an excerpt of your auto-generated log files showing ONLY 
THE INCIDENTS PERTAINING TO <bleep> INTERNET, cut and pasted directly 
into the email message, including:

    - Offending IP Address
    - Date
    - Specific Time
    - Time Zone and GMT offset
    - Source/Destination Ports
    - Any other brief pertinent details

***Screenshots will not be accepted in lieu of log excerpts.***

***Please DO NOT INCLUDE TRACEROUTES, WHOIS LOOKUPS, or PING results,
as these do not contribute to the investigation, and can often cause the 
message to become "garbled" or unreadable.***
=================================================================
This is a pretty good start, wouldn't you say? So my next questions are: 
how many abuses should be sent per HH:MM:SS dd/mm/yy/etc. without 
becoming too much of a pest; how many upstream providers should be 
notified in instances where activity is malignant enough to warrant the 
extra effort in proving a genuine and not a forged *counterfeit* source 
address; and where is the actual effort when my Linux boxes will be doing 
all the mundane tasks all by themselves?

Believe me, I understand the importance of notifying the proper 
authorities and adhering to due process. And I believe in ISAAC ASIMOV's 
three laws of robotics as well. When I don't know all the facts I ask 
and ask and ask till I get the correct answer or at least one which makes 
the most sense, as yours most certainly does.

Thanks again,
greg

BTW-I use the term "afterglow" in the context of "the activity one 
experiences on the wire immediately after one is assigned a new IP 
address where the former holder of that IP address, mere moments ago, 
was running all kinds of Internet applications, involved in an 
established botnet or P2P network among other things a bit torrential." 
You get what you afford when you google.
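An added example, not part of the thread above and not Greg's own scripts: it shows what the automated "outward expression" he describes could look like, given the format the ISP's auto-reply asks for (offending IP, date, specific time, time zone with GMT offset, source/destination ports, and nothing else) and his question of how often to report without becoming a pest. The log lines are constructed iptables-style kernel messages using RFC 5737 test addresses; the year, the host's time zone, the 24-hour per-address throttle and the "now" timestamp are all assumptions supplied by the operator, since a syslog line carries neither year nor zone. Looking up the abuse contact (with jwhois or otherwise) and actually sending mail are left out so the script runs offline.

```python
"""Build abuse-desk report excerpts from iptables-style kernel log lines.

Added example; not code from the thread. One plain-text excerpt is produced
per offending source address, containing only the fields the ISP auto-reply
listed, and a throttle keeps the same address from being reported more than
once per window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (RFC 5737 test addresses, invented times).
# A syslog timestamp has no year and no zone; the operator supplies both.
SAMPLE_LOG = """\
Aug 22 08:02:11 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.9 LEN=78 PROTO=UDP SPT=6881 DPT=6881 LEN=58
Aug 22 08:22:35 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.9 LEN=78 PROTO=UDP SPT=6881 DPT=6881 LEN=58
Aug 22 08:23:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 SYN
Aug 22 08:42:40 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.9 LEN=78 PROTO=UDP SPT=6881 DPT=6881 LEN=58
Aug 22 09:00:00 gw kernel: IN=ppp0 OUT= NOT A FIREWALL LINE
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_log(text, year, tz):
    """Return a list of event dicts; lines that are not firewall hits are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=tz)
        events.append({"when": stamp, "src": m["src"], "dst": m["dst"],
                       "proto": m["proto"], "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return events


def format_report(src, hits):
    """One excerpt per offending IP: date, time, zone + GMT offset, ports only.
    No traceroute, whois or ping output, as the abuse desk asked."""
    lines = [f"Offending IP address: {src}"]
    for h in hits:
        lines.append(
            f"{h['when']:%Y-%m-%d} {h['when']:%H:%M:%S} {h['when']:%Z %z} "
            f"{h['proto']} {h['src']}:{h['spt']} -> {h['dst']}:{h['dpt']}"
        )
    return "\n".join(lines)


class Throttle:
    """Allow at most one report per source address per `window` (assumed 24h)."""

    def __init__(self, window=timedelta(hours=24)):
        self.window = window
        self.last_sent = {}

    def allow(self, src, now):
        prev = self.last_sent.get(src)
        if prev is not None and now - prev < self.window:
            return False
        self.last_sent[src] = now
        return True


def build_reports(text, year, tz, throttle, now):
    """Group hits by source address and return {src: excerpt} for those not throttled."""
    by_src = defaultdict(list)
    for ev in parse_log(text, year, tz):
        by_src[ev["src"]].append(ev)
    return {src: format_report(src, hits) for src, hits in by_src.items()
            if throttle.allow(src, now)}


def demo():
    """Run the pipeline over the constructed sample with an assumed year and zone."""
    edt = timezone(timedelta(hours=-4), "EDT")  # assumed zone of the logging host
    now = datetime(2006, 8, 22, 12, 0, tzinfo=edt)  # assumed run time
    thr = Throttle()
    first = build_reports(SAMPLE_LOG, 2006, edt, thr, now)
    # A second run twenty minutes later yields nothing: both addresses were just reported.
    second = build_reports(SAMPLE_LOG, 2006, edt, thr, now + timedelta(minutes=20))
    return first, second


if __name__ == "__main__":
    reports, _ = demo()
    for text in reports.values():
        print(text, end="\n\n")
```

The throttle is the answer to the "how many per day" question in the simplest form: one excerpt per offending address per window, with every hit in that window bundled into it. Persisting `last_sent` to disk (and looking up the abuse contact for each address) would be the next step before wiring this to an outgoing mailer.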