Why is my Torrent client calling University of Iowa?

The Lurker

I recently set up Sophos UTM on a spare machine and have been learning some fascinating things about network security.

Most recently, going through the dashboards I have discovered that uTorrent running on my server is sending out huge amounts of traffic to the University of Iowa. I tried to figure out why, but I have no idea how to narrow down what specifically in the client is trying to communicate with this IP. I tried using Wireshark to obtain more info, but that only tells me that the protocol is a GSVP.

This is the log entry from Sophos:
2016:10:09-20:45:06 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="128.255.150.200" proto="17" srcport="38599" dstport="57279"

One more producing tons of traffic:
2016:10:09-21:32:00 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="209.222.15.232" srcport="38599" dstport="51413"

What could this be?
 
Are your webcams all taped up?? He he

Ha Ha!

I thought the same thing, but I have no cams attached to this machine. It's definitely coming from the uTorrent client. If I stop all traffic, that exception disappears. I just have no clue why it tries to communicate with those addresses. My only guess right now is that it's sending some data back to the tracker and it happens to be at those addresses. I emailed the tracker with the info; maybe they will clear it up for me.


I can whitelist that IP, but I just want to know what it's sending and why so much of it.
 
I suggest that 'maybe' they use that protocol and IP address to mask what it may really be doing. I am no protocol programmer, but I could see something like that being a good way to keep ISPs off your data stream somehow.

Smarter than me person chime in anytime!!!
 
Maybe someone is simply using a non-standard port for torrenting, and your client is peer-to-peering with that someone at the time.
 
It seems to have been something in the intrusion prevention system incorrectly classifying these packets. I went through the module and as per the instruction disabled services that do not exist on the network. After doing that, this big producer of packet drops stopped. It stopped even though I did not disable UDP/TCP flood protection on source and destination packets.

I wish the log was more specific in identifying the cause of the drop, instead of just identifying the system responsible. I mean it says the "Fwrule" but what is that?
 
fwrule is simply the id of the firewall rules entry that triggered the warning, or in this case, 'info'.
eth0 is your first network interface, fwrule IDs above 60k are reserved for the product's own built-in rules.
Both cases you listed show a single LAN client doing this - can you remove him? :)
 
Where can I find the fwrule inside the interface? I'd like to know which rule specifically is causing it.

That LAN client that is doing this is my server.
 
I'm sorry but I just don't know that much about this one. I only have Forti stuff.

I was under the impression that it is almost expected for a UTM to panic about gaming UDP traffic or torrenting UDP traffic.

According to this: Packetfilter logfiles on the Sophos UTM - Sophos Community
60013 is UDP flooding. Iptables has a buckets (grin) parameter - how many bursts to how many new hosts in a given amount of time. It looks like you're simply hitting a preset, hence the 'info' severity.

EDIT: all in all this looks like a problem with utorrent more.
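Since the thread never gets past reading the ulogd entries by eye, here is a small parser for that key="value" line format that a UTM admin could run over an exported log to answer the two questions raised above: which LAN host is triggering the events, and whether the triggering fwrule is one of the product's built-in IDs (above 60000, as the reply above states). This is an added example, not code from the thread or from Sophos; the sample lines are constructed to match the shape of the two entries posted, with timestamps, the extra repeated event, and the unrelated packetfilter drop invented for illustration. The reading of fwrule 60013 as the UDP flood rule is taken from the thread, not verified here.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the two ulogd entries in the thread.
# Lines 2 and 4 are invented: a repeat of the first event and an unrelated
# packetfilter drop, so the filter below has something to exclude.
SAMPLE_LOG = """\
2016:10:09-20:45:06 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="128.255.150.200" proto="17" srcport="38599" dstport="57279"
2016:10:09-20:45:09 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="128.255.150.200" proto="17" srcport="38599" dstport="57279"
2016:10:09-21:32:00 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="209.222.15.232" proto="17" srcport="38599" dstport="51413"
2016:10:09-21:40:12 sophos ulogd[6840]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="203.0.113.9" dstip="172.16.0.6" proto="6" srcport="4444" dstport="22"
"""

# Syslog-style prefix: timestamp, host, "ulogd[pid]: "
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ulogd\[(?P<pid>\d+)\]: ')
# Remaining fields are key="value" pairs separated by spaces
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption taken from the thread: IDs above 60000 are the UTM's own rules,
# and 60013 is the one that fires on UDP flooding.
BUILTIN_RULE_MIN = 60000
UDP_FLOOD_RULE = "60013"


def parse_line(line):
    """Turn one ulogd line into a dict; return None for lines that do not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def parse_log(text):
    """Parse every recognisable line of an exported log."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_builtin_rule(rec):
    """True when the fwrule that fired is a product-internal rule (ID > 60000)."""
    return int(rec.get("fwrule", "0")) > BUILTIN_RULE_MIN


def udp_flood_events(records):
    """Keep only IPS 'UDP flood detected' events (the ones the OP asked about)."""
    return [r for r in records
            if r.get("sub") == "ips" and r.get("fwrule") == UDP_FLOOD_RULE]


def flows_by_count(records):
    """Count flood events per (srcip, dstip, dstport) so the noisiest peer stands out."""
    return Counter((r["srcip"], r["dstip"], r["dstport"]) for r in udp_flood_events(records))


def lan_sources(records):
    """Which internal hosts are triggering the flood rule, with event counts."""
    return Counter(r["srcip"] for r in udp_flood_events(records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sources:", dict(lan_sources(recs)))
    for (src, dst, port), n in flows_by_count(recs).most_common():
        print(f"{src} -> {dst}:{port}  events={n}")
```

Run against a real export, the `lan_sources` output confirms (or refutes) the "single LAN client" observation, and `flows_by_count` shows whether the traffic is one persistent peer or a spread of short-lived ones, which is the difference between a misclassified torrent swarm and something worth whitelisting deliberately. Note that the source port is the same in every entry, which is consistent with one long-running client socket rather than many separate programs.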
 
I wonder how I can figure out what to adjust the parameters to so it doesn't flag it.
 