
Other TCP applications / Gnutella

There are a vast number of different TCP-based applications, and certainly some of them will provide some form of relaying, implicit or otherwise, that can be exploited by an attacker to serve as a reflector (e.g., SMTP relays [Po82]; FTP servers and PORT directives [PR85]).

For nearly all of these, however, the same limitation applies as stated above for HTTP reflectors: triggering the reflection requires a non-spoofed connection from the slave to the reflector, which then exposes the slave to traceback.

An exception, however, is Gnutella [Gn00]. As explained in [Be00b], Gnutella includes a "push" facility analogous to an FTP PORT directive that instructs the server to connect to a given IP address and port in order to deliver the Gnutella item. However, the key difference between this form of reflection and that for FTP is that the Gnutella "push" directive can first propagate through the Gnutella network, becoming separated from the client (in our case, the slave) that injected the request. Thus, while the victim can readily trace back to the Gnutella server that is attempting to connect to the victim, the next step of tracing back to the slave is essentially impossible: the request has lost its origin, and there is no information that the Gnutella server can log, other than its immediate neighbor who passed along the request. While in principle with enough logging one could trace back the chain from neighbor to neighbor to (eventually) the requesting client, it seems certain that this will prove administratively impossible. The only apparent fix would be to modify the protocol to include propagation path information with "push" directives.
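The traceback problem described above can be seen in a toy model, added here as an illustration and not taken from the original paper or from any Gnutella implementation. The node names, the log layout and the `record_path` option are assumptions; the model does not reproduce the Gnutella wire format.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    log: list = field(default_factory=list)  # (request_id, previous_hop) pairs

def relay_push(route, request_id, record_path=False):
    """Relay one push request along route (injecting client first, serving
    node last). Every node logs only the neighbor it heard the request from.
    With record_path=True each receiver also appends that neighbor to the
    message, modeling the protocol change proposed in the text."""
    message = {"id": request_id, "path": []}
    for sender, receiver in zip(route, route[1:]):
        receiver.log.append((request_id, sender.name))
        if record_path:
            message["path"].append(sender.name)
    return message

def trace_by_logs(nodes, start, request_id, cooperating):
    """Walk back neighbor to neighbor from `start`, reading only the logs of
    nodes in `cooperating`. Returns the chain of node names reached."""
    chain, current = [start], start
    while current in cooperating:
        prev = next((p for rid, p in nodes[current].log if rid == request_id), None)
        if prev is None:          # no earlier hop logged: this node injected it
            break
        chain.append(prev)
        current = prev
    return chain

def build_overlay(names):
    """Create one Node per name, keyed by name."""
    return {n: Node(n) for n in names}

# Constructed sample overlay: the slave injects, three peers relay, one serves.
NAMES = ["slave", "peer1", "peer2", "peer3", "server"]

if __name__ == "__main__":
    nodes = build_overlay(NAMES)
    msg = relay_push([nodes[n] for n in NAMES], "req-1", record_path=True)
    print(trace_by_logs(nodes, "server", "req-1", {"server"}))  # server's log only
    print(trace_by_logs(nodes, "server", "req-1", set(NAMES)))  # every log available
    print(msg["path"])                                          # path carried in-band
```

With only the serving node's log the trace stops at its immediate neighbor; reaching the injecting client needs every intermediate log, whereas the path-recording variant delivers the chain with the request itself.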

Finally, other large overlay networks (IRC, distributed games) may have similar functionality that can be exploited.

Summary: Gnutella could be a major problem.


Vern Paxson
2001-06-26