Resurrecting a dead torrent tracker and finding 3M peers

So I was uh, downloading some linux isos, like usual. It was going slowly, so I opened up the Trackers tab in qBittorrent and saw the following: Most of the trackers were totally dead. Either the hosts were down or the domains weren’t being used. That got me thinking. What if I picked up one of these dead domains? How many clients would try to connect? What are trackers for, anyways? A tracker is a core component of the BitTorrent protocol. Trackers are the services that point you to other peers for the torrent. Without trackers, there would be no one to share the file with. Obviously this represents a major source of centralization in the torrent protocol. If your trackers aren’t maintained – or if they get forced offline by certain industry organizations – you’re out of luck. We have an alternative, called Mainline DHT, which performs a more decentralized lookup of peers based on infohash alone. DHT isn’t perfect, though. It relies on bootstrap nodes and is vulnerable to Sybil attacks. And in the example of my poorly-served torrent, DHT wasn’t surfacing any peers, regardless. Hosting a tracker Looking through the list of trackers marked “host not found”, I noticed udp://open.demonii.si:1337/announce was available. I bought the domain through Dynadot (one of the few .si domain registrars), then spun up a quick anonymous VPS. I mapped the domain to the VPS, then set up opentracker, the most widely used and robust torrent tracker software. Instructions for Ubuntu 24.04: sudo apt install gcc-14 g++-14 build-essential zlib1g-dev sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-14 14 sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-14 14 Follow the readme to compile, first the dependency libowfat (a GPL reimplementation of some of dan bernstein’s C libraries) and then opentracker itself. cvs -d :pserver:[email protected]:/cvs -z9 co libowfat cd libowfat make cd .. git clone git://erdgeist.org/opentracker cd opentracker make Finally, a quick systemd unit file to daemonize this service: [ Unit] Description = opentracker After = network-online.target Wants = network-online.target [ Service] Type = simple User = opentracker Group = opentracker WorkingDirectory = /var/lib/opentracker ExecStart = /home/opentracker/opentracker/opentracker -p 1337 -P 1337 \ -d /var/lib/opentracker -u opentracker Restart = on-failure LimitNOFILE = 65536 [ Install] WantedBy = multi-user.target What did I find? Before even starting opentracker, I saw a flood of traffic against UDP port 1337: I then started the tracker. After about an hour, it peaked at about 1.7 million distinct torrents across 3.1 million peers! Response from http://open.demonii.si:1337/stats?mode=everything : 273419141 https://erdgeist.org/gitweb/opentracker/commit/?id=b20b0b89264e9d28ab873b8b1cc9ba73cdb58aeb 10313 1735538 1735523 3155701 1342504 244224 21532 20219 263 58843612 18321703 33160261 3211543 4116689 0 12216193 1463740 536527 284756 243276 93237 63618 53934 36851 28990 352150 56610 24557 21628 24932 63250 38174 33730 27827 27166 22463 17820 17248 17276 17825 20144 27987 792338 1579577 1625355 2229105 1670317 1581574 846355 96656 68160 47801 36705 32256 27535 27593 27640 24090 20762 17880 0 0 55 0 0 0 0 883 0 0 Is this legal? Maybe. When the recording industry and other litigious organizations go after torrent trackers, they’re mainly chasing down the public-facing parts of the system. The legal decisions against websites like The Pirate Bay hinge on how they highlight popular movies, sell ads, and offer .torrent files. This is all taken as evidence of inducement, meaning the intentional promotion of copyright infringement. Does hosting tracker infrastructure, unadvertised, count as “inducement”? It’s a harder case to make. I’m aware that many torrents, both freely available and copyrighted, use this tracker. But it would be more difficult to prove intent here. Regardless, I was spooked. I thought through my chain of events and realized I had already fucked up by paying for the domain with a credit card. I shut down the VPS and deleted the domain quickly after confirming it works. So… the domain is available now. It’s quite easy to find unclaimed domains like this. If you want to do a public service, open.demonii.si and others are up for registration…