
I was interested in how they were detecting monitors and whether they were just picking out any anomalous peers (say ones that don't accept connections). I was also wondering if the paper was going to be obviously flawed and funded by some copyright agency with the aim of articles such as the one we just read being created. I still wouldn't rule it out, but I feel that the methodology was sound.

To summarize for others, the indicators were:

"""

1. The proportion of a subnet that has been seen in BitTorrent swarms. Monitoring agencies may use a large proportion of their subnet for monitoring.

2. The length of time a peer spends in a swarm. Monitors may spend more time in the swarm than regular file-sharers.

3. The number of different (IP, port, infohash) combinations per IP address. Monitoring agencies may operate many clients from a single IP address.

4. Whether a peer reported by a tracker accepts incoming connections. Monitors may block all incoming connection attempts. (((This was discarded as an unreliable indicator)))

5. The number of swarms in which IP addresses from a particular subnet appear. Monitoring agencies may monitor many torrents from their subnet.

6. The number of times the same (IP, port) pair is observed concurrently in different swarms.

... we found 1,139 IP addresses that were in the top first percentile for all four features (((1,2,3 and 5))) IP addresses assigned to a company named Checktor [3], which offers commercial BitTorrent monitoring services, and 16 addresses assigned to a medium-sized computer security consultancy company that does not publicly acknowledge monitoring BitTorrent. Another subnet, which we saw in over 500 swarms, belongs to a company that advertises itself as providing “intellectual property advice” ... We also found two subnets assigned to hosting companies ... We speculate that copyright enforcement companies are using these hosting companies as a front to disguise their identities. We also identified a number of IP addresses allocated to large ISPs, such as Vodafone, Etisalat and SingNet. ... This feature (((6))) found IP addresses assigned to Peer Media Technologies [16] (a well-known copyright enforcement agency) monitoring seven Harry Potter ebook and movie torrents, and the INRIA research institution [10], which had been overlooked by features 1–5 because so few torrents were being monitored, and because a very small proportion of INRIA’s subnet was being used for monitoring """

I didn't read too much further into their methodology for detecting "direct monitoring" other than to see a pretty graphic showing peers lying about their download completion.



Direct link to the paper: http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf

You can find the lead researcher's other papers here: http://www.cs.bham.ac.uk/~tpc/home.html
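The percentile intersection over indicators 1, 2, 3 and 5 quoted above, as an added Python sketch (not code from the paper or from the comments here). Assumptions: the `(time, ip, port, infohash)` sighting format, a /24 standing in for "subnet", the tie-inclusive cutoff, and all sample data, which is constructed.

```python
from collections import defaultdict

def subnet24(ip):
    return ip.rsplit(".", 1)[0]  # assumption: /24 stands in for "subnet"

def features(sightings):
    """sightings: iterable of (time, ip, port, infohash) tracker observations."""
    combos, span = defaultdict(set), {}
    sub_ips, sub_swarms = defaultdict(set), defaultdict(set)
    for t, ip, port, ih in sightings:
        combos[ip].add((port, ih))
        lo, hi = span.get((ip, ih), (t, t))
        span[(ip, ih)] = (min(lo, t), max(hi, t))
        sub_ips[subnet24(ip)].add(ip)
        sub_swarms[subnet24(ip)].add(ih)
    longest = defaultdict(int)
    for (ip, _), (lo, hi) in span.items():
        longest[ip] = max(longest[ip], hi - lo)
    return {ip: (len(sub_ips[subnet24(ip)]) / 256,   # indicator 1
                 longest[ip],                        # indicator 2 (seconds)
                 len(combos[ip]),                    # indicator 3
                 len(sub_swarms[subnet24(ip)]))      # indicator 5
            for ip in combos}

def flag_monitors(sightings, top_fraction=0.01):
    """IPs whose value is in the top `top_fraction` for all four indicators."""
    feats = features(sightings)
    k = max(1, int(len(feats) * top_fraction))
    flagged = set(feats)
    for i in range(4):
        cutoff = sorted((f[i] for f in feats.values()), reverse=True)[k - 1]
        flagged &= {ip for ip, f in feats.items() if f[i] >= cutoff}
    return flagged

def constructed_sightings():
    """Synthetic data: 297 ordinary peers, 3 monitor-like hosts in one /24."""
    rows = []
    for i in range(297):   # one swarm, one port, seen for 10 minutes
        ip = f"10.{i // 250}.{i % 250}.7"
        rows += [(0, ip, 6881, f"hash{i % 40}"), (600, ip, 6881, f"hash{i % 40}")]
    for host in (10, 11, 12):   # many swarms and ports, seen for 24 hours
        for s in range(30):
            ip = f"203.0.113.{host}"
            rows += [(0, ip, 40000 + s, f"hash{s}"), (86400, ip, 40000 + s, f"hash{s}")]
    return rows

if __name__ == "__main__":
    print(sorted(flag_monitors(constructed_sightings())))
```

Requiring all four indicators at once is what keeps a single long-lived seeder, extreme on indicator 2 alone, out of the flagged set.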



