qBitTorrent users seeing infinite requests from peers in 1.180.24.0/23, 36.102.218.0/24 and 221.203.6.0/24

[anacrolix]

This is a discussion around #889 which I believe has been fixed with regard to anacrolix/torrent. I expect new IP subnets and possible resolution for the offending peers will be discussed.

[JockeyWang]

Here are some IPs I encountered, all from northern China, especially in Jilin and Inner Mongolia province. For Ipv6 addresses, the bits at position 65-112 are always 0, different from personal address.
1.180.24.2/87/220/225/242
1.180.25.15/84/131/210/216/246
36.102.218.131/132/138/222
42.52.131.43
59.47.225.165
59.47.237.156/189
123.184.152.39/88/89/90/98/103/132/133/245/249
218.7.138.15/18/20/24/27/29
218.24.113.70
218.60.174.9/10/30/32/64/65/115/215/222
221.203.3.15/16
221.203.6.54/58/60
2408:862e:ff:ff0d::201/205/209/20b/20d/211/212/21a/21b/21c/21d/226
2408:8738:6000:d::13/16/19/1e
240e:90c:2000:301::218/219/21a/21c/21d/224/225/229/22a/22d
240e:90e:2000:2006::201/202/203/206/208/209/21f
240e:918:8008:3::61
240e:918:8008:4::224

Thus, I use this rules:
1.180.24.0-1.180.25.255
36.102.218.0-36.102.218.255
42.52.131.0-42.52.131.255
59.47.225.0-59.47.225.255
59.47.237.0-59.47.237.255
123.184.152.0-123.184.152.255
218.7.138.0-218.7.138.255
218.24.113.0-218.24.113.255
218.60.174.0-218.60.174.255
221.203.3.0-221.203.3.255
221.203.6.0-221.203.6.255
2408:862e:ff:ff0d::0-2408:862e:ff:ff0d::ffff
2408:8631:2e09:d05::0-2408:8631:2e09:d05::ffff
2408:8738:6000:d::0-2408:8738:6000:d::ffff
240e:90c:2000:301::0-240e:90c:2000:301::ffff
240e:90e:2000:2006::0-240e:90e:2000:2006::ffff
240e:918:8008:3::0-240e:918:8008:3::ffff
240e:918:8008:4::0-240e:918:8008:4::ffff

Moreover, I found some other clients, not anacrolix/torrent, have similar behavior. I am still observing.
2409:8a1e:e23:85b0::8a8 - Transmission, do not report progress, and requests more than file itself.

[TomoeMami]

BT client UA changed, still infinite request

[TTsdzb]

There could be many possible reason for such massive batch of clients in China:

1. Some cloud drive provides bittorrent download feature. If their software is not properly developed, they could be using defective clients without knowing it. In this case the provider is responsible for their clients.
2. Some BT user was mistaken for PCDN and got banned. He was pissed off and run (or even produce) defective clients and hope someone else be banned as well. Such thing could possibly happen, and all we can do is block his IPs or clients.
3. There're underground industry providing PCDN, and they're suffering loss during the detection. To maintain their industry so they could profit, they chose to attack BT users.

The issue doesn't looks like normal bugs. If so, IP address of these clients should be distributed, without recognizable features.

The living environment of BT in China is not well. Ignorant people tends to profit instead of share. There're many users using clients that do not upload (or only upload to their private network), for download speed or just stingy with their network bandwidth. ISPs provide you internet with cascading NATs, and sometimes it's hard to make connections.

[tuxayo]

He was pissed off and run (or even produce) defective clients and hope someone else be banned as well

Produce, unlikely, that seems a genuine bug.
Even willingly run, that's a weird bug to have found and then choose to deploy a lot of clients.

[TTsdzb]

What the issue with PCDN that cause them to be banned?

Residential broadband internet service is much cheaper than commercial ones. ISPs profit with their commercial service, and subsidize residential ones with part of this profit. But soon large internet companies find out that using PCDN is way much cheaper than traditional CDN services. ISPs could not profit anymore.

