traffic towards port 6881

[droopy]

Hi,

With a disabled downloadstation and no other torrent application installed I still see a lot of external traffic coming in on port 6881. Anybody a clue what this could be?

[justinatomatic]

I had download station enabled but have never used it or loaded a torrent and I still get a tone of UDP traffic on port 6881 and outgoing traffic to machines all over the world.

"59","1.565954","192.168.0.2","112.156.19.192","UDP","Source port: 6881 Destination port: 63023"
"60","1.605960","46.0.46.160","192.168.0.2","UDP","Source port: 41307 Destination port: 6881"
"61","1.607234","192.168.0.2","187.39.199.113","UDP","Source port: 6881 Destination port: 52170"
"62","1.620024","82.1.235.66","192.168.0.2","UDP","Source port: 50277 Destination port: 6881"
"63","1.621208","192.168.0.2","83.28.160.236","UDP","Source port: 6881 Destination port: 51936"

I've since disabled downloadstation and increased my security settings. I'm still getting the same amount of incoming traffic. I'm also still getting outgoing traffic but now its at least getting ICMP errors.

"60","3.236236","192.168.0.2","46.249.0.124","ICMP","Destination unreachable (Port unreachable)"
"61","3.281731","82.17.163.201","192.168.0.2","UDP","Source port: 26796 Destination port: 6881"
"62","3.281811","192.168.0.2","82.17.163.201","ICMP","Destination unreachable (Port unreachable)"
"63","3.858085","178.156.72.128","192.168.0.2","UDP","Source port: 10026 Destination port: 6881"
"64","3.858089","192.168.0.2","178.156.72.128","ICMP","Destination unreachable (Port unreachable)"
"65","4.172768","89.122.156.56","192.168.0.2","UDP","Source port: 14401 Destination port: 6881"
"66","4.172772","192.168.0.2","89.122.156.56","ICMP","Destination unreachable (Port unreachable)"

Its seems that despite disabling downloadstation some process on the QNAP is still attempting to generate bittorrent trafic

[Hammond]

I just bought a netgear hub (GS105E) that has port mirroring so that I can see what traffic comes and goes from my QNAP NAS.
SHOCK AND HORROR...!!!!
It seems with NO torrents or any other form of download in the 'Download Station' the QNAP holds open tons of connections to the outside world.
(Every part of 'Download Station' been checked for a hidden file that may be listed or loaded or anything else - nothing)
Loads of traffic is coming and going. Mostly UDP port 6881 and a mix of other random port numbers.
At any one time it seems like there is at least 50 to 100 simultaneous connections happening to every country known to man.

WHAT IS GOING ON??

Example of a packet:

INBOUND:
0x0000 00 08 9B C3 FB 96 00 22-3F D3 10 AE 08 00 45 00 ..›Ãû–."?Ó.®..E.
0x0010 01 2F 1D 70 40 00 77 11-6F 56 46 1F 24 DD 0A 00 ./.p@.w.oVF.$Ý..
0x0020 00 FC B3 51 1A E1 01 1B-14 10 64 31 3A 72 64 32 .ü³Q.á....d1:rd2
0x0030 3A 69 64 32 30 3A 53 88-9C 14 F7 25 24 0C 4E DE :id20:Sˆœ.÷%$.NÞ
0x0040 E3 CF B7 A4 16 42 F8 BD-E4 7D 35 3A 6E 6F 64 65 ãÏ·¤.Bø½ä}5:node
0x0050 73 32 30 38 3A 53 06 B4-82 01 7C 18 50 F1 E1 8C s208:S.´‚.|.PñáŒ
0x0060 48 4B 4B 21 4A 40 BB 28-73 6D 79 DD 5B 5F F2 53 HKK!J@»(smyÝ[_òS
0x0070 15 5C 11 BF 02 48 75 5D-09 C5 83 E5 9D CF 59 D0 .\.¿.Hu].ŃåÏYÐ
0x0080 D9 62 0D 2E 81 11 DF 13-79 53 19 57 AA 69 E6 EB Ùb...ß.yS.Wªiæë
0x0090 5E 64 7D 45 37 5D EA DC-EC 16 F8 D6 DC 51 6D 45 ^d}E7]êÜì.øÖÜQmE
0x00A0 6A FB C7 53 37 3D 85 53-E8 59 E8 43 0C 57 EF 6E jûÇS7=…SèYèC.Wïn
0x00B0 0E 0A EE 64 8F 9B 3F 3A-BE 2D B6 33 1B 53 4A 93 ..îd›?:¾-¶3.SJ“
0x00C0 9D 7B E2 D9 DA D9 C8 66-BB E1 F3 61 9A 13 2F 72 {âÙÚÙÈf»áóaš./r
0x00D0 51 18 D3 7E 48 5C 7D 53-64 F5 62 6E 43 0B 4F 5A Q.Ó~H\}SdõbnC.OZ
0x00E0 9E D6 95 D3 97 06 F6 20-A3 4A 33 72 2D 3F 3B 48 žÖ•Ó—.ö £J3r-?;H
0x00F0 1A 53 72 01 85 95 FF 9E-1C C6 C9 6D 6C D9 C6 15 .Sr.…•ÿž.ÆÉmlÙÆ.
0x0100 D3 C4 E3 63 3C 3D 5C 2E-48 26 91 53 7F 58 D2 4D ÓÄãc<=\.H&‘SXÒM
0x0110 33 EE 34 CF A2 41 DC 80-E4 BC 87 F0 BE A6 7D 5F 3î4Ï¢A܀伇ð¾¦}_
0x0120 84 A1 D5 52 5B 65 31 3A-74 32 3A 02 D0 31 3A 76 „¡ÕR[e1:t2:.Ð1:v
0x0130 34 3A 55 54 54 52 31 3A-79 31 3A 72 65 4:UTTR1:y1:re

