A few days ago I started receiving e-mails (22 in all) from my ISP, Speakeasy, warning of a possible violation of their Terms of Service policies. Included with their abuse template was an e-mail they had received from Video Protection Alliance. The gist of VPA's claim is that my IP address has participated in sharing copyrighted material using BitTorrent -- specifically, pornographic movies distributed by the companies with whom VPA has signed collection contracts. Within the body of VPA's rather threatening e-mail is a URL and password that would display the details of a settlement. I didn't even consider opening the link because a) I'm certain that their claim is bogus, b) I'm sure they consider viewing the settlement as an admission of guilt, and c) I don't want to trigger a follow-up event in their system.
However, before I could ignore the threat, I had to make certain that my network hadn't been subverted or compromised. I have two wireless access points on my network (one for 802.11b, one for 802.11n), both of which are secured with WPA2-PSK. It's possible the WiFi has been hacked, but not likely. I connected an Ethernet tap on the line between my firewall and my DSL modem. From a monitoring station listening to traffic on the public side of my network, I started a packet capture using Wireshark. I didn't see anything unusual (like, say, 3 Mbps of BitTorrent traffic). ;) I looked at the RRD graphs on the firewall to see if there had been any historic peaks that I couldn't explain. Finally, I installed Snort and BASE on my monitoring station to detect any funny business.
So that I could prove that BitTorrent activity would actually be logged if it came from my network, I fired up Transmission and downloaded a Fedora 11 Live CD. That caused copious data to scroll down the screen. I wasn't entirely convinced that a BitTorrent client couldn't be operating in a covert mode, so I decided to do a bit of reading on the BitTorrent protocol. My goal was to be able to read the bencoded data within a metainfo file (.torrent file) and spy on communication between a client and the tracker. I found a Java library called Snark that proved to be a good starting point. I read through their source code line-by-line to see how they parsed the metadata file. I also studied a blog post on the topic at Code Commit by Daniel Spiewak.
I wrote three little command-line Java applications: a .torrent file parser that just displays the metadata, a utility that connects to the announce URL and pulls down a list of peers, and a utility that connects to the "scrape" URL of the tracker to get stats on a particular info_hash. Using the information included in the e-mails sent by VPA, I scrounged the net for the source BitTorrent files. Remarkably, I found all 22 of them. I opened each of the .torrent files and dumped the metadata to the console. Then I ran a fake announce connection on each tracker to collect a list of all the peers. I was hoping I'd find something obvious, like VPA running their own bogus tracker. Instead, I found an amusing way to cause BitTorrent traffic to start pouring onto my network. Of course, their packets went nowhere, but it was interesting to see the cause and effect.
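For readers who want to see what those three tools actually do on the wire, here is a compact Python rendering of the same pieces (added here as an example; it is not the author's Java code and is not taken from Snark): a bencode decoder/encoder, the info_hash computation over the metainfo's "info" dictionary, construction of the announce request, derivation of the scrape URL by the usual convention of swapping "announce" for "scrape" in the last path component, and parsing of a tracker's compact peer list. The .torrent and tracker reply are constructed inline so the whole thing runs offline; the tracker hostname (tracker.example.invalid) and the peer addresses are placeholders. Note the caveat the post illustrates: a real announce publishes your own IP and port into the swarm, which is exactly why the author's fake announce drew inbound peer traffic, and exactly how a monitoring outfit harvests addresses to send letters about.

```python
import hashlib
import socket
import urllib.parse
from typing import Any, Optional, Tuple


def _decode_at(data: bytes, i: int) -> Tuple[Any, int]:
    """Decode one bencoded value starting at offset i; return (value, offset just past it)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<item>...e
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            item, i = _decode_at(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e, keys are byte strings
        i, result = i + 1, {}
        while data[i:i + 1] != b"e":
            key, i = _decode_at(data, i)
            if not isinstance(key, bytes):
                raise ValueError("bencode dict key must be a byte string")
            result[key], i = _decode_at(data, i)
        return result, i + 1
    if c.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        length, start = int(data[i:colon]), colon + 1
        if start + length > len(data):
            raise ValueError("bencode string runs past end of data")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode token at offset {i}")


def bdecode(data: bytes) -> Any:
    """Decode a complete bencoded document; reject trailing garbage rather than ignore it."""
    value, end = _decode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(value: Any) -> bytes:
    """Canonical bencode: dict keys sorted bytewise, which is what makes info_hash reproducible."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def info_hash(metainfo: dict) -> bytes:
    """SHA-1 over the bencoded 'info' dict: the 20-byte swarm identifier trackers key on.
    (Strictly, the hash is over the info bytes as they appear in the file; re-encoding
    gives the same result for a canonically encoded .torrent.)"""
    return hashlib.sha1(bencode(metainfo[b"info"])).digest()


def announce_url(metainfo: dict, peer_id: bytes, port: int = 6881) -> str:
    """Build the GET an HTTP tracker expects. The raw info_hash/peer_id bytes are percent-encoded."""
    params = {
        "info_hash": info_hash(metainfo),
        "peer_id": peer_id,                         # 20 bytes, client-chosen
        "port": port,                               # this is the address the swarm will connect to
        "uploaded": 0, "downloaded": 0,
        "left": metainfo[b"info"][b"length"],
        "compact": 1,                               # ask for the 6-byte-per-peer encoding
        "event": "started",
    }
    return metainfo[b"announce"].decode("ascii") + "?" + urllib.parse.urlencode(params)


def scrape_url(announce: str, ih: bytes) -> Optional[str]:
    """Derive the scrape URL; trackers whose announce path does not end in 'announce' have none."""
    parts = urllib.parse.urlsplit(announce)
    head, _, last = parts.path.rpartition("/")
    if not last.startswith("announce"):
        return None
    path = head + "/scrape" + last[len("announce"):]
    query = urllib.parse.urlencode({"info_hash": ih})
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, path, query, ""))


def parse_compact_peers(peers: bytes) -> list:
    """Compact peer list: repeated 4-byte IPv4 address + 2-byte big-endian port."""
    if len(peers) % 6:
        raise ValueError("compact peer list is not a multiple of 6 bytes")
    return [(socket.inet_ntoa(peers[i:i + 4]), int.from_bytes(peers[i + 4:i + 6], "big"))
            for i in range(0, len(peers), 6)]


# Constructed sample data (placeholders, not a real torrent or tracker).
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example.invalid:6969/announce",
    b"info": {b"name": b"example.iso", b"length": 65536,
              b"piece length": 32768, b"pieces": b"\x00" * 40},
})
SAMPLE_TRACKER_REPLY = bencode({
    b"interval": 1800,
    b"peers": bytes([10, 0, 0, 1, 0x1a, 0xe1, 192, 168, 1, 20, 0x1a, 0xe9]),
})

if __name__ == "__main__":
    meta = bdecode(SAMPLE_TORRENT)
    print("info_hash:", info_hash(meta).hex())
    print("announce :", announce_url(meta, b"-PY0001-" + b"0" * 12))
    print("scrape   :", scrape_url(meta[b"announce"].decode(), info_hash(meta)))
    print("peers    :", parse_compact_peers(bdecode(SAMPLE_TRACKER_REPLY)[b"peers"]))
```

Pointing announce_url at a live tracker would register the address you announce from as a seeder/leecher of that info_hash, so for passive research the scrape endpoint (which only returns seeder/leecher counts) is the one to hit.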
At this point, I have a set of tools for doing more research, if needed. I've added three Java files to Subversion, if you'd like to take a look: Decoder, TrackerPeerList, and TrackerScraper. I now have a more complete understanding of the BitTorrent protocol; however, I also learned that there are a whole mess of extensions and enhancements that add layers of complexity: peer exchange, distributed hash tables, and protocol encryption, just to mention a few. I have yet to hear from Speakeasy, although I would imagine they cannot legally be straightforward and say "Yes, we know it's a scam. Just ignore it." I'll update the blog as I get more information. Congratulations for reading this far. :)