Hello!

On Tue, Jan 09, 2007 at 08:53:55AM -0700, Alen Peacock wrote:
> On 1/9/07, Elias Athanasopoulos <[EMAIL PROTECTED]> wrote:
> >I think it's a bad idea for Gnutella to use HTTP for downloads. Consider
> >this:
> >
> >http://www.csd.uoc.gr/~elathan/publications/gdos-paper-final.pdf
> >
> >I don't know, literally, if the HTTP choice made Gnutella vulnerable, but,
> >at least, I can tell that this choice made Gnutella dangerous for Web Servers.
>
> That's a very interesting paper that I hadn't seen, thanks for the
> link. But there is a tinge of hysteria here -- the exploit is not a
> feature of p2p or HTTP, but rather of the unstructured nature of the
> network with regard to search function. *Any* network which relies on
> nodes to blindly forward queries from one node to others, via
> store-and-forward or some other mechanism, is going to be liable to
> malicious coercion. That is true regardless of whether the network is
> "p2p" and regardless of its use of HTTP as a transport (though,
> certainly, if gnutella didn't speak HTTP it wouldn't be able to be
> leveraged to attack non-gnutella HTTP servers as outlined).

Right. As the title says, it uses unstructured overlays to make the trick,
*but* the attack is further amplified because Gnutella uses HTTP for file
transfers in the application level. Redirecting some thousands of connections
to a computer may not be that much, compared to forcing a Web server to serve
some thousands of downloads.

> Structured overlays such as Kademlia, where the querying node is in
> charge of all iterations of the search protocol and where no other
> nodes will ever forward actions on behalf of another, are immune to
> the attack outlined by the paper (the paper mentions Cascade, a

Well, DHTs can also be abused. A node can still lie in its entrance. See
a similar paper that (mis)uses Overnet for example:

http://portal.acm.org/citation.cfm?id=1146894&dl=acm&coll=&CFID=15151515&CFTOKEN=6184618

Regards,
--
Elias Athanasopoulos
Distributed Computing Systems (DCS)
Institute of Computer Science (ICS/FORTH)
Heraklion, Crete

A bug can become a feature by documenting it.