OUTBOUND:
0x0000 00 22 3F D3 10 AE 00 08-9B C3 FB 96 08 00 45 00 ."?Ó.®..›Ãû–..E.
0x0010 00 81 00 00 40 00 40 11-C4 7B 0A 00 00 FC B4 5E ...@.@.Ä{...ü´^
0x0020 B6 96 1A E1 AF 6A 00 6D-C8 71 64 31 3A 61 64 32 ¶–.á¯j.mÈqd1:ad2
0x0030 3A 69 64 32 30 3A 6E 58-3C 82 95 A9 32 EA A9 BE :id20:nX<‚•©2ꩾ
0x0040 BB 0A 1B DD 6B EF AB E9-32 5C 36 3A 74 61 72 67 »..Ýkï«é2\6:targ
0x0050 65 74 32 30 3A BF 0B B3-32 E0 94 01 35 57 A1 EE et20:¿.³2à”.5W¡î
0x0060 56 F5 70 F4 F1 9B 1C 47-88 65 31 3A 71 39 3A 66 Võpôñ›.Gˆe1:q9:f
0x0070 69 6E 64 5F 6E 6F 64 65-31 3A 74 32 3A 02 8D 31 ind_node1:t2:.1
0x0080 3A 76 34 3A 4C 54 00 0E-31 3A 79 31 3A 71 65 :v4:LT..1:y1:qe

[andbir]

This is probably "the internet" happening to you. i.e. some hackers, some hijacked machines and some various media industry and attorney companies and computer firms helping either the media industry or its' attorneys find whoever is file-sharing or torrenting.

After all, anybody on the internet can send anything to anybody, as long as you have your ports open in your firewall i am sure someone will try to send something to you at some point in time, just to see what happens... After all you are connected to "everybody" so chances are that "somebody" will eventually knock on your door to see what happens.

[justinatomatic]

I turned off Downloadstation and set the security setting to high and including only my local IP range. While initialy the traffic was still there it died off after a few hours. Came home from work and the constant traffic is gone. Have't actually had chance to check with Wireshark but it looks like its fixed.

[schumaku]

All,

Nothing scary: The BitTorrent DHT (Distributed Hash Table) is by default on 6881/UDP. It allows the tracker-less operation of the BitTorrent network...

FMI: Google bittorrent dht trackerless

-Kurt.

[Hammond]

Well it is scary when you see a ton of connections to your file server and wonder what is going on!
Assuming Kurt is right and it is just DHT that runs even when no torrents are in progress this is something they should have a warning or on/off switch for.
I can totally understand while the server is busy downloading a torrent but when its idle I don't want it to be a fat node using all of my modems connection threads.
For the record my firewall has no port forwarding on for any those ports and UPNP is off too. Yet it still holds those connections open.. thats also not cool.
When 'download station' is off completely all connections are broken within a few minutes which proves it is only 'download station' and nothing else.

[schumaku]

Well it is scary when you see a ton of connections to your file server and wonder what is going on!

The majority of BitTorrent users has no clue what's going on behind - no matter if it's on a Mac, a Windows, a Linux system - or a NAS.

Assuming Kurt is right and it is just DHT that runs even when no torrents are in progress this is something they should have a warning or on/off switch for.

Well, first you should be aware that DHT is key to come away from the tracker based torrent files. In the not so far future, you will only see Magnet Links - directly searchable in the DHT - and no more torrent files. to bad,, QNAP has not opened the option to make use of Magnet Links in the new Download Station yet.

