
655 points k-ian | 1 comments
ck45 No.44302950
My first thought is, how many BitTorrent clients have vulnerable parsing code? Could a malicious actor register the domain and infect clients?
replies(3): >>44303420 #>>44303976 #>>44309675 #
1. CactusRocket No.44309675
I don't really think so. The tracker is just a tiny part of the whole BitTorrent setup, and it's only really used by clients to get a list of peers. It's basically just an HTTP call to the tracker, returning a response. The only thing that I can quickly think of is returning some malformed bencode which could cause memory exhaustion in a client written by a novice.

The peer protocol (and variants, like uTP) are much more interesting to attack, and you don't need to host a tracker for that, you can just get peer IPs from trackers or DHT, connect, and do your magic.
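
Added example, not part of the comment above or any client's code: a Python bencode decoder for tracker responses that enforces the limits a naive parser tends to omit (input size, nesting depth, item count, declared string length). The limit values, function names and the sample response are assumptions made for illustration.

```python
# Added example: bencode decoder with explicit limits (values are assumptions).
MAX_INPUT, MAX_DEPTH, MAX_ITEMS = 1 << 20, 16, 10_000
# Constructed sample tracker response (192.0.2.10 is a documentation address).
SAMPLE = b"d8:intervali1800e5:peersld2:ip10:192.0.2.104:porti6881eeee"

class BencodeError(ValueError): pass

def decode(data: bytes):
    if len(data) > MAX_INPUT:
        raise BencodeError("response too large")
    value, end = _parse(data, 0, 0, [MAX_ITEMS])
    if end != len(data):
        raise BencodeError("trailing data")
    return value

def _digits(data, i, stop):
    j = data.find(stop, i)
    if j < 0 or not 0 < j - i <= 20:  # cap digit count before converting
        raise BencodeError("bad number")
    text = data[i:j]
    body = text[1:] if text[:1] == b"-" else text
    if not body.isdigit() or (len(body) > 1 and body[:1] == b"0"):
        raise BencodeError("bad number")
    return int(text), j + 1

def _parse(data, i, depth, budget):
    budget[0] -= 1  # shared budget bounds total decoded values
    if budget[0] < 0 or depth > MAX_DEPTH:
        raise BencodeError("item or nesting limit exceeded")
    c = data[i:i + 1]
    if c == b"i":
        return _digits(data, i + 1, b"e")
    if c.isdigit():
        n, i = _digits(data, i, b":")
        if n > len(data) - i:  # declared length must fit the bytes present
            raise BencodeError("string length exceeds input")
        return data[i:i + n], i + n
    if c not in (b"l", b"d"):
        raise BencodeError("unexpected byte")
    items, i = [], i + 1
    while data[i:i + 1] != b"e":
        if i >= len(data):
            raise BencodeError("unterminated container")
        item, i = _parse(data, i, depth + 1, budget)
        items.append(item)
    if c == b"l":
        return items, i + 1
    if len(items) % 2 or not all(isinstance(k, bytes) for k in items[::2]):
        raise BencodeError("bad dict")
    return dict(zip(items[::2], items[1::2])), i + 1
```
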