Soon some people found out there are great benefits providing PCDN services. Some of them buy batches of cheap residential broadband internet, others distribute works to internet users and give them commission (somehow like mining, people run a software on their computers). These industrialized PCDN providers are sucking the blood of ISPs, and also violated terms and conditions of home broadband services.

[TTsdzb]

He was pissed off and run (or even produce) defective clients and hope someone else be banned as well

Produce, unlikely, that seems a genuine bug. Even willingly run, that's a weird bug to have found and then choose to deploy a lot of clients.

There might be sour grapes. I think we should stay alert before we could say "It IS a genuine bug", since it's so susbisious.

In the original issue someone reported that this behavior has been going on for more than a week. It should have been found out if it's a bug.

[RealYukiSan]

What is PCDN?

[BUnipendix]

What is PCDN?

Networks/P2P CDN - W3C Wiki
windows delivery optimization for example

[TTsdzb]

I tried the following things in my filter dat:

1.180.24.0-1.180.25.255
36.102.218.0-36.102.218.255
221.203.6.1-221.203.6.255
240e:918:8008::0-240e:918:8008:ffff:ffff:ffff:ffff:ffff

And qbt could recognize 4 rules. I'm not sure whether this works.

[JockeyWang]

One more client found: 221.203.3.16.
Maybe 221.203.6.1-221.203.6.255 should update to 221.203.0.0-221.203.7.255

[WhiteCoffee9834]

[TTsdzb]

用中文补充一点背景信息：

如果 ISP 的商业宽带业务赚不着钱，会导致成本分摊到家用宽带业务，最终家宽涨价。如果 ISP 真的采取了这么简单的处理方式，不就相当于对技术一无所知的普通百姓为那些挂 PCDN 赚钱的人买单了吗？详细可以看这篇知乎问题

挂载 PCDN 进行盈利的行为违反了一般家用宽带的使用合同（只能使用，不能商业）。同时，早在 2017 年发布的《工业和信息化部关于清理规范互联网网络接入服务市场的通知》说明了未取得相应的电信业务经营许可证擅自开展 CDN 业务属于非法经营。

如果被检测出挂了 PCDN，限速只是最基础的惩罚手段。如果持续不改，可能会收到整改信，乃至被关停业务。

[Moredistant]

回收个鸡毛闲置资源，PCDN从诞生一开始就是互联网企业为了节省流量费而创造的，他的本质就是在薅民用宽带羊毛，再分点节约出来的流量费给挂PCDN的用户。中国民用宽带费用我记得是全球最低水平，现在全球经济下行，各互联网企业都在开猿节流，本着能省则省的原则运营商打击PCDN没什么问题。

[WhiteCoffee9834]

Discussion of PCDN is off-topic

In the previous issue, the repository owner mentioned a way to block client strings, blocking github.com/anacrolix/torrent (devel) (anacrolix/torrent unknown).

I only know how to block IP segments using dat files, but how to block client version string?

The software used is qBittorrent Enhanced Edition.

---

讨论PCDN脱离了主题

在之前的issue中,仓库主有提到禁止客户端字符串的方式,也就是屏蔽 github.com/anacrolix/torrent (devel) (anacrolix/torrent unknown)

目前只知道如何使用 dat 文件屏蔽 IP 段,如何屏蔽客户端标识呢

做种软件使用的是 qBittorrent Enhanced Edition

[karuboniru]

It do have such mechanism for blocking certain client ID, while due to lack of documentation following is just some guess by quick looking at the code.

Create a file named after peer_blacklist.txt under data folder of qBittorrent EE.

The file created should contain peer_id client_name per each line, and regex rule applies here.

[UshioA]

In qBittorrentEE, they use std::ifstream and >> to read peer_id and client, making client string github.com/anacrolix/torrent (devel) (anacrolix/torrent unknown) basically unbanable because it contains space.

Here i just substitute every space with \s as a work around. This also means that the regex rule cannot contain any whitespace or it won't work as expected.

