Tuesday, May 10, 2011

23,000 IPs: 104 Proxies

The smackdown is on for 23,000 BitTorrent users who downloaded a Sylvester Stallone B-movie no one has ever heard of.  You can find the story at Wired.

You can also find a list of all the IP addresses here (PDF).

I figured this was right up my alley, so I compared the 23,000 addresses with the 3.7 million proxies in the database and got 104 hits (a whopping 0.45%).

149 if you count repeat offenders (the same IP address listening on different ports).

There is a smattering of obvious malware ports, mostly the ports Koobface has loved so much over the past two years (8085 and 9090), and our mystery port 27977.  There are a few traditional CERN-type proxy ports (8080, 8000, etc.), but the rest of them are all across the board, just like the SOCKS recidivists I mentioned on Proxy Obsession just before it went dark.
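The comparison described above, sketched as an added example (this is not the author's tooling): it cross-references an address list against a proxy list and reports unique-IP hits separately from IP:port hits, which is the 104 versus 149 distinction, then groups hits by the ports named in the post. The `ip:port` line format, the sample addresses (documentation ranges) and the label names are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Port groupings follow the post's description; the label names are made up here.
PORT_LABELS = {8085: "koobface", 9090: "koobface", 27977: "mystery-27977",
               8080: "cern-style", 8000: "cern-style"}

# Constructed sample data, not real hits.
SAMPLE_IPS = "192.0.2.10\n192.0.2.11\n198.51.100.7\n203.0.113.99\nnot-an-ip\n"
SAMPLE_PROXIES = ("192.0.2.10:8085\n192.0.2.10:9090\n192.0.2.10:27977\n"
                  "198.51.100.7:8080\n198.51.100.200:1080\ngarbage line\n")

def parse_ips(text):
    """Return the set of valid IP addresses in the text; skip junk tokens."""
    out = set()
    for token in text.split():
        try:
            out.add(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return out

def parse_proxies(text):
    """Map each proxy IP to the set of ports it was seen listening on."""
    proxies = defaultdict(set)
    for line in text.splitlines():
        ip, _, port = line.strip().rpartition(":")
        try:
            ip = str(ipaddress.ip_address(ip))
            port = int(port)
        except ValueError:
            continue  # malformed line
        if 0 < port < 65536:
            proxies[ip].add(port)
    return proxies

def cross_reference(ips, proxies):
    """Return (unique IP hits, ip:port hits, Counter of hits per port label)."""
    matched = {ip: proxies[ip] for ip in ips if ip in proxies}
    by_label = Counter(PORT_LABELS.get(port, "other")
                       for ports in matched.values() for port in ports)
    return len(matched), sum(len(p) for p in matched.values()), by_label

if __name__ == "__main__":
    ips = parse_ips(SAMPLE_IPS)
    unique, pairs, labels = cross_reference(ips, parse_proxies(SAMPLE_PROXIES))
    print(f"{unique} of {len(ips)} IPs matched ({unique / len(ips):.2%}); "
          f"{pairs} ip:port hits; by port group: {dict(labels)}")
```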

Are these repeat SOCKS4 offenders that we see in the proxy lists every fucking day actually BitTorrent clients on TOR?

I have to confess complete, utter stupidity on the inner workings of TOR, but I did some quick armchair research and it appears the likelihood is high that they are.  Or, at least, many may be.  TOR does indeed leverage SOCKS functionality, and, being part of the network, you'd have to leave the ports open, just waiting to be scanned by an army of proxy hunters.

And, the market for anonymizing BitTorrent over TOR is out there.

You learn something new every day.

If you have more information, enlighten me.
