-
September 6th, 2001, 08:36 PM
#1
gnutella
This may be too much for some, but others might find it interesting... taken from Security Focus...
I found what I believe may be a built-in DoS of sorts in Gnutella. For those of you who are not familiar with Gnutella, it is a peer-to-peer file sharing system that popped up a while back as one of the many alternatives to Napster. Gnutella is more of a protocol specification than an application, so it has many different clients such as Gnotella, LimeWire, and BearShare, among others. Once on the network, the Gnutella client connects to other hosts running Gnutella and starts exchanging lists of "up" hosts and search queries. This (at least on my machine) creates about 5-45k worth of background noise while the client is running. Additional bandwidth gets consumed when the user downloads files from someone else or vice versa.

One of the many features of Gnutella is that it is firewall-aware and will allow the user to force the client to advertise a different IP address than is actually on his or her machine, to allow for any NAT that may be going on. The client will also allow the user to change the port that incoming clients will connect to.

The problem is that the software has no way of verifying what values the user has set, which of course can lead to mischief. I can set the advertised IP address and port to arbitrary numbers and the result will be that the target machine will be bombarded with hundreds of inbound TCP connections from Gnutella clients looking for information. Do this with enough clients and you have a reincarnation of the old Smurf attack. As of this writing, I have verified this with the Gnotella and LimeWire clients. I will be testing other clients as well but I am confident they will work the same way.
Reply:
What you're saying is correct... it's something in the Gnutella protocol itself and, even if none of the clients out there let you specify an arbitrary IP address to advertise, you'd still have those out there that could write something to get into a Gnutella network and start falsely advertising itself. It wouldn't be that hard at all for someone who is familiar with the protocol.

Any DoS that could result from this is kind of limited, though, since not every Gnutella client is going to connect to every other client's IP that it knows of... they usually keep a cache of client IPs that are out there and connect *up to* a certain, usually user-specified, number of other clients at a time. At least that's how it's worked in every Gnutella client that I've seen. With every client doing routing in the network, there's simply no need for everyone to connect to everyone else, so no one does that.
http://www.aciri.org/vern/papers/reflectors.CCR.01/
------------------
"Discussion is an exchange of knowledge; argument is an exchange of ignorance"
Stings Shack™
"ONWARD THROUGH THE FOG"
"640K ought to be enough for anybody." - - Bill Gates, 1981
AMAZING TECHS
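To make concrete what "advertise a different IP address" means on the wire, and what a client could actually check before dialling an address it learned from the network, here is an added example (it is not code from the Security Focus post, from the reply, or from Gnotella, LimeWire or BearShare). In the Gnutella 0.4 protocol the advertised IP and port travel in the Pong descriptor, and every forwarding node bumps the descriptor's hop count, so a Pong with hops 0 can only have come from the neighbour it arrived from; the example builds and parses such Pongs, then contrasts the "believe it and dial" behaviour the post describes with a hypothetical host-cache policy that rejects unroutable addresses, checks a direct neighbour's advertised IP against the address it really connected from, and caps how often one advertised endpoint gets dialled. The policy rules, the 300-copy flood and the addresses 203.0.113.7 and 198.51.100.9 are all constructed for illustration.

```python
"""Gnutella 0.4 Pong handling: what a spoofed advertised address looks like
on the wire, and what a client can check before dialling it.

Added example, not code from the Security Focus post or from Gnotella,
LimeWire or BearShare.  Message layout follows the Gnutella 0.4 spec;
the policies and all addresses below are constructed for illustration."""
import ipaddress
import struct
from collections import Counter

PONG = 0x01
HEADER = struct.Struct("<16sBBBI")      # GUID, payload type, TTL, hops, payload length
PONG_PAYLOAD = struct.Struct("<H4sII")  # port (LE), IPv4 (network order), files, KB shared

# Address ranges no public Gnutella node can be reached on (RFC 1918, loopback,
# link-local, "this" network, multicast/reserved).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def build_pong(guid, ip, port, ttl=7, hops=0, files=0, kbytes=0):
    """Serialise a Pong advertising ip:port.  A client whose user overrode the
    advertised address simply puts the override here; nothing on the wire
    ties it to the sender."""
    payload = PONG_PAYLOAD.pack(port, ipaddress.IPv4Address(ip).packed, files, kbytes)
    return HEADER.pack(guid, PONG, ttl, hops, len(payload)) + payload


def parse_pong(msg):
    guid, kind, ttl, hops, length = HEADER.unpack_from(msg, 0)
    if kind != PONG or length != PONG_PAYLOAD.size or len(msg) != HEADER.size + length:
        raise ValueError("not a well-formed Pong")
    port, ip_raw, files, kbytes = PONG_PAYLOAD.unpack_from(msg, HEADER.size)
    return {"guid": guid, "ttl": ttl, "hops": hops, "port": port,
            "ip": str(ipaddress.IPv4Address(ip_raw)), "files": files, "kb": kbytes}


def relay(msg):
    """What a forwarding node does to any descriptor: TTL-1, hops+1."""
    guid, kind, ttl, hops, length = HEADER.unpack_from(msg, 0)
    if ttl <= 1:
        return None                       # expired, not forwarded
    return HEADER.pack(guid, kind, ttl - 1, hops + 1, length) + msg[HEADER.size:]


def naive_policy(pong, peer_ip, dials):
    """The behaviour the post describes: believe the advertised address and dial it."""
    return True


def checked_policy(pong, peer_ip, dials, max_dials=2):
    """Hypothetical hardening (not any real client's rules):
    * drop port 0 and addresses nobody can be reached on;
    * hops == 0 means the neighbour we are connected to generated this Pong
      itself, so the advertised IP must be the address it connected from
      (behind NAT that is the NAT's public address, so the check still holds);
    * relayed Pongs (hops > 0) cannot be verified, so cap how often this cache
      will dial one advertised endpoint, however many Pongs name it."""
    ip = ipaddress.IPv4Address(pong["ip"])
    if pong["port"] == 0 or any(ip in net for net in UNROUTABLE):
        return False
    if pong["hops"] == 0 and pong["ip"] != peer_ip:
        return False
    return dials[(pong["ip"], pong["port"])] < max_dials


def simulate_client(pongs, peer_ip, policy):
    """One client processes a stream of Pongs that arrived over its link to
    `peer_ip` and returns, per advertised endpoint, how many outbound TCP
    connection attempts it would make."""
    dials = Counter()
    for msg in pongs:
        pong = parse_pong(msg)
        if policy(pong, peer_ip, dials):
            dials[(pong["ip"], pong["port"])] += 1
    return dials


VICTIM = ("203.0.113.7", 6346)   # constructed target; 6346 is the usual Gnutella port
NEIGHBOUR = "198.51.100.9"       # constructed address of the peer relaying to us


def spoofed_flood(copies):
    """A mischievous node emits `copies` Pongs naming VICTIM, each with a fresh
    GUID (so duplicate-descriptor filtering does not drop them), relayed once."""
    return [relay(build_pong(i.to_bytes(16, "little"), *VICTIM))
            for i in range(copies)]


if __name__ == "__main__":
    flood = spoofed_flood(300)
    print("naive client dials victim", simulate_client(flood, NEIGHBOUR, naive_policy)[VICTIM], "times")
    print("checked client dials victim", simulate_client(flood, NEIGHBOUR, checked_policy)[VICTIM], "times")
    # A direct (hops 0) Pong from NEIGHBOUR claiming VICTIM's address is rejected; an honest one passes.
    print(checked_policy(parse_pong(build_pong(bytes(16), *VICTIM)), NEIGHBOUR, Counter()))
    print(checked_policy(parse_pong(build_pong(bytes(16), NEIGHBOUR, 6346)), NEIGHBOUR, Counter()))
```

The per-endpoint cap is the only defence a client has against relayed Pongs, which is why the reply's point matters: the damage the target sees is bounded by how many clients cache the bogus entry and by each one's connection limit, not by how many Pongs the attacker sends. The reflector paper linked in the reply treats that general case.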
-
September 6th, 2001, 09:19 PM
#2
What's an IP? Have anything to do with ego, super ego, or ID? Kidd'n. Deep.
"Discussion is an exchange of knowledge; argument is an exchange of ignorance"
If you disagree to agree, is it better for knowledge or just ignorance?
Maybe just a plain old impasse.
Always insightful, Sting. Thanks.
------------------
"Despite the high cost of living, it remains popular."
"Even crime wouldn't pay if the government ran it."
-
September 6th, 2001, 10:04 PM
#3
All I know is, if I'm unfortunate enough to get assigned the wrong IP on my dial-up, I'll get Gnutella port probes that are the envy of anything Code Red has dished out.