To me the solution maybe (Thanks @Duck1998 for new malicious clients)

-GT0003- github.com/anacrolix/torrent\s\(devel\)\s\(anacrolix/torrent\sunknown\)
-DT0001- dt/torrent/v1.00
-DT0001- dt/torrent/v1.01
-DT0001- DT\s0.0.0.1

[matchbean111]

I will try this ,thank you

[AutismGaming228]

It might be a rogue operation, considering a client under same IP has two different "percent downloaded", downloads at high speeds yet both don't increase. (I have "Accept multiple connections from the same IP" option enabled in qBittorrent)

[Moredistant]

this guy is a disgrace to China

[tuxayo]

this guy is a disgrace to China

Only racists and ultra nationalists care about where people are from so it not important.

If that's indeed a rogue operation, then there is no hope in the person managing those nodes updating them and the problem going away. It's insane they have so much bandwidth if they are leeching on multiple peers at these speeds.

[Dokupe999]

218.60.174.254
218.60.174.8

[karuboniru]

Noticed several clients in
240e:90e:2000:2006::/64

[Moredistant]

New malicious ip：123.184.152.242 123.184.152.81 123.184.152.90

There is another suspected new malicious client called "taipei-torrent dev". It did not report any download progress, and when I wanted to continue observing, It suddenly disappeared.

[Moredistant]

我又发现了它，它视乎下载到一定量，就会主动消失，像是在对抗反吸血检测
I found it again, and it seems to disappear once it reaches a certain amount of downloads, as if it is evading anti-vampire detection.

[Moredistant]

出个门被偷袭了，妈的
I was ambushed when I went out

[nulllee]

Same, same. This guy(↓) has downloaded more than 300GB from just one torrent on my computer with this client called Taipei-Torrent dev.
IP: 58.241.210.(7,8,9,10).

[nulllee]

And 58.241.210.5.

[LightmoonXD]

同样的问题，这些客户端偷走了我超过300倍于实际大小的上传量，不过我没有看到它突然断开连接。
Same here, these clients had taken more than 300 times the actual size of data.But I don`t notice any sudden disconnection.

[anacrolix]

That's interesting, I don't think Taipei torrent is based on my client.

[Moredistant]

That's interesting, I don't think Taipei torrent is based on my client.

from: https://github.com/jackpal/Taipei-Torrent

[ExplodingDragon]

或许可以配置一个策略，如果客户端请求流量在1天的窗口期超过文件实际大小的 25% 则直接拉黑？
似乎所有的客户端都不支持此方案 。

Maybe configure a policy to simply pull the plug if client request traffic exceeds 25% of the actual size of the file in a 1-day window?
It seems that all clients do not support this option .

[TTsdzb]

也许可以请求 qBittorrent Enhanced Edition 实现这个策略。它的限制是比较激进的。

Maybe we can request qBittorrent Enhanced Edition to implement this policy, since it has very aggressive limitations.

[anacrolix]

This is a pretty good idea. I would set the ratio to something like 3x the actual size of the torrent. So you would record an IP (and maybe port) combo against a total data download. If that quantity exceeds ~3x the size of the torrent in some timeframe (24-48 hours would be reasonable), you would block them for 24 hours.

The reason you want to do several multiples is you don't want to ban streaming clients that use caches for storage, and clients with legitimate errors (like the user running out of disk space, aborting the download, cleaning up and then restarting it).

[winnie23-23]

What about people on seedboxes that don't have opportunity to use anything beside what the provider offers? Had to stop 7 torrents after one of these Chinese IPs downloaded over 1 TB of data in one day on a single torrent. And it's not a solution at all as that prevents legitimate users from downloading the content. Ipfilter doesn't seem to work properly and as I use 3 different clients (deluge, qbt, transmission) there's no universal solution for that

[tuxayo]

What about people on seedboxes that don't have opportunity to use anything beside what the provider offers? [...] And it's not a solution at all as that prevents legitimate users from downloading the content.

If anyone notices that issue on their client on a seedbox, they need to report that to their provider and pester them about until they upgrade the software. The proper solution to this issue is someone using or managing those bugged versions to notice it.

[winnie23-23]

How it's gonna help? These Chinese IPs will still.do their thing and my seedbox provider can't do anything about it...they can't even update some clients to latest versions available and whitelisted on trackers I'm on...

