|
Kad Ip/id Hijacking?
user459
Group:
Members
Posts:
1
Joined:
22-October 05
Posted 22 October 2005 - 02:15 AM
Within the last 2 days I've had the Kad Network"my ip" change to 202.98.20.194 or 202.38.14.250. And when I googled one of the ip another user has the same problem. It also changes the preferences irc and server, updates & turns on.
I have updated to 46c and reinstalled, problem returns in a hour.
With 46c i'm getting icmp like crazy.
0
euthymos
Group:
Members
Posts:
4
Joined:
23-August 06
Posted 23 August 2006 - 07:37 PM
I get the same problem. Please take this issue seriously. 
0
leuk_he
Group:
Members
Posts:
5975
Joined:
11-August 04
Posted 23 August 2006 - 07:40 PM
Problem is kad fakers, it does not matter what client you take.
At least some logging needs to be added who sends fak kad ip adresses.
Download the MorphXT emule mod here: eMule Morph mod
Trouble connecting to a server? Use kad and /or refresh your server list
Strange search results? Check for fake servers! Or download morph, enable obfuscated server required, and far less fake server seen.
Looking for morphXT translators. If you want to translate the morph strings please come here (you only need to be able to write, no coding required. ) Covered now: cn,pt(br),it,es_t,fr.,pl Update needed:de,nl
-Morph FAQ [English wiki]--Het grote emule topic deel 13 [Nederlands]
if you want to send a message i will tell you to open op a topic in the forum. Other forum lurkers might be helped as well.
0
moloko+
Group:
Members
Posts:
1209
Joined:
18-August 05
Posted 01 September 2006 - 09:57 PM
erm, these guys:
Cyberverse Online - Ed2k Antip2p:66.180.205.51-66.180.205.71
...from the openmedia.info IP filter.
...the reported GetIPAddress() returns a reversed IP like:
51.205.180.66
52.205.180.66
53.205.180.66
54.205.180.66
to
71.205.180.66
then they start pinging 66.180.205.51-66.180.205.71
they are IP filtered so they fail but they keep returning.
(disappeared for now) 
a good IP filter helps...
0
netfinity
Group:
Members
Posts:
1658
Joined:
23-April 04
Posted 01 September 2006 - 10:26 PM
I have also encountered this attack and I usually update my IP filter once a month. I think some bad client spam the network with KADEMLIA_FIREWALLED_RES and an IP of a not so nice client so that your mule will tell everyone to contact you at the bad guys IP.
I think the KAD network need to be secured so it doesn't accept response messages if there hasn't been a request recently to the given IP.
I bet there is some serious attempts to kill the KAD network that is going on because I so large number of nodes in the Contact list that have identical ID's. Currently the KAD network has no protection whatsoever as I can see against hash polution and other attacks.
So, I think it is time to start looking into validating all responses we get from the network and check any node lists we got and maybe implement some sort of blacklist system.
/netfinity
eMule v0.50a [NetF WARP v0.3a]
- Compiled for 32 and 64 bit Windows versions
- Optimized for fast (100Mbit/s) Internet connections
- Faster file completion via Dynamic Block Requests and dropping of stalling sources
- Faster searching via KAD with equal or reduced overhead
- Less GUI lockups through multi-threaded disk IO operations
- VIP "Payback" queue
- Fakealyzer (helps you chosing the right files)
- Quality Of Service to keep eMule from disturbing VoIP and other important applications (Vista/7/8 only!)
0
Some Support
Group:
Yes
Posts:
3669
Joined:
27-June 03
Posted 02 September 2006 - 10:08 AM
Will be fixed in the next version (at least this special case of IP spamming)
netfinity
Group:
Members
Posts:
1658
Joined:
23-April 04
Posted 07 September 2006 - 04:08 PM
Great! I haven't seen the problem with the IP address for a while but I'm not 100% sure as I haven't noticed any spamming either.
However I've noticed that fake nodes seem to be very spread as out of 4 KAD 2.0 response packets I've seen in my LAN capture I saw these strange entries. NOTE! The IP addresses are printed in reverse order as I didn't notice that KAD protocol uses reverse network order for IP addresses.
