Official eMule-Board: Weird Kad Nodes Id - Official eMule-Board


Weird Kad Nodes Id

#21 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 08 March 2011 - 03:49 AM

Three more keywords found to be under attack: bitch, shit, japan.

The attackers are also using some IPs in the range (approximately) 58.17.146.xx - 58.17.154.xx.



[EDIT]
Two keywords in Chinese: 屁眼 , 肛门 . :thumbup:
Which according to wikipedia means:
pìyǎn 屁眼 - anal orifice, asshole
gāngmén 肛门 - anus (medical term), literally "door of anus".
http://en.wikipedia....inese_profanity

手淫 and 自慰 make it four

Quote

Male masturbation, at least, has several vulgar expressions, in addition to two formal/scientific ones that refer to both male and female masturbation (shǒuyín 手淫 and zìwèi 自慰)


ten more:

打手枪 = male masturbation (lit. "firing a handgun")
口交 = oral sex, blowjob
打炮 = to have sex (lit. to let off fireworks)
鸡巴 = cock
阴茎 = penis (scientific)
龟头 = turtle's head (glans/penis)
阴道 = vagina (scientific)
阴户 = vulva (scientific)
咪咪 = (literally cat's purring "meow meow") is a euphemism for breast
波霸 = woman with very large breasts
:shock:
[/EDIT]

This post has been edited by Nissenice: 08 March 2011 - 11:17 AM

0

#22 Ejack79

  • Splendid Member
  • Group: Members
  • Posts: 155
  • Joined: 25-August 09

Posted 09 March 2011 - 12:27 AM

Oh, Nissenice, what you post is all porny Chinese words, very very bad...
:bounce:

If SOMEONE is attacking these keywords, it may be banning porny keywords in Chinese.
Who is doing these? The gunverment???

I am a shitizen inside the GreatFireWall...
0

#23 fox88

  • Golden eMule
  • Group: Members
  • Posts: 4974
  • Joined: 13-May 07

Posted 09 March 2011 - 08:24 AM

Nissenice, on 08 March 2011 - 06:49 AM, said:

The attackers are also using some IPs in the range (approximately) 58.17.146.xx - 58.17.154.xx.

I've seen 111.*, 180.* and (?)231.* IPs - all Chinese (don't remember very well all the numbers; no logs right now).

Ejack79,
yes, it looks like Great parental filter.
0

#24 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 09 March 2011 - 09:39 AM

Ejack79, on 09 March 2011 - 01:27 AM, said:

I am a shitizen inside the GreatFireWall...
:lol:

Ejack79, on 09 March 2011 - 01:27 AM, said:

If SOMEONE is attacking these keywords, it may be banning porny keywords in Chinese.
Who is doing these? The gunverment???

Either it is the government, but what I think is more likely is that it's the Chinese companies behind xunlei, vagaa, flashget etc... I have understood that they, or at least some of them, are censoring searches. Like porn for instance.
So how are they going to deal with the real eMule clients which are uncensored? One way I can think of is that they are attacking the quality of service for those not using the Chinese companies' clients. For instance, what would the gain be if you use the vanilla eMule client or one of its mods if you can't find what you are searching for, or other peers can't find files you are sharing because they are prohibited from being published.

Anyway, I believe there are effective counterattacks and as far as I can see with just a little extra overhead.


fox88, on 09 March 2011 - 09:24 AM, said:

Nissenice, on 08 March 2011 - 06:49 AM, said:

The attackers are also using some IPs in the range (approximately) 58.17.146.xx - 58.17.154.xx.

I've seen 111.*, 180.* and (?)231.* IPs - all Chinese (don't remember very well all the numbers; no logs right now).

Well, I've seen invalid IPs, bogon IPs and IPs from different parts of the world. :) The question is, are they real nodes or just random IPs?
As far as I can tell now there are nodes using protocol version 8 with approx 32-36 bits in common with the targeted ID. They seem to be all Chinese. When asked they either don't respond, which happens if the searched ID is not equal or close enough to the attacked ID, or they respond with more nodes of the same kind in the same IP ranges. At the end they respond with Kad nodes claimed to be using protocol version 6, which all seem to be dead contacts. The question is if the protocol version 6 contacts are real or if they are all just made up... Why version 6?

This post has been edited by Nissenice: 09 March 2011 - 09:58 AM

0

#25 fox88

  • Golden eMule
  • Group: Members
  • Posts: 4974
  • Joined: 13-May 07

Posted 09 March 2011 - 10:47 PM

Nissenice, on 09 March 2011 - 12:39 PM, said:

The question is are they real nodes or just random IPs.