[xyhxh46]

Does anyone know how Deluge blocks clients, I only know that QEE can block clients at the moment.
请问有人知道deluge如何屏蔽客户端吗，我目前只知道qee可以屏蔽客户端，deluge只能屏蔽IP地址。

[Sphyix]

I started using qBitTorrent API to track who's downloading more than 125% of torrent max size without ever updating the completed %.
I can publish the list of IPs banned or make the c# script public.
I think this is more accurate than just banning entire subnets

[winnie23-23]

Will it work on seedbox? Or just on PC?

[Sphyix]

It would be a .exe that runs on windows.
Code is pretty basic, someone could easily rewrite it in other languages.
Only requirement is access to the API of the qbit instance

[Sphyix]

now we know, they just consume traffic

[tuxayo]

Damn so it's not a bug, it's an attack. Likely the asshole behind this found this ticket: thanks that you changed the name, now the developer can stop worrying of having a bug. And people won't blame them thinking anacrolix client has a terrible bug.

[tuxayo]

This discussion and #889 would benefit being renamed to explicitly mention that it's a malicious fork.

[F-TD5X]

hmm...

[LightmoonXD]

So, he is the one who uses bugs from anacrolix for no reason? This guy forked anacrolix on 15 Feb, and it did not match the earliest report for unusual leecher.（on Jan）I think anacrolix v1.53.3 had fixed up this problem, maybe he just using the normal client and modified it to escape the auto ban script?

[lirener]

240e:90e:2000:2006::209			中国辽宁省本溪市 中国电信IDC（持续攻击者）（探测=4）
240e:90c:2000:301::219			中国辽宁省本溪市 中国电信IDC（持续攻击者）
240e:90e:2000:2006::215			中国辽宁省本溪市 中国电信IDC（持续攻击者）
240e:90e:2000:2006::21b			中国辽宁省本溪市 中国电信IDC（持续攻击者）
240e:90c:2000:301::21d			中国辽宁省沈阳市 中国电信IDC（持续攻击者）
240e:90c:2000:301::216			中国辽宁省沈阳市 中国电信IDC（持续攻击者）
240e:90c:2000:301::225			中国辽宁省沈阳市 中国电信IDC
240e:90c:2000:301::211			中国辽宁省沈阳市 中国电信IDC（持续攻击者）
240e:90c:2000:301::22b			中国辽宁省沈阳市 中国电信IDC
240e:90e:2000:2006::21c			中国辽宁省本溪市 中国电信IDC（持续攻击者）
240e:90e:2000:2006::213			中国辽宁省本溪市 中国电信IDC
240e:90e:2000:2006::216			中国辽宁省本溪市 中国电信IDC（持续攻击者）
240e:90e:2000:2006::207
240e:90c:2000:301::223
240e:90c:2000:301::218
240e:90e:2000:2006::210
240e:90c:2000:301::22a
240e:90c:2000:301::229
240e:90e:2000:2006::205
240e:90e:2000:2006::21e
240e:90c:2000:301::21f
240e:90c:2000:301::224
240e:90e:2000:2006::208
240e:90e:2000:2006::217
240e:90c:2000:301::221
240e:90c:2000:301::21e
240e:90e:2000:2006::204
240e:90e:2000:2006::21d
240e:90c:2000:301::213
240e:90e:2000:2006::21a
240e:90e:2000:2006::206
240e:90c:2000:301::222
240e:90e:2000:2006::211
240e:90c:2000:301::226
240e:90e:2000:2006::203
240e:90c:2000:301::210
240e:90c:2000:301::220
240e:90c:2000:301::22c

2408:8631:2e09:d05::22e			中国辽宁省 中国联通政企专线（持续攻击者）
2408:8631:2e09:d05::233		中国 辽宁省 中国联通 政企专线
2408:8738:6000:d::10			中国黑龙江省大庆市 中国联通IDC（持续攻击者）
2408:8738:6000:d::12
2408:8738:6000:d::11
2408:8738:6000:d::1b
2408:8738:6000:d::1a
2408:8738:6000:d::17
2408:8738:6000:d::1c
2408:8738:6000:d::19
2408:8738:6000:d::15
2408:8738:6000:d::14

