Media Defender attacking Torrents transfers

[ubisuck]

There's talk of Media Defender using a Azureus mods to spoof ziptorrent and using it to leech and throttle down torrent upload. Apparently, TPB is aware of this.

here's some quote from different threads:

Code: Select all

There is a new enemy amongst us. This enemy is using a program named ZIPTORRENT to squeeze their way in every new or popular gaming torrent available today. Click to download ANY Ghost Recon Advanced Warfighter 2 torrent and you will notice what I speak of. Look in your peers list and will see MULTIPLE peers using ZIPTORRENT and sitting at 0.0% progress of download.

They are leeching and dumping data.
As the data goes in to their client it goes right out. This enables them
to highly slow down if not STOP the download speed for all others downloading.

We finally found out it was a Azureus mods:

edit: cannot post link to image

Media Defender states:

Code: Select all

MediaDefender uses a range of non-invasive technological countermeasures employed on P2P networks to frustrate users’ attempts to steal/trade copyrighted content. We have a proven track record of adapting to challenges and successfully protecting our customers as new technologies and networks arise.

Decoying and Spoofing are the most commonly known techniques that we employ. We send blank files and data noise that look exactly like a real response to an initiated search requests for a particular title. Pirated files will no doubt be on the networks, but with our protection applied it would be easier to find a needle in a hay stack than a real file amongst our countermeasures.

In addition to anti-piracy solutions, MediaDefender also offers a Leak Alert service. Our industry leading Leak Team scours Newsgroups, Usenet, and BitTorrent sites to see what cracked/pirated content has most recently leaked. Upon discovery, MediaDefender will download the leak and either send it or provide a secure ftp login for customers to sample the pirated material.

Note they openly admit to spoofing etc. Cheek is they claim to work using non invasive methods.

Here's a list of the IP that TPB found to be spoofing and choking some torrents:

updated list, this one comes from TPB staff, I received it through a good friend

----------------
ziptorrent:64.62.145.130-64.62.145.165
ziptorrent:65.19.131.0-65.19.131.85
ziptorrent:66.160.133.0-66.160.133.199
ziptorrent:87.117.250.0-87.117.250.150
ziptorrent:216.218.0.100-216.218.184.199
ziptorrent:216.218.190.0-216.218.199.255
ziptorrent:38.99.252.0-38.99.252.255
ziptorrent:38.99.253.1-38.99.253.200
ziptorrent:38.100.24.0-38.100.24.255
ziptorrent:38.100.25.0-38.100.25.255
ziptorrent:38.100.26.0-38.100.26.255
ziptorrent:38.100.134.0-38.100.135.255
ziptorrent:63.216.0.0-63.223.255.255
ziptorrent:64.62.145.0-64.62.145.255
ziptorrent:64.62.214.0-64.62.214.255
ziptorrent:64.93.64.0-64.93.64.255
ziptorrent:65.19.131.0-65.19.131.85
ziptorrent:65.19.143.0-65.19.143.255
ziptorrent:65.120.42.0-65.120.42.255
ziptorrent:66.117.5.0-66.117.5.255
ziptorrent:66.160.133.0-66.160.133.199
ziptorrent:66.160.158.0-66.160.158.255
ziptorrent:66.180.192.0-66.180.207.255
ziptorrent:66.186.192.0-66.186.223.255
ziptorrent:66.198.35.0-66.198.35.255
ziptorrent:81.230.187.01-81.230.187.99
ziptorrent:87.117.250.0-87.117.250.255
ziptorrent:100.0.0.0-115.255.255.255
ziptorrent:129.47.9.0-129.47.9.255
ziptorrent:154.37.0.0-154.37.255.255
ziptorrent:206.80.0.01-206.80.99.99
ziptorrent:207.45.196.0-207.45.196.255
ziptorrent:208.10.23.0-208.10.23.255
ziptorrent:208.10.29.0-208.10.29.255
ziptorrent:209.66.117.0-209.66.117.255
ziptorrent:209.133.121.0-209.151.247.255
ziptorrent:209.133.122.0-209.133.122.255
ziptorrent:209.151.247.0-209.151.247.255
ziptorrent:216.218.0.100-216.218.184.199
ziptorrent:216.218.190.0-216.218.199.255
ziptorrent:224.0.0.0-239.255.255.255
ziptorrent:240.0.0.0-255.255.255.255
------------------------------------------

open notepad, copy-paste these in it, save under whatever name you want and add this list in PG2

[Dazzle]

Cheers Ubisuck, I can confirm many of these IP's are in use disrupting other P2P networks and for that reason well worth blocking.

