Re: BitTorrent security questions
"Will Ashford" <ashford@xxxxxxxxxxxx> wrote in message
news:dpsu9n$42j$1@xxxxxxxxxxxxxxxxxxxxxxxxxxx
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Robert Glueck wrote:
> > I'm running a Linux desktop behind a NAT router with a
> > broadband connection to the Internet. I've also installed
> > an iptables based firewall (Firestarter) with a completely
> > permissive outbound traffic policy and an inbound traffic
> > policy of NO connections from any host allowed and NO
> > services on any port allowed for anyone.
> >
> > I frequently use BitTorrent (Azureus 2.3.0.6) to download
> > files from the web. In order to support this I enabled
> > port forwarding on the NAT router for ports 6882-6889 for
> > service BitTorrent. With these settings BitTorrent seemed
> > to be running all right.
> >
> > Recently, after I had installed an update for Azureus
> > (v.2.3.0.6), I noticed a new colored button in the status
> > bar which would be either yellow or red indicating a
> > "Possible NAT (TCP) problem".
> >
> > In the course of investigating this, I also noticed an item
> > "NAT/Firewall test" in the Azureus Tools menu which would
> > test the "incoming TCP/UDP listen port" which I had set to
> > 6886. When I ran this test, it failed with the message
> > "Testing port 6886 ... NAT error". The test dialog box
> > also offered the following explanation: "In order to get
> > the best out of Azureus, it's highly recommended to be
> > fully accessible from the Internet. This tool lets you
> > test and/or change the port used to accept incoming peer
> > connections."
> >
> > I took this recommendation to mean that I should open my
> > firewall for the ports used by bittorrent. Accordingly, I
> > added the inbound traffic policy "Allow service BitTorrent
> > for port 6881-6889 for everyone."
> >
> > With that the NAT status indicator button in the Azureus
> > status bar turned green ("NAT OK (TCP)"). Also, some of
> > the torrent health indicators for ongoing downloads turned
> > green, meaning "everything is going fine" whereas before
> > they had generally been yellow, meaning "you're connected
> > to peers, tracker is OK but you may have a NAT problem if
> > your torrents stay on yellow status all the time."
> >
> > After I'd made these changes everything seemed fine and
> > subjectively it seemed as though Azureus was working better
> > and down/uploading faster.
> >
> > Then I did a Shields Up (grc.com) port scan for the range of
> > ports 6881-6889 while Azureus was running and downloads
> > were proceeding. The result: 6881 stealthed, 6882-6885 and
> > 6887-6889 closed, 6886 OPEN. Ouch! I'd been running my
> > system with this configuration for more than a week.
> >
> > I immediately removed the firewall rule "Allow service
> > BitTorrent for port 6881-6889 for everyone" and did another
> > Shields Up port scan. The result: 6881-6889 stealthed.
> > BitTorrent down/uploads were still running fine.
> >
> > Next I also disabled port forwarding for ports 6882-6889 in
> > the NAT router. BitTorrent down/uploads were still running
> > fine.
> >
> > Several questions:
> >
> > 1. When my system was configured with port forwarding
> > enabled in the router and BitTorrent allowed for ports
> > 6881-6889 in the inbound traffic rules of my firewall, the
> > Shields Up port scan diagnosed port 6886 as open whenever
> > Azureus was running. Did that constitute a major security
> > hazard that a malicious hacker could have exploited? Could
> > he have installed malware via this "open" port, or was this
> > port only open for the BitTorrent protocol? If malware had
> > been installed would it have remained in my user area (I
> > wasn't running Azureus as root) or could I have been
> > rooted?
>
> Azureus only uses port 6881 TCP for data transmission and 6881 UDP for

I really don't agree with this. I'm only using port 55555 for Azureus, and
don't have any problem with that ;-)

> distributed hash table (dht or "trackerless" torrents) communication by
> default. Ports 6882-6889 of either protocol are used for miscellaneous
> plugins and additional non-essential services offered by azureus which
> can be safely disabled or firewalled off. This is only a minor security
> risk as the program azureus would have to be exploited remotely (or you
> would have to install a corrupted copy) for an attacker to gain anything
> in this way and any gain would be restricted to the user azureus is
> running as (i.e., you). You can safely open only port 6881 TCP and UDP
> for azureus' use.
>
> > 2. What were the security implications when I was running
> > Azureus with NAT router port forwarding enabled for
> > 6882-6889 but firewall closed to traffic coming in on
> > 6881-6889? Was there a possibility of a security
> > compromise in that configuration?
>
> See above, only with a firewall blocking connections to the unnecessary
> ports the risk is even further mitigated. Unless the program has been
> installed compromised or locally compromised and is making outgoing
> connections to malicious servers (in which case you are already in
> trouble) you are perfectly safe. Were I you, I would track down
> whichever portion of azureus is opening port 6886 and disable it if
> unnecessary though.
>
> > 3. What is the point of aiming for green settings for the
> > NAT status of the incoming TCP/UDP listen port 6886 and for
> > "torrent health", settings which potentially introduce
> > security hazards, when BitTorrent appears to be functional
> > even when these settings are in the yellow or red range?
>
> The "green" status of the bit torrent network allows you to receive
> connections from hosts who would otherwise be unable to contact you. Bit
> torrent is fully functional in "yellow" status and has an unavailable
> tracker (for whatever reason) in "red" status. Green status is highly
> desirable because it can result in speed boosts of well over 200%. Case
> in point, my system tends to download around 15-20 KB/s while yellow and
> has been known to reach over 500 KB/s while green.
>
> > Thanks in advance.
> >
> > Robert
> >
>
> Hope this helps,
> Will
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFDwfxqkIdrTCWKJM0RAkrKAKCcJURRjzfp7vNB5AkWQvjtWEkUjwCglW8p
> +x51bO4RtksoWScQ5KIKg1E=
> =GBl6
> -----END PGP SIGNATURE-----
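The Shields Up results Robert reports (6881 stealthed, 6882-6885 and 6887-6889 closed, 6886 open, then everything stealthed once the firewall rule was removed) follow directly from three layers: whether the router forwards the port, whether the host firewall accepts it, and whether a process is actually listening. The following script is an added illustration written for this thread, not code from Azureus, Firestarter or Shields Up. It models those three layers and reproduces the scan summaries from the post. It assumes the router silently drops traffic for ports it does not forward and that the host firewall uses a DROP (no reply) policy rather than REJECT; a REJECT policy would make blocked ports show as "closed" instead of "stealthed". The port sets below are the ones quoted in the thread, and the `minimal_policy` helper is a constructed name.

```python
"""Model of what an external scan reports per port, given NAT forwarding,
host firewall policy, and listening processes. Constructed example for
illustration; not the real Shields Up, Azureus or Firestarter logic."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class HostConfig:
    forwarded: set[int]         # ports the NAT router forwards to the host
    firewall_allowed: set[int]  # ports the host firewall accepts inbound
    listening: set[int]         # ports a local process is bound to


def scan_result(cfg: HostConfig, port: int) -> str:
    """Classify one port the way a remote scanner would see it.

    Assumption: an unforwarded port is dropped silently by the router and
    the host firewall's default inbound policy is DROP, so both give no
    reply at all ("stealthed"). A reachable port with no listener gets a
    TCP RST from the kernel ("closed"); a listener completes the
    handshake ("open").
    """
    if port not in cfg.forwarded:
        return "stealthed"
    if port not in cfg.firewall_allowed:
        return "stealthed"
    if port not in cfg.listening:
        return "closed"
    return "open"


def scan_range(cfg: HostConfig, ports) -> dict[int, str]:
    return {p: scan_result(cfg, p) for p in ports}


def _span(first: int, last: int, state: str) -> str:
    return f"{first} {state}" if first == last else f"{first}-{last} {state}"


def summarize(results: dict[int, str]) -> str:
    """Collapse per-port results into 'a-b state, c state, ...' text."""
    ports = sorted(results)
    parts = []
    start = prev = ports[0]
    state = results[start]
    for p in ports[1:]:
        if p == prev + 1 and results[p] == state:
            prev = p
            continue
        parts.append(_span(start, prev, state))
        start = prev = p
        state = results[p]
    parts.append(_span(start, prev, state))
    return ", ".join(parts)


def minimal_policy(listen_port: int) -> HostConfig:
    """Least-exposure configuration (constructed helper): forward and allow
    only the single port the client actually listens on."""
    return HostConfig(forwarded={listen_port},
                      firewall_allowed={listen_port},
                      listening={listen_port})


# Configurations quoted in the thread (ports from the post, not measured here).
BT_PORTS = range(6881, 6890)

# Router forwards 6882-6889, firewall allows 6881-6889, Azureus listens on 6886.
AS_POSTED = HostConfig(forwarded=set(range(6882, 6890)),
                       firewall_allowed=set(range(6881, 6890)),
                       listening={6886})

# Same, but the "Allow service BitTorrent" firewall rule removed.
RULE_REMOVED = HostConfig(forwarded=set(range(6882, 6890)),
                          firewall_allowed=set(),
                          listening={6886})

if __name__ == "__main__":
    print("as posted:   ", summarize(scan_range(AS_POSTED, BT_PORTS)))
    print("rule removed:", summarize(scan_range(RULE_REMOVED, BT_PORTS)))
    print("minimal:     ", summarize(scan_range(minimal_policy(6886), BT_PORTS)))
```

The model shows why "closed" ports were never a hole: they reached the host but nothing was bound to them, so the only real exposure in the posted configuration was the single listener on 6886, which is exactly the process Will suggests tracking down. It also shows that forwarding and allowing a whole range buys nothing over forwarding just the listen port.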
