Re: Bittorrent Data Port Probe

From: Jonathan Yu (jonathan.i.yu@gmail.com)
Date: Wed Aug 22 2007 - 22:28:17 EDT


Hi there,

While you should be able to tell if it is BitTorrent based on traffic
sniffing under normal circumstances, there is also an implementation
of encryption compatible with clients such as uTorrent and Azureus, so
it becomes infeasible to tell whether or not it is BitTorrent traffic.

However, if you have traffic sniffing, then you can watch which hosts
the client connects to -- most trackers run on unencrypted HTTP
connections; you can look for common things such as "announce.php"
scripts or perhaps basing it on the DNS names used.

I am not a BitTorrent client developer so I don't know about the
internals of the protocol, but I have been using it as a client for
about a year now and have just gathered little bits here and there
about the implementation. I know that with uTorrent, there is an
option to completely disable Legacy (non-encrypted) connections. Users
could then use a popular tracker over HTTPS (I am not sure if any
currently exist) -- that would mean that they have plausible
deniability in terms of what they were using the tracker for. I am not
sure if you are trying to block use of BitTorrent altogether or just
illicit use, so the solution you choose could be either moderately
simple or very tricky...

I apologize if any information I have given here is incorrect because,
again, I am not an expert.

Hope this helps.

Regards,

Jonathan Yu

On 8/22/07, Paul Melson <pmelson@gmail.com> wrote:
> On 8/21/07, Tom Griffin <t.griffin@sheffield.ac.uk> wrote:
> > If I suspect that a particular port on a given host is listening for
> > incoming Bittorrent data requests, is there a way I can prove it by
> > means of a probe? I have attempted to find some protocol definition
> > documentation so I can build a very basic script which will pretend to
> > be another Bittorrent client to see how the application handles it, but
> > I cannot find such detailed information.
> >
> > If anybody can help with this, it would be much appreciated.
>
> How sure do you have to be? Personally, if I saw a host with port
> 6881 listening, I would treat it as if it had BitTorrent running until
> it was proven otherwise. You can try 'nmap -sV' to see if NMap can
> identify the service listening, but if it is BitTorrent, NMap won't
> identify it. It will fall back to a port number guess instead.
>
> Unfortunately, connecting to a BitTorrent peer port and getting
> anything useful back requires knowing the hash of a torrent being
> shared on that client, which is near impossible to guess. However, if
> you can sniff traffic on this port, you should be able to positively
> identify it as BitTorrent because it will contain the string
> 'BitTorrent protocol' fairly early on in the packet data.
>
> If you do discover a good working probe for BitTorrent, please share
> it with Fyodor so that he can add it to NMap.
>
> Good luck!
> PaulM
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:03 EDT