Fake poisoning servents
 

I am running gtk-gnutella 1.1.9 as ultrappeer (UP) under Linux. I enjoy keeping an eye on Gnutella network. During March-May 2016 I noticed my UP cache approaching 0 servents and the number of UP connections very low (around 10/50).
At first I thought about issues with my internet provider doing some sort of filtering so that I could not connect or receive connections from other UPs. Lately I noticed that my servent was connecting to some strange servents with vendor string "PyGnutella/0.1". I did some research and found out that PyGnutella is an old and unmaintained Python library for Gnutella, not a working client. Then I noticed that all these PyGnutella connections were coming from a single group of IP addresses: 154.45.216.* (see screenshots). These servents had a very low uptime and kept connecting and disconnecting.
One day these PyGnutella servents were no longer in my network connections list and suddenly the number of UP connections was again higher and my UP cache filling up again.
I suppose that these PyGnutella are fake servents who try to disrupt Gnutella functioning, performing a sort of "cache poisoning attack".
Any idea?

From my own experience I can only give you a limited possible answer of what I know because I've been away for a month & won't return until end of the week.
I've seen PyGnutella before but I don't believe for quite some time.
From your snapshots, it does appear to be a BOT and possibly a browser based BOT that can switch program ID on the fly.

Have you checked your console connection logs to see if there's anything else odd about these PyGnutella connections and any messages they send?
You might need to cross-check their ip addresses to be sure it's the same host as they might identify in a different manner at various points in time.

If it were really such an old app, then we might assume it seeks GWC support. I'm only aware of one GWC that might support an app of that age.

I have been highly dubious about the 154. range. The original BearShare hostiles file had it completely blocked. Earlier in the year I unblocked a few small ranges as a test after finding some GTK-G. hosts within it (unless I'm confusing with the 104. range.) But what makes me suspicous about these hosts is that they all use the same connection port and all via the same internet service provider (I suspect it's not a standard public service provider), including one in the 108. range. But the GTK-G issue is a little off-topic. The 154 range also includes web service rentals. The 154 range is mostly USA with certain slithers of European ranges.

Hello, why do you think about a browser bot? Since all connections come from the same IP addresses group, could it be someone having access to a whole 0-255 addresses range (someone more than a common ADSL user)? If an IP sproofing occurred, why limiting to a single group of IP addresses?
Updating hostiles.txt looks like a good idea...
My current skills do not allow further analysis from my side...

There's various types of BOTs and that PyGnutella group are not necessarily browser-BOTs. Unless your GTK-G. has shown them to be browsing? Have you seen them try to download?
No idea what kind of BOT they are.

My first instinct is that they are BOTs. However, I have witnessed similar things with hosts downloading but not 100% certain they were download BOTs due to not being quite as aggressive to the task as the average download-BOT (for want of a better term.)

I have wondered if some wireless (possibly portable) devices/services can change ip on the fly, but that would make me wonder how the gnutella program could retain a connection to the network. Also, if there's more than one connected at one time then that appears to defeat that idea.

As far as the hostiles file goes, GTK comes with its own default hostiles file which is relatively small and also contains data I'm not so sure is still up-to-date because of some blocks that have been there since last decade but I haven't seen or can't find any evidence of it being a bad range over the past 4 to 5 years. With this in mind I have been gradually little by little reducing the blocks within the hostiles I work with. ip addressing has changed considerably since last decade; either new ISP owners (or even country); ip no longer rented out to proxy services or unused ip's from certain countries; changes to a dynamic ip status instead of static. I have nothing to do with updating the gtk hostiles file.

With GTK you can add your own blocks via the hostiles. You might even wish to try a hostiles I put together for GWCs as it's the smallest version I've worked upon. Also, ale5000 a GWC developer has developed a hostiles updating system, but GTK does not normally contact GWC's so that concept would need to be discussed between the GTK developers.

I haven't seen those PyGnutella downloading. That doesn't mean much since I share rare stuff (popular stuff works better on BitTorrent IMHO).
I just configured custom hostiles.txt including the range of PyGnutella, let's see...

Yes I detected this as a bad range 2 May 2014. I recorded 40 separate addresses from 140 to 200. The only one your snapshots show I didn't detect was 154.45.216.175.

Cogent Communications. For some reason two years ago I had it probably incorrectly listed as France Nantes Trident Mediaguard (I may have put this label next to the wrong ip group.) It is instead USA based.
OrgName: PSINet, Inc.
OrgId: PSI-2
Address: 2450 N Street NW
City: Washington

I detected these hosts via firewall log. Which is something I sometimes check if my program(s) appear to start struggling with connections (such as peers dropping below and struggling to get back to minimum peers whilst in UP mode.) Period of open log can range between 45 min to 2 to 3 hours though usually around an hour or less if I'm getting hammered. I sometimes check back to previous logs to see when they started to hammer. I share a lot of files and usually connect 24/7 which makes me a prime target for BOTs. When I recorded the hosts in question, there were also numerous other similar BOT ranges adding to the massive traffic.

The smallest hostiles file I work with has them blocked 154.45.216.128/25.

I don't normally record leaf connections, but no history of them connecting as peers over past 18 months with Phex at least.

I do not have any information as to what kind of BOT they might be (what their objective is.) But as happened with you, perhaps their objective is to disrupt standard connections and communications. It would not surprise me if they passed out fake information including fake hosts to connect to or other BOTs to connect to. But that's pure conjecture.

