Enig123, on 22 September 2012 - 06:45 AM, said:
I have observed log lines like this:
It looks like a real client.
Hi
Well, it's hard to say what goes for that particular client you have encountered. As I see it, it's either a client used by the abusers to do some stuff related to a particular file, like checking sources, upload and download status etc., or it's simply a normal peer with an IP in the same IP range used by the abusers.
Personally I have these IP ranges blocked in PG2, so I haven't noticed that kind of statement myself. But all hits I have had from 112.80.132.0 - 112.80.139.255 over the last few days originate from the abusers attacking particular node IDs. They are not that many ([Edit] that is, from IPs starting with 112.80 [/Edit]), but here are a few examples of attacked IDs found during searches:
2012-09-20 22:33:28: Kad: Out request for opcode 0x21 from IP 222.94.6x.127:14603 ID = CB2DEFA46F0074F386963B9A6156xxxx v = 8
2012-09-20 22:33:28: Kad: Out request for opcode 0x21 from IP 112.80.13x.69:14605 ID = CB2DEFA46527E1F3994CFD5CA98Axxxx v = 8
2012-09-20 22:33:31: Kad: Out request for opcode 0x21 from IP 122.96.12x.16:14602 ID = CB2DEFA4070D08E0636737229419xxxx v = 8
2012-09-20 22:33:34: Kad: Out request for opcode 0x21 from IP 222.94.5x.83:14603 ID = CB2DEFA4144F703272C397946E78xxxx v = 8
2012-09-20 23:11:18: Kad: Out request for opcode 0x21 from IP 114.97.7x.184:14660 ID = DFE539FFDBED67B9EBAF47EC6AA0xxxx v = 8
2012-09-20 23:11:18: Kad: Out request for opcode 0x21 from IP 112.80.13x.58:14617 ID = DFE539FFD1BB4492A731A86DBB91xxxx v = 8
2012-09-20 23:11:18: Kad: Out request for opcode 0x21 from IP 125.80.24x.65:14622 ID = DFE539FFF8F006C0EB890FFE301Bxxxx v = 8
2012-09-20 23:11:24: Kad: Out request for opcode 0x21 from IP 112.80.13x.65:14606 ID = DFE539FF9910BCD4F93EE59F5951xxxx v = 8
2012-09-20 23:11:26: Kad: Out request for opcode 0x21 from IP 114.97.7x.212:14634 ID = DFE539FFA5E6B99AF546380C7432xxxx v = 8
2012-09-21 01:29:40: Kad: Out request for opcode 0x21 from IP 112.80.13x.84:14605 ID = 86BA02DAC830A4E08390534A6348xxxx v = 8
2012-09-21 01:29:40: Kad: Out request for opcode 0x21 from IP 112.80.13x.221:14611 ID = 86BA02DAF85F4D863580A7F35192xxxx v = 8
2012-09-21 01:29:44: Kad: Out request for opcode 0x21 from IP 117.14.15x.41:14609 ID = 86BA02DAF42F7581D9770895342Bxxxx v = 8
2012-09-21 14:47:21: Kad: Out request for opcode 0x21 from IP 120.1.11x.235:14602 ID = 331893962FD17B28547D5D7FD719xxxx v = 8
2012-09-21 14:47:21: Kad: Out request for opcode 0x21 from IP 222.94.5x.39:14683 ID = 331893966D31F7340EB562F13A26xxxx v = 8
2012-09-21 14:47:17: Kad: Out request for opcode 0x21 from IP 183.128.21x.146:14601 ID = 3318939653BC1A43EA3833E3A924xxxx v = 8
2012-09-21 14:47:28: Kad: Out request for opcode 0x21 from IP 110.240.15x.245:14601 ID = 331893965D36D33676BAD4FBBA05xxxx v = 8
2012-09-21 14:47:42: Kad: Out request for opcode 0x21 from IP 123.117.18x.31:14623 ID = 331893965439FAE4BA3551FE7B75xxxx v = 8
2012-09-21 14:47:44: Kad: Out request for opcode 0x21 from IP 112.80.133.1x:14840 ID = 331893962C8BC624CA4E9B37853Axxxx v = 8
It is clear that IDs starting with CB2DEFA4, DFE539FF, 86BA02DA and 33189396 are attacked. I can't say yet if the IDs represent keywords or files, but I have seen many source requests for other IDs, so it's possible that the attackers are now focusing more on specific files than on keywords.
So generally speaking, I don't think this is caused by flawed clients, but your example may be a normal peer. But if I were to make a guess based on the hits I've got from the ranges I have blocked, I would estimate that there's a 95% chance that it's a bad peer.
If you could find a way to match the client you are mentioning to a file ID, then it would be possible to check if that ID seems to be attacked. Only the first 4-5 hex digits of the ID are needed to check whether the ID may be guarded and attacked. The more digits the better, but on the other hand it may also reveal which file it is, I mean if you were thinking of posting about it.
This post has been edited by Nissenice: 23 September 2012 - 10:48 PM
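The pattern the post describes (several distinct peers asking about IDs that share the same leading hex digits within a few seconds) can be picked out of the "Kad: Out request" log lines mechanically. The script below is an added example and is not code from the post, from aMule or from eMule; it parses lines in the format quoted above, groups them by an ID prefix, and flags a prefix when at least `min_ips` distinct peers hit it inside a sliding time window, so that a single peer walking many IDs, or a lone request, is not flagged. The log sample is constructed (documentation-range IPs, made-up IDs that reuse the prefixes the post names), and the thresholds `prefix_len`, `min_ips` and `window_s` are assumptions to tune against your own log.

```python
"""Flag Kad ID prefixes that look "guarded": many distinct peers issuing
search requests for IDs under one prefix within a short window.
Added example; the thresholds below are assumptions, not aMule/eMule defaults."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the post's log excerpt. IPs are from
# RFC 5737 documentation ranges and the IDs are made up (only the 8-digit
# prefixes match the ones the post names); nothing here is real data.
SAMPLE_LOG = """\
2012-09-20 22:33:28: Kad: Out request for opcode 0x21 from IP 203.0.113.10:14603 ID = CB2DEFA46F0074F386963B9A6156AAAA v = 8
2012-09-20 22:33:28: Kad: Out request for opcode 0x21 from IP 198.51.100.7:14605 ID = CB2DEFA46527E1F3994CFD5CA98ABBBB v = 8
2012-09-20 22:33:31: Kad: Out request for opcode 0x21 from IP 192.0.2.16:14602 ID = CB2DEFA4070D08E0636737229419CCCC v = 8
2012-09-20 22:33:34: Kad: Out request for opcode 0x21 from IP 203.0.113.83:14603 ID = CB2DEFA4144F703272C397946E78DDDD v = 8
2012-09-20 23:11:18: Kad: Out request for opcode 0x21 from IP 198.51.100.84:14660 ID = DFE539FFDBED67B9EBAF47EC6AA0xxxx v = 8
2012-09-20 23:11:18: Kad: Out request for opcode 0x21 from IP 192.0.2.58:14617 ID = DFE539FFD1BB4492A731A86DBB91xxxx v = 8
2012-09-20 23:11:24: Kad: Out request for opcode 0x21 from IP 203.0.113.65:14606 ID = DFE539FF9910BCD4F93EE59F5951xxxx v = 8
2012-09-20 23:40:02: Kad: Out request for opcode 0x21 from IP 192.0.2.200:4672 ID = 1A2B3C4D5E6F70819293A4B5C6D7E8F9 v = 8
2012-09-21 01:29:40: Kad: Out request for opcode 0x21 from IP 198.51.100.5:14605 ID = 86BA02DAC830A4E08390534A63480001 v = 8
2012-09-21 01:29:41: Kad: Out request for opcode 0x21 from IP 198.51.100.5:14605 ID = 86BA02DAF85F4D863580A7F351920002 v = 8
2012-09-21 01:29:44: Kad: Out request for opcode 0x21 from IP 198.51.100.5:14605 ID = 86BA02DAF42F7581D9770895342B0003 v = 8
"""

# Matches the line layout quoted in the post; 'x' is allowed in the ID so
# that masked IDs (trailing xxxx) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): Kad: Out request for opcode "
    r"(?P<opcode>0x[0-9A-Fa-f]+) from IP (?P<ip>[\d.]+):(?P<port>\d+) "
    r"ID = (?P<id>[0-9A-Fa-fx]{32}) v = (?P<ver>\d+)$"
)


def parse_kad_lines(text):
    """Parse log text into a list of dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["id"] = rec["id"].upper()
        records.append(rec)
    return records


def peers_for_prefix(records, prefix):
    """Distinct IPs that asked about any ID under a hex prefix. As the post
    notes, 4-5 digits are enough for a first check; more digits narrow it."""
    prefix = prefix.upper()
    return sorted({r["ip"] for r in records if r["id"].startswith(prefix)})


def find_guarded_prefixes(records, prefix_len=8, min_ips=3, window_s=60):
    """Return {prefix: sorted IPs} for every prefix that at least `min_ips`
    distinct IPs queried inside some `window_s`-second sliding window."""
    by_prefix = defaultdict(list)
    for r in records:
        by_prefix[r["id"][:prefix_len]].append((r["ts"], r["ip"]))

    flagged = {}
    for prefix, hits in by_prefix.items():
        hits.sort()  # by timestamp, then IP
        lo = 0
        for hi in range(len(hits)):
            # Slide the window start forward until it spans at most window_s.
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_s:
                lo += 1
            if len({ip for _, ip in hits[lo:hi + 1]}) >= min_ips:
                flagged[prefix] = sorted({ip for _, ip in hits})
                break
    return flagged


if __name__ == "__main__":
    recs = parse_kad_lines(SAMPLE_LOG)
    for prefix, ips in sorted(find_guarded_prefixes(recs).items()):
        print(f"{prefix}: {len(ips)} distinct peers -> {', '.join(ips)}")
```

Run against a real aMule/eMule log, `parse_kad_lines` would be fed the file contents instead of `SAMPLE_LOG`; the prefix length is the main knob, since 8 hex digits is already a 1-in-4-billion slice of the 128-bit Kad ID space and any prefix that many unrelated peers hit by chance at the same moment is implausible. Note that the check is purely statistical: it says which prefixes are being swarmed, not which file or keyword the ID belongs to.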