Attack Against Port 6881?

Alex Satrapa grail at goldweb.com.au
Tue Feb 4 23:15:55 EST 2003


Our Telstra Bigpong account came in today... 6Gb of excess traffic, 
apparently?

I have logs showing lots of attempts to connect to port 6881, from 
various places such as:
  - cust.90.110.adsl.cistron.nl
  - alb-24-195-149-48.nycap.rr.com
  - pc1-ldry1-4-cust23.blfs.cable.ntl.com
  - pc3-farn1-5-cust152.glfd.cable.ntl.com

Does anyone know what is supposed to be on port 6881?

Now to find out whether Telstra will acknowledge the fact that I didn't 
want that traffic (I have lots and lots of logs proving that my network 
was dropping every SYN packet - all 6Gb of them!).  I don't know if 
anyone else was affected, but the attack happened around December 29-31, 
and a little of the morning of Jan 1.  Has anyone else had a similar 
problem?

AFAIK, 6881 is the port used by "BitTorrent" - a file download system 
where you get a little bit of your bulk data from one source, a little 
bit from another, etc.  I think the idea is to maximise your own 
download without swamping the people sharing the bulk data.  My guess is 
that I was lucky enough to get the IP address of someone who'd been 
sharing warez, and so all those leeches were trying to connect to my 
non-existent BitTorrent server.

Interesting to note that they kept trying to connect at 4 second 
intervals, nonstop for 4 days, and Telstra just let the packets on 
through (don't they know how to recognise a DDoS yet?).
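
An added example, not part of the original post: one way to turn firewall drop logs like those described above into per-source evidence (SYN count, bytes, retry gap) for port 6881. It assumes netfilter `LOG`-style syslog lines, which the post does not specify; the sample lines, addresses, function name and start year are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed, abbreviated netfilter LOG lines; addresses are documentation ranges.
_T = ("{ts} gw kernel: DROP IN=ppp0 OUT= SRC={src} DST=198.51.100.7 LEN={n} "
      "TTL=112 PROTO=TCP SPT=3456 DPT={dpt} WINDOW=16384 RES=0x00 {fl} URGP=0")
SAMPLE_LOG = "\n".join(_T.format(ts=ts, src=src, n=n, dpt=dpt, fl=fl)
                       for ts, src, n, dpt, fl in [
    ("Dec 29 03:14:01", "203.0.113.5", 48, 6881, "SYN"),
    ("Dec 29 03:14:05", "203.0.113.5", 48, 6881, "SYN"),
    ("Dec 29 03:14:09", "203.0.113.5", 48, 6881, "SYN"),
    ("Dec 29 03:14:10", "203.0.113.9", 48, 80, "SYN"),        # other port
    ("Dec 29 03:14:11", "203.0.113.9", 40, 6881, "ACK SYN"),  # not a bare SYN
    ("Dec 29 03:14:13", "203.0.113.5", 48, 6881, "SYN"),
    ("Dec 31 23:59:58", "192.0.2.44", 60, 6881, "SYN"),
    ("Jan  1 00:00:02", "192.0.2.44", 60, 6881, "SYN"),
])

def summarise(log_text, port=6881, start_year=2002):
    """Per-source count, byte total and median retry gap of bare SYNs to `port`."""
    stats = defaultdict(lambda: {"syns": 0, "bytes": 0, "times": []})
    year, last_month = start_year, None
    for line in log_text.splitlines():
        try:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # not a syslog-stamped line
        if last_month is not None and ts.month < last_month:
            year += 1  # syslog stamps carry no year: detect Dec -> Jan rollover
            ts = ts.replace(year=year)
        last_month = ts.month
        kv = dict(re.findall(r"(\w+)=(\S*)", line))
        flags = set(line.split())
        if kv.get("PROTO") != "TCP" or kv.get("DPT") != str(port):
            continue
        if "SYN" not in flags or "ACK" in flags:
            continue  # keep only connection attempts, not replies
        s = stats[kv["SRC"]]
        s["syns"] += 1
        s["bytes"] += int(kv["LEN"])  # LEN is the IP packet length in bytes
        s["times"].append(ts)
    report = {}
    for src, s in stats.items():
        gaps = [(b - a).total_seconds() for a, b in zip(s["times"], s["times"][1:])]
        report[src] = {"syns": s["syns"], "bytes": s["bytes"],
                       "median_gap_s": median(gaps) if gaps else None}
    return report
```

A steady median gap across many unrelated sources, all hitting one closed port, is the pattern of stale peers retrying rather than a coordinated flood, and the byte totals give a figure to set against the billed volume.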