1) Different KAD ID's but same IP/Port
eDonkey/eMule Protocol
eD2k Message
Protocol: Kademlia packed (0xe5)
Message Type: Response (Kad 2.0) (0x29)
Target ID: 424957874214385686F20AAC55C68921
Peer(s): 9
Size: 9
Kademlia Peer
Contact ID: 42495EEDFD9275B46EEFE1ECBAD16811
IP: 135.17.180.24 (135.17.180.24)
UDP Port: 9414
Port: 9395
Type: 1
Kademlia Peer
Contact ID: 42494E12B95810B474889DDBAE1B90EF
IP: 218.160.112.140 (218.160.112.140)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 42491498CA6463F2340ACFAFAD71BBA2
IP: 66.116.98.202 (66.116.98.202)
UDP Port: 53
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424914BB98DEAD55F7545A5280EC8D8F
IP: 66.116.98.202 (66.116.98.202)
UDP Port: 53
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 42490492B95810B474889DDBAE1B90EF
IP: 20.175.99.202 (20.175.99.202)
UDP Port: 53
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 4249049F4279349CC5866DED0942C4AA
IP: 14.79.141.211 (14.79.141.211)
UDP Port: 1028
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424904B70BDFA630B617003DC81361FC
IP: 20.175.99.202 (20.175.99.202)
UDP Port: 53
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424904CD9E187846AD14B74C88210674
IP: 20.175.99.202 (20.175.99.202)
UDP Port: 53
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424904DD5597F21820EF36E05CB2B7DF
IP: 20.175.99.202 (20.175.99.202)
UDP Port: 53
Port: 4662
Type: 1
2) Almost identical KAD ID's but different IP/Ports
eDonkey/eMule Protocol
eD2k Message
Protocol: Kademlia packed (0xe5)
Message Type: Response (Kad 2.0) (0x29)
Target ID: 424FF78E5B7DC11271597FF94346D480
Peer(s): 8
Size: 8
Kademlia Peer
Contact ID: 424FF31C3E370E630D0939444D6F2111
IP: 52.205.180.66 (52.205.180.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424FF1283E370E630D0939444D6F2111
IP: 213.195.186.66 (213.195.186.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424FF0513E370E630D0939444D6F2111
IP: 63.205.180.66 (63.205.180.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424FFE159F7A0FB7FBDD8475AC8A8794
IP: 130.247.134.219 (130.247.134.219)
UDP Port: 5154
Port: 5144
Type: 1
Kademlia Peer
Contact ID: 424FFC373DFA23C5362DE2E034541F49
IP: 228.173.134.213 (228.173.134.213)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424FFB7A9503A0A23EAA34EB0A50335E
IP: 209.90.129.220 (209.90.129.220)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424FFAB76E46AF0ACECCB8CCE1D44376
IP: 61.148.64.82 (61.148.64.82)
UDP Port: 41
Port: 40
Type: 1
Kademlia Peer
Contact ID: 424FFAE33E370E630D0939444D6F2111
IP: 222.195.186.66 (222.195.186.66)
UDP Port: 4672
Port: 4662
Type: 1
3) Was completly as one would expect, so no need to look at that one.
4) Same thing as number 2, but worse
eDonkey/eMule Protocol
eD2k Message
Protocol: Kademlia packed (0xe5)
Message Type: Response (Kad 2.0) (0x29)
Target ID: 424C2D0E4D959FB5AA637235716106AF
Peer(s): 9
Size: 9
Kademlia Peer
Contact ID: 424C29503E370E630D0939444D6F2111
IP: 66.205.180.66 (66.205.180.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424C2B703E370E630D0939444D6F2111
IP: 64.205.180.66 (64.205.180.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424C3474DAFDC54FA0248971FF037CB8
IP: 12.46.44.83 (12.46.44.83)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424C349C3E370E630D0939444D6F2111
IP: 215.195.186.66 (215.195.186.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424C34B83E370E630D0939444D6F2111
IP: 58.205.180.66 (58.205.180.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424C36A13E370E630D0939444D6F2111
IP: 212.195.186.66 (212.195.186.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424C31463E370E630D0939444D6F2111
IP: 213.195.186.66 (213.195.186.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424C33993E370E630D0939444D6F2111
IP: 66.205.180.66 (66.205.180.66)
UDP Port: 4672
Port: 4662
Type: 1
Kademlia Peer
Contact ID: 424C325DA9B47C34CB878296D6A6C24A
IP: 28.4.26.85 (28.4.26.85)
UDP Port: 4672
Port: 4662
Type: 1
Did you notice that all the suspicious nodes comes from the 66.180 or the 66.186 IP ranges?
