Projects‎ > ‎


Interesting clients found in the BitTorrent DHT

The specification for identifying mainline clients is the "v" key in the root dictionary of every message.

 Name Prefix Examples/Notes
 uTorrentUT UTz\xAD  
 libTorrent, RasterbarLT LT\x01\x09 
 libTorrent (other?) ltlt\x0D\x00
 MooPolice MP 
 GetRight GR 
 MonoTorrent MOMO06
 Transmission TRTR\x02\x0B
 Vuze (maybe) AZAz\x00\xC3\xB1
Az\x00\xEF\xBF\xBD (common)
 Alpha Two A2A2\x00\x03
 Bravo Foxtrot BFBF-1.41

Maybe a Battlefield 3 patcher?
 Bravo TangoBT BT\x00\x01 
 DhtPlay DP 
 India Lima ILIL\x00\x10
 November Sierra NSNS\x01\x18
 Sierra Zulu SZSZ\x02\x06
 Tango Xray TXTX1a
 UltraTorrent1 UltraTorrent1 UltraTorrent1
 Uniform TangoUT uT01 
First client appears to be sharing a co-located server in the USA running a chinese language website that appears to promote an windows app called "octopus search artifact" which appears to be a bittorrent search engine of some description.
 Zulu Oscar ZoZo\x00\x06

Most of these clients appear to be in ex Warsaw Pact countries, sometimes a google search of the info_hashes appear on various bittorrent scrapers though they do not seem to allow peer exchange. Which makes me wonder if these are malware clients, private torrents that are hosted only by broken clients, or some kind of software that is using bittorrent as a peer2peer discovery system (think bonjour over DHT)
 Null 4 \0\0 \0\0\0\0

IP Address Key

Various clients send you an "ip" key, to helpfully convince you what your external ip and port are.
Obviously evil (or just plain buggy) clients will try to convince you otherwise.

These are in the wild. I noticed a South Korean client that claimed that it was a uTorrent client (UTz\xAD) that: 
            114.200.XX.XX:345YY v:UTz\xAD is trying to convince me I'm: 114.200.XX.XX:440ZZ
The port was correct, but the ip was the buggy/malicious clients own. 

A Vietnamese 'uTorrent' client (UTy\xA3) claimed that I was, which while it had the port correct, thought I was on an internal network.

            113.182.XX.XX:44XXX v:UTy\xA3 is trying to convince me I'm:

Other UTy\xA3 clients claimed similar nonsense
A US client thinks I'm in Belgium and one from Pakistan thinks I'm on its LAN.

            50.33.XX.XX:10XXX v:UTy\xA3 is trying to convince me I'm: 94.224.YY.YY:440ZZ

            182.186.XX.XX:47XXX v:UTy\xA3 is trying to convince me I'm:



Tokens are passed with each message, to supposedly help identify each message. Many clients just don't bother making this meaningful.

Some variations that I've noticed:
  • The UT client seems to use 4 bytes of random looking data
  • The LT, and Zo clients seems to use 2 bytes 
  • Timestamp ie. a number rendered in ascii 10047026 which appears to increase by one with each request.
  • Some use a random-looking string of 8 bytes
  • One particularly broken client had the token of ASCII '1', and kept requesting data from differing port numbers
  • Another uses the format 'abcde12733'  with the number part increasing due to different queries.
  • Yet another uses the format 'get_peers608', with the number part increasing.

Odd Hashes

There appears to be an oddity with some clients identifying as UT (Mostly UTy\xA3) requesting find_node with the following pattern:

It's statistically improbable that you'd want to look for an node like this.