//持续攻击者统计
240e:90e:2000:2006::/112		中国 辽宁省 本溪市 中国电信 IDC
240e:90c:2000:301::/112			中国 辽宁省 沈阳市 中国电信 IDC
2408:8738:6000:d::/112			中国 黑龙江省 大庆市 中国联通 IDC
240e:918:8008:1::/112			中国 内蒙古区 呼和浩特市 中国电信 IDC
240e:918:8008:2::/112			中国 内蒙古区 呼和浩特市 中国电信 IDC
240e:918:8008:3::/112			中国 内蒙古区 呼和浩特市 中国电信 IDC
240e:918:8008:4::/112			中国 内蒙古区 呼和浩特市 中国电信 IDC
240e:918:8008:5::/112			中国 内蒙古区 呼和浩特市 中国电信 IDC

@JockeyWang
@karuboniru
这些IPV6地址从 2024年02月07日 18:17:03 开始就对我的tracker：http://ipv6.rer.lol:6969/announce
进行持续ipv6 syn/rst攻击 流量大且持续 远超正常流量 几十倍之多
分析要么对方的IP是伪造的 要么就是客户端BUG
没有一个IP是能ping通的……流量可能1M/s

[y0umu]

If it is intended then this IS cyberwar.

[lirener]

new ip

240e:918:8008:2::226
240e:918:8008:3::222

[ours1505]

I think that is because it is a nat user or firewall?

[hanxuyuan]

发现了一个可疑目标，具体见图
该文件总共不到720M的，我上传了936M给它，它汇报自己下载进度不到16%

[Moredistant]

似乎是个老问题：qBittorrent-Enhanced-Edition/issues/432

[HelloFuNXXY]

文件也就400M

[maidmeow4]

Could you please share the file's link? I would like to give it a try too ;-).

[HelloFuNXXY]

抱歉拉黑后我忘记是哪个了_(:3

[Kyslie]

I met the same client name, and four similar IPs at the same time, every client takes about 1M bandwidth, progress is always 0% for days.

218.92.139.133
218.92.139.134
218.92.139.136
218.92.139.139

They apppered again several minitues after I release them from blocklist, but becomes two clients, each takes about 2M bandwidth, progress is 0.2%.

218.92.139.134:27127
218.92.139.139:26361

[bianfanbo]

真是无聊的玩意，不过bt网络就没有好的防御机制吗

[Ghost-chu]

I made some research about native-image, https://github.com/Ghost-chu/PeerBanHelper/releases/tag/2.2-RC1
PBH now can run on Windows, Linux, macOS without Java runtime, so you don't need install Java anymore.

PBH (Native Image) need ~60MB disk space and ~25MB RAM to run. (No more needing more than 500 MB to run a heavy JVM.)

[winnie23-23]

Nice work

Would anyone be available to help me.install it on my seedbox? They offer shell and MD Aceess

[Ghost-chu]

If you have shell, check if you have chmod command permission.

Then all you need to do is download & unzip the archive, run chmod +x peerbanhelper-binary to add execute permission to binary file and run it via ./peerbanhelper-binary.

Note: Programs started via the Shell will terminate when the Shell is disconnected, so you may wish to run them via screen or nohup.

For more discussion suggest moving to PBH's Issue Tracker, which is beyond the scope of anacrolix/torrent discussion.

[winnie23-23]

Via screen or nohup? I'm not that tech savvy :( but will give it a try and get back if not successful

[winnie23-23]

Where do I unzip the archive? Into my home folder?

[sfc9982]

I have seen 27.221.66.0/24 on my torrent.

[Simple-Tracker]

I recently discovered that qBittorrent Enhanced Edition now has these two clients (dt/torrent, taipei-torrent) in the default block list, so users can choose it as the easiest solution.

Also pointed out: this phenomenon (rather than the problem) has apparently nothing to do with anacrolix/torrent (although I'm guessing it's just a name change)

[JockeyWang]

Now the cat and mouse game starts, today they update and rename client as hp/torrent/2.01

[shelfofclub]

Many IPs from 1.180.24.0/24 with this client.

