Notes and Countermeasures for Recent anacrolix_torrent-style Unlimited Download Tools
Background
Because major ISPs have rolled out regional traffic settlement and similar policies nationwide, they are under pressure to crack down harder on PCDN users. The most common way they assess traffic is by calculating the upload/download ratio. To evade these assessments, some PT/PCDN users have started disguising themselves as normal BT downloaders on certain torrents. These downloads are effectively unlimited and upload nothing, and they often saturate the upload bandwidth of most seeders on the same torrent. This has a seriously negative impact on the overall network environment.
Reference article: A traffic consumer based on the BitTorrent network (基于Bittorrent网络的流量消耗器)
Some cloud storage providers (such as 123网盘) are using the same trick to bypass regulation or implement offline downloads. These providers also forge client versions or ID identifiers (e.g., GT0001/2/3...) to evade user blocking and blacklists. For example, 123网盘 disguises itself as anacrolix/torrent to pull traffic, mostly from servers located in Dalian, Liaoning. Heavy abuse reports from many BT users have caused headaches for the anacrolix/torrent developer, who initially suspected a new bug in his own program. With help from the community, the IPs were traced back to Xi’an Mingfu Cloud Computing Co., Ltd. (西安明赋云计算股份有限公司). 123网盘 is one of this company’s products, and Mingfu Cloud also provides edge cloud services in Liaoning.
Related Links
Software sharing thread on the Right (恩山) forum: A traffic consumer based on the BitTorrent network (基于 Bittorrent 网络的流量消耗器) / OP thank243
GitHub issue that was first mistaken for a bug: Client requests indefinitely on storage write errors #889
GitHub discussion: qBitTorrent users seeing infinite requests from peers in 1.180.24.0/23, 36.102.218.0/24, and 221.203.6.0/24 #891
The “traffic consumer” 123网盘 link: https://www.123pan.com/s/PipIjv-oREKv.html
Traffic consumer github repo (now deleted): thank243/trafficConsume
You can follow this document for practical steps: https://docs.qq.com/doc/DQnJBTGJjSFZBR2JW
Countermeasures
Countermeasure A1: Upgrade QBEE to 4.6.4.10 or later
QBEE 4.6.4.10 now supports automatic blocking of dt/torrent and Taipei-torrent, which already solves most cases. Note, however, that in the future, malicious tools may change or spoof their client name (Client-Name), rendering this rule ineffective (as of 2024‑04‑10 it has already been changed to hp/torrent, which breaks this strategy). QBEE releases: https://github.com/c0re100/qBittorrent-Enhanced-Edition/releases
If accessing GitHub is difficult, you can use tools like Xunlei to directly download the x64 version of 4.6.4.10: https://github.com/c0re100/qBittorrent-Enhanced-Edition/releases/download/release-4.6.4.10/qbittorrent_enhanced_4.6.4.10_x64_setup.exe
Note that some malicious addresses still use early anacrolix (such as 218.104.106.*, 221.203.3.*) and TrafficConsume. Because blocking the -GT003- ID would cause collateral damage to other normal clients, QBEE doesn’t include a rule for it, so these remain a gap in the defenses.
Countermeasure A2: Block the offending clients
You’ll need QBEE. Under C:\Users\%Username%\AppData\Local\qBittorrent, create a new text file named peer_blacklist.txt and add the following content:
-GT0003- github.com/anacrolix/torrent\s\(devel\)\s\(anacrolix/torrent\sunknown\)
-DT0001- .*
-HP0001- .*
According to the software author, you’d better not block -GT0003- directly, as this can easily hit normal clients by mistake.
In addition, some malicious IPs use other software to perform similar behavior, so stay alert and use the other countermeasures to fill in the gaps.
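The difference between the narrow -GT0003- rule and a blanket one can be checked offline. This is an added example, not QBEE code: it assumes each peer_blacklist.txt line is a peer-ID regex, a space, then a client-name regex, and that a peer is blocked only when both match; the sample peers are constructed.

```python
import re

# Rule lines as given on the page for peer_blacklist.txt.
PAGE_RULES = [
    r"-GT0003- github.com/anacrolix/torrent\s\(devel\)\s\(anacrolix/torrent\sunknown\)",
    r"-DT0001- .*",
    r"-HP0001- .*",
]

def compile_rules(lines):
    """Split each line at the first space: peer-ID regex, then client-name regex."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        peer_id_re, _, client_re = line.partition(" ")
        rules.append((re.compile(peer_id_re), re.compile(client_re or ".*")))
    return rules

def blocked(peer_id, client_name, rules):
    """Assumed semantics: block only when BOTH patterns match the peer."""
    return any(p.match(peer_id) and c.fullmatch(client_name) for p, c in rules)

# Constructed sample peers: (peer ID, client name reported in the handshake).
ABUSER = ("-GT0003-aaaaaaaaaaaa",
          "github.com/anacrolix/torrent (devel) (anacrolix/torrent unknown)")
RENAMED = ("-HP0001-bbbbbbbbbbbb", "hp/torrent")
BENIGN_GT = ("-GT0003-cccccccccccc", "ExampleApp 1.0")   # hypothetical app
QBIT = ("-qB4640-dddddddddddd", "qBittorrent/4.6.4")

if __name__ == "__main__":
    narrow = compile_rules(PAGE_RULES)
    broad = compile_rules([r"-GT0003- .*"])
    for name, peer in [("abuser", ABUSER), ("renamed", RENAMED),
                       ("benign GT0003", BENIGN_GT), ("qBittorrent", QBIT)]:
        print(f"{name:14} narrow={blocked(*peer, narrow)} "
              f"broad={blocked(*peer, broad)}")
```

The blanket -GT0003- rule blocks the constructed benign client as well, which is the collateral damage the software author warns about.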
Countermeasure B: Block the involved IP ranges
Write the following content into a text-format .dat file and then load it in your download client (QB). (Rules updated: 2024‑04‑12 21:00)
Among these, 59.83.212.* and 218.92.139.* are using the Taipei-Torrent dev tool.
For convenience, the IP block list above already includes these rules.
Since the author has updated QBEE to 4.6.4.10, which silently auto-blocks dt/torrent and Taipei-torrent requests, going forward there will be no active updates of new IP ranges related to these clients unless they change their names. You’re welcome to continue reporting malicious addresses to me (e.g., via Bilibili DMs or comments).
In addition, you can add the following IPs to your blacklist, and define corresponding rules by following the pattern above (these IPs are still under observation):
2409:8a1e:e23:85b0::8a8 # 2024-02-06 tool is Transmission, no progress reporting, download exceeds file size; currently no other malicious addresses found in this IP range
2409:8a1e:e20:2f00::8a8 # 2024-02-27 tool is Transmission, no progress reporting, download exceeds file size; currently no other malicious addresses found in this IP range
221.204.25.0-221.204.25.255 # 2024-03-22 tool is BitComet 2.04, restarts download from 0% after reaching over 90%
2002:ddcc:19cf::ddcc:0-2002:ddcc:19cf::ddcc:ffff # same as above
Some users have also encountered IPv4-mapped IPv6 addresses, which look like ::ffff:221.203.6.57. The author still needs to run more tests here, and suggestions are welcome.
At present, someone has discovered that rules like ::ffff:0:0-::ffff:ffff:ffff or ::ffff:0.0.0.0-::ffff:255.255.255.255, which seem to block only IPv4-mapped IPv6 addresses, actually end up blocking all IPv4 addresses. It’s better not to do this, or at least test thoroughly before deciding.
For example, for 221.203.6.57 above, you can add another rule: ::ffff:221.203.6.0-::ffff:221.203.6.255.
For convenience, the IP block list above already includes these rules.
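The companion ::ffff: rules described above can be generated and linted with a short script. This is an added example, not part of the original post or of any client: it assumes the start-end line format shown on this page and a filter that treats a.b.c.d and ::ffff:a.b.c.d as the same peer, which is one way the blanket rule would end up covering all IPv4; all sample values come from the page text.

```python
import ipaddress

V4_LO = 0xFFFF << 32            # ::ffff:0.0.0.0
V4_HI = V4_LO | 0xFFFFFFFF      # ::ffff:255.255.255.255

def _key(ip):
    """Put every address on one axis: IPv4 a.b.c.d becomes ::ffff:a.b.c.d."""
    return (V4_LO | int(ip)) if ip.version == 4 else int(ip)

def parse_rule(line):
    """Parse 'start-end  # comment' (or a single address) into (start, end)."""
    body = line.split("#", 1)[0].strip()
    first, _, last = body.partition("-")
    start = ipaddress.ip_address(first.strip())
    end = ipaddress.ip_address(last.strip()) if last.strip() else start
    if start.version != end.version or start > end:
        raise ValueError(f"bad range: {line!r}")
    return start, end

def mapped_rule(line):
    """Build the ::ffff: companion rule for an IPv4 range line."""
    start, end = parse_rule(line)
    if start.version != 4:
        raise ValueError("only IPv4 rules have an IPv4-mapped form")
    return f"::ffff:{start}-::ffff:{end}"

def covers_all_ipv4(line):
    """True if the rule spans every IPv4 address once both forms are unified."""
    lo, hi = (_key(ip) for ip in parse_rule(line))
    return lo <= V4_LO and hi >= V4_HI

def is_blocked(addr, rules):
    """Match a peer against the rules, treating plain and mapped IPv4 alike."""
    k = _key(ipaddress.ip_address(addr))
    return any(_key(s) <= k <= _key(e) for s, e in map(parse_rule, rules))

# Values below are taken from the page text, not new indicators.
RULES = ["221.203.6.0-221.203.6.255",
         "221.204.25.0-221.204.25.255  # BitComet 2.04"]

if __name__ == "__main__":
    for rule in RULES:
        print(mapped_rule(rule))
    print(is_blocked("::ffff:221.203.6.57", RULES))
    print(covers_all_ipv4("::ffff:0:0-::ffff:ffff:ffff"))
    print(covers_all_ipv4("::ffff:221.203.6.0-::ffff:221.203.6.255"))
```

Running covers_all_ipv4 over a rule file before loading it catches the blanket ::ffff: range, while the per-range companion rules pass.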
Countermeasure C: Limit upload speeds
Be aware this is only a stopgap measure. These clients are extremely aggressive at draining upload bandwidth: if they are connected, other torrents will barely get any upload speed, defeating the point of seeding.
Countermeasure D: Use helper tools for blocking
Here I use qBittorrent-ClientBlocker, running it locally alongside QBEE.
Tool link: https://github.com/Simple-Tracker/qBittorrent-ClientBlocker
Tool link: PeerBanHelper
Please refer to the project docs for full usage notes. A few extra points:
- This strategy can be used together with the other countermeasures.
- At each startup, it clears the existing blacklist of blocked addresses. If needed, remember to back it up, or bake them into the rules.
- Some antivirus engines such as Huorong and 360’s QVM engine may falsely flag it as malware. You’ll need to whitelist it. If in doubt, check VirusTotal. For example, the analysis for version 3.1: https://www.virustotal.com/gui/file/857e67cc52c06723bd05332d045733f7ea9e308d887e1c086bae841511cc6ec6