Can I also ask that perhaps some one take up the task of keeping these blocklisted IP's up to date and removing out of date ones as it impacts on genuine users who find themselves (Rather, the IP they are using ) on stale and out of date blocklists that are many years old now.

[ubisuck]

I have a SS of the azureus mods that allows them to do that, but my account here lacks the right to post url, so I cannot do a img tag.

That list in my post is 20 hours old.

We have a discussion about this in the Mininova forum.

[Winston84]

Can I also ask that perhaps some one take up the task of keeping these blocklisted IP's up to date and removing out of date ones as it impacts on genuine users who find themselves (Rather, the IP they are using ) on stale and out of date blocklists that are many years old now.

contrary to what people think here the lists are updated almost on a daily basis .. I'm sure these
IP's will be blocked in a few days (those that are not already blocked) and then we will have the usual
whining about "excessive blocking" .

or you could use stuffer and block "ziptorrent" .. you won't be blocking any legitimate peers by doing so .
Last ziptorrent update was on August 24, 2005 and the website is gone .

[ubisuck]

they are using a modified azureus that spoof ziptorrent.

I could show you the SS but I cannot post url here.

[enigmax]

The screenshot ubisuck was trying to post;

http://img337.imageshack.us/img337/9598 ... onsrc6.jpg

[ubisuck]

thank you

[ejonesss]

simple way to prevent that is to ban the modded versions.

[ubisuck]

HOw? It reports in your client as, in this case, ziptorrent. That's what the list do.

[Nutty-Slack]

Interesting stuff (if you're into this kind of thing).

The 38.100.xx.xx range is probably familiar to most hardened P2P-ers, and I did actually notice and subsequently block (via firewall) the 208.xx.xx.xx range without knowing what was going down.
That range (208.0.0.0 - 208.35.255.255) is utilised by none other than Sprint.net, and those addresses seem to occur on 'torrents' with activity from the 38.100.xx.xx range (Performance Systems Int.).

Generally, if you see any 'multiple' IPs with the same prefix (say, the first five digits +/-) amongst your peers, it's a pretty safe bet that they're bad news.

[Dazzle]

contrary to what people think here the lists are updated almost on a daily basis .. I'm sure these
IP's will be blocked in a few days (those that are not already blocked) and then we will have the usual
whining about "excessive blocking" .

And what list is this winston ?

[Zarggg]

Well, I have an issue with the following two ranges:

Code: Select all

ziptorrent:224.0.0.0-239.255.255.255
ziptorrent:240.0.0.0-255.255.255.255

Both 224.0.0.0/4 and 240.0.0.0/4 are marked as "Reserved" by the IANA. In particular, the addresses 239.255.255.250 and 255.255.255.255 are located in those ranges, and you do not want to block them arbitrarily.

239.255.255.250 is used for UPnP devices, and 255.255.255.255 is the broadcast address.

I see nothing else queer in the rest of the list, so I would recommend simply deleting the last two ranges when you add the list to any IP blocklist.

[majinsoftware]

I would hate to see what there ratio's are like as they are not uploading anything.

[pogue]

Has anyone submitted those IP ranges to Phoenix Labs? Apparently blocklist.org is temporarily down, but I assume someone could post this info on their forum?

[ubisuck]

Not me.

[ShawnSpree]

Media defender can keep doing what it does.. Its not slowing me down one bit.. =) I love the smell of a well seeded torrent on a private tracker.

[Winston84]

And what list is this winston ?

How about this one :
http://www.bluetack.co.uk/config/nipfilter.dat.gz

or this one :
http://www.bluetack.co.uk/config/pipfilter.dat.gz