[qwqcwcawa]

they Report download progress but About half a minute after the repeat report 0% Keep downloading

[shelfofclub]

they Report download progress but About half a minute after the repeat report 0% Keep downloading

After 100%, they download from 0% again?

I have banned them because many similar IPs with the same client and different progress. I believe there is a strong likelihood that they are abnormal.

[Side514]

By the way, its peer id is -HP0001-.

[Accurio]

有人开始游击战咯

Peer and Peer ID: hp/torrent/v2.01 -HP0001-

IP Address: 1.180.24.0/24 辽宁本溪电信

Peer and Peer ID: offline-download (devel) (anacrolix/torrent unknown) -GT0003-

IP Address : 240e:90e:2000::/48 辽宁本溪电信IDC

[NijikaIjichi]

最近发现一个很可疑的情况，本人做种的 SW_DVD9_WIN_ENT_LTSC_2021_64BIT_ChnSimp_MLF_X22-84402.ISO (哈希: 366adaa52fb3639b17d73718dd5f9e3ee9477b40)，会出现若干个IP相似，进度不同，且均使用 BitComet 2.04 (-BC0204-) 这一客户端的 peer 从我这里下载。他们的进度是合理的，即会随着我给他们上传而看似正常的增加进度，但每当一批 peer 消失后，就会有另一批具有同样特征的 peer 从我这里下载，一个晚上总共让我上传了 100 GiB，十分可疑。如果这类 peer 确实不正常的话，对于这种会伪装 PeerID、UA 甚至进度的 peer，除了 ban ip 或者 ban UA 之外，是否还有更为有效的对抗手段

目前发现的这类 peer 的 IP 段如下：

• 223.78.79.0/24
• 223.78.80.0/24
• 2409:873c:f03:6000::/60

Recently, I've noticed a suspicious situation. When seeding SW_DVD9_WIN_ENT_LTSC_2021_64BIT_ChnSimp_MLF_X22-84402.ISO (Hash: 366adaa52fb3639b17d73718dd5f9e3ee9477b40), I've observed several IPs that appear similar, with varying progress, all using the BitComet 2.04 (-BC0204-) client to download from me. Their progress seems reasonable, increasing with the upload I provide, but whenever a group of peers disappears, another batch with the same characteristics starts downloading from me. This has resulted in me uploading a suspiciously high amount, totaling 100 GiB in one night. If they are indeed behaving abnormally, besides banning IPs or banning User-Agents (UA), are there any more effective countermeasures against peers that may disguise their PeerID, UA, or even progress?

The IP ranges of these peers that I've identified so far are:

• 223.78.79.0/24
• 223.78.80.0/24
• 2409:873c:f03:6000::/60

[Ghost-chu]

同步服务器我这里提出了一个构想：https://github.com/users/Ghost-chu/projects/2?pane=issue&itemId=59333011

CIDR封禁：https://github.com/Ghost-chu/PeerBanHelper/issues/35

加个好友吧，一起聊一聊，想法重合度挺高的

[Accurio]

我怀疑你遇到的 BitComet 2.04 -BC0204- 和我遇到的 Transmission 2.94 -TR2940- 是同一批对等体，他们的特征是基本只下载 Windows 和 Ubuntu 系操作系统。我是直接屏蔽 UA 和 Peer ID。

[qpzr]

[acaly]

@Ghost-chu 你希望使用客户端来检测异常peer，但是如何防范对方也加入你的服务器然后进行干扰呢？通过自动收集数据然后定期人工审核吗？

[Ghost-chu]

目前的实现是分为匿名提交和常规提交。

用户可选的设置 AppID 和 AppSecret，如果设置了且验证通过，这条就是可信数据。否则是一条参考数据。

[bianfanbo]

这种是运营商打击pcdn的吗

[shelfofclub]

我没有具体了解过ISP打击pcdn，但根据前面大家的讨论，这种可能是被ISP打击的pcdn或者其他系统。它们为了避免打击，刷下载流量，控制上传和下载比例。

ChatGPT translation: I haven't delved into ISP crackdown on PCDNs specifically, but based on the earlier discussions, it appears that this could be a PCDN or another system targeted by ISPs. To evade such crackdowns, they might engage in practices like inflating download traffic, regulating upload and download ratios.