I can totally understand while the server is busy downloading a torrent but when its idle I don't want it to be a fat node using all of my modems connection threads.

Well, that's the future already here today. Are you making use of Skype - and have ever checked the connections?!?

For the record my firewall has no port forwarding on for any those ports and UPNP is off too. Yet it still holds those connections open.. thats also not cool.

We can't balme QNAP for that! Forget the crappy consumer router and wanabe-firewall boxes - real firewalls don't allow this kind of traffic.

When 'download station' is off completely all connections are broken within a few minutes which proves it is only 'download station' and nothing else.

If that's an attempt to explain that the data you spotted really DHT traffic ... so I was not that wrong.

Now, congratulation for your discovery: I bet that only one of 1'000 users here in the forum (on the global BT userbase much less!) do recognize what is going on under the hood of BItTorrent - 1 Mio. users will be happy that it works, and a hand ful is wondering...

However - it's time to bash your own ears. Of course, there is a control for the DHT functionality:

bt_connection.PNG

Enjoy,
-Kurt.

[Dr Strangelove]

Now, congratulation for your discovery: I bet that only one of 1'000 users here in the forum (on the global BT userbase much less!) do recognize what is going on under the hood of BItTorrent - 1 Mio. users will be happy that it works, and a hand ful is wondering...

-Kurt.

Model: TS-112
Current firmware version: 3.8.3 Build 20130426

1001 now

Took a bit of sleuthing.

Blocked Protocol and Port access to some VPN IP addresses on a modem and then started seeing Port 6881 ... China, Russian, Ukraine...Oh crap!!!

Just happy there was a reason. Disabled now.

Thanks Kurt.

[microsaft]

This happened to me aswell as soon as (or a bit later) when i enabled qnap download station. I also do not have the port forwarding enabled for 6881 but still the connections open thru the firewall and end up reaching the nas endpoint.
I do not like this behaviour and disabled download station again for this reason. if i need it i will enable it just for the moment and disable again.

[schumaku]

I also do not have the port forwarding enabled for 6881 but still the connections open thru the firewall and end up reaching the nas endpoint.

Without the port forwarding configured manually, and without the "Enabled UPnP Port Mapping", ...
- new incoming DHT connections can't be established (DHT can be disabled if you don't want understand the advantages for the BT community)
- then, to run BitTorrent, the other port range must be forwarded (as configured), otherwise downloads will be massively slowed down.

Nothing wrong with both kind of access attempts.

[pwilson]

This happened to me aswell as soon as (or a bit later) when i enabled qnap download station. I also do not have the port forwarding enabled for 6881 but still the connections open thru the firewall and end up reaching the nas endpoint.
I do not like this behaviour and disabled download station again for this reason. if i need it i will enable it just for the moment and disable again.

Disable UPnP-IGD at your Router to prevent software on devices inside your network from being able to setup "random port forwarding" without your consent or knowledge. Maintaining "manual port-forwarding" at your Router is a PITA, but it will at least this keeps "you" in control of Port-Forwarding. Malware programmers love UPnP-IGD-enabled Routers as it allows them to do whatever they want with your Router.

For some interesting reading, please review the following documents:

• Wikipedia article: Universal Plug and Play
• Gibson Research Corporation (Steve Gibson) articles:
  • Unplug n' Pray
  • Shields Up! - Port Authority Database - Port 1900
  • Universal Plug n'Play (UPnP) Internet Exposure Test
• How to Geek article: HTG Explains: Is UPnP a Security Risk? Published 08/24/12

You can have "convenience" (UPnP-IGD enabled), or you can have "security" (UPnP-IGD disabled). You can not have both. Personally, my UPnP-IGD is disabled at my Router, so I endure the pain of manual Port-Forwarding.

[Don]

Not a NAS issue. If you have port forwarding turned off and you still see unsolicited traffic then your router is broken.

[schumaku]

I also do not have the port forwarding enabled for 6881 but still the connections open thru the firewall and end up reaching the nas endpoint.???

When you scroll some posts back - on the 15 April 2011 post I've placed a screenshot showing the controls in Download Station showing the options to enable/disable the UPnP IGD control.

[jsarcone]

I'm seeing the same thing and I'm going back and for with Qnap Support. Disabling Download Station didn't work. I had to disable the entire service from the application Center and UPnP from Discovery service. This seems to stop the flooded of request. When I changed my DNS from Google/OpenDSN to my ISP for troubleshooting I was flooded again with Spam. Once I change my DNS and turned off these service it has subsided but not completely stopped.
I really think that there is something going on here.