OT: Anyone seeing these sorts of probes? Port 46993 udp?

Clinton Popovich pcprognosis at verizon.net
Fri Mar 12 08:42:11 UTC 2010


I agree, this looks to be BitTorrent traffic. The Pirate Bay has a 
practice of injecting fake client IP addresses. I have a feeling that is 
what you're seeing. I would write more but power is out and the battery is 
going....

James Hess wrote:
> Well, those UDP captures appear to be BitTorrent Peer-to-Peer file
> sharing traffic, or something disguised as such.
> Note the "64 31 3a 61 64 32 3a 69 64 32 30 3a"
> and also the textual reference to info_hash
>
> On Fri, Mar 12, 2010 at 12:18 AM, Joe <jbfixurpc at gmail.com> wrote:
>   
>> Not to distract from the IPV4/IPV6 thread, but just wondering if anyone has
>> seen this behavior or perhaps can enlighten me to its origin/virus/meaning?
>>
>> Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
>> (192.168.1.52)
>> User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
>> Data (101 bytes)
>>
>> 0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
>> 0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
>> 0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
>> 0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
>> 0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
>> 0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
>> 0060  79 31 3a 71 65                                    y1:qe
>>
>>
>> Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
>> (192.168.1.52)
>> User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
>> Data (101 bytes)
>>
>> 0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
>> 0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
>> 0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
>> 0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
>> 0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
>> 0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
>> 0060  79 31 3a 71 65                                    y1:qe
>>
>> I'm seeing thousands of these per minute at one location, hundreds of unique
>> IP addresses. Some sort of botnet maybe?
>>
>>
>> Thanks much
>>
>> Joe
>>
>>
>>
>>     
>
>
>
>   
>   




