Date: 13 September 2002
===========================================================================
AA-2002.07 AUSCERT Advisory
Gnutella Network Facilitates Anonymous DDoS Attack
13 September 2002
Last Revised: --
---------------------------------------------------------------------------
Overview
The Gnutella peer-to-peer file sharing network allows a malicious
Gnutella user to trivially and anonymously coordinate a
distributed denial of service (DDoS) attack against any computer
on the Internet. Other users of the Gnutella network unknowingly
participate in the DDoS attack against the victim computer.
Systems Affected
* Peer-to-peer file sharing programs which use the Gnutella
protocol. It is almost impossible to determine which
Gnutella programs are affected without vendor cooperation.
* All computers on the Internet are potential victims. There is
evidence that this issue is currently being exploited "in the
wild" and has caused web sites to be taken offline.
Description
The IP address and port number of Gnutella users is embedded in
several types of Gnutella packets which are propagated through
the Gnutella network. Gnutella programs extract these IP
addresses and corresponding port numbers from packets routed
through them to connect to these apparent peers on the Gnutella
network in an attempt to increase the number of searchable files
available to the Gnutella user.
A malicious user can coordinate an attack by specifying an
arbitrary IP address and port number in the packets which they
generate and route, resulting in the specified victim IP address
receiving numerous frequent connection attempts. The attack
coordinator can embed specific hop-count and time-to-live (TTL)
values inside the packets they generate in order to remain totally
anonymous.
Impact
The severity of the DDoS attack which the victim is subjected to
depends on the targeted service and port number. For example, if
the targeted port number is:
* 80 (http), the victim will consume bandwidth by sending an HTTP
error message to the Gnutella user.
* 21 (ftp), 23 (telnet), 25 (smtp email), 53 tcp (dns) or 110
(pop3 email), the victim will consume connection resources by
holding the connection open until either the Gnutella user or
the victim closes the connection once a timeout value has
elapsed.
* 22 (ssh) or 443 (https), the victim's logs will fill up with
error messages.
* a port with no service running on it, the victim just receives
a flood of TCP SYN packets.
Home Internet users typically do not run publicly accessible
services, and are only vulnerable (and will remain vulnerable) to
a flood of TCP SYN packets.
The Gnutella users who involuntarily participate in attacks suffer
minimal impact, since each user only sends a small amount of data
to the victim. This data is the connect string which can be:
GNUTELLA CONNECT/0.4\n\n
or
GNUTELLA CONNECT/0.6\r\n
depending on the version of the Gnutella protocol being used.
Note that the \n represents a line feed and \r represents a
carriage return.
Solution/Workaround
A long term solution may involve reviewing and modifying the
Gnutella protocol or changing the way in which Gnutella programs
learn about other peers on the network. However, immediate
workarounds can be implemented.
Most importantly, Gnutella users should upgrade to a version of
their Gnutella software which:
* does not connect to apparent Gnutella peers who use a port
number less than 1024 (or at least does not connect to port
numbers typically used by non-Gnutella services).
* has a small timeout value to wait for the GNUTELLA OK\n\n
string to be returned to them. This string indicates that
the computer which the Gnutella user has connected to is
actually a peer on the Gnutella network.
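The two client-side workarounds above, as an added example that is not part of the advisory or of any Gnutella client: a pong descriptor is parsed for the advertised IP and port (layout per the Gnutella 0.4 specification), the port is checked against the advisory's list of non-Gnutella services, and the 0.4 handshake is only accepted if GNUTELLA OK arrives within a short timeout. ScriptedSocket and build_pong are constructed stand-ins so the code runs offline.

```python
import socket
import struct

# Gnutella 0.4 descriptor header: 16-byte GUID, payload type, TTL, hops,
# uint32 LE payload length. A pong (type 0x01) carries port (uint16 LE),
# IPv4 address, then two uint32 counters (files, kilobytes shared).
HEADER_LEN = 23
PONG_TYPE = 0x01
PONG_PAYLOAD_LEN = 14

PRIVILEGED_PORT_LIMIT = 1024                              # advisory: skip ports < 1024
NON_GNUTELLA_PORTS = {21, 22, 23, 25, 53, 80, 110, 443}   # ports named in the advisory
HANDSHAKE_TIMEOUT = 2.0                                   # seconds to wait for GNUTELLA OK

def parse_pong(descriptor: bytes) -> tuple:
    """Return (ip, port, ttl, hops) advertised by a raw pong descriptor."""
    if len(descriptor) < HEADER_LEN + PONG_PAYLOAD_LEN or descriptor[16] != PONG_TYPE:
        raise ValueError("not a complete pong descriptor")
    ttl, hops = descriptor[17], descriptor[18]
    port, = struct.unpack_from("<H", descriptor, HEADER_LEN)
    ip = socket.inet_ntoa(descriptor[HEADER_LEN + 2:HEADER_LEN + 6])
    return ip, port, ttl, hops

def should_connect(port: int) -> bool:
    """Workaround 1: never dial an advertised peer on a non-Gnutella port."""
    return port >= PRIVILEGED_PORT_LIMIT and port not in NON_GNUTELLA_PORTS

def handshake_ok(sock) -> bool:
    """Workaround 2: send the 0.4 connect string and require GNUTELLA OK
    within a short timeout; any other reply or silence is not a Gnutella peer."""
    sock.settimeout(HANDSHAKE_TIMEOUT)
    try:
        sock.sendall(b"GNUTELLA CONNECT/0.4\n\n")
        reply = sock.recv(64)
    except (socket.timeout, OSError):
        return False
    return reply.startswith(b"GNUTELLA OK")

class ScriptedSocket:
    """Constructed stand-in for socket.socket so the handshake check runs offline."""
    def __init__(self, reply=None):
        self.reply, self.sent = reply, b""
    def settimeout(self, seconds): pass
    def sendall(self, data): self.sent += data
    def recv(self, n):
        if self.reply is None:
            raise socket.timeout("no reply")   # e.g. a non-Gnutella service that stays silent
        return self.reply[:n]

def build_pong(ip: str, port: int, ttl: int = 7, hops: int = 0) -> bytes:
    """Constructed sample pong descriptor (not captured traffic)."""
    header = b"\x00" * 16 + bytes([PONG_TYPE, ttl, hops]) + struct.pack("<I", PONG_PAYLOAD_LEN)
    return header + struct.pack("<H", port) + socket.inet_aton(ip) + struct.pack("<II", 0, 0)
```

A pong advertising 192.0.2.10:80 is parsed correctly but rejected by should_connect before any TCP connection is made; a peer that is dialled must answer GNUTELLA OK or the socket is dropped.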
Encouraging users to upgrade could be difficult since they are
just an accessory to attacks, and are not (necessarily) attacked
themselves. System administrators should consider:
* adding the string GNUTELLA CONNECT to their intrusion detection
system (IDS) software.
* minimising the size of HTTP error messages returned by their web
server.
* minimising the connection timeout value for their email server and
other servers running interactive services.
* reviewing the maximum number of simultaneous connections supported
by their email server and other servers running interactive
services.
* reviewing the amount of logging performed by services for
unsuccessful connections.
If your network infrastructure is currently being attacked,
realise that the attack is directed at the IP address of (for
example) your web server, not the name of your web site. Changing
the IP address of your web server (and updating your DNS records
appropriately) will allow your web server to regain functionality.
Note however that a determined attack coordinator can change the
targeted IP address as quickly as, if not quicker than, you can
change the IP address of the target computer.
Vendor Status
Every reasonable effort has been made to contact vendors of
Gnutella-based software, including BearShare, Gnucleus, LimeWire,
Morpheus, Phex, Swapper, XoloX, Gnewtellium, Gtk-Gnutella,
Mutella, Qtella, ToadNode, Gnotella, Mactella, Gnut, NapShare,
Cultiv8r, BadBlue, Hagelslag, OpenCola, Ziga, Agentella, Ares,
Suicide, Gnutellagentsia, J-Hop, Peercast, Shareaza, Sick and
U812. We have received the following responses.
BadBlue
It is unlikely that BadBlue is affected - all connection attempts
are cached and failed connections are held in the cache to prevent
reconnects.
Cultiv8or
Cultiv8or is affected by this problem. At this time there is no
solution, however the issue is being discussed with other Gnutella
Client vendors.
Hagelslag
Hagelslag is affected, but any attack through it would probably be
ineffective. Hagelslag is no longer under development at this time.
Gnewtellium
Gnewtellium is affected. A new version will be released shortly to
address the problem.
Credit
AusCERT would like to thank have2Banonymous for discovering the problem
while reviewing the Gnutella protocol.
Further Reading
Anonymously Launching a DDoS Attack via the Gnutella Network,
Written by have2Banonymous, 1st June 2002,
http://www.auscert.org.au/Information/Auscert_info/Papers/gnutddos.htm
---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~