Gnutella Forums


locust July 20th, 2002 01:43 AM

unexpected asf files in search results- anyone else?
 
I'm seeing a pattern of results when I search for certain rare files. I'll get no results, except for either 6 or 12 .asf files, three of which are named "!!_", with size 301KB. Try it yourself with an obscure movie name or something. Try it a few times, it is not consistent. Is anyone else experiencing this?

bad_vlad July 20th, 2002 01:56 AM

mystery files
 
yup - experienced something very similar except the files had a slightly different name - it seems someone is being a nuisance - I blocked the source host and haven't had the problem since (and it was happening EVERY search) - I blame Hilary Rosen myself

bad_vlad

VTOLfreak July 20th, 2002 02:35 AM

Although that malicious client renames the file every time it gets a query, it should be easy to block.

If we just had a feature to block files with a certain hash...
Even if they rename the file, the hash stays the same.
Knowing this, you can start building "blocklists".

bobomon July 20th, 2002 07:36 AM

Quote:

I'm seeing a pattern of results when I search for certain rare files. I'll get no results, except for either 6 or 12 .asf files, three of which are named "!!_", with size 301KB.
I have found it useful to (in addition to filtering the IP) also filter files with the unique string in them such as !-! and !!_ that way I don't get the same files from other users who have inadvertently left them in their shared folder. I actually filter out ASF altogether as I have never downloaded one that had the content I wanted.

Paradog July 20th, 2002 07:43 AM

Isn't it possible to simply block the host?

VTOLfreak July 20th, 2002 10:56 AM

We need a fail-proof system.
Blocking by hash is one solution until they start to mutate the content of files.

Paradog July 20th, 2002 01:06 PM

Well, I have thought about that problem (fake files) too..
If *they* (no idea who I mean) think a bit further *they* could code a client which sends queryhits to all queries with some better filenames like:
Query = gescheiterten existenzen vogel
Queryhit = "Gescheiterten_Existenzen - Vogel.mp3"

You just have to set up a database of the artist or program name to do so.

Then *they* could just let *their* servent send 000000s
till the size of the file is reached. (Usually an mp3 song is about 4 mb big, so send a file with size = 4 mb +/- random value which has only 0s in that file.)

Hashing wouldn't stop that either because the hash is different if you add some more bytes to that file, or am I wrong?

VTOLfreak July 20th, 2002 01:45 PM

You are right. But most of these clients only change the filename.

locust July 22nd, 2002 01:31 PM

Good, I'm glad other people have noticed these anomalous search results. I blocked the IP, as bad_vlad suggested, and problem is solved, for now. It is interesting to note that blocking only one IP solved the problem (*IP address removed*) and that that IP address is associated with a web hosting firm in Los Angeles.

It is possible to design a malicious attack based on the strategy of responding to every search string (a la Paradog) that is much more effective than what we are seeing now (assuming this is a malicious attack, of course). If this is an attack on the gnutella network, it is then reasonable to assume that it is just a trial run to debug, test expected bandwidth, etc., and that more sophisticated attacks will follow shortly. More IPs, more sophisticated file naming schemes, random file sizes, viruses, etc.

I read something a few weeks ago about some proposed legislation in the U.S. that would make this kind of malicious attack legal for "content owners" or something... does anybody have a link for more info on that?

OTOH, maybe it is not an attack, maybe someone is testing their new, poorly designed gnutella client.

igalan July 23rd, 2002 12:27 AM

Quote:

Originally posted by locust
Good, I'm glad other people have noticed these anomalous search results. I blocked the IP, as bad_vlad suggested, and problem is solved, for now. It is interesting to note that blocking only one IP solved the problem (*IP address removed*) and that that IP address is associated with a web hosting firm in Los Angeles.

I have also blocked that IP because it was returning results for any query (fakes, of course). But later I have added a filter to block IPs in the Firewall, this way I block IPs from potentially unsafe IPs (Cyveillance, Warner, Media Force), this way I have protected every P2P prog that I may use :D . I keep the list of blocked IPs updated, just in case...
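
The three filters discussed in this thread (host block, filename marker strings, content hash) can be compared side by side. The following is an added example, not code from any poster or Gnutella client; the addresses, file names and payloads are constructed, SHA-256 is an assumed hash choice, and each hit carries its bytes directly as a stand-in for whatever hash a client would obtain.

```python
import hashlib

# Every value here is constructed for illustration; none comes from the thread.
BLOCKED_HOSTS = {"192.0.2.10"}        # documentation-range address
BLOCKED_NAME_PARTS = ("!!_", "!-!")   # marker strings mentioned in the thread


def content_hash(data):
    # SHA-256 is an assumption; the thread does not name a hash function.
    return hashlib.sha256(data).hexdigest()


def verdict(hit, blocked_hashes):
    """Return the name of the first rule that rejects a hit, or None to keep it."""
    if hit["host"] in BLOCKED_HOSTS:
        return "host"
    if any(part in hit["name"] for part in BLOCKED_NAME_PARTS):
        return "name"
    if content_hash(hit["data"]) in blocked_hashes:
        return "hash"
    return None


def classify(hits, blocked_hashes):
    return [verdict(hit, blocked_hashes) for hit in hits]


FAKE = b"constructed fake payload " * 8
BLOCKED_HASHES = {content_hash(FAKE)}

SAMPLE_HITS = [
    # Original source host: caught by the host block.
    {"host": "192.0.2.10", "name": "!!_rare_movie.asf", "data": FAKE},
    # Copy left in another user's shared folder: caught by the name filter.
    {"host": "198.51.100.7", "name": "!!_rare_movie.asf", "data": FAKE},
    # Renamed copy: name filter misses it, the hash still matches.
    {"host": "198.51.100.7", "name": "rare_movie.asf", "data": FAKE},
    # Same content with extra bytes: the hash no longer matches (Paradog's point).
    {"host": "198.51.100.7", "name": "rare_movie.asf", "data": FAKE + b"\x00" * 16},
    # Unrelated file from an unrelated host: kept.
    {"host": "203.0.113.5", "name": "holiday.mp3", "data": b"constructed real file"},
]

if __name__ == "__main__":
    for hit, why in zip(SAMPLE_HITS, classify(SAMPLE_HITS, BLOCKED_HASHES)):
        print(f"{hit['host']:<14} {hit['name']:<20} {why or 'kept'}")
```

The fourth hit is kept by all three rules, which is why the thread treats hash blocking as one layer alongside host and name filtering rather than a complete answer.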


All times are GMT -7.