>From: Bill Pringlemeir <[EMAIL PROTECTED]>
>To: Haxe <[EMAIL PROTECTED]>
>CC: gtk-gnutella-devel@lists.sourceforge.net
>Subject: Re: [Gtk-gnutella-devel] Gnutella Query
>Date: 14 Jun 2007 23:01:44 -0400
>
> > On Friday 15 June 2007 01:29, Lloyd Bryant wrote:
>
> >> What this person is attempting to do is create a DDoS (Distributed
> >> Denial of Service) tool. Basically, take every query that is
> >> received by a given node, and reply to it showing a matching file
> >> on the machine that attacker wishes to DoS.
>
>The paper on this has been out for some time and was posted to the GDF
>forum some time ago.
>
> "http://www.ics.forth.gr/~elathan/publications/gdos-paper-final.pdf"
>
Thanks for the link. All I had seen previously was a summary, linked to
another summary (which was somewhat slanted to make P2P networks appear to
be tools of the "black hats").
>If you read the paper, you have to mangle the returned file name to
>include new lines. GTKG already protects against this for queries it
>receives. I think that it also does this for forwarded query
>responses [but I am not so sure about that].
>
>The OOB (udp query responses) have a new cookie that protects against
>this DDOS attack.
>
>My understanding of the query protocol is that the network is flooded
>with the query, but only response to your own nodes or a proxied leaf
>will flow through. You would have to have both the target of the
>attack and the attacker connected to you to detect this.
>
>If you cannot do this file name trickery, you will just have the
>target web server do a "404 - NOT FOUND" which won't take nearly as
>much bandwidth. You have to gain something by using gnutella to do
>this. You get some anonymity, but the bandwidth multiplication is
>probably more important. There are lots of ways to do HTTP
>anonymously, so if gnutella nodes ignore files with newlines, it
>becomes much harder to use this for DDOS.
>
There are still some avenues open, but as noted they won't generate nearly
as much bandwidth usage per "tricked" node. It's still something that will
probably become an issue at some point in the future.
What's really scary is that the researchers were using the simplest possible
method for generating their query results - simply taking the query text and
appending ".mpg" onto it. Imagine the load they could have generated with a
more sophisticated context-sensitive approach (backed with a database of 50K
or so song titles/artists and maybe 1K or so of DVD titles).
>My guess would be that the OP wanted to spam instead. They are sort
>of the same thing I guess (DDOS vs spam).
The OP specifically mentioned "flooding the server", which I took to mean a
DDoS.
And on a quirky note: The paper mentions a substantial number of nodes that
were simply downloading any file from their falsified query results. I have
a hard time imagining any but the most naive Gnutella users doing this,
but I can think of one group that *might* have automated programs doing
this: Media Sentry (and their counterparts elsewhere in the world). It
would be interesting to see if any of those "download anything" nodes
belonged to Media Sentry :-)
Lloyd B.
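The defence Bill describes above (nodes ignoring query hits whose file names contain newlines), as an added C example that is not gtk-gnutella's own code: the check rejects CR, LF, NUL and other control characters before a hit's file name is embedded in a download request line. The `/get/<index>/<name>` request shape, the function names and the sample names are assumptions.

```c
/* Added example, not gtk-gnutella code: validate query-hit file names so a
 * crafted name cannot smuggle extra lines into the HTTP request a downloader
 * builds (the newline trick the GDoS paper relies on). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true when a file name taken from a query hit is safe to embed in a
 * single HTTP request line. Assumption: names must be non-empty and may not
 * carry any C0 control character (CR, LF, NUL, TAB, ...) or DEL. */
bool query_hit_filename_is_safe(const char *name, size_t len)
{
    if (name == NULL || len == 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) name[i];
        if (c < 0x20 || c == 0x7f)      /* rejects '\r', '\n', '\0', '\t' */
            return false;
    }
    return true;
}

/* Builds the download request line only for names that passed the check.
 * Writes into buf and returns the line length, or -1 when the name is
 * rejected or the buffer is too small. Assumed "/get/<index>/<name>" shape. */
int build_get_request(char *buf, size_t bufsz, unsigned index,
                      const char *name, size_t len)
{
    if (!query_hit_filename_is_safe(name, len))
        return -1;
    int n = snprintf(buf, bufsz, "GET /get/%u/%.*s HTTP/1.1\r\n",
                     index, (int) len, name);
    if (n < 0 || (size_t) n >= bufsz)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample names: one clean, one carrying an embedded CRLF. */
    const char good[] = "song.mpg";
    const char bad[]  = "song.mpg\r\nX";
    char buf[128];
    printf("clean name -> %d\n", build_get_request(buf, sizeof buf, 7, good, strlen(good)));
    printf("CRLF name  -> %d\n", build_get_request(buf, sizeof buf, 7, bad, sizeof bad - 1));
    return 0;
}
```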
_______________________________________________
Gtk-gnutella-devel mailing list
Gtk-gnutella-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/gtk-gnutella-devel