How to detect if your IP addresses are being used in DHT Networks?

Peer-to-peer networks are still being used in many parts of the World to download music, software, or movies. In its heyday peer 2 peer traffic was driving a considerable chunk of internet traffic. A 2018 estimate shows it to be lagging behind Netflix and YouTube at about 4% of global internet traffic. It is most widely used in the APAC region with 7% of the internet traffic.¹

How does P2P Networks Work?

By nature, P2P networks are distributed where a network of peers can share files between them for faster downloads. It is also less susceptible to single point of failures since many nodes in the network share the same file. Most famous of P2P applications is BitTorrent. As the name implies, files are located and shared via the help of torrent files. In the past there were tracker servers to route peers to where the information exists but this was later replaced by a Distributed Hash Table (DHT) model where file information is stored as SHA-1 info-hash for routing purposes. Basically, various aspects of the torrent file are hashed and paired with a token to locate and download it from a number of closest nodes in the network.

Source: Wikimedia Commons.

The Risks of Being Involved in DHT Networks

P2P networks are most widely used for file sharing and gaming purposes. If a peer or node participating in such networks exists in your company environment, they may be downloading content that is in violation of DMCA laws or that infects your systems with malware. These networks do not have security controls for preventing distribution of malicious files. Therefore, detecting if your IP address are involved in these networks are important.

How can you detect if your IPs are part of DHT networks?

There are some open-source methods to detect if your IP address is part of a DHT network.

iknowwhatyoudownload.com provides a snapshot of what recently was being downloaded to a given IP address. Below an example of this can be seen for a North American IP address.

They basically listen in on DHT networks by putting files as baits and analyze the collected data. This website claims to “have 6,957,459 torrents which were classified and which are using now for collecting peer sharing facts (up to 200.000.000 daily).” ²

Similarly, binaryedge.io can be utilized to see if your IP address is appearing in torrent networks. They also monitor torrent networks and obtain data about nodes and peers serving and downloading torrent files. They also collect information about the torrent such as its name and info hash.

Source: Binaryedge.io

SOCRadar’s external attack surface module, AttackMapper, enumerates your organizations IP addresses to monitor them against these open sources and will alert you if your digital assets are being potentially abused by in DHT networks.