Very interesting to see that you recorded the same attack about 2 years ago. I am very curious to understand how these bot works and what is the aim of those who run them for such a long time. I am pretty sure that these bot perform some sort of cache poisoning, spreading fake addresses/ports in order to prune off connections and hamper Gnutella functioning. Maybe they are persistently run by RIAA fellows?
For sure this IP range should be included in hostiles.txt

I realise this is now an old thread and last reply 18 months ago but feel a growing desire to point out some issues. I've been putting together custom host files for some of the gnutella apps since the start of the decade (if not earlier.) I discovered some issues early on that still appear to be an issue now. I find this every time I put together a fresh host file (these days generally six monthly.)

Whenever I check the gnutella.net file used by all of the LIME code based programs there are numbers of hosts that are between 4 to 8 months old. How can I be sure that they are this old? One clue is them using dynamic ip addressing which expires after 3 or 6 weeks in cases of some ISP's. When I check the last time either WireShare or Phex have connected to the host it shows that suggested age of many months. What's alarming about this is that the hosts are often listed up around the top (or bottom should I say where the most recent hosts are added ~ within about the bottom 20 hosts.) My WireShare is used 24/7 with sessions lasting between one to three weeks.

How can a host not seen for 6 months be considered for sharing to other hosts? There might be more than one reason. I suspect the built-in system (GTK, LIME, etc.) sharing of hosts might be flawed. What happens if a host that has not used the network for half a year becomes an ultrapeer after an hour or few hours? Is it only sharing hosts recently discovered or is it also sharing hosts from a back-log of 6+ months ago?

I am aware GTK dates DHT hosts. I've also seen transactions where a host was dated as being between one to six days of age (though I don't know if the age of a host was due to GTK or WireShare's process or both.)

I first started working on the BearShare host file in 2011 and after a year or two I started to discover old hosts being added to the BearShare host file that had not been seen for over a year or even up to 3 years. Even at that time I had become aware of some ISP's that either used highly dynamic ip or relatively short-term Sticky Dynamic ip addressing of 3 or 6 weeks. I saw examples of the same hosts being included on the host file between 6 to 10+ times with different addresses. Again, some not seen for over a year or two. I originally wondered/suspected if one or more GWC's were at fault.

45.63.110.*:41481,86400,1497359030241,,15089234184 07;1508809867708;1508664928045,en,,0,ACTIVE,, (connection dates: 25 May 2017 to 13 June 2017)
Listed 9th on WireShare's gnutella.net host file yet not on hostiles & only ever sighted twice. None of the 7 Phex host files from 25 Sep-8 Nov lists this host. Nor any of the 6 files from 23 Aug-24 Sep. A host is distributing incorrect/out-of-date data or is this host really active?
Also 88.151.72.*:63667,86400, gtk-gnutella not sighted since 21 May & only seen since 15 May. Host address is Austria ISP Mag. Erwin Leitner & is a dynamic range. Another, 91.64.242.*:28049,86400, gtk-gnutella last sighted 14 Aug, first sighted 25 July. Germany Vodafone Kabel Deutschland & is dynamic. Their ip’s only last a few weeks from memory. So why is this and many other hosts being listed so high up the G file list & listed as 24/7.

Examples:
(ip addresses edited with * for privacy purposes.)

What is possibly alarming is that a very large number of these hosts are GTK-Gnutella hosts. But this is probably coincidental.

Question is, is this purely due to the possibility of PyGnutella or other reasons?
At least the PyGnutella ip ranges you listed are on the WSHR/LIME hostiles I use so in theory no direct contact should be possible.

One thing I like about the Phex host file management system is it caches around 95% of connected ultrapeer hosts to file, updating every 5 minutes. So it does give a good snapshot of a small section of the network at any given time.


Off-topic:
I often used to see GTK-Gnutella struggle to download files (from an observation point of view as an uploader.) But GTK versions since at least early 2016 I suspect might have fixed this issue because the only occasions I've seen it since are those using older GTK versions of a few years ago.

I recall last decade the upload topography might change every day or two. One day it might be mostly audio files, day or two later video or image files, etc. Presently I share 46% audio files but without exaggeration 5% or less of my uploads are audio. Has something changed?

Hello, since I cannot answer your questions, I forwarded your post to ram, the main developer of GTKG. Unfortunately he is currently unable to access the forum.
He answers: "regarding the hostiles, I think banning IP is wrong, unless there is an *expire* time put on the ban and periodic re-checks are made. Second, regarding the file sharing itself, the code has not changed in GTKG. The only thing that I changed recently in 1.1.13 was fixing an old QRP (Query Routing Protocol) bug."

From my point of view I noticed that now using GTKG version 1.1.13 the host cache for leaves and ultrapeers fills up reaching a steady level after a few days. Using the bugged version 1.1.12 instead the regular hosts (leaves) cache gradually emptied, while the ultrapeers cache filled up to the limit. This gave me the (probably) false impression that Gnutella network had too much ultrapeer nodes.

Thanks for the reply and for the effort to have ram give a response.

As for forum accessibility, there's a chance it's due to the site being flagged in browser or computer security. Several years back this occurred due to dubious advertisement(s) that had issues. I guess putting gnutella forum on the safe list might be attempted, though ram probably doesn't need to visit here very often. :D

I understand the arguments against re: hostile ip blocking. Though some people feel safer using something of that nature. In my experience this decade I have come across investigative hosts (police from various parts of the world) via connections or either way browsed or downloading from me and frankly some people would prefer not to come into contact with them if they could avoid it. I'm not going to list all the pro reasons. At least with GTK-Gnutella a person can disable the ability for others to browse them which blocks out browse-bots. Other bots can potentially be blocked by pseudo version they might use. Such as LimeWire/4.21.1 (rc), specifically LimeWire 4.16 (no sub-version), etc. Though that obviously does not count for all of them.