Swell on the horizon - watching Scanners searching for Bittorrent clients

Following the news earlier this month (see reddit) about a bug in BitTorrent clients that could be abused for DDoS attacks: we already run sensors that behave like BitTorrent clients, so we expected to catch some of the scanner waves that usually follow such publications.

This is a very short analysis of all events we've seen on port 8333 (tcp/udp) on sensors running BitTorrent clients; each connection request counts as one access/request, while subsequent communication is ignored. The timeframe is Aug 5 to Aug 31.

The average number of access requests per day was around 30, rising in a first wave starting Aug 17 to an average of 200 requests/day and peaking on Aug 22 at nearly 500 requests/day. We saw a total of 271 different IPs, with one IP accounting for half of the hits (222.186.61.9, 4881, from China). Besides IPs that were caught by one or two sensors with many requests, we also saw some scanners like Shodan (188.138.9.50, 85.25.103.50) crawling their way through the intertubes, hitting each sensor just once or twice.

The country with the most scanning activity is China with more than 6000 requests, followed by Thailand (233), USA (200), Korea (160) and India (109).
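To make the counting rule and the aggregations above reproducible, here is an added example (not code from the original post or from our sensor platform) that applies them to a constructed sensor log: it keeps only the initial connection request per session on port 8333, drops follow-up traffic, and produces the per-day series with and without the most aggressive IP, the top IPs, the top countries and the number of distinct sensors each IP touched. The log format, the sensor names, the 203.0.113.7 address and the IP-to-country mapping are assumptions made for the example; in practice the country would come from a GeoIP database.

```python
from collections import Counter, defaultdict

# Constructed sample of sensor events (not the post's real data).
# Assumed line format: "<ISO timestamp> <sensor> <src_ip> <src_port> <dst_port> <proto> <event>"
SAMPLE_LOG = """\
2015-08-17T01:12:03 sensor-a 222.186.61.9 4881 8333 tcp connect
2015-08-17T01:12:09 sensor-a 222.186.61.9 4881 8333 tcp data
2015-08-17T02:40:11 sensor-b 222.186.61.9 4881 8333 tcp connect
2015-08-17T05:00:00 sensor-c 188.138.9.50 51234 8333 tcp connect
2015-08-18T03:15:44 sensor-a 222.186.61.9 4881 8333 tcp connect
2015-08-18T03:15:50 sensor-a 222.186.61.9 4881 8333 tcp data
2015-08-18T09:01:02 sensor-b 85.25.103.50 40001 8333 udp connect
2015-08-18T11:45:00 sensor-b 203.0.113.7 33333 8333 tcp connect
2015-08-18T12:00:00 sensor-a 203.0.113.7 33334 22 tcp connect
2015-08-19T07:30:00 sensor-c 222.186.61.9 4881 8333 tcp connect
this line is malformed and must be skipped
"""

# Constructed IP -> country mapping standing in for a GeoIP lookup
# (only the 222.186.61.9 -> CN entry reflects what the post states).
GEO = {"222.186.61.9": "CN", "188.138.9.50": "DE", "85.25.103.50": "DE"}

PORT = 8333


def parse_events(text):
    """Parse the assumed log format; malformed lines are skipped, not counted."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[4].isdigit():
            continue
        ts, sensor, ip, _sport, dport, proto, event = fields
        events.append({"day": ts[:10], "sensor": sensor, "ip": ip,
                       "dport": int(dport), "proto": proto, "event": event})
    return events


def access_requests(events, port=PORT):
    """Keep only the initial connection request per session on the sensor port;
    subsequent communication is ignored, matching the post's counting rule."""
    return [e for e in events if e["dport"] == port and e["event"] == "connect"]


def requests_per_day(requests, exclude_ip=None):
    """Daily request counts; pass exclude_ip to get the 'cleaned by top IP' series.
    Days keep a zero entry so the series stays continuous for plotting."""
    per_day = {r["day"]: 0 for r in requests}
    for r in requests:
        if r["ip"] != exclude_ip:
            per_day[r["day"]] += 1
    return dict(sorted(per_day.items()))


def top_ips(requests, n=10):
    return Counter(r["ip"] for r in requests).most_common(n)


def top_countries(requests, geo=GEO, n=10):
    return Counter(geo.get(r["ip"], "??") for r in requests).most_common(n)


def sensors_hit(requests):
    """Distinct sensors per IP: a wide, shallow footprint (many sensors, one or two
    hits each) is the crawler pattern the post attributes to scanners like Shodan."""
    seen = defaultdict(set)
    for r in requests:
        seen[r["ip"]].add(r["sensor"])
    return {ip: len(s) for ip, s in seen.items()}


def summarize(text):
    reqs = access_requests(parse_events(text))
    top_ip = top_ips(reqs, 1)[0][0]
    return {
        "total": len(reqs),
        "per_day": requests_per_day(reqs),
        "per_day_excluding_top": requests_per_day(reqs, exclude_ip=top_ip),
        "top_ips": top_ips(reqs),
        "top_countries": top_countries(reqs),
        "sensors_hit": sensors_hit(reqs),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Filtering on the destination port and the connect event before counting is what keeps a chatty client (one request followed by many data packets) from inflating the numbers; the excluded-top-IP series is the same computation with one address masked out, which is why the two plots below share their shape except for the peak.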

Below are some charts showing the count of attacks, the top 10 IPs and countries and the geographical distribution, as well as a list of the IPs that accessed our sensors on port 8333 during the last week.

[Figure: scanner wave, excluding the most aggressive IP]

[Figure: scanner wave, total, including all IPs]

[Figure: geographical distribution]

[Figure: Top ten IPs]

[Figure: Top 10 countries]

Appendix

server_ip    
-----------------
31.16.124.103
222.186.56.46
195.154.102.211
216.218.206.67
185.56.82.6
36.225.234.65
36.225.254.190
222.186.56.15
36.229.236.180
58.151.219.144
117.21.176.128
117.21.176.122
111.248.114.241
210.240.167.194
192.187.110.98
38.97.76.211
192.169.233.173
216.218.206.66
200.31.162.28
198.55.103.9
74.82.47.2
222.186.59.130
222.186.34.215
222.66.55.248
121.139.205.78
219.255.134.5
180.97.28.11
61.191.180.86
91.236.75.4
45.35.55.122
222.77.181.113
180.225.203.220
100.38.174.6
104.192.0.20
173.254.230.56
104.149.197.121
124.117.233.94
107.150.52.82
74.82.47.3
89.248.171.221
195.154.165.177
59.63.166.11
104.148.44.116
182.131.2.163
91.207.60.31
123.154.5.106
222.211.65.173
61.231.7.124
123.183.217.219
142.4.206.27
111.248.61.151
184.105.139.67
223.4.242.199
203.171.229.216
5.39.222.253
86.106.72.53
169.54.233.126
111.248.112.205
116.41.255.190
45.35.69.125
222.186.42.176
109.123.108.43
82.127.102.143
60.111.117.104
222.186.56.25
186.103.141.42
61.147.91.63
218.22.131.99
116.255.192.39
36.230.254.28
218.31.113.69
5.196.208.2
222.186.21.84
183.60.48.25
173.161.85.105
222.186.56.114
218.108.132.58
184.105.139.68
59.38.100.155
111.248.102.85
222.186.190.148
61.228.95.70
221.133.40.134
222.186.34.160
14.139.87.210
198.50.251.118
119.10.7.34
222.186.61.9
1.171.248.130
209.126.230.71
36.231.254.209
222.186.21.107
121.201.16.21
37.9.62.41
185.49.14.190
85.25.103.50
5.104.175.234
173.254.203.139
222.186.56.123
222.66.55.246
63.141.241.164
220.128.102.163
192.169.249.225
222.87.146.37
222.186.34.142
61.160.221.75
1.34.22.39
58.215.76.239
212.83.149.78
114.215.32.16
169.54.233.119
74.82.47.4
222.186.21.109
216.218.206.68
111.248.112.64
116.255.157.237
123.159.154.228
198.20.69.98
111.248.96.205
36.226.246.84
46.105.243.194
101.54.49.241
169.54.233.117
222.66.55.241
198.55.106.234
93.174.93.129
198.55.103.192
71.6.135.131
89.248.171.149
173.254.203.101
219.129.187.20
124.172.139.28
92.222.35.156
222.186.34.225
62.210.69.173
180.87.43.2
222.186.34.122
115.159.109.167
85.25.217.228
104.217.216.169
222.66.55.244
184.105.247.195
36.225.234.84
178.33.254.26
111.73.45.126
36.225.234.28
91.196.50.33
5.189.154.175
117.21.176.75
185.25.151.159
27.187.226.23
169.54.233.118
188.138.9.50
37.187.133.29
193.169.86.58
184.105.247.196
91.121.254.17
36.225.234.51
36.231.254.181
67.207.157.25
93.174.93.218
180.97.215.110
198.20.70.114
222.186.34.204
66.240.192.138
66.240.236.119
185.56.80.127
202.129.36.134
71.6.167.142
192.99.203.50
date: 2015.08
tags: analyse botnet ddos hacker security server taod
