Bugtraq mailing list archives

Gnutella Built-in DoS


From: Robert Stoll <bob () esr com>
Date: Thu, 6 Sep 2001 12:52:30 -0400

Hello all,
   I found what I believe may be a built-in DoS of sorts in Gnutella.  For
those of you who are not familiar with Gnutella, it is a peer-to-peer file
sharing system that popped up a while back as one of the many alternatives to
Napster.  Gnutella is more of a protocol specification than an application
so it has many different clients such as Gnotella, LimeWire, and BearShare
among others.  Once on the network, the Gnutella client connects to other
hosts running Gnutella and starts exchanging lists of "up" hosts and search
queries.  This (at least on my machine) creates about 5-45k worth of
background noise while the client is running.  Additional bandwidth gets
consumed when the user downloads files from someone else or vice versa.
   One of the many features of Gnutella is that it is firewall-aware and
will allow the user to force the client to advertise a different IP address
than is actually on his or her machine to allow for any NAT that may be
going on.  The client will also allow the user to change the port that
incoming clients will connect to as well.
   The problem is that the software has no way of verifying what values the
user has set, which of course can lead to mischief.  I can set the
advertised IP address and port to arbitrary numbers and the result will be
that the target machine will be bombarded with hundreds of inbound TCP
connections from Gnutella clients looking for information.  Do this with
enough clients and you have a re-incarnation of the old Smurf attack.  As of
this writing, I have verified this with the Gnotella and LimeWire clients.
I will be testing other clients as well but I am confident they will work
the same way.


Bob... 
 
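A receiving client can check part of what the post says goes unverified. The following is an added example, not part of the original post or of any Gnutella client: it assumes the Gnutella 0.4 pong layout (23-byte header, then little-endian port and network-order IPv4 address) and compares the advertised address of a pong from a direct neighbour with the TCP peer address before the host is cached. The function names and the sample descriptors are constructed for illustration.

```python
import ipaddress
import struct

HEADER_LEN = 23        # GUID(16) + type(1) + TTL(1) + hops(1) + payload length(4, LE)
PONG = 0x01
PONG_PAYLOAD_LEN = 14  # port(2, LE) + IPv4(4, network order) + files(4) + kbytes(4)


def build_pong(hops, ip, port):
    """Constructed sample descriptor, used only to exercise the checks below."""
    header = struct.pack("<16sBBBI", b"\x00" * 16, PONG, 7, hops, PONG_PAYLOAD_LEN)
    return header + struct.pack("<H4sII", port, ipaddress.IPv4Address(ip).packed, 0, 0)


def parse_pong(descriptor):
    """Return (hops, advertised_ip, advertised_port), or None if not a well-formed pong."""
    if len(descriptor) != HEADER_LEN + PONG_PAYLOAD_LEN:
        return None
    _guid, ptype, _ttl, hops, plen = struct.unpack("<16sBBBI", descriptor[:HEADER_LEN])
    if ptype != PONG or plen != PONG_PAYLOAD_LEN:
        return None
    port, raw_ip = struct.unpack("<H4s", descriptor[HEADER_LEN:HEADER_LEN + 6])
    return hops, ipaddress.IPv4Address(raw_ip), port


def accept_advertised_host(descriptor, socket_peer_ip):
    """Decide whether the advertised host may enter the local host cache."""
    parsed = parse_pong(descriptor)
    if parsed is None:
        return False
    hops, ip, port = parsed
    # Addresses no peer can legitimately be reached on are dropped outright.
    if port == 0 or ip.is_loopback or ip.is_multicast or ip.is_unspecified \
            or ip.is_link_local or ip.is_reserved:
        return False
    # hops == 0 means the directly connected neighbour generated this pong, so
    # its advertised address can be compared with the address the TCP connection
    # actually came from (behind NAT, the forced IP should equal that address).
    if hops == 0 and ip != ipaddress.IPv4Address(socket_peer_ip):
        return False
    # Relayed pongs (hops > 0) cannot be checked this way and pass through here.
    return True
```

The advertised port and relayed pongs stay unverified by this check, so the exposure the post describes is narrowed rather than closed.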


