Re: Guntella Built-in DoS

From: Brian Smith (avalon73@arthurian.nu)
Date: 09/06/01


Date: Thu, 6 Sep 2001 16:05:36 -0400 (EDT)
From: Brian Smith <avalon73@arthurian.nu>
To: Robert Stoll <bob@esr.com>
Subject: Re: Guntella Built-in DoS
Message-ID: <Pine.LNX.3.95.1010906155906.14262A-100000@camelot.arthurian.nu>

On Thu, 6 Sep 2001, Robert Stoll wrote:

> The problem is that the software has no way of verifying what values the
> user has set, which of course can lead to mischief. I can set the
> advertised IP address and port to arbitrary numbers and the result will
> be that the target machine will be bombarded with hundreds inbound tcp
> connections from Guntella clients looking for information. Do this with
> enough clients and you have a re-incarnation of the old Smurf attack.
> As of this writing, I have verified this with the Gnotella and LimeWire
> clients. I will be testing other clients as well but I am confident
> they will work the same way.

What you're saying is correct... it's something in the Gnutella protocol
itself and, even if none of the clients out there let you specify an
arbitrary IP address to advertise, you'd still have those out there that
could write something to get into a Gnutella network and start falsely
advertising itself. It wouldn't be that hard at all for someone who is
familiar with the protocol.

Any DoS that could result from this is kind of limited, though, since
every Gnutella client is not going to connect to every other client's IP
that it knows of... they usually keep a cache of client IPs that are out
there and connect *up to* a certain, usually user-specified, number of
other clients at a time. At least that's how it's worked in every
Gnutella client that I've seen. With every client doing routing in the
network, there's simply no need for everyone to connect to everyone else,
so no one does that.

----------------------------------------------------------------------
Brian Smith // avalon73@arthurian.nu // http://www.arthurian.nu/
Software Developer // Gamer // Webmaster // System Administrator
Friends don't let friends wear Speedos. Ever.