[bianfanbo]

如果没法有效抵御这种无论是程序bug还是故意的攻击，我可能要考虑屏蔽所有中国IP，虽然速度会降低很多

[hanxuyuan]

发现新的IP，表现为peer伪造成为BC2.04的客户端（因为BC屏蔽这个peer失败），通过更改V6最后一两位的地址，对同一个资源反复下载，下载一定时间后，就会退出，换一个新IP继续从头下载，我以观察了半个多小时，确认！
以下为部分截图！按照截图的时间顺序排列

[hanxuyuan]

已经观察两个多小时，BC无法屏蔽IP段，只能屏蔽这个端口了
V6地址特征是——[2409:873c:f03:600*::*]:18550，其中共同特点是使用18550端口，*为随机

[Radium-bit]

最近又发现了两个新的吸血客户端：
-GT0003- gobind (devel) (anacrolix/torrent unknown)
-GT0003- offline-download (devel) (anacrolix/torrent unknown)
我已经考虑用Peer白名单了

[sqliuchang]

有没有整理好的常见客户端的白名单

[Ghost-chu]

这篇帖子里提到的有关 123 云盘离线下载的似乎有点道理的。我自己去试了一下 123 云盘的离线下载：用 QB 随机选一个文件夹，制作一个独一无二的新鲜种子，然后添加 123 云盘的离线任务。

123.186.146.159:54016
PeerId=-GT0003-, ClientName=offline-download (devel) (anacrolix/torrent unknown), Progress=0.19651740789413452, Uploaded=10657493

17778 端口开放，并且 gotty 有活动，具体情况记录在这里了：

https://github.com/Ghost-chu/PeerBanHelper/issues/56

[L4cache]

但是他们的客户端名称不一样？我碰到的恶意客户端没有叫 offline-download 的

[FrzMtrsprt]

我有碰到过名称不同但client id都为GT0003的吸血客户端，包括offline-download，可能是123云盘服务器的不同版本/分支。

I've encountered malicious clients in different names but with the same GT0003 client id, including offline-download, might be different versions/branches of 123 netdisk's server.

[Simple-Tracker]

现在我看到 anacrolix/torrent 就应激.JPEG

[NijikaIjichi]

我现在是直接写了条规则把 client name 里带 unknown 的全屏蔽了，其实 qbee 自带这个功能，不过它实际屏蔽的是区分大小写的 Unknown

[jemselindol]

如果实锤了说不定可以反制

比如，开一个客户端把上传速度限制特别低，但不断流。之后制作足够多足够大的种子，用大量ipv6同时做种，把种子交给123离线，卡他的离线服务器

或者制作大量种子，把种子tracker填上敏感地址的url，离线的时候就会试图连接这些地址，访问次数多了，或许能让离线服务器被墙或者运营商约谈什么的，国内ip墙了就是真墙了

[chengnan049]

我知道不应在 Issues 说这个，但我还是想说 123 NMSL

[oodzchen]

现在都是这样一下子突然出现一大批，真的跟DDOS似的

我已经手动拉黑一批IP了，清单如下

122.224.33.14
122.224.33.15
122.224.33.16
122.224.33.17
211.103.112.139
218.104.106.211
::ffff:1.180.24.222
::ffff:1.180.24.245
::ffff:1.180.24.87
::ffff:1.180.24.95
::ffff:1.180.24.97
::ffff:1.180.25.146
::ffff:1.180.25.210
::ffff:1.180.25.216
::ffff:1.180.25.247
::ffff:112.45.16.205
::ffff:112.45.20.233
::ffff:122.224.33.15
::ffff:123.184.152.132
::ffff:123.184.152.133
::ffff:123.184.152.244
::ffff:123.184.152.85
::ffff:123.184.152.89
::ffff:123.184.152.90
::ffff:211.103.112.139
::ffff:218.7.138.22
::ffff:221.11.96.67
::ffff:221.11.96.68
::ffff:221.11.96.73
::ffff:221.203.6.62
::ffff:36.102.218.173
::ffff:36.102.218.176

