General Gnutella / Gnutella Network Discussion For general discussion about Gnutella and the Gnutella network. For discussion about a specific Gnutella client program, please post in one of the client forums above. |
I am seeing a lot of connections to some IP addresses with the same two starting numbers, like 216.34.XXX.XXX and they are ultrapeers using gnuc. They connect for a little while and drop off, then I see another connection right after that for the same IP block, maybe with a different port number also and it goes on and on for a while. We know who has the money and time to buy blocks of IPs to try to do this, it's some sort of DOS attack to try to shut down the network by making nodes think they are connected when they are not really. The defense for this is easy, never connect to just one ultrapeer and check if it has good traffic or not by sending some test searches or something. If the people who are doing this are who I think they are, then they are trying to shut down a perfectly LEGAL network and if they are tracked down (follow the money) they should be held accountable same as any other person doing a DOS attack to shut down an internet site or section of the internet. So beware!

Would you suggest then these addresses should be blocked? I came across these:
http://www.gnutellaforums.com/showth...threadid=17691
http://www.gnutellaforums.com/showth...hlight=216.%2A

Last edited by Lord of the Rings; March 18th, 2005 at 05:15 AM.

I'm seeing..
64.15.174.*
64.14.210.*
64.14.225.*
66.128.227.*
216.114.64.*

and ports on these same IPs keep going up as you connect, like this:
64.14.225.xx:6358
64.14.225.xx:6359
64.14.225.xx:6360
64.14.225.xx:6361
64.14.225.xx:6362
64.14.225.xx:6363

Since this doesn't stay connected long I would say the reason for this is simply trying to tie up as many nodes as possible, thus reducing the size of the network. I call that a DOS attack! All they do is seed the hostlist when you connect so your hostlist gets full of their crap. Someone should track this down and trace it back to you know who and counter sue the crap out of those *******s!

please refrain from posting exact addys here...we should not be held responsible for your possible chicanery

Last edited by Peerless; March 18th, 2005 at 03:09 PM.

Are they those broken Gnucleus 1.8.4 hosts or are they using a newer implementation? I see a lot of Gnucleus spam results these days too. Ciao

As you can see from the many ports open at those addresses, this is a modified version of, well, anything. They could be saying it's gnuc but maybe it's not. It was like 2.0.6 or something like that but it could say joesbarandgrill 5.6.5. The point is that it plugs up your connections and you can't search. For those of you running programs that don't show the connections, this will be hard to figure out. All you will know is for some reason you can't search but yet you seem to be connected to a lot of nodes, or one ultrapeer if that's the way your client developer programmed it. I just started putting those addresses in my block list and it has pretty much stopped. So if you have a block list, just add those in and watch your connections for an ultrapeer that just sits there doing nothing.

This is a modified client, the SAME IP has many ports numbered in sequence. 6350, 6351, 6452, 6353, 6354. Isn't anyone else seeing this or do most of these clients hide the connection list? If they do, then they are doing you a great disservice, because this attack will make it seem like you can't search for anything! Checking into it further, it reports as Gnucleus 2.0.0.6, which could easily be changed, any idiot can change a print statement. And the headers say GnucDNA 1.0.2.4. It then does all the GNUTELLA/0.6 OK stuff and then sends up to 30 small packets of who knows what and just sits there. It doesn't send any searches, which a normal client does do right away. What makes me think this is an attack is the many port numbers at the same IP address. Other versions of Gnuc connect just fine, as does bearshare, limewire etc.. so if it's a problem with this version of Gnuc, what changed to make it so incompatible? It smells like an attack to me. Walks like a duck...

These nodes connect, send you some packets and do nothing else! No searches, if you are connected to them they do not pass on searches and they respond to nothing, mp3, mpg, avi, a e i o u, fart, mega, big, kinky, homeless, more, less, and, the, at, me, run, dont, freak, and a whole lot of other words. It's an attack. Why aren't you people seeing this on your clients? Does your client show you a list of connected nodes? Have you ever had a lot of connections and then not be able to search for anything? This is the reason!

We are seeing those spammers! I, for one, am too used to being spammed so I don't care anymore (never tried to dl a spam link too, they are so easy to spot). In future LW might include banning by sha1 (patch actually submitted by an open sourcer) and a confidence system (Credence or home brew). We'll see, the attack is bearable for now. Ciao

This is a CONNECTION issue, not a spam file issue, that's old and the files are easy to spot because they are small. If you have a connection list, you will see a lot of connections to the same IP but different ports. You will see a lot of connection attempts that will fail, and the list will show the same IP over and over with different ports going up in number sequence, or close to that. These connections do not return search results at all, they "surround" your node and give you nothing! They prevent you from searching. The attackers are counting on the fact that most of these "clients" out there hide the connection list because users think it's boring to look at. These nodes will drop off for lack of activity if your client does that, but then a bunch more on different ports come on and you are stuck. You have to block these IPs and it's not easy.
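
Added example, not part of any post in this thread: a Python sketch of the check the posters describe doing by eye on the connection list, flagging an address block when several of its peers connect on climbing port numbers and none of them ever sends a query. The log tuples, thresholds and function names are assumptions, and the sample addresses are constructed documentation ranges.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of a client's connection list (not data from the thread):
# (remote_ip, remote_port, queries_received_from_peer)
SAMPLE_LOG = [
    ("192.0.2.10", 6358, 0),
    ("192.0.2.10", 6359, 0),
    ("192.0.2.10", 6360, 0),
    ("192.0.2.77", 6361, 0),
    ("198.51.100.5", 6346, 212),
    ("198.51.100.9", 6346, 57),
    ("203.0.113.20", 6346, 0),  # a single idle peer is not a pattern
]

def longest_port_run(ports, max_gap=2):
    """Length of the longest run of ports climbing in steps of <= max_gap."""
    ports = sorted(set(ports))
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur - prev <= max_gap else 1
        best = max(best, run)
    return best

def suspicious_blocks(log, prefix=24, min_conns=3, min_run=3):
    """Return address blocks whose peers are all silent and use climbing ports.

    prefix, min_conns and min_run are assumed thresholds; tune them against
    what a normal connection list looks like for your client.
    """
    by_block = defaultdict(list)
    for ip, port, queries in log:
        block = ip_network(f"{ip}/{prefix}", strict=False)
        by_block[block].append((port, queries))
    flagged = []
    for block, conns in by_block.items():
        silent = all(q == 0 for _, q in conns)        # never sent a search
        run = longest_port_run([p for p, _ in conns])  # near-sequential ports
        if len(conns) >= min_conns and silent and run >= min_run:
            flagged.append(str(block))
    return sorted(flagged)

if __name__ == "__main__":
    for block in suspicious_blocks(SAMPLE_LOG):
        print("candidate for block list:", block)
```

The `max_gap` tolerance covers port sequences that climb "in number sequence, or close to that"; requiring several silent peers per block keeps one idle but legitimate ultrapeer from being flagged.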