Are there attacks known to Syncthing servers and how can I block this

Hi,

Today I looked into my Syncthing log file and I saw:

2025-11-18 18:50:41 WRN Failed to parse UPnP response (error="malformed HTTP response \"d1:ad2:id20:\\xc2<8Qd\\\"^篁\\\"\\xfdTe7\\x9c\\xa1\\r\\xbf\\xe39:info_hash20:\\xc2<8\\x88\\xed\\xc9\\\\\\xac\\xcf\\xfe,\\xcarݬ\\xaf\\x04u\\x833e1:q9:get_peers1:t2:l\\xa11:v4:LT\\x01/1:y1:qe\"" log.pkg=upnp)
2025-11-18 18:50:41 WRN Failed to parse UPnP response (error="malformed HTTP response \"d1:ad2:id20:J\"" log.pkg=upnp)
2025-11-18 18:50:41 WRN Failed to parse UPnP response (error="malformed HTTP status code \"\\xa7\\xc59:info_hash20:%v\\xce\\xd4>y\\x8fܡc\\xcbj0\\xa8\\x95\\xb6>\\xcd\\xf3\\xf3e1:q9:get_peers1:t2:/\\xf71:v4:LT\\x01/1:y1:qe\"" log.pkg=upnp)
2025-11-18 18:50:41 WRN Failed to parse UPnP response (error="malformed HTTP response \"d1:ad2:id20:n\\xf2\\xf4k\\xc7\\\"\\xb5\\xfa\\xa1s\\xacUd\\xbc)\\xeeg\\x84\\x1a\\xe69:info_hash20:n\\xf2\\xf4\\x85\\xd3\\xf0\\x81%\\xa5Ps\\xe6\\\\\\xe3\\xdeVQ\\xfb\\x8f\\x02e1:q9:get_peers1:t2:\"" log.pkg=upnp)
2025-11-18 18:51:19 WRN Failed TLS handshake (address=223.91.118.211:35854 error="tls: first record does not look like a TLS handshake" log.pkg=connections)
2025-11-18 19:18:51 WRN Failed TLS handshake (address=199.45.154.138:57068 error="tls: client offered only unsupported versions: [303 302 301]" log.pkg=connections)
2025-11-19 04:30:19 WRN Failed to parse UPnP response (error="malformed HTTP status code \"\\xad\\xc4qmԋ!P\\x18\\x16\\x02\\xa5w\\xe8po9:info_hash20:9\\xc19\\x8f\\xfb'a\\xac8Ȍ\\xcd|[G\\xa6\\xeae8\\xe2e1:q9:get_peers1:t2:\\xcf\\xc81:v4:LT\\x01/1:y1:qe\"" log.pkg=upnp)
2025-11-19 04:30:20 WRN Failed to parse UPnP response (error="malformed HTTP response \"d1:ad2:id20:!ѳI\\xf1\\xf1\\xbb\\xe9볦\\xdb<\\x87\\f>\\x99$^R6:target20:!ѳI\\xf1\\xf1\\xbb\\xe9볦\\xdb<\\x87\\f>\\x99$^Re1:q9:find_node1:t4:\\xdcG\\x00\\x001:v4:UT\\xb8\\\\1:y1:qe\"" log.pkg=upnp)

It seems someone with Russian and Chinese letters has been trying to do something to get access throughout the whole night.

Are there any known attacks? How can I secure the connection?

I have a PC at home and a rented server with a static IP:port.

Is there a way to make the server not accept connections other than from the PC at home?

Best regards,

Thomas

It looks like whatever is responding to UPnP queries is speaking some sort of torrent-related protocol instead of UPnP. Not an attack, though.
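The rejected payloads in the log start with `d1:ad2:id20:` and contain `get_peers` or `find_node`, which is the bencoded query format of the BitTorrent DHT; the unusual letters are binary node IDs and info hashes rendered as text. As an added example (not part of the original thread and not Syncthing code), this Python snippet decodes such a payload and reports what kind of query it is; `bdecode`, `classify` and `SAMPLE` are names chosen here for illustration.

```python
# Added example (not Syncthing code): triage payloads that the UPnP
# listener rejected, checking whether they are BitTorrent DHT (KRPC) queries.

def bdecode(buf, i=0):
    """Decode one bencoded value starting at buf[i]; return (value, next_i)."""
    c = buf[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = buf.index(b"e", i)
        return int(buf[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dict, closed by "e"
        items, i = [], i + 1
        while buf[i:i + 1] != b"e":                # running off the end raises below
            value, i = bdecode(buf, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dict key without value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = buf.index(b":", i)
        n = int(buf[i:colon])
        s = buf[colon + 1:colon + 1 + n]
        if len(s) != n:
            raise ValueError("truncated string")
        return s, colon + 1 + n
    raise ValueError("not bencode")

def classify(payload):
    """Summarise a KRPC query, flag a truncated one, or return None."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, TypeError, RecursionError):
        # A logged payload can be cut short (as in the second log line),
        # so also accept the fixed opening seen in the quoted log.
        if payload.startswith(b"d1:ad2:id20:"):
            return {"query": None, "client": None, "truncated": True}
        return None
    if not isinstance(msg, dict) or msg.get(b"y") != b"q":
        return None
    q, v = msg.get(b"q"), msg.get(b"v")
    return {"query": q.decode("ascii", "replace") if isinstance(q, bytes) else None,
            "client": v[:2].decode("ascii", "replace") if isinstance(v, bytes) else None,
            "truncated": False}

# Constructed sample packet (IDs are sequential filler bytes, not real hashes).
SAMPLE = (b"d1:ad2:id20:" + bytes(range(20)) + b"9:info_hash20:" +
          bytes(range(20, 40)) + b"e1:q9:get_peers1:t2:aa1:v4:LT\x01/1:y1:qe")

if __name__ == "__main__":
    print(classify(SAMPLE))
```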

To me it looked strange since there were letters like 篁 볦 qmԋ and I don't have files with letters like this on the server.

Is it possible to block UPnP requests completely?

Is some sort of hammering protection possible, so that after maybe 5 wrong packets in 5 minutes, requests from this IP are blocked for 1 hour?

Best regards,

Thomas
