Swell on the horizon - watching Scanners searching for Bittorrent clients

Earlier this month there was news (see reddit) about a bug in BitTorrent clients that could lead to DDoS attacks. We already run sensors that act like BitTorrent clients, so we expected to catch some of the scanner waves that usually follow such publications.

This is a very short analysis of all events we've seen on port 8333 (TCP/UDP) on sensors running BitTorrent clients; each connection request counts as one access/request, while subsequent communication is ignored. The timeframe is Aug 5 until Aug 31.

The average was around 30 access requests per day, rising in a first wave starting Aug 17 that led to an average of 200 requests/day, peaking on Aug 22 at nearly 500 requests/day. We've seen a total of 271 different IPs, with one IP accounting for half of the hits (4881, from China). Besides IPs that were caught by one or two sensors with many requests, we've also seen some scanners like Shodan, crawling their way through the intertubes, hitting each sensor just once or twice.

The most-scanning country is China with more than 6000 requests, followed by Thailand (233), USA (200), Korea (160) and India (109).
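The counting method and the two scanner behaviours described above can be reproduced over sensor logs with a short script. This is an added example, not the authors' tooling; the event tuple layout, the sample events and the three thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events, not the sensors' real data:
# (day, sensor, source IP, kind). IPs are RFC 5737 documentation addresses.
EVENTS = (
    [("08-17", "s1", "203.0.113.5", "connect")] * 3
    + [("08-22", "s1", "203.0.113.5", "connect")] * 4
    + [("08-22", "s1", "203.0.113.5", "data")] * 2  # follow-up traffic
    + [("08-22", s, "198.51.100.7", "connect") for s in ("s1", "s2", "s3", "s4")]
    + [("08-17", "s2", "192.0.2.9", "connect")]
)


def summarize(events, few_per_sensor=2, min_sensors=3, many_hits=5):
    """Aggregate connection requests; the thresholds are example assumptions."""
    # Only connection requests count; subsequent communication is ignored.
    hits = [(day, sensor, ip) for day, sensor, ip, kind in events
            if kind == "connect"]
    per_ip = Counter(ip for _, _, ip in hits)
    top_ip, top_hits = per_ip.most_common(1)[0] if per_ip else (None, 0)

    # Requests per sensor for every source, to separate scanner behaviours.
    per_sensor = defaultdict(Counter)
    for _, sensor, ip in hits:
        per_sensor[ip][sensor] += 1
    # Crawlers touch many sensors, each only once or twice.
    crawlers = sorted(ip for ip, c in per_sensor.items()
                      if len(c) >= min_sensors
                      and max(c.values()) <= few_per_sensor)
    # Focused sources hit one or two sensors with many requests.
    focused = sorted(ip for ip, c in per_sensor.items()
                     if len(c) <= 2 and sum(c.values()) >= many_hits)

    return {
        "total": len(hits),
        "unique_ips": len(per_ip),
        "top_ip": top_ip,
        "top_share": top_hits / len(hits) if hits else 0.0,
        "per_day": dict(Counter(day for day, _, _ in hits)),
        # Same series without the most aggressive IP ("cleaned by top-ip").
        "per_day_cleaned": dict(Counter(d for d, _, ip in hits if ip != top_ip)),
        "crawlers": crawlers,
        "focused": focused,
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

Comparing `per_day` with `per_day_cleaned` shows how much of a wave is a single source rather than a broad increase in scanning.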

Find below some pictures displaying the count of attacks, the top 10 IPs and countries and the geographical distribution, as well as a list of IPs that accessed our sensors on port 8333 during the last week.

[Figure: Scanner-wave, excluding the most aggressive IP]

[Figure: Scanner-wave, total, including all IPs]

[Figure: Geographical distribution]

[Figure: Top Ten IPs]

![top 10 countries](/bimages/swell-on-horizon/top-10-countries.png)
Top 10 Countries