[hanxuyuan]

看看这个
https://docs.qq.com/doc/DQnJBTGJjSFZBR2JW

[MisakaMikoto-35c5]

最近我发现一批新的疑似吸血客户端，他们的特征是 IP 都在一个 /24 下面，下载同一个种子，端口相同（都是 38391），并且 UA 是 qBittorrent 4.6.4.10 或者 qBittorrent Enhanced/4.6.4.10。我注意到他们主要还是因为前两个特征，下面三张截图是以时间先后顺序捕捉到来排序的（在前面的越早捕捉到）：

此外，我还用了一个脚本去自动 ban 一些重下任务的 IP，因为我也不确定这个脚本的这个功能是否可靠，所以我也没法给这些 IP 下定论。但根据短时间大量相近 IP 下载同一个种子这个特征，因此个人感觉很可能就是同一人干的。下面是我使用的脚本输出的有关的日志：

$ grep 106.47.210. vampire.log
2024-04-21 19:02:49.512 INFO qb-ban-vampire - check_progress: [106.47.210.221:qBittorrent Enhanced/4.6.4.10] Detected strange behavior: Client re-download torrent more than 0 times.
2024-04-21 19:02:49.512 INFO qb-ban-vampire - do_once_banip: [106.47.210.221:qBittorrent Enhanced/4.6.4.10] Banned cause by behavior.
2024-04-21 19:18:30.895 INFO qb-ban-vampire - check_progress: [106.47.210.97:qBittorrent Enhanced/4.6.4.10] Detected strange behavior: Client re-download torrent more than 0 times.
2024-04-21 19:18:30.896 INFO qb-ban-vampire - do_once_banip: [106.47.210.97:qBittorrent Enhanced/4.6.4.10] Banned cause by behavior.
2024-04-21 19:23:05.211 INFO qb-ban-vampire - check_progress: [106.47.210.76:qBittorrent Enhanced/4.6.4.10] Detected strange behavior: Client re-download torrent more than 0 times.
2024-04-21 19:23:05.211 INFO qb-ban-vampire - do_once_banip: [106.47.210.76:qBittorrent Enhanced/4.6.4.10] Banned cause by behavior.
2024-04-21 19:25:42.947 INFO qb-ban-vampire - check_progress: [106.47.210.182:qBittorrent Enhanced/4.6.4.10] Detected strange behavior: Client re-download torrent more than 0 times.
2024-04-21 19:25:42.947 INFO qb-ban-vampire - do_once_banip: [106.47.210.182:qBittorrent Enhanced/4.6.4.10] Banned cause by behavior.
2024-04-21 19:32:46.569 INFO qb-ban-vampire - check_progress: [106.47.210.224:qBittorrent 4.6.4.10] Detected strange behavior: Client re-download torrent more than 0 times.
2024-04-21 19:32:46.570 INFO qb-ban-vampire - do_once_banip: [106.47.210.224:qBittorrent 4.6.4.10] Banned cause by behavior.
2024-04-21 19:39:25.333 INFO qb-ban-vampire - check_progress: [106.47.210.179:qBittorrent 4.6.4.10] Detected strange behavior: Client re-download torrent more than 0 times.
2024-04-21 19:39:25.333 INFO qb-ban-vampire - do_once_banip: [106.47.210.179:qBittorrent 4.6.4.10] Banned cause by behavior.
2024-04-21 19:52:23.446 INFO qb-ban-vampire - check_progress: [106.47.210.114:qBittorrent Enhanced/4.6.4.10] Detected strange behavior: Client re-download torrent more than 0 times.
2024-04-21 19:52:23.446 INFO qb-ban-vampire - do_once_banip: [106.47.210.114:qBittorrent Enhanced/4.6.4.10] Banned cause by behavior.

[fhwiew]

vcb的资源几乎全被盯上了,一个没注意两天给我吸了1T上传