#1 2013-12-20 13:55:59

mpan
Member
Registered: 2012-08-01
Posts: 270
Website

Warning for ArchCD seeders: strange traffic from Kaia Global Networks

Since at least the morning of 2013/12/16 I have been observing strange torrent traffic from hosts located in subnets belonging to Kaia Global Networks:

  • 79.141.160.0/24

  • 79.141.162.0/24

  • 79.141.173.0/24

The traffic consists of massive downloads of Arch CD, and also Ubuntu LTS CDs (desktop and alternate). While I could believe this is just a coincidence, the problem is that:

  • At least one of the hosts is confirmed to make a full download of the same file more than once, and others seem to do the same.

  • All hosts have identical configuration (same services, exactly the same client version, unconfigured nginx server...)

I'm warning other Arch seeders, because they may be unaware that such traffic is using up their bandwidth. If others confirm the traffic, I'll also notify Ubuntu seeders.

Kaia Global Networks has been notified, but they neither responded nor resolved the problem in the past 24 hours.

Last edited by mpan (2013-12-20 14:04:52)


Sometimes I’m a bit harsh on the outside — don’t get offended too easily!
PGP: C6B2EE64
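
The two indicators in the post above (hosts that pull the same file more than once, and look-alike hosts clustered in one subnet) can be checked from a seeder's per-peer upload totals. This is an added example, not part of the original post: the image size, client strings and byte counts are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

ISO_SIZE = 550 * 1024**2  # assumed image size in bytes (placeholder, not from the thread)
MIB = 1024**2

# Constructed sample: (peer IP, client string, bytes uploaded to that peer).
# Thread addresses are used for the flagged hosts; the rest are documentation ranges.
SAMPLE_LOG = [
    ("79.141.160.71", "ExampleClient/1.0", 600 * MIB),
    ("79.141.160.71", "ExampleClient/1.0", 700 * MIB),
    ("79.141.160.72", "ExampleClient/1.0", 1100 * MIB),
    ("79.141.162.31", "ExampleClient/1.0", 1650 * MIB),
    ("79.141.162.33", "ExampleClient/1.0", 900 * MIB),
    ("192.0.2.10", "OtherClient/2.3", 550 * MIB),     # one full copy: normal
    ("203.0.113.7", "OtherClient/2.1", 300 * MIB),    # partial download
    ("198.51.100.8", "ThirdClient/0.9", 1200 * MIB),  # heavy, but alone in its /24
]

def copies_per_peer(log, size):
    """Total bytes sent to each peer, expressed in full copies of the file."""
    sent = defaultdict(int)
    for ip, _client, nbytes in log:
        sent[ip] += nbytes
    return {ip: total / size for ip, total in sent.items()}

def suspicious_subnets(log, size, min_copies=1.5, min_hosts=2, prefix=24):
    """Subnets where several hosts each took well over one copy with one client."""
    clients = defaultdict(set)
    for ip, client, _nbytes in log:
        clients[ip].add(client)
    groups = defaultdict(list)
    for ip, copies in copies_per_peer(log, size).items():
        if copies >= min_copies:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            groups[str(net)].append(ip)
    flagged = {}
    for net, hosts in groups.items():
        seen = set().union(*(clients[h] for h in hosts))
        if len(hosts) >= min_hosts and len(seen) == 1:
            flagged[net] = sorted(hosts, key=ipaddress.ip_address)
    return flagged

if __name__ == "__main__":
    for net, hosts in suspicious_subnets(SAMPLE_LOG, ISO_SIZE).items():
        print(net, hosts)
```

A single heavy peer is not flagged on its own; the check requires several repeat downloaders with the same client string in one /24, which is the pattern the post describes.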

#2 2013-12-20 14:28:31

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,176
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

Thank you.


Linux is NOT Windows | The Rootless Root
Toshiba Satellite i5-3230M 2.6GHz CPUs, 4Gb RAM, ArchLinux, wmii, nVidia GeForce GT 740M.

#3 2013-12-20 15:01:54

phanisvara
Member
From: west bengal, india
Registered: 2012-07-08
Posts: 74

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

wondering about the possible motive behind such an attack, what would they try to achieve? just wasting everybody's bandwidth? or is this perhaps some automated pirate-catching system, proving that you're distributing something, and then they're going to send you some legal humbug?

#4 2013-12-20 15:14:59

vacant
Member
From: downstairs
Registered: 2004-11-05
Posts: 801

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

Could be someone stress-testing their own systems. Not very considerate to do that for any length of time if that is the case.

#5 2013-12-20 15:24:53

mpan
Member
Registered: 2012-08-01
Posts: 270
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

I don't think it's an attack. I don't see motives either. Hating Linux is not a good enough reason to spend money on such a thing ;)

During a talk with a friend we came up with the idea that possibly someone is testing their own equipment at the expense of others' bandwidth. This is the only plausible explanation I can find for now. There were a few others (students downloading Linux during a course, someone wanting to mirror images, misconfigured equipment), but they have flaws.

I would wait for reports/confirmations from other seeders before jumping to conclusions. It's unlikely, but possible that it's just a very strange coincidence that just happened to me.

-- edit --
95.141.28.0/24
Only 2 hosts from this range in past 24 hours. One of them has downloaded Arch three times.

Is anyone else experiencing the issue?

-- edit --
79.141.161.0/24

Last edited by mpan (2013-12-24 09:27:56)


#6 2014-01-10 16:18:20

commx
Member
Registered: 2012-06-11
Posts: 13

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

mpan wrote:

I don't think it's an attack. I don't see motives either. Hating Linux is not a good enough reason to spend money on such a thing ;)

During a talk with a friend we came up with the idea that possibly someone is testing their own equipment at the expense of others' bandwidth. This is the only plausible explanation I can find for now. There were a few others (students downloading Linux during a course, someone wanting to mirror images, misconfigured equipment), but they have flaws.

I would wait for reports/confirmations from other seeders before jumping to conclusions. It's unlikely, but possible that it's just a very strange coincidence that just happened to me.

-- edit --
95.141.28.0/24
Only 2 hosts from this range in past 24 hours. One of them has downloaded Arch three times.

Is anyone else experiencing the issue?

-- edit --
79.141.161.0/24

From which (exact) IP addresses are the connections coming? I'll take a look into this then.

#7 2014-01-10 16:39:45

mpan
Member
Registered: 2012-08-01
Posts: 270
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

None of the addresses I caught between the 20th and 24th of December, before subnet-blocking them, are active anymore. Also no new subnets were observed since then.


#8 2014-01-10 16:43:45

commx
Member
Registered: 2012-06-11
Posts: 13

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

Ok, fine. We're usually receiving loads of abuse mails regarding anonymization services we're providing colocation for and it's beyond our control what customers actually do with their services.

#9 2014-01-13 05:21:29

mpan
Member
Registered: 2012-08-01
Posts: 270
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

Hit me hard, please! I was checking them while I had all the ranges blocked in iptables...

27 addresses downloading from me when I was sending this post:
79.141.160.71-77
79.141.162.31-43
79.141.173.141-147

Last edited by mpan (2014-01-13 05:25:35)


#10 2014-02-12 00:31:54

Dävu
Member
Registered: 2014-02-11
Posts: 2
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

I'm seeding a Linux Mint torrent, and I would like to know as well what these guys are trying to accomplish...

http://i.imgur.com/RmiHE4o.png

A few minutes later... (notice peer 79.141.162.33, 79.141.162.34, 79.141.162.38)

http://i.imgur.com/BvVjULj.png



-- mod edit: read the Forum Etiquette and only post thumbnails http://wiki.archlinux.org/index.php/For … s_and_Code [jwr] --

#11 2014-02-12 00:59:39

progandy
Member
Registered: 2012-05-17
Posts: 2,151

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

Maybe they are just filling unused bandwidth for fun?

Last edited by progandy (2014-02-12 01:07:57)

#12 2014-02-12 03:52:03

mpan
Member
Registered: 2012-08-01
Posts: 270
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

After I blocked the KGN subranges the traffic dropped by about 90-95% (23GB monthly upload for the January Arch release vs >250GB over-half-month upload for the December release). This means that their actions are increasing load by 10-20x.

Since KGN refuses to cease activities (an e-mail sent to me 2014/01/13) and they're clearly disrupting the service, maybe Arch and Ubuntu (and possibly other affected distros, if any) should consider blocking the operator on tracker?

Can someone start the topic on Ubuntu's forums too? I don't want to create an account just to send a single notification.


#13 2014-02-12 04:01:24

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

Maybe you should send an email to [arch-general] or post something on the bugtracker.  It is just unlikely that the right eyes will see this request to block this IP range from the tracker.

#14 2014-02-12 06:45:53

mpan
Member
Registered: 2012-08-01
Posts: 270
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

I wasn't requesting anything yet - just asking other users. This is an issue that hits multiple distros.

But maybe you're right. I've posted it as bug#38881. However the issue remains open for other distributions.


#15 2014-02-12 08:21:15

Dävu
Member
Registered: 2014-02-11
Posts: 2
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

The "primary threats" blocklist from iblocklist.com seems to cover these IPs:
https://www.iblocklist.com/list.php?lis … twayqovmxn

#16 2014-02-12 08:33:13

mpan
Member
Registered: 2012-08-01
Posts: 270
Website

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

Bluetack's level 1, which is what I use, does not. At least it didn't before I blocked them. Also one can't assume that Linux seeders use anti-anti-p2p blocklists.


#17 2014-02-12 13:15:47

frepa
Member
Registered: 2013-02-13
Posts: 2

Re: Warning for ArchCD seeders: strange traffic from Kaia Global Networks

I am currently seeing this activity on a Debian torrent as well (debian-live-7.2-amd64-gnome-desktop.iso). It has been going on for a couple of weeks, and has wasted all the bandwidth I gave this torrent.
The "primary threats" blocklist from the earlier post did not block it for me. I instead created a custom blocklist for Transmission (my BitTorrent client), which was very simple.
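
A custom blocklist like the one mentioned above can be built from the ranges reported in this thread. This is an added example, not part of the original post and not the poster's own list: it assumes the P2P plaintext format (`label:first-last`) that Transmission's blocklist loader reads, and the label and function names are hypothetical.

```python
import ipaddress

# /24 ranges named in posts #1 and #5 of this thread.
THREAD_CIDRS = ["79.141.160.0/24", "79.141.162.0/24", "79.141.173.0/24",
                "95.141.28.0/24", "79.141.161.0/24"]
# Active peers from post #9, written there as first address plus last octet.
THREAD_SPANS = ["79.141.160.71-77", "79.141.162.31-43", "79.141.173.141-147"]

def parse_span(span):
    """Turn 'a.b.c.x-y' into the smallest list of networks covering x..y."""
    first, last_octet = span.split("-")
    start = ipaddress.IPv4Address(first)
    last = int(last_octet)
    if not 0 <= last <= 255:
        raise ValueError(f"bad last octet in {span!r}")
    end = ipaddress.IPv4Address((int(start) & 0xFFFFFF00) | last)
    if end < start:
        raise ValueError(f"descending range in {span!r}")
    return list(ipaddress.summarize_address_range(start, end))

def merged_networks(cidrs, spans):
    """Combine CIDRs and spans, dropping overlaps and joining adjacent blocks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    for span in spans:
        nets.extend(parse_span(span))
    return list(ipaddress.collapse_addresses(nets))

def p2p_lines(networks, label="archcd-thread"):
    """Render networks as P2P plaintext blocklist lines: label:first-last."""
    return [f"{label}:{n.network_address}-{n.broadcast_address}" for n in networks]

if __name__ == "__main__":
    print("\n".join(p2p_lines(merged_networks(THREAD_CIDRS, THREAD_SPANS))))
```

The spans from post #9 alone cover 27 addresses; the /24 entries subsume them, and 79.141.160.0/24 and 79.141.161.0/24 collapse into a single /23 line.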
