Last Sunday I added a torrent to my favorite bittorrent client: µTorrent. The download went quite fast in the beginning, but after some time it slowed almost to a halt. When I checked the "Peers" tab in µTorrent I noticed something very odd: two groups of very similar IP addresses, all using the same bittorrent client, Azureus, and all using the same version, 2.4.0.2. One group started with 38.100 and the other group started with 208.10.
When I saw the list I had the feeling that something was wrong, but didn't give it much thought. However, when after a few days the relatively small file was still not finished, I decided to see if there was a way to block those highly suspicious IP addresses.
When you enable the IP filter in µTorrent (the version I am using has this enabled by default), the bittorrent client reads a file called ipfilter.dat (if it exists). If you want to block IP addresses, you can add those addresses or ranges of addresses to this file. You can use Notepad or TextPad, or any other editor to create this file. You can either specify a single IP address to block on a line of its own:
xxx.xxx.xxx.xxx
or you can specify a range of IP addresses as follows:
xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy
Before you create the file, first check that the ipfilter.enable option has a value of true in the Advanced Preferences of µTorrent. Press Ctrl+P to open the Preferences dialog window, and select the Advanced entry in the list of preferences. Scroll the list of advanced options until you see ipfilter.enable and check if its value is set to "true". If not, select ipfilter.enable, select the radio button in front of True, and click the OK button.
If you have a recent version of µTorrent you don't have to exit the client program now; you can (re)load the IP filter data after you have created or modified the ipfilter.dat file (see below). To do so, select the Peers tab and then press the right mouse button in the overview that shows the IP addresses to open the context menu. In this menu you can select "Reload IPFilter" to (re)load the file with IP addresses.
Note that even though the version of µTorrent you're using has this option, you might have to select an active torrent first before you can open the context menu and select it.
Otherwise, exit the µTorrent program by either selecting Exit in the File menu, or selecting Exit in the context menu that appears when you click the right mouse button on the µTorrent icon in the system tray.
Next press the Windows button - which is located between the left Ctrl and left Alt key on your keyboard - and R at the same time (Windows + R). Enter the following into the text entry field and press return:
%appdata%\utorrent
This should open the folder that holds the settings and data files used by the µTorrent program.
Create a new file called ipfilter.dat in this utorrent folder. An easy way to do this is to disable "Hide extensions for known file types" in the Folder options, then create a "New Text Document" and rename the newly created "New Text Document.txt" file to ipfilter.dat. Open this file in Notepad, TextPad, or your favorite text editor.
Next, if you want to block the same ranges as I am currently blocking, copy the following lines into your editor and save the file:
38.100.24.0-38.100.27.255
208.10.23.0-208.10.23.255
208.10.29.0-208.10.29.255
Depending on the version of µTorrent you have, either start µTorrent again, or select "Reload IPFilter".
In case you're wondering how to obtain a range for a given IP address, I explain two methods. The first one uses the Whois lookup and Domain name search page of DomainTools: enter the IP address there to obtain more information. Since I use this tool quite often I've made a smart keyword in Firefox so I can initiate a search from the address bar. The other method just calculates a range of 256 IP addresses for a given IP, which might be enough. If not, you can always just add more ranges.
OrgName: Performance Systems International Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
NetRange: 38.0.0.0 - 38.255.255.255
CIDR: 38.0.0.0/8
NetName: PSINETA
NetHandle: NET-38-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: NS.PSI.NET
NameServer: NS2.PSI.NET
Comment: Reassignment information for this block can be found at
Comment: rwhois.cogentco.com 4321
RegDate: 1991-04-16
Updated: 2005-10-05
When you see this output you might be tempted to add the range 38.0.0.0 - 38.255.255.255 to your ipfilter.dat file. But that might be a bit too drastic. Note the comment lines, which explain that reassignment information can be found at rwhois.cogentco.com.
Next use the online RWhois Web Interface to find out more about 38.100.24.96. Enter rwhois.cogentco.com in the host input field, the IP address 38.100.24.96 in the Query field and click on "Submit query".
When I used the rwhois web interface on 38.100.24.96 I got the following output:
id NET-2664180016
network-name NET-2664180016
ip-network 38.100.24.0/22
org-name SafeNet inc
street-address 4690 Millenium Dr Ste 400
city Belcamp
state MD
postal-code 21017
tech-contact ZC108-ARIN
updated 2007-10-05 20:45:56
updated-by jknowles
When I used Wikipedia to search for more information on SafeNet, the first result reported was a page on MediaSentry (Relevance: 100.0%):
MediaSentry is an American company that provides services to the music recording, motion picture, television, and software industries for locating and identifying IP addresses that are engaged in the use of online networks to share material in a manner said organizations claim is in violation of copyright. The company provides several services for this purpose, such as monitoring popular forums for copyright infringement, aid in litigation, early leak detection, and the distribution of decoy files.
The above is to me an extremely good reason to block SafeNet. I don't think that abusing bittorrent networks has anything to do with stopping copyright infringement, but what can one expect from shady associations like Recording Industry Association of America (RIAA), Motion Picture Association of America (MPAA), and Federation of the Phonographic Industry (IFPI).
Anyway, back to how to obtain an IP range from the above information. Note the line that starts with ip-network. The information following it is an IP range, but in Classless Inter-Domain Routing (CIDR, pronounced "cider") notation, which is as far as I know not supported by µTorrent. I used the online IP & Mask or CIDR calculator with Wildcard support to obtain the start IP address and end IP address of the range:
Address: 38.100.24.0 00100110.01100100.000110 00.00000000
Netmask: 255.255.252.0 = 22 11111111.11111111.111111 00.00000000
Wildcard: 0.0.3.255 00000000.00000000.000000 11.11111111
Network: 38.100.24.0 00100110.01100100.000110 00.00000000 (Class A)
Broadcast: 38.100.27.255 00100110.01100100.000110 11.11111111
HostMin: 38.100.24.1 00100110.01100100.000110 00.00000001
HostMax: 38.100.27.254 00100110.01100100.000110 11.11111110
Hosts/Net: 1022
While one can probably safely use HostMin - HostMax as the range, I decided to include the Network and Broadcast IP addresses as well, and used:
38.100.24.0-38.100.27.255
blocking a total of 1024 hosts (counting network and broadcast both as hosts).
The other two IP addresses, 208.10.23.15 and 208.10.29.240, are both in the range assigned to Sprint. Sadly, Sprint doesn't run an rwhois server, so I was not able to find out who is using those IP addresses and what range(s) have been assigned. I decided to block the /24 range for each address (i.e. entering 208.10.23.15/24 and 208.10.29.240/24), resulting in:
208.10.23.0-208.10.23.255
208.10.29.0-208.10.29.255
Each line blocks 256 hosts (counting network and broadcast both as hosts).
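The CIDR-to-range conversion done above with the online calculator can also be scripted. The following Python sketch is an added example, not part of the original post; the function names are hypothetical. It turns single IPs, start-end ranges and CIDR blocks (including entries with host bits set, such as 208.10.23.15/24) into ipfilter.dat lines, merges overlapping or adjacent ranges, and checks whether a given peer address would be covered.

```python
import ipaddress

def to_ranges(entries):
    """Normalise single IPs, 'a-b' ranges and CIDR blocks to merged (start, end) ints."""
    spans = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            lo, hi = (int(ipaddress.IPv4Address(p.strip()))
                      for p in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is after range end: {entry}")
        else:
            # strict=False accepts host bits: 208.10.23.15/24 -> 208.10.23.0/24.
            # A bare address is treated as a /32.
            net = ipaddress.IPv4Network(entry, strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        spans.append((lo, hi))
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or directly adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def ipfilter_lines(entries):
    """Render entries in the two line formats described in this post."""
    lines = []
    for lo, hi in to_ranges(entries):
        start, end = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        lines.append(str(start) if lo == hi else f"{start}-{end}")
    return lines

def is_blocked(ip, entries):
    """True if ip falls inside any of the listed ranges."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in to_ranges(entries))

# The three networks from this post, written as CIDR.
SAMPLE = ["38.100.24.0/22", "208.10.23.15/24", "208.10.29.240/24"]

if __name__ == "__main__":
    print("\n".join(ipfilter_lines(SAMPLE)))
```

Like the ranges used above, the output includes the network and broadcast addresses of each block.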