7057347 2001-09-06 12:52 -0400 /63 lines/ Robert Stoll <bob@esr.com>
Sent by: joel@lysator.liu.se
Imported: 2001-09-06 20:19 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19090>
Subject: Gnutella Built-in DoS
------------------------------------------------------------
From: Robert Stoll <bob@esr.com>
To: bugtraq@securityfocus.com
Message-ID: <048763D6F76C9D489A69445D714839F00C38D4@exchange2>

Hello all,

I found what I believe may be a built-in DoS of sorts in Gnutella. For those of you who are not familiar with Gnutella, it is a peer-to-peer file sharing system that popped up a while back as one of the many alternatives to Napster. Gnutella is more of a protocol specification than an application, so it has many different clients such as Gnotella, LimeWire, and BearShare among others.

Once on the network, the Gnutella client connects to other hosts running Gnutella and starts exchanging lists of "up" hosts and search queries. This (at least on my machine) creates about 5-45k worth of background noise while the client is running. Additional bandwidth gets consumed when the user downloads files from someone else or vice versa.

One of the many features of Gnutella is that it is firewall-aware and will allow the user to force the client to advertise a different IP address than is actually on his or her machine to allow for any NAT that may be going on. The client will also allow the user to change the port that incoming clients will connect to as well.

The problem is that the software has no way of verifying what values the user has set, which of course can lead to mischief. I can set the advertised IP address and port to arbitrary numbers and the result will be that the target machine will be bombarded with hundreds of inbound TCP connections from Gnutella clients looking for information. Do this with enough clients and you have a reincarnation of the old Smurf attack.

As of this writing, I have verified this with the Gnotella and LimeWire clients. I will be testing other clients as well but I am confident they will work the same way.

Bob...

(7057347) /Robert Stoll <bob@esr.com>/----(Reflowed)
Comment in text 7058604 by Brian Smith <avalon73@arthurian.nu>

7058604 2001-09-06 16:05 -0400 /39 lines/ Brian Smith <avalon73@arthurian.nu>
Sent by: joel@lysator.liu.se
Imported: 2001-09-07 00:39 by Brevbäraren
External recipient: Robert Stoll <bob@esr.com>
External copy recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19094>
Comment on text 7057347 by Robert Stoll <bob@esr.com>
Subject: Re: Gnutella Built-in DoS
------------------------------------------------------------
From: Brian Smith <avalon73@arthurian.nu>
To: Robert Stoll <bob@esr.com>
Cc: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.3.95.1010906155906.14262A-100000@camelot.arthurian.nu>

On Thu, 6 Sep 2001, Robert Stoll wrote:

> The problem is that the software has no way of verifying what values the
> user has set, which of course can lead to mischief. I can set the
> advertised IP address and port to arbitrary numbers and the result will
> be that the target machine will be bombarded with hundreds of inbound TCP
> connections from Gnutella clients looking for information. Do this with
> enough clients and you have a reincarnation of the old Smurf attack.
> As of this writing, I have verified this with the Gnotella and LimeWire
> clients. I will be testing other clients as well but I am confident
> they will work the same way.

What you're saying is correct... it's something in the Gnutella protocol itself and, even if none of the clients out there let you specify an arbitrary IP address to advertise, you'd still have those out there that could write something to get into a Gnutella network and start falsely advertising itself. It wouldn't be that hard at all for someone who is familiar with the protocol.

Any DoS that could result from this is kind of limited, though, since every Gnutella client is not going to connect to every other client's IP that it knows of... they usually keep a cache of client IPs that are out there and connect *up to* a certain, usually user-specified, number of other clients at a time. At least that's how it's worked in every Gnutella client that I've seen. With every client doing routing in the network, there's simply no need for everyone to connect to everyone else, so no one does that.

----------------------------------------------------------------------
Brian Smith // avalon73@arthurian.nu // http://www.arthurian.nu/
Software Developer // Gamer // Webmaster // System Administrator
Friends don't let friends wear Speedos. Ever.

(7058604) /Brian Smith <avalon73@arthurian.nu>/(Reflowed)

7058761 2001-09-06 18:26 -0400 /32 lines/ Walker Traylor <wtraylor@professionalsites.com>
Sent by: joel@lysator.liu.se
Imported: 2001-09-07 01:44 by Brevbäraren
External recipient: Robert Stoll <bob@esr.com>
External copy recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19095>
Subject: Re: Gnutella Built-in DoS
------------------------------------------------------------
From: Walker Traylor <wtraylor@professionalsites.com>
To: Robert Stoll <bob@esr.com>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.BSF.4.30.0109061824510.17920-100000@biont.pair.com>

Slightly more (and slightly old) info on using Gnutella in a DoS:

http://www.aciri.org/vern/papers/reflectors.CCR.01/

--Walker

> On Thu, 6 Sep 2001, Robert Stoll wrote:
>
> > Hello all,
> > I found what I believe may be a built-in DoS of sorts in Gnutella. For
<snip>
> > The problem is that the software has no way of verifying what values the
> > user has set, which of course can lead to mischief. I can set the
> > advertised IP address and port to arbitrary numbers and the result will be
> > that the target machine will be bombarded with hundreds of inbound TCP
> > connections from Gnutella clients looking for information. Do this with
> > enough clients and you have a reincarnation of the old Smurf attack. As of
> > this writing, I have verified this with the Gnotella and LimeWire clients.
> > I will be testing other clients as well but I am confident they will work
> > the same way.
> >
> >
> > Bob...

(7058761) /Walker Traylor <wtraylor@professionalsites.com>/

7058867 2001-09-06 19:42 -0400 /17 lines/ Steven M. Bellovin <smb@research.att.com>
Sent by: joel@lysator.liu.se
Imported: 2001-09-07 02:42 by Brevbäraren
External recipient: Walker Traylor <wtraylor@professionalsites.com>
External copy recipient: Robert Stoll <bob@esr.com>
External copy recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19097>
Subject: Re: Gnutella Built-in DoS
------------------------------------------------------------
From: "Steven M. Bellovin" <smb@research.att.com>
To: Walker Traylor <wtraylor@professionalsites.com>
Cc: Robert Stoll <bob@esr.com>, bugtraq@securityfocus.com
Message-ID: <20010906234234.24B467BFD@berkshire.research.att.com>

In message <Pine.BSF.4.30.0109061824510.17920-100000@biont.pair.com>, Walker Traylor writes:

>Slightly more (and slightly old) info on using Gnutella in a DoS:
>
> http://www.aciri.org/vern/papers/reflectors.CCR.01/
>

Also see http://www.research.att.com/~smb/talks/NapsterGnutella/index.htm

--Steve Bellovin, http://www.research.att.com/~smb

(7058867) /Steven M. Bellovin <smb@research.att.com>/
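The weakness Robert Stoll describes is that a client accepts whatever address and port a peer advertises; Brian Smith notes that clients only connect to a bounded number of hosts from a cache. The admission check below, an added example and not code from Gnotella, LimeWire or any other client in the thread, shows the defensive side: a host-cache policy that verifies what can be verified (a direct neighbour's advertised address against the TCP source it arrived from), filters addresses no peer could listen on, and caps how many cache slots one advertised address may take. It assumes the pong carries a hop count (named `hops` here); the names, the cap, the sample addresses and port 6346 are constructed for the example.

```python
"""Host-cache admission policy for Gnutella-style pong (host advertisement)
messages.  Added example, not code from any Gnutella client named in the
thread.  Field and function names are this example's own; the per-address
cap, the sample addresses and the port 6346 are constructed values."""
import ipaddress
from dataclasses import dataclass

PER_ADDRESS_CAP = 1  # constructed policy: one cache slot per advertised IP


@dataclass
class Pong:
    hops: int             # 0 = sent by the neighbour whose link delivered it
    advertised_ip: str    # IP the remote client claims to listen on
    advertised_port: int  # port it claims to listen on


def is_plausible_endpoint(ip: str, port: int) -> bool:
    """Drop advertised endpoints no peer could be reachable on."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if not 1 <= port <= 65535:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def admit_pong(pong: Pong, observed_src_ip: str, cache: dict) -> bool:
    """Return True and record the endpoint if it may enter the host cache.

    cache maps advertised IP -> number of cache slots it already occupies.
    """
    if not is_plausible_endpoint(pong.advertised_ip, pong.advertised_port):
        return False
    # A direct neighbour's pong can be cross-checked against the source
    # address its TCP connection actually arrived from.  A NAT'd client
    # that advertises its public address still passes, since that is the
    # address we observe; only a forged address fails.
    if pong.hops == 0 and pong.advertised_ip != observed_src_ip:
        return False
    # Relayed pongs cannot be verified this way, so cap how many cache
    # slots one address may occupy: a single peer then cannot steer the
    # whole host list at a victim.
    if cache.get(pong.advertised_ip, 0) >= PER_ADDRESS_CAP:
        return False
    cache[pong.advertised_ip] = cache.get(pong.advertised_ip, 0) + 1
    return True
```

Combined with the connection cap Brian Smith describes, this bounds how many connection attempts a forged advertisement can cause from any one client, though relayed pongs remain unverifiable by design.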