Might be worth to look into as I would say that 3 out of 4 packets containing possibly fake nodes is a bit worrying!
/netfinity
eMule v0.50a [NetF WARP v0.3a]
- Compiled for 32 and 64 bit Windows versions
- Optimized for fast (100Mbit/s) Internet connections
- Faster file completion via Dynamic Block Requests and dropping of stalling sources
- Faster searching via KAD with equal or reduced overhead
- Less GUI lockups through multi-threaded disk IO operations
- VIP "Payback" queue
- Fakealyzer (helps you chosing the right files)
- Quality Of Service to keep eMule from disturbing VoIP and other important applications (Vista/7/8 only!)
0
moloko+
Group:
Members
Posts:
1209
Joined:
18-August 05
Posted 08 September 2006 - 01:16 PM
netfinity, on Sep 8 2006, 02:08 AM, said:...
NOTE! The IP addresses are printed in reverse order as I didn't notice that KAD protocol uses reverse network order for IP addresses.
...
doh! me too... 
i guess it's another range for the IP filter (66.186).
Another circumstance is where the remote client continuously changes UDP port but i don't know how this would be so if only 3 clients are accepted per IP...
the range this occurs in is:
Swipnet Staff, ES:83.180.160.0-83.180.191.255
...i don't have the original logs (purged every month) as i've since blocked that range.
0
netfinity
Group:
Members
Posts:
1658
Joined:
23-April 04
Posted 08 September 2006 - 05:01 PM
Well, all these IPs are in the IP filter but not everyone uses the IP filter or update it regularly.
I have made some changes to Kad in my mod that eMule would probably slow down the propagation of fake nodes.
1) Only accept bootstrap responses if we sent an bootstrap request (copied the firewall check code)
Bootstraps are not filtered otherwise and therefore fair game for an attacker.
2) Only accept node search responses if we actually searched for the target node (using AlreadySearchingFor func.)
This stoppes some spamming of nodes.
3) Only accept 1 node per IP range (20 bit networks) for each node search response
This reduces the number of fake nodes that can be propagated in one go.
4) Only update node on a hello response and never add one
Hello requests are always sent to known nodes so the response should always be known. If not that node is probably fake using alot of different ID's, so better not trying to store it then.
There is a lot more that can be done to deal with these kind of offenders.
1) Only allow 1 node per IP address (this can be a bit messy to implement, but not impossible)
It appears that the fake Kad nodes are using multiple ID's to increase the chance of getting targeted by search requests.
2) Limit the number of hello requests accepted from a single IP
This would make node spamming via this method less efficient.
/netfinity
eMule v0.50a [NetF WARP v0.3a]
- Compiled for 32 and 64 bit Windows versions
- Optimized for fast (100Mbit/s) Internet connections
- Faster file completion via Dynamic Block Requests and dropping of stalling sources
- Faster searching via KAD with equal or reduced overhead
- Less GUI lockups through multi-threaded disk IO operations
- VIP "Payback" queue
- Fakealyzer (helps you chosing the right files)
- Quality Of Service to keep eMule from disturbing VoIP and other important applications (Vista/7/8 only!)
0
dvader
Group:
Members
Posts:
10
Joined:
28-June 03
Posted 07 February 2007 - 11:41 AM
Am I percepting something wrong, but from what I saw, everytime client is successfully connected with a client KS_CONNECTING_FWCHECK, state is changed to KS_CONNECTED_FWCHECK and each time KS_CONNECTED_FWCHECK is detected KADEMLIA_FIREWALLED_ACK_RES is sent and each KADEMLIA_FIREWALLED_ACK_RES increase firewalled counter?
(责任编辑:)
|
