View Single Post
  #6 (permalink)  
Old May 26th, 2016
Lord of the Rings's Avatar
Lord of the Rings Lord of the Rings is offline
ContraBanned
 
Join Date: June 30th, 2004
Location: Middle of the ocean apparently (middle earth)
Posts: 664
Lord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputation
Default

Quote:
Originally Posted by Lucio View Post
... all these PyGnutella connections were coming from a single group of IP addresses: 154.45.216.* (see screenshots). These servents had a very low uptime and kept connecting and disconnecting ...
Yes I detected this as a bad range 2 May 2014. I recorded 40 separate addresses from 140 to 200. The only one your snapshots show I didn't detect was 154.45.216.175.

Cogent Communications. For some reason two years ago I had it probably incorrectly listed as France Nantes Trident Mediaguard (I may have put this label next to the wrong ip group.) It is instead USA based.
OrgName: PSINet, Inc.
OrgId: PSI-2
Address: 2450 N Street NW
City: Washington

I detected these hosts via firewall log. Which is something I sometimes check if my program(s) appear to start struggling with connections (such as peers dropping below and struggling to get back to minimum peers whilst in UP mode.) Period of open log can range between 45 min to 2 to 3 hours though usually around an hour or less if I'm getting hammered. I sometimes check back to previous logs to see when they started to hammer. I share a lot of files and usually connect 24/7 which makes me a prime target for BOTs. When I recorded the hosts in question, there were also numerous other similar BOT ranges adding to the massive traffic.

The smallest hostiles file I work with has them blocked 154.45.216.128/25.

I don't normally record leaf connections, but no history of them connecting as peers over past 18 months with Phex at least.

I do not have any information as to what kind of BOT they might be (what their objective is.) But as happened with you, perhaps their objective is to disrupt standard connections and communications. It would not surprise me if they passed out fake information including fake hosts to connect to or other BOTs to connect to. But that's pure conjecture.
Reply With Quote