# opentracker (torrent tracker) IP address bombardment



## rambetter (Aug 26, 2009)

I'm running opentracker-0.2009.06.27 from ports, compiled with a white list, meaning the tracker will refuse to track any torrents unless I tell it to track a specific torrent.  I'm running the tracker to distribute a legitimate file that is freely downloadable from other websites.

Now my question - it appears that I am getting hundreds of leechers, and I have done some investigating.  Within a minute, I get requests from similar IP addresses:


```
-rw-r--r--  1 nlandys  nlandys  289 Aug 26 12:03 request0001_89.238.168.13
-rw-r--r--  1 nlandys  nlandys  293 Aug 26 12:03 request0002_89.238.156.186
-rw-r--r--  1 nlandys  nlandys  289 Aug 26 12:03 request0003_89.238.156.59
-rw-r--r--  1 nlandys  nlandys  285 Aug 26 12:03 request0004_89.238.168.191
-rw-r--r--  1 nlandys  nlandys  291 Aug 26 12:03 request0005_89.238.168.152
-rw-r--r--  1 nlandys  nlandys  289 Aug 26 12:03 request0006_89.238.156.119
-rw-r--r--  1 nlandys  nlandys  291 Aug 26 12:03 request0007_89.238.156.109
-rw-r--r--  1 nlandys  nlandys  285 Aug 26 12:03 request0008_89.238.156.84
-rw-r--r--  1 nlandys  nlandys  289 Aug 26 12:03 request0009_89.238.156.65
-rw-r--r--  1 nlandys  nlandys  287 Aug 26 12:03 request0010_89.238.168.221
-rw-r--r--  1 nlandys  nlandys  291 Aug 26 12:03 request0011_89.238.168.37
-rw-r--r--  1 nlandys  nlandys  289 Aug 26 12:03 request0012_89.238.168.24
-rw-r--r--  1 nlandys  nlandys  285 Aug 26 12:03 request0013_89.238.156.141
-rw-r--r--  1 nlandys  nlandys  293 Aug 26 12:03 request0014_89.238.168.168
-rw-r--r--  1 nlandys  nlandys  291 Aug 26 12:04 request0015_89.238.168.179
-rw-r--r--  1 nlandys  nlandys  289 Aug 26 12:04 request0016_89.238.168.235
-rw-r--r--  1 nlandys  nlandys  283 Aug 26 12:04 request0017_89.238.156.21
-rw-r--r--  1 nlandys  nlandys  291 Aug 26 12:04 request0018_89.238.156.10
-rw-r--r--  1 nlandys  nlandys  291 Aug 26 12:04 request0019_89.238.156.159
```

I captured these HTTP requests using a little helper program that I wrote.  You see the dates of the HTTP requests and the IP addresses from which they came.  As an example, here are 2 of the requests from similar IP addresses, that came back-to-back:


```
GET /announce?uploaded=0&compact=1&numwant=200&no_peer_id=1&info_hash=%224%B0%89X%03S%F1%7D%95%E6.%FEj%00%12%D9%1C%5CM&downloaded=0&peer_id=-UT1770-%CA%BE%DC%0E%26%ED%95g%BA%18D%2A&event=started&left=754307397 HTTP/1.1
Host: tracker.clanwtf.net
Connection: close
Accept-Encoding: gzip
```


```
GET /announce?uploaded=0&compact=1&numwant=200&no_peer_id=1&info_hash=%224%B0%89X%03S%F1%7D%95%E6.%FEj%00%12%D9%1C%5CM&downloaded=0&peer_id=-UT1770-%40+Zr%BE%1A%28%AA%E7%EC%D7%07&event=started&left=754307397 HTTP/1.1
Host: tracker.clanwtf.net
Connection: close
Accept-Encoding: gzip
```

Is this deliberate bombardment to my tracker to throw the torrent off track?  I'm really puzzled by this.  I am getting in the ballpark of 500 leechers reported as a result of this.


----------



## rambetter (Aug 26, 2009)

Some additional info.

A couple of legit HTTP requests that came in from my own client look like this:


```
GET /announce?info_hash=%224%B0%89X%03S%F1%7D%95%E6%2E%FEj%00%12%D9%1C%5CM&peer_id=-lt0C40-%F7%27%03j0%7ChV%E4%12%9EZ&key=5335acbf&ip=99.50.206.241&compact=1&port=6948&uploaded=3633455360&downloaded=0&left=0&event=stopped HTTP/1.1
User-Agent: rtorrent/0.8.4/0.12.4
Host: tracker.clanwtf.net:6969
Accept: */*
Accept-Encoding: deflate, gzip
```


```
GET /announce?info_hash=%224%B0%89X%03S%F1%7D%95%E6%2E%FEj%00%12%D9%1C%5CM&peer_id=-lt0C40-%A9t%FB8%F0%E4%B9%B82%2A%CE%11&key=6aec66b3&ip=99.50.206.241&compact=1&port=6921&uploaded=0&downloaded=0&left=0&event=started HTTP/1.1
User-Agent: rtorrent/0.8.4/0.12.4
Host: tracker.clanwtf.net:6969
Accept: */*
Accept-Encoding: deflate, gzip
```

Also, the tracker URL is here:
http://tracker.clanwtf.net:6969/stats


----------



## vivek (Aug 26, 2009)

Depending upon the torrent file (like a game or movie), you can get thousands of leechers and a few hundred seeders per torrent. It is pretty common.


----------



## rambetter (Aug 26, 2009)

But why would the HTTP requests come grouped from similar IP addresses?


----------
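Added example (not part of the thread and not code from any poster): one way to summarise captures like those posted above, by grouping source addresses per network prefix and decoding which announce parameters each request carries. The sample data are copied from the posts; the function names and the `EXPECTED` key list (taken from BEP 3's announce keys) are assumptions of this example.

```python
import ipaddress
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Sample data copied from the posts above: the first six capture addresses
# and two request targets (one from the 89.238.x.x group, one from rtorrent).
SOURCES = ["89.238.168.13", "89.238.156.186", "89.238.156.59",
           "89.238.168.191", "89.238.168.152", "89.238.156.119"]
BULK = ("/announce?uploaded=0&compact=1&numwant=200&no_peer_id=1"
        "&info_hash=%224%B0%89X%03S%F1%7D%95%E6.%FEj%00%12%D9%1C%5CM&downloaded=0"
        "&peer_id=-UT1770-%CA%BE%DC%0E%26%ED%95g%BA%18D%2A&event=started&left=754307397")
OWN = ("/announce?info_hash=%224%B0%89X%03S%F1%7D%95%E6%2E%FEj%00%12%D9%1C%5CM"
       "&peer_id=-lt0C40-%A9t%FB8%F0%E4%B9%B82%2A%CE%11&key=6aec66b3&ip=99.50.206.241"
       "&compact=1&port=6921&uploaded=0&downloaded=0&left=0&event=started")

# Announce keys this example expects every client to send (assumption, after BEP 3).
EXPECTED = ("info_hash", "peer_id", "port", "uploaded", "downloaded", "left")


def group_by_prefix(addrs, prefix_len=24):
    """Count source addresses per enclosing network of the given prefix length."""
    nets = (ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addrs)
    return dict(Counter(str(n) for n in nets))


def profile_announce(target):
    """Decode one announce request target into fields that can be compared."""
    # latin-1 maps every percent-decoded byte to one character, so the binary
    # info_hash and peer_id values survive the round trip back to bytes.
    q = parse_qs(urlsplit(target).query, encoding="latin-1", keep_blank_values=True)

    def raw(key):
        return q[key][0].encode("latin-1") if key in q else b""

    return {
        "info_hash": raw("info_hash").hex(),
        # First 8 bytes of peer_id: chosen by the client, not authenticated.
        "client": raw("peer_id")[:8].decode("ascii", "replace"),
        "numwant": int(q["numwant"][0]) if "numwant" in q else None,
        "missing": [k for k in EXPECTED if k not in q],
    }


if __name__ == "__main__":
    print(group_by_prefix(SOURCES), group_by_prefix(SOURCES, 16))
    for target in (BULK, OWN):
        print(profile_announce(target))
```

On the posted samples both request targets decode to the same info_hash, and the request from the 89.238.x.x group carries `numwant=200` and no `port` key.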

