ZipTorrent Pollutes and Slows Down Popular Torrents

Written by Ernesto on July 16, 2007 

BitTorrent users are facing a new enemy. A BitTorrent client named ZipTorrent, allegedly created by our friends from the anti-piracy organization Media Defender, leeches bandwidth and spreads useless data chunks.

The goal of ZipTorrent is to slow down popular downloads as much as possible. They use hundreds of these clients at the same time and this can potentially bring the average download speed down to zero. What’s more, it is not unlikely that it will record your IP address in the process so they can send you a copyright infringement notice on top of it.

On the Media Defender website we read:

“Decoying and Spoofing are the most commonly known techniques that we employ. We send blank files and data noise that look exactly like a real response to an initiated search requests for a particular title.”

According to ubisuck over at the mininova forums, Media Defender is doing just this with ZipTorrent. Apparently the fake client is a mod of the popular BitTorrent client Azureus which can be configured to send fake data.

Here’s a full screenshot of the ZipTorrent configuration screen. As you will see, there are some dubious settings like “fake upload ratio mode”, “no upload” and “safe fake download”.

It is not hard to check whether you are connected to these fake clients. In the peers list of your BitTorrent client they will show up as “ZipTorrent” and most of the time you will be connected to a bunch of them all originating from similar IP addresses with either 0% or 100% of the file completed.

However, there are blocklists to stop these malicious clients from connecting to your BitTorrent client. Pasted below is a list of the known IP-ranges ZipTorrent is on. The ranges were identified by The Pirate Bay team and are posted in several forums. You might want to add these to the blocklist of your BitTorrent client or PeerGuardian.

There’s one problem though: Media Defender will probably move to new IPs if they read this. It’s a never-ending story.

Update: The legitimacy of the screenshot and “ZipTorrent” is doubtful but the IP ranges are correct. Spoofing is not limited to a client like ZipTorrent and I’m told that clients like uTorrent and Azureus are also used to do this job.


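Hand-pasted range lists in the plain-text `label:start-end` format tend to pick up overlapping entries, malformed octets, reversed ranges and ranges wide enough to block legitimate peers, so it pays to audit one before loading it into a BitTorrent client or PeerGuardian. The sketch below is an added example, not code from the article or from any blocklist tool: it reports suspect lines, merges the rest and answers lookups. The sample entries are constructed from documentation and private address space, and the /16 width threshold is an assumption.

```python
import bisect
import ipaddress
# Constructed sample (RFC 5737 / RFC 1918 space), not the article's list.
SAMPLE = """\
decoy:192.0.2.10-192.0.2.40
decoy:192.0.2.30-192.0.2.99
decoy:198.51.100.0-198.51.100.255
decoy:203.0.113.01-203.0.113.50
decoy:203.0.113.200-203.0.113.100
decoy:10.0.0.0-10.255.255.255
"""
MAX_SPAN = 2 ** 16  # assumed threshold: warn on ranges wider than a /16

def to_int(text):
    text = text.strip()
    if any(len(o) > 1 and o[0] == "0" for o in text.split(".")):
        raise ValueError("octet with leading zero: " + text)
    return int(ipaddress.IPv4Address(text))

def audit(text):
    """Return (merged, warnings) for a list of label:start-end lines."""
    ranges, warnings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        label, _, span = line.strip().rpartition(":")
        lo, sep, hi = span.partition("-")
        try:
            if not label or not sep:
                raise ValueError("not label:start-end")
            start, end = to_int(lo), to_int(hi)
            if start > end:
                raise ValueError("start is after end")
        except ValueError as exc:
            warnings.append((n, str(exc)))
            continue
        if end - start + 1 > MAX_SPAN:
            warnings.append((n, "very wide range, expect false positives"))
        ranges.append((start, end))
    merged = []  # sorted, non-overlapping, adjacent ranges joined
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged, warnings

def is_blocked(ip, merged):
    value = to_int(ip)
    i = bisect.bisect_right(merged, (value, float("inf"))) - 1
    return i >= 0 and value <= merged[i][1]
```

Rejected lines are left out of the merged set rather than guessed at, so each warning needs a manual fix before the list is used.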


171 Responses


1 Jul 16, 2007 at 19:43 by patrick

I don’t think anyone is using 255.255.255.255, at least not for bittorrent, since that is the broadcast address. Or am I missing something?

2 Jul 16, 2007 at 20:27 by soullexx

thx for the advice

3 Jul 16, 2007 at 20:44 by Jasper van Weerd

added

4 Jul 16, 2007 at 20:58 by Jasper van Weerd

* note, i did a search in the log for ziptorrent, they have a lot of traffic going.

5 Jul 16, 2007 at 21:12 by Netmaster

Thank you, as usual, you guys kick ass!

6 Jul 16, 2007 at 21:14 by Anon~D

wow they do have a lot of traffic, thanks for the heads up torrent freak…wow 2/3 blocks every 3/4 seconds.

7 Jul 16, 2007 at 21:31 by Gulli dot com

Actually ziptorrent was a client of its own, discontinued (?) in 2005:

http://en.wikipedia.org/wiki/ZipTorrent

Maybe the original author wants to sue Media Defender for breach of TM, if registered ;-P

8 Jul 16, 2007 at 21:54 by Yatti

Hopefully will be added to the blocklists within pg2 :) ….

9 Jul 16, 2007 at 22:06 by debol

can anyone tell me how to add the above list to PG or a url with a how-to?

10 Jul 16, 2007 at 22:10 by debol

[quote comment="133461"]can anyone tell me how to add the above list to PG or a url with a how-to?[/quote]
It’s in the above link in the story

11 Jul 16, 2007 at 22:20 by martha_fukah

debol go to

http://wiki.phoenixlabs.org/wiki/PeerGuardian_2:Manual

12 Jul 16, 2007 at 22:28 by greenkeyboard

This should not do anything. All BT clients will ban clients that send bad data, or am I missing something?

13 Jul 16, 2007 at 23:05 by Jasper van Weerd

[quote comment="133473"]This should not do anything. All BT clients will ban clients that send bad data, or am I missing something?[/quote]

That’s a good thing, but the reality is that not everyone - and not all torrent engines - updates frequently, so you can get bad files from third parties.

14 Jul 16, 2007 at 23:06 by David

Azureus records the amount of times an IP address sends bad data, and will automatically ban that IP once the amount of times they send bad data reaches a certain point.

15 Jul 16, 2007 at 23:15 by deadlysensi

In the above ss, it shows as ziptorrent. The actual mod in question doesn’t include these client names but more client lists can be added either in the mod or with a spoofing plugin. These mods can emulate any client.

One peer reported noticing bad data being sent to him in utorrent but his client didn’t ban the ip. Even when you do, they re-appear in a few minutes using a different ip.

Attacks are linked to the use of hundreds of bots attacking the torrent, just after release. Several tests have been done to prove this and a way was discovered to partially confuse these bots. They search out and attack known films/games or uploaders names and attack. It takes about 6 minutes for these bots to discover new torrents then attack.

They work by swamping the torrent in the hundreds, faking uploading at a huge rate. The tracker gives them priority to the point where normal peers see little or none of the traffic.

This is just the tip of the iceberg. The uploader who passed this info claims that attacks have stepped up a gear and that tpb is being attacked across the board. These bots are killing torrents left right and centre. They pose a serious risk to torrenting and must be taken seriously. We’ve always been at war with these groups but now it’s getting serious.

Take the list above and spread the word. The more people using these ranges in peerguardian, the better.

16 Jul 16, 2007 at 23:21 by deadlysensi

Forgot to add…
Common signs to look for at the moment is the ziptorrent client. Peers who seem to be stuck at 0%. Peers who report as 100% and upload at an unreal speed.

17 Jul 17, 2007 at 00:15 by hugopriest

I am making a list in PeerGuardian to block the ziptorrent IP ranges and got confused when I got to this range: 216.218.190.0-216.218.199.255

My computer knowledge is limited, but this range didn’t seem to follow the pattern of the other ranges. I thought that “199” should be “190”.

Could someone let me know if this is a typo or not?

Many thanks!

18 Jul 17, 2007 at 00:25 by FAKEFINDER

@greenkeyboard & Jasper

While you are both right in your observation there is one tiny but important difference in the new approach of (allegedly) MediaDefender. (*)

Those peers do NOT send you bad data - at least not as heavily as it was done previously, which subsequently resulted in the (automated) fast banning of those “bad” guys.

Their new approach is to get as many upload slots as possible on the first seeder(s) and just suck up as much of the pieces that are intended to be distributed to “legitimate” sharing peers, in the assumption that the source uploader will cease to seed after x-times the size of the torrent of distributed pieces.

So this “new thread” is more a problem source uploaders need to be aware of than the “regular swarm buddy”, since there is no automated hashfail like banning system in place that prevent them from being sucked dry without that the content gets “in the wild” and they are most likely not even aware that they haven’t spread it widely even if they have 2 or 3 digit seeding figures for their torrents.

(*) I doubt that Randy is smart enough to come up himself with that new approach to behave friendly and just take instead of to be bad and give the poisoned fruit and be (automatedly) avoided in the consequence.
Maybe a new player in the house? ;-)

19 Jul 17, 2007 at 00:48 by deadlysensi

The media defender part comes from the uploader who is working with tpb to try and remove this threat. He reported it as a bot threat called media defender. I informed him that media defender is actually an anti_p2p group.

I originally produced the pic you see above. I wouldn’t assume that these mods up bad data. That’s not normally the way these mods work. Problem is, people are reporting it. It’s possible that these people aren’t using the mod correctly as this is reported to produce the odd bad packet.

Maybe they’re learning how to use it correctly. Maybe another group is getting in on the act.

What you report fakefinder, sounds more like the behaviour of these mods. May I ask that you locate the thread on mininova and post this info? Located here.

http://forum.mininova.org/index.php?showtopic=234996460&st=40

20 Jul 17, 2007 at 01:28 by Berethend

I’ve made a discovery. I’ve been monitoring this ziptorrent thing very closely. What I’ve figured out is that almost every single ziptorrent block by PG2 is from my local router IP which is 192.168.1.1 (most of yours should be something about the same) and is going to something along the lines of 239.255.255.250 Port 1900. This is regular internet traffic and is nothing to be worried about. I have not traced it back to which line of text it is in the block list but I am working on it and will post which one it is very soon so you can delete it from the block list. I think it’s causing a lot of worry seeing all of these ziptorrent blocks when in reality, the blocklist added an IP address that is just normal internet traffic.

Here is how to stop all of the unnecessary blocking. I did this and am no longer pestered with useless ziptorrent blocks. People were complaining about how they were getting blocks even though they weren’t downloading. This fixes that problem.

1. Open up the notepad document you made of the ziptorrent block lists.
2. Scroll down to the bottom and delete the last two lines of text.
3. Save the document.
4. Open up PG2 and update your lists by clicking “Check Updates.”
5. You will now no longer be pestered with unnecessary ziptorrent blocks that are just regular internet traffic.

21 Jul 17, 2007 at 01:31 by An0nym0us

**mutters something about harry potter 2007 torrent**

**cough cough**

22 Jul 17, 2007 at 01:52 by gunnard

…ZipTorrent Pollutes and Slows Down Popular Torrents… http://www.dontwatchme.com

23 Jul 17, 2007 at 02:03 by greenkeyboard

How can they keep leeching like this if it is as widespread as people say? What is their bandwidth bill?

Most likely within a few days most tracker admins will block this kind of attack. It sounds real noticeable. Talk about a waste of money.

24 Jul 17, 2007 at 02:12 by deadlysensi

I’ve often wondered that. Not just with this form of attack but in general.
They DON’T stop the flow of material as they are hired to do. How much money do you think companies are sinking into these groups just to watch their releases being circulated? How long do you think it would take companies to realise that they are wasting their money?
Perhaps this attack is a sign of desperation.

25 Jul 17, 2007 at 02:40 by Bob

I’m kind of curious, if this decoy technology works by engaging in massive leeching, what stops people from setting up honeypot trackers to get their IPs, then setting up a bunch of counter-decoy machines to waste the anti-piracy group’s resources?

The problem with this approach seems pretty similar to the decoy bots on other networks - once people figure out what they’re up to, they’ll either block the decoys or set up countermeasures. As a preventative measure, it seems like a bit of a one trick pony.
