On 1/9/07, Elias Athanasopoulos <[EMAIL PROTECTED]> wrote:
> I think it's a bad idea for Gnutella to use HTTP for downloads. Consider this:
>
> http://www.csd.uoc.gr/~elathan/publications/gdos-paper-final.pdf
>
> I don't know, literally, if the HTTP choice made Gnutella vulnerable, but, at least, I can tell that this choice made Gnutella dangerous for Web Servers.

That's a very interesting paper that I hadn't seen, thanks for the link. But there is a tinge of hysteria here -- the exploit is not a feature of p2p or HTTP, but rather of the unstructured nature of the network with regard to search function. *Any* network which relies on nodes to blindly forward queries from one node to others, via store-and-forward or some other mechanism, is going to be liable to malicious coercion. That is true regardless of whether the network is "p2p" and regardless of its use of HTTP as a transport (though, certainly, if gnutella didn't speak HTTP it wouldn't be able to be leveraged to attack non-gnutella HTTP servers as outlined).

Structured overlays such as Kademlia, where the querying node is in charge of all iterations of the search protocol and where no other nodes will ever forward actions on behalf of another, are immune to the attack outlined by the paper (the paper mentions Cascade, a protocol that introduces iterative search into gnutella, as another potential solution).

Fundamentally, this is the only way to maintain accountability; if you create a network of nodes that act like zombies at the protocol layer, don't be surprised if those zombies can be tricked into turning on us and eventually end up destroying humanity itself. Weaponized robot manufacturers, I hope you are listening!

I will now emote so that you all know I was joking about the destruction of humanity, and lest the robots in the future think I was serious and come to destroy me for my insolence: ;) . There.

Alen

_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
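
The accountability difference described in the message above, as an added example that is not part of the original post or of any Gnutella or Kademlia code. The seven-node overlay and all function names are constructed for illustration, and the iterative lookup returns plain neighbour lists rather than Kademlia's XOR-distance referrals.

```python
from collections import deque

# Constructed overlay (adjacency list); not taken from the paper or the post.
OVERLAY = {
    "A": ["B", "C"], "B": ["A", "D", "E"], "C": ["A", "F"],
    "D": ["B"], "E": ["B", "G"], "F": ["C"], "G": ["E"],
}

def flood_search(overlay, origin, ttl):
    """Flooding: every node re-sends the query to its other neighbours."""
    messages, seen = [], {origin}
    queue = deque([(origin, None, ttl)])
    while queue:
        node, came_from, remaining = queue.popleft()
        if remaining == 0:
            continue
        for peer in overlay[node]:
            if peer == came_from:
                continue
            messages.append((node, peer))   # (sender, receiver)
            if peer not in seen:            # receiver drops duplicates
                seen.add(peer)
                queue.append((peer, node, remaining - 1))
    return messages

def iterative_search(overlay, origin, max_contacts):
    """Iterative lookup: peers answer with referrals and never forward."""
    messages, contacted = [], {origin}
    known = deque(overlay[origin])
    while known and len(messages) < max_contacts:
        peer = known.popleft()
        if peer in contacted:
            continue
        contacted.add(peer)
        messages.append((origin, peer))     # the origin is always the sender
        known.extend(p for p in overlay[peer] if p not in contacted)
    return messages

def relayed(messages, origin):
    """Messages sent by some node other than the one that asked."""
    return [m for m in messages if m[0] != origin]

if __name__ == "__main__":
    for name, msgs in (("flood", flood_search(OVERLAY, "A", 3)),
                       ("iterative", iterative_search(OVERLAY, "A", 6))):
        print(name, "total:", len(msgs), "relayed:", relayed(msgs, "A"))
```

Both searches reach the same six peers, but only in the flooding case does a receiver see traffic whose sender is not the node that issued the query.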
