Brawling with BitTorrent
Gregory D Hough
mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Wed Aug 23 04:57:45 UTC 2006
Walter Dnes wrote:
> On Tue, Aug 22, 2006 at 08:22:35AM -0400, Gregory D Hough wrote
>
>>Is anyone familiar with BitTorrent? I have a problem with it. I don't
>>use it myself for anything cause I ain't a TV junkie or hyper-music
>>enthusiast and I buy my distros attached to Linux magazines. I am just
>>fed up with a persistent month-long "Afterglow?" I don't know if it is
>>actually afterglow or if it is an MPAA/RIAA Torrent spy, but I want it
>>to Go Away!
>
>>before I start throwing some brutal packets at the offending IP...
>
> ..before you start throwing some brutal packets at the offending IP...
> remember that IP addresses are trivially easy to forge on UDP. You
> might be hitting an innocent 3rd party with a DOS attack, and they
> could file criminal charges against you.
>
I'm truly compelled to respond in that other thread, but to avoid being
obtuse I'll stick to the point in the reply that's mostly on the mark.
Walter, the word brutal was just an attention getter, sorry. If I filed
criminal charges against every party that attempted to DOS my IP, I
solemnly swear, I'd have legal pads up the ying-yang and court dates
from here to eternity. What would be the point of forging a P2P beacon
packet anyway? It doesn't include any redirection. I also expected to
see that word criminal show up from using the word brutal; the pair
instill fear and usually go hand-in-hand as in "brutal criminal."
Incidentally, I never said how brutal nor how many.
>
>>like to know what is the proper way to make it stop.
>
> Can I assume you have a static IP address? If you have a dynamic IP
> address, change it.
>
I don't wish to change my dynamic IP address. I like to treat it as
though it were static. And besides, running away is cowardly when there
is little chance of any harm coming from standing my ground in this
instance. I could even turn off logging the 72 or so hits each day in
the spirit of blissful ignorance to the ultimate doldrums of nothing
ventured nothing gained.
> A few UDP packets once every 20 minutes is *NOT* a DOS attack, so I
> wouldn't bother calling law-enforcement. If you have logs, submit them
> to the ISP that owns that IP address.
>
This is a rather benign example yes, but it is an effort to form a
proper and ethical regime within automated tasks before threading any
jigs for bigger FIN'd critters. Submitting logs would be one of my first
automated outward expressions, and it would not be a law-enforcement
contact initially, I'm sure. I will probably have to learn how to
integrate jwhois for appropriate <abuse at addresses> to generate messages
to. Having said that, here is a typical "auto-reply" when pursuing the
correct channels in incident reporting. It was quite lengthy and in
multiple languages so it's abbreviated accordingly (note the hyphenated
word auto-generated):
=================================================================
- To report scans, probes, hacking attempts, or similar activity,
please include an excerpt of your auto-generated log files showing ONLY
THE INCIDENTS PERTAINING TO <bleep> INTERNET, cut and pasted directly
into the email message, including:
- Offending IP Address
- Date
- Specific Time
- Time Zone and GMT offset
- Source/Destination Ports
- Any other brief pertinent details
***Screenshots will not be accepted in lieu of log excerpts.***
***Please DO NOT INCLUDE TRACEROUTES, WHOIS LOOKUPS, or PING results,
as these do not contribute to the investigation, and can often cause the
message to become "garbled" or unreadable.***
=================================================================
This is a pretty good start, wouldn't you say? So my next questions are:
how many abuses should be sent per HH:MM:SS dd/mm/yy/etc. without
becoming too much of a pest; how many upstream providers should be
notified in instances where activity is malignant enough to warrant the
extra effort in proving a genuine and not a forged *counterfeit* source
address; and where is the actual effort when my Linux boxes will be doing
all the mundane tasks all by themselves?
Believe me, I understand the importance of notifying the proper
authorities and adhering to due process. And I believe in Isaac Asimov's
three laws of robotics as well. When I don't know all the facts I ask
and ask and ask 'til I get the correct answer or at least one which makes
the most sense, as yours most certainly does.
Thanks again,
greg
BTW-I use the term "afterglow" in the context of "the activity one
experiences on the wire immediately after one is assigned a new IP
address where the former holder of that IP address, mere moments ago,
was running all kinds of Internet applications, involved in an
established botnet or P2P network among other things a bit torrential."
You get what you afford when you google.
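As an added example (not code from the original post or its author), here is a small Python script that turns constructed iptables LOG lines into the excerpt format the quoted auto-reply asks for (only the offending source's lines, each with date, time, GMT offset, addresses and ports) and applies a per-source, per-day limit on how many reports an automated submitter sends. The sample log lines, addresses and function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample iptables LOG lines (not from the post); RFC 5737 addresses.
SAMPLE_LOG = """\
Aug 22 08:01:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.7 PROTO=UDP SPT=6881 DPT=6881 LEN=89
Aug 22 08:21:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.7 PROTO=UDP SPT=6881 DPT=6881 LEN=89
Aug 22 08:41:59 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.7 PROTO=UDP SPT=6881 DPT=6881 LEN=89
Aug 22 09:02:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=22 LEN=60
Aug 22 09:02:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.7 PROTO=TCP SPT=51235 DPT=23 LEN=60
"""
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def parse_log(text, year, utc_offset_hours):
    """Syslog omits year and zone, so the caller supplies both; the abuse desk
    wants the GMT offset on every line, so timestamps are made zone-aware."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall hit; it stays out of the excerpt
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        records.append({"when": when, "src": m["src"], "dst": m["dst"],
                        "proto": m["proto"], "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return records

def excerpt_for(records, src):
    """Plain-text excerpt of ONLY one source's hits: time with offset, addresses, ports."""
    rows = sorted((r for r in records if r["src"] == src), key=lambda r: r["when"])
    return "\n".join(f"{r['when']:%Y-%m-%d %H:%M:%S %z} src={r['src']} dst={r['dst']} "
                     f"{r['proto']} spt={r['spt']} dpt={r['dpt']}" for r in rows)

def sources_to_report(records, min_hits, already_sent, max_per_day=1):
    """Rate limit: report a source once it reaches min_hits, at most max_per_day
    times per calendar day; already_sent maps (src, 'YYYY-MM-DD') -> reports sent."""
    hits = defaultdict(list)
    for r in records:
        hits[r["src"]].append(r["when"])
    due = []
    for src, stamps in sorted(hits.items()):
        day = max(stamps).strftime("%Y-%m-%d")
        if len(stamps) >= min_hits and already_sent.get((src, day), 0) < max_per_day:
            due.append(src)
    return due
```

The excerpt deliberately carries no traceroute, whois or ping output, matching the auto-reply's request; the whois lookup for the abuse contact would be a separate step that decides where the excerpt goes, not what it contains.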
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml