Resurrecting a dead torrent tracker and finding 3M peers (opens in new tab)

Is this legal isn’t a useful question. The better question is how likely are you to get sued? With civil lawsuits it doesn’t matter if it’s legal you can be sued and harassed by lawyers if you get on their radar.

Because knowingly helping people commit crimes generally counts the same as committing the crime yourself. I.e. federally in the U.S. under 18 USC 2a https://www.law.cornell.edu/uscode/text/18/2 The software you're running being "simple" isn't a defence for doing illegal things with it - like aiding others commit crimes.

There are a few internet/copyright safe harbor provisions (in the US) that might maybe (probably not) make it not a crime, I don't know, I'm not a lawyer. But your general thought when you hear "helping someone else commit a crime" ought to be "that's probably a crime itself".

Because music & movie industries hate P2P in general? That basically killed P2P dead in 2000s as it was becoming the next generation of decentralized Web.

Maybe it's about time to revisit it? It's just the matter of how to enforce DRM. They shouldn't care in this day and age with plenty ways to get licensing sorted out.

OP did actually host a tracker.

"I then started the tracker. After about an hour, it peaked at about 1.7 million distinct torrents across 3.1 million peers!"

(IANAL) It can be both legal and illegal

If you don't respond to takedowns, that's probably leaning towards being illegal*

If you respond to takedowns and blacklist the hashes, you're most likely fine*

*obviously depends on the jurisdiction and on whether matching hashes to IP:PORT is considered distribution/facilitation/whatever (take TPB's case as an example)

I know someone who ran a pretty large tracker for years, when he received a takedown he just blacklisted the hashes and he's been fine so far.

Do you think the police understand this nuance? Especially since most of the traffic that will go through there is probably copyright infringement?

They'll just see tracker and assume it's illegal.

Yeah. There are trackers (hosts used for coordination between bittorrent peers) and there are "trackers" (sites used for hosting .torrent files and magnet: URIs). Takedowns have been targeted exclusively at the latter.

The Anti-Circumvention Clause in the DMCA says "No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology [...] is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title [or] has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title"

Most torrent clients that people use (though not all) are actually wrappers around libtorrent, which is very well tested and has even been audited.

I've written hobby-quality clients and I think the answer is yes. First, you're dealing with input from a server you don't control, and second, you're doing quite a bit of interaction with the filesystem. It's hard enough to write a functional client in a memory safe language, getting it correct in C or C++ is bound to be pretty tough.

Transmission had a remote code execution vulnerability (CVE-2018-5702) through DNS rebinding that allowed attackers to execute arbitrary commands - tracker exploitation is definitely a real attack vector.

Data is encoded via bencode so it's a byte wise format. Known malicious trackers usually inject stuff in the sense that e.g. there is a payload to all known PDF files appended with a payload that targets the clients' OS.

The announcement related APIs are fairly easy to implement, but I wouldn't bet on it being implemented in a fuzzed testing environment. Transmission, for example, had multiple vulnerabilities over the years. Not sure about the other client implementations.

Possible but unlikely. The protocol is relatively simple, and what clients are out there have already been subjected to tons of untrusted input.

That's what I was hoping the author would explore.

Think about how many other programs are written in not-rust. You're worrying over nothing (or, alternatively, you should be worried about just about everything)

Is it really going to be all that bad?

The BitTorrent clients I’ve used all seemed pretty polite, backing off for like 60s at least for each tracker they can’t connect to.

If you buy one of the dead tracker domains and point it at an IP of someone else, but their services aren’t even listening on the port client wants to connect to (and don’t speak BitTorrent even if the port happened to coincide), I can’t imagine that even with a million BitTorrent clients wanting to connect it would really be all that much of a problem.

Common clients' announce interval is pretty long (usually 30 minutes). Then again, 3M peers makes for some volume...

More harming I think is that you can redirect all the DMCA complaints that come from aggressive intellectual property holders at a residential IP address. ISPs will just cancel your account, despite how legal running a tracker may be.

You mean redirect all the traffic to any IP the author intends to theoretically DDoS? Never thought of it, definitely scary with 3M peers

Googling, there's been at least one tracker shut down by US law enforcement, EliteTorrents [2005] https://www.latimes.com/archives/la-xpm-2005-may-26-fi-torre...

I think there have probably been more. There are definitely more that had civil suits with MPAA etc suing for damages.

It may be somewhat harder to make the case in the US, but a tracker where a great majority of what's listed is copyrighted, I'm pretty sure it can be shut down in the US.

VPS is from https://cockbox.org/ (as referenced in the article), which says it is based in Moldova?

There used to be a large public tracker running on .si, used widely in Slovenia where .si is from. Almost everyone who's been online in the last 20 years in Slovenia knows of or has used it. It also didn't disappear because of legal notices.

the guy (marcus hutchins) wasn't arrested for registering that domain, he was arrested for allegedly creating an unrelated piece of malware.

I think it's more like you buy an abandoned house where people used to go buy drugs

you buy the house and people are still coming knocking on your door asking you if you have any drugs to sell

you're not doing anything wrong, but if the police notice people constantly coming to your house to buy drugs they may do something about it

> I suppose real life is more interesting though, the guy who picked up the domain to stop the global ransomware crisis was picked up after Defcon if memory serves

That dude developed and sold banking malware, that's why he got arrested.

This guy didn't just buy the haunted house that previously had signs directing serial killers to where the victims are, he also reinstalled the signs and opened it back up to the public knowing that the serial killers were still around and reading the signs.

I mean, it's a bit absurd to compare copyright infringement to murder, but that's where your analogy started. He didn't just by the domain and do something innocent, he actually started running the software that helps people pirate things strongly suspecting that pirates would use it to help them pirate things... and then when he observed that was reality he (smartly IMO) shut it down.

Definitely a few. Media companies often send out infringement notices to ISPs to be forwarded to the user and I would guess this is how they get those IPs

The trackers only deal with torrents' info hash. No names, no descriptions, no list of contents, no nothing. opentracker, to use OP's chosen software as example, can run in both white- and blacklist mode (or whatever equivalent terminology it uses today). The former is self-explanatory, and the latter allows all hashes except the blacklisted ones. All open trackers, such as torrent.eu and opentrackr.org to name a couple, always operate in a blacklist fashion in order to openly accommodate any users to congregate for (almost) any content.

The tracker knows what it is tracking. I used to run a TV show tracker. It would keep track of all the users upload/download ratios.

I'm thinking of the Jon Evans novel "Invisible Armies" and the "bug" / backdoor in the P2P software that it's author users to pwm machines.

I don't really think so. The tracker is just a tiny part of the whole Bittorrent setup, and it's only really used by clients to get a list of peers. It's basically just an HTTP call to the tracker, returning a response. The only thing that I can quickly think of is returning some malformed bencode which could cause a memory exhaustion a client written by a novice.

The peer protocol (and variants, like uTP) are much more interesting to attack, and you don't need to host a tracker for that, you can just get peer IPs from trackers or DHT, connect, and do your magic.

utorrent v2.1 is still widely used by too many people, and it certainly is exploitable.

Yes DHT is "historical", in the sense that it doesn't care about when your torrent was created, just the infohash.

However, most torrents created for private trackers have the "private" flag enabled, which excludes them from DHT and PEX and a few other things. You can remove this flag yourself, but you're depending on a seeder doing the same for DHT to work.

DHT works as long as the client is configured to use it, so if that old seed upgraded their client they might end up automatically sharing the metadata over DHT.

Yes, this should work, in theory.

There are existing services like btdig that do this via DHT, I believe.

You don't even have to go that far, you can just use torsniff. But be aware there is a lot of nsfw material and potentially illegal material for all I know.

Easier to just trawl the DHT, like btdigg

How did they get that address?

Yes - the solution to run any illegal activity on the internet: just register the domain in "Russia, China, Iran, or similar country".

You should tell the TOR folks about your findings, they can finally shutdown the darknet and just move their stuff to China.

Yeah, I can imagine there's loads of people that set up a seedbox somewhere and just... forgot about it, or never bothered to tidy it up.

Many torrents are on multiple trackers and, via the almost ubiquitously supported announce-list extension, have multiple trackers listed in the torrent file itself. So those 3M clients are unlikely to have been sat doing nothing because this tracker had vanished, they would be participating in the swarms around the other trackers listed in the metadata for each torrent.

The word "hijacking" in this scenario would only be applicable if the domain was still registered and active and he forcefully took the domain away. That is not the case. The fact OP was able to register it quickly and easily indicates it was unused and to call this "hijhacking" would imply permanent ownership of domains even after previous owners knowingly let the registration lapse.

The legality of hosting a tracker isn't obvious, and as pointed out elsewhere the nuance is less about concrete legality and more about having the resources to deal with lawyers harassing you with lawsuits.

I would at least mask those IP addresses from the blog post...

I guess...the question is...who? Surely people have to pay to keep these peers just running. 3.1 million is how many millions of dollars in infra per month? I guess it's distributed amongst millions or thousands of people, sure, or may be most of them are bots.

From the outside it's indistinguishable, and you get sued anyway.

It doesn't matter. Bittorent will live on as long as humans exist. It definitely helped a lot in creating extremely important p2p and decentralized software such as ipfs, bitcoin, etc

Isn't that one of the first things they do when they identify + take down a site hosting CSAM?

If done in good faith[1], this is allowed.

[1]https://www.justice.gov/archives/opa/press-release/file/1507...

Or maybe those just got better at hiding?

yeah turns out Dynadot enforces a 7 day wait on deleting the domain and it's only been 6 days. should be free for registration on June 18 (i assume in 3 hrs if they mean UTC)