arvidn / libtorrent

an efficient feature complete C++ bittorrent implementation

Home Page:http://libtorrent.org

Libtorrent process pings random servers causing security concerns

abhishek-das-gupta opened this issue · comments

libtorrent version 1.1.5.0

boost version: 1.65.0

Hi @arvidn, we use libtorrent's Python bindings within the cluster to distribute torrents among the nodes. This happens only one time, when the distribution is needed (cluster creation, re-distribution of a new torrent, etc.), and the rest of the time the libtorrent process remains idle.
There have been numerous security concerns where the libtorrent process randomly pings servers outside the customer's network, i.e. anywhere in the world.
From the packet captures that we have done, it appears that the network traffic consists of "ping" packets and "get_peers" packets, which are network-level packets for host discovery. There is no data transfer either in or out, not even metadata about data files.

Currently we have the following rudimentary params set for the torrent handle:

    params = {'save_path': self.location + '/',
              'storage_mode': libtorrent.storage_mode_t.storage_mode_sparse}
    params['dht_nodes_name'] = dhtNodes
    params['ti'] = self.info
    params['max_uploads'] = 1

Are there any flags that I can set so that such pings don't occur anymore? We were thinking of enabling the following params for the torrent handle after reading the docs:

params['enable_upnp'] = False
params['enable_natpmp'] = False
params['enable_lsd'] = True
params['enable_dht'] = False

Let us know if you agree, or if any other param needs to be set here as well.

commented

Turn off the internet:

// Block every IPv4 range except the RFC 1918 private networks (10/8,
// 172.16/12, 192.168/16) and the 127.0.0.1 loopback address, so libtorrent
// can only talk to peers and DHT nodes inside those ranges.
final ip_filter ipFilter = new ip_filter();
final error_code errorCode = new error_code();
// 0.0.0.0 - 9.255.255.255 (everything below 10/8)
ipFilter.add_rule(address.from_string("0.0.0.0", errorCode), address.from_string("9.255.255.255", errorCode), ip_filter.access_flags.blocked.swigValue());
// 11.0.0.0 - 127.0.0.0 (between 10/8 and 127.0.0.1)
ipFilter.add_rule(address.from_string("11.0.0.0", errorCode), address.from_string("127.0.0.0", errorCode), ip_filter.access_flags.blocked.swigValue());
// 127.0.0.2 - 172.15.255.255 (between 127.0.0.1 and 172.16/12)
ipFilter.add_rule(address.from_string("127.0.0.2", errorCode), address.from_string("172.15.255.255", errorCode), ip_filter.access_flags.blocked.swigValue());
// 172.32.0.0 - 192.167.255.255 (between 172.16/12 and 192.168/16)
ipFilter.add_rule(address.from_string("172.32.0.0", errorCode), address.from_string("192.167.255.255", errorCode), ip_filter.access_flags.blocked.swigValue());
// 192.169.0.0 - 255.255.255.255 (everything above 192.168/16)
ipFilter.add_rule(address.from_string("192.169.0.0", errorCode), address.from_string("255.255.255.255", errorCode), ip_filter.access_flags.blocked.swigValue());
// The filter is a session-level object, not a per-torrent one.
torrentSession.set_ip_filter(ipFilter);

From the packet captures that we have done, it appears that the network traffic consist of "ping" packets and "get_peers" packets, which are network level packets for host discovery.

When you say "ping", do you mean an ICMP ping packet?
When you say "get_peers", it sounds like you may be talking about a DHT packet. Is it UDP with a bencoded dict where one of the strings is get_peers? If so, you probably haven't disabled the DHT.

The snippet above where it looks like you attempt to disable the DHT is incomplete. What type is params? Is it the add_torrent_params just like in the snippet above? If so, that's the wrong place. The DHT is disabled at the session level.

You need to pass the session settings into session_handle::apply_settings() for it to take effect.
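The two points made in this thread, turn discovery off at the session level (not in add_torrent_params) and restrict the session to the customer's own address space with an ip_filter, put together in one Python script. This is an added example for readers of the thread, not code from the issue or from libtorrent itself. It assumes the libtorrent 1.1+ Python bindings, where lt.session() accepts a settings dict, session.apply_settings() takes the same dict, and ip_filter.add_rule(first, last, flags) takes address strings with flag 1 meaning "blocked"; the key names in QUIET_SETTINGS are settings_pack names assumed to exist in that version. The blocked ranges are computed from an allow-list rather than typed by hand, so the same function generalises to whatever networks a cluster actually uses; with the allow-list below it reproduces exactly the five rules from the Java comment above. The libtorrent import is deferred so the range computation can run without the library installed.

```python
"""Quiet libtorrent session: no DHT/LSD/UPnP/NAT-PMP, and an IP filter that
only lets the session talk to an allow-list of networks. Added example; the
libtorrent calls are assumptions about the 1.1+ Python bindings."""
import ipaddress

# Constructed allow-list for this example: the RFC 1918 ranges plus loopback.
# Replace with the cluster's real address space.
ALLOWED_NETS = ["10.0.0.0/8", "127.0.0.1/32", "172.16.0.0/12", "192.168.0.0/16"]

# Session-level settings (settings_pack names). These belong to the session,
# not to add_torrent_params, which is why setting them per torrent does nothing.
QUIET_SETTINGS = {
    "enable_dht": False,            # no DHT ping / get_peers traffic at all
    "enable_lsd": False,            # no local multicast peer discovery
    "enable_upnp": False,           # no router port-mapping requests
    "enable_natpmp": False,
    "dht_bootstrap_nodes": "",      # assumed key: empty bootstrap list
    "apply_ip_filter_to_trackers": True,  # assumed key: filter trackers too
}

BLOCKED = 1  # ip_filter flag value meaning "blocked" (0 means allowed)


def blocked_ranges(allowed):
    """Return (first, last) IPv4 address strings covering every address
    that is NOT inside one of the allowed networks, in ascending order.
    These are the rules to feed to ip_filter.add_rule with the BLOCKED flag."""
    nets = sorted((ipaddress.ip_network(n, strict=True) for n in allowed),
                  key=lambda n: int(n.network_address))
    ranges = []
    cursor = 0  # first address not yet classified
    for net in nets:
        start = int(net.network_address)
        if start > cursor:
            ranges.append((str(ipaddress.IPv4Address(cursor)),
                           str(ipaddress.IPv4Address(start - 1))))
        cursor = max(cursor, int(net.broadcast_address) + 1)
    if cursor <= 0xFFFFFFFF:
        ranges.append((str(ipaddress.IPv4Address(cursor)), "255.255.255.255"))
    return ranges


def make_quiet_session(allowed=ALLOWED_NETS, settings=QUIET_SETTINGS):
    """Create a libtorrent session with discovery disabled and the IP filter
    installed. Requires the libtorrent Python bindings at call time."""
    import libtorrent as lt  # assumed: 1.1+ bindings

    ses = lt.session(settings)        # settings given at construction ...
    ses.apply_settings(settings)      # ... or applied later; both are session-level
    flt = lt.ip_filter()
    for first, last in blocked_ranges(allowed):
        flt.add_rule(first, last, BLOCKED)
    ses.set_ip_filter(flt)
    return ses


def discovery_disabled(settings):
    """Check that every discovery mechanism in a settings dict is off."""
    keys = ("enable_dht", "enable_lsd", "enable_upnp", "enable_natpmp")
    return all(settings.get(k) is False for k in keys)


if __name__ == "__main__":
    for first, last in blocked_ranges(ALLOWED_NETS):
        print("block", first, "-", last)
    try:
        ses = make_quiet_session()
        print("session up, dht enabled:", ses.get_settings().get("enable_dht"))
    except ImportError:
        print("libtorrent not installed; filter rules computed only")
```

After the session is up, a packet capture on the node should show no outbound UDP to addresses outside the allow-list; if get_peers packets still appear, the settings were applied to the wrong object or a second session was created elsewhere in the process.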