
Can Transmission be seen acting like a botnet drone?

Posted: Fri Nov 26, 2010 6:17 pm
by rmicroys
I'm coming from a Linux background and looking to use Transmission on my Mac Mini.

Recently I installed Transmission on my Mac Mini, got it all working and started with 4-5 torrents going. Shortly after that I got an email from my provider (Rogers) that I had an IRC botnet/virus drone acting on my network. I have isolated it to either my Mac Mini or my Linux box (NAS, now off the network, waiting for a new NAS to arrive), but have not been able to find the exact source of the issue. This happened within a week of installing Transmission on my Mini. I've had Wireshark running on all my boxes and found nothing really unusual once I turned off all the extra programs that would make any significant traffic.

I'm trying to locate the problem computer on my network; I've scanned my computers one by one and never found anything. I ended up just paving over my Mac Mini and have now rebuilt it. I just put Transmission back on it. I simply installed Transmission; I don't even have a single torrent loaded into the program, and it can be seen just chatting away in my outbound router logs. I'm wondering if there is anything inside Transmission that, without even a torrent loaded into it, makes it go off and talk to other clients on the 'net. I'm worried that if I turn this back on, Rogers will be sending me nastygrams again. I just want to make sure that Transmission doesn't do anything that could be seen as acting as a botnet drone in any way. I'm surprised Transmission is relatively chatty even with no torrents loaded into it.

I was using TorrentFlux on my Linux NAS for the longest time without any issue from Rogers. Their security team is pretty useless when it comes to getting help, etc., and won't tell me what kind of packets they see on the 'net.

Re: Can Transmission be seen acting like a botnet drone?

Posted: Fri Nov 26, 2010 7:03 pm
by lazybones
Depends on how the ISP is doing detection. IRC normally runs on port 6667; if you happen to be running Transmission on 6667, the ISP might think it is IRC traffic.

Re: Can Transmission be seen acting like a botnet drone?

Posted: Fri Nov 26, 2010 7:08 pm
by Jordan
It would be the first I've heard of it, and I don't know what your ISP is using to judge botnet behavior, but just to take a wild guess, I'll say "no."

I guess it's possible that DHT or large peer connections might trigger off something, but those are behaviors shared by all torrent clients, and wouldn't be specific to Transmission.

Re: Can Transmission be seen acting like a botnet drone?

Posted: Fri Nov 26, 2010 7:27 pm
by rmicroys
I get a crappy message from them like this:

Dear Mr ...

Rogers is concerned about your personal security. We're writing you today to advise you that one or more of the computers in your home connected to the Rogers Internet service appears to be infected with an "IRC Bot/Virus"

A computer infected with an "IRC Bot/Virus" poses a security threat for both you and other customers ...

<snip>

IP 99.241.173.56 seen acting as an Botnet Drone 2010-11-20 10:54:10.
data:
Timestamp = 2010-11-20 10:54:10
IP = 99.241.173.56
ASN = 812
HOSTNAME =
CNC ASN =
CNC Port = 49400
Vir Guess = honeypot


I have no idea if 49400 is the target or source port in that message, and the 'call centre' people at Rogers cannot provide any information beyond this stupid message. I'm not 100% sure that this message is coming from my Mini running Transmission, but it's odd that they contacted me within a week of my turning it on.

My only other question is: why is Transmission so chatty on the IP link without even having a torrent loaded into it?

Re: Can Transmission be seen acting like a botnet drone?

Posted: Fri Nov 26, 2010 7:38 pm
by rmicroys
This is what I see in my router's outgoing log as soon as Transmission is running, yet I have no torrents at all in it. Sure, I was running some torrents about a week ago, but on a newly paved box without the torrents running I shouldn't be announcing myself, so why this traffic? This is the outgoing log on my router; at the same time I get nothing at all on the inbound side. So why does Transmission reach out, even if I have nothing?

src           dest             port
192.168.1.10  69.63.33.62      49530
192.168.1.10  183.178.118.55   23776
192.168.1.10  173.161.44.49    15971
192.168.1.10  173.27.251.87    47341
192.168.1.10  178.217.31.134   12430
192.168.1.10  173.161.44.49    15971
192.168.1.10  173.27.251.87    47341
192.168.1.10  71.201.79.228    64072
192.168.1.10  85.232.156.36    57186
192.168.1.10  71.198.47.166    53513
192.168.1.10  221.151.230.144  31045
192.168.1.10  77.39.47.63      6881
192.168.1.10  173.27.251.87    47341
192.168.1.10  82.41.140.221    59400
192.168.1.10  173.27.251.87    47341
192.168.1.10  91.132.158.188   23358
192.168.1.10  77.39.47.63      6881
192.168.1.10  217.77.60.189    58847

Re: Can Transmission be seen acting like a botnet drone?

Posted: Fri Nov 26, 2010 8:29 pm
by rmicroys
Charles wrote:I guess it's possible that DHT or large peer connections might trigger off something, but those are behaviors shared by all torrent clients, and wouldn't be specific to Transmission.
If this is DHT, that's really interesting. I find it interesting, then, that the client with no torrents is contributing to the DHT in the network. I'm not really a fan of that, because I would like to contribute to the network for the torrents that I seed, but involving every running Transmission client in the DHT? Is that normal practice with other BT clients? I will let my Transmission client run with no torrents and see if that catches the eye of Rogers. If it does, I either have to argue with them that this is normal (ha! if they don't like my traffic profile, that'll be hard to do), or desist in the use of Transmission.

Re: Can Transmission be seen acting like a botnet drone?

Posted: Fri Nov 26, 2010 9:38 pm
by Jordan
We've stacked a couple of "if"s on top of each other here, but just to follow the logic through: if it is DHT, then all you have to do is disable DHT.

DHT is a distributed peer network to pass search messages around, kind of like gnutella does. So if DHT is enabled then you are participating in that network by acting as a node in it, whether you're running any torrents or not. And yes, that's what other BitTorrent apps do too. Does that make sense?
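The two checks raised in this thread (lazybones's point that traffic on port 6667 looks like IRC to a port-based detector, and the DHT explanation above, where a node with no torrents still talks to many peers) can be run against the kind of outbound log rmicroys posted. The script below is an added example written for this page; it is not Transmission's code and not anything Rogers has described. It parses a log in that three-column shape and labels it "irc-like" when a handful of hosts are hit repeatedly on well-known IRC ports, or "dht-like" when many distinct peers are each contacted on their own high port. The thresholds (3 hosts, 8 peers, 80% high ports) are assumptions chosen to separate the two constructed samples; the BitTorrent sample reuses the flows from the router log above, and the IRC-bot sample uses documentation address ranges. One caveat the log cannot settle: the BitTorrent DHT runs over UDP, and a router log that shows only destination IP and port does not say which protocol was used, so a Wireshark capture filtered to UDP towards those ports is the next check.

```python
"""Added example (not Transmission's code): sort outbound router-log flows into
IRC-bot-like vs DHT/BitTorrent-like shapes. Thresholds are assumptions."""
from collections import Counter

# Constructed sample in the three-column layout of the router log in the thread
# (same flows as posted there).
SAMPLE_BT_LOG = """\
src dest port
192.168.1.10 69.63.33.62 49530
192.168.1.10 183.178.118.55 23776
192.168.1.10 173.161.44.49 15971
192.168.1.10 173.27.251.87 47341
192.168.1.10 178.217.31.134 12430
192.168.1.10 173.161.44.49 15971
192.168.1.10 173.27.251.87 47341
192.168.1.10 71.201.79.228 64072
192.168.1.10 85.232.156.36 57186
192.168.1.10 71.198.47.166 53513
192.168.1.10 221.151.230.144 31045
192.168.1.10 77.39.47.63 6881
192.168.1.10 173.27.251.87 47341
192.168.1.10 82.41.140.221 59400
192.168.1.10 173.27.251.87 47341
192.168.1.10 91.132.158.188 23358
192.168.1.10 77.39.47.63 6881
192.168.1.10 217.77.60.189 58847
"""

# Constructed IRC-bot sample: one C2 host beaconed repeatedly on 6667.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_IRC_LOG = """\
src dest port
192.168.1.10 198.51.100.7 6667
192.168.1.10 198.51.100.7 6667
192.168.1.10 198.51.100.7 6667
192.168.1.10 198.51.100.7 6667
192.168.1.10 203.0.113.9 80
"""

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # common IRC ports, 6667 default
BT_DEFAULT_PORTS = set(range(6881, 6890))          # classic BitTorrent peer-port range

# Assumed thresholds for the two verdicts.
MAX_IRC_HOSTS = 3          # a bot talks to a handful of C2 hosts
MIN_DHT_PEERS = 8          # a DHT node fans out to many peers
MIN_HIGH_PORT_SHARE = 0.8  # almost all of them on unprivileged (>=1024) ports


def parse_log(text):
    """Return a list of (src, dst, port) tuples, skipping the header and junk."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # header line or something that is not a flow
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows


def flows_to_port(flows, port):
    """All flows whose destination port matches, e.g. the ISP's 'CNC Port'."""
    return [f for f in flows if f[2] == port]


def classify(flows):
    """Summarise a flow list and give a coarse verdict."""
    dest_counts = Counter(dst for _, dst, _ in flows)
    endpoints = {(dst, port) for _, dst, port in flows}
    irc_hits = [f for f in flows if f[2] in IRC_PORTS]
    bt_hits = [f for f in flows if f[2] in BT_DEFAULT_PORTS]
    high = sum(1 for _, port in endpoints if port >= 1024)
    high_share = high / len(endpoints) if endpoints else 0.0

    if irc_hits and len(dest_counts) <= MAX_IRC_HOSTS:
        verdict = "irc-like"   # few hosts, well-known IRC port, hit repeatedly
    elif len(dest_counts) >= MIN_DHT_PEERS and high_share >= MIN_HIGH_PORT_SHARE:
        verdict = "dht-like"   # many peers, each on its own high port
    else:
        verdict = "inconclusive"

    return {
        "flows": len(flows),
        "distinct_dests": len(dest_counts),
        "repeat_dests": {d: n for d, n in dest_counts.items() if n > 1},
        "irc_port_hits": irc_hits,
        "bt_default_port_hits": bt_hits,
        "high_port_share": round(high_share, 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, text in (("router log", SAMPLE_BT_LOG), ("irc bot", SAMPLE_IRC_LOG)):
        r = classify(parse_log(text))
        print(f"{name}: {r['verdict']} ({r['distinct_dests']} peers, "
              f"{r['flows']} flows, {len(r['irc_port_hits'])} IRC-port hits)")
    print("flows to 49400:", flows_to_port(parse_log(SAMPLE_BT_LOG), 49400))
```

flows_to_port is there to check the ISP notice's "CNC Port = 49400" against the log; on the posted flows it returns nothing (the nearest value is 59400 to a different host), which leaves open rmicroys's question of whether 49400 was a source or destination port. The 6881 hits are worth noting separately: that port is the classic BitTorrent peer port, and a port-matching detector that flags 6667 as IRC could just as easily have a rule for it.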

Re: Can Transmission be seen acting like a botnet drone?

Posted: Sat Nov 27, 2010 2:39 pm
by rmicroys
Charles wrote:We've stacked a couple of "if"s on top of each other here, but just to follow the logic through: if it is DHT, then all you have to do is disable DHT.

DHT is a distributed peer network to pass search messages around, kind of like gnutella does. So if DHT is enabled then you are participating in that network by acting as a node in it, whether you're running any torrents or not. And yes, that's what other BitTorrent apps do too. Does that make sense?
That makes sense, then. I turned off DHT for public torrents and the chattiness stops. Most of the torrents I use are private anyway. So I wonder if that's what Rogers doesn't like, but why it would stick to a honeypot detection node is interesting.

Thanks.