Hard to tell if you cannot connect to it.
I was displeased seeing yellow KAD arrow (Open UDP but Firewalled), recheck does not help much. Log showed repeatedly cancelled firewall check for 123.144.160.98. After adding it to IP filter the arrow is green again.
0

#26 zz0fly

  • Splendid Member
  • Group: Members
  • Posts: 179
  • Joined: 22-August 08

Posted 11 March 2011 - 02:35 AM

Hello everybody,

I think I found who did it.
They are a research group of the Institute of Computing Technology of the Chinese Academy of Sciences, the Graduate University of the Chinese Academy of Sciences, and the BeiJing Computing Center.
They use a spider called Rainbow to collect information about KAD.
Their purpose is to detect the distribution of porn files. Their research started in May 2009 and finished in July 2010.
Maybe some guys (or themselves) continue this research, so the attack continues.
I can't find any English articles about this research.
English abstract of their paper:

Quote

Title: Peer Resource Measurement and Analysis in Kad Network
Abstract: In Kad network, there are hundreds of millions of shared resources, among which a considerable part can be rated as questionable information. In order to understand the characteristics of resources, especially questionable ones, in Kad network, the file resources of peers are measured and analyzed using the Kad-network crawler Rainbow. We find that: 1) both the popularity of files and the number of filenames corresponding to a file approximately fit Zipf distribution; 2) the severity of questionable files can be judged more accurately using co-occurrence words in multiple filenames corresponding to the same file-content-hash; 3) the questionable resources only occupy 6.34% of random samples, and 74.8% of which are video files.

From intuition, I think their spider may be based on another spider called Blizzard.
Some articles about the spider Blizzard:
http://portal.acm.or...=1665840&dl=ACM


Greetings,
zz_fly

This post has been edited by zz0fly: 11 March 2011 - 03:20 AM

0

#27 Enig123

  • Golden eMule
  • Group: Members
  • Posts: 553
  • Joined: 22-November 04

Posted 11 March 2011 - 03:02 AM

Could you please paste the English abstract of the article here? I think it will be of much help.
0

#28 DarkRanger1227

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 11-March 11

Posted 11 March 2011 - 10:04 AM

Hello everyone,

I heard about this topic today. Then I downloaded the paper mentioned above, "Peer Resource Measurement and Analysis in Kad Network".

It was written in Chinese. Although I could try to translate it into English, but... to be frank, I don't think this is a good idea, since I know almost nothing about P2P techniques. Neither am I an expert in computer science. The last reason is that my English is not that good.

I think it would be better if I shared the paper with you, and hope somebody familiar with P2P or computer tech could translate it into English.

However I have no idea how to upload an attachment here. Or is it disallowed in this forum?

If anyone is interested in this paper, please send me a message in the forum with your email address. Or... maybe you can simply reply to this post if you don't mind everybody getting your email address? ^_^

I will email the paper to you in PDF version.
0

#29 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 11 March 2011 - 11:09 AM

DarkRanger1227, on 11 March 2011 - 11:04 AM, said:

However I have no idea how to upload an attachment here. Or is it disallowed in this forum?

If anyone is interested in this paper, please send me a message in the forum with your email address. Or... maybe you can simply reply to this post if you don't mind everybody getting your email address? ^_^

I will email the paper to you in PDF version.

Hello there. Perhaps you can upload the paper to a sharing site and share the link here. I remember a person helped me out once with a paper I was looking for by uploading it to ***********.***. It's free and you don't need to register. Just tried it myself. :)
Erm.. or maybe not. After reading the forum rules once again, I'm not so sure it's a good idea. :unsure:


Looks like the attack has stopped for the moment. Just some traces of their nodes are left behind in the Kad network; some of the Kad clients using protocol version 4 seem to keep dead contacts in their routing tables for many hours.

This post has been edited by Nissenice: 11 March 2011 - 11:29 AM

0

#30 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 14 September 2011 - 06:23 PM

Those Kad attackers have moved to a different set of IP ranges. Here are the new IPs to block (ipfilter.dat format):

58.22.20.0 - 	58.22.23.255, 		0, 	CHN_Kad_Attack
61.241.220.0 - 	61.241.223.255, 	0, 	CHN_Kad_Attack
112.111.12.0 - 	112.111.15.255, 	0, 	CHN_Kad_Attack
112.111.36.0 - 	112.111.39.255, 	0, 	CHN_Kad_Attack
112.111.52.0 - 	112.111.55.255, 	0, 	CHN_Kad_Attack
124.162.72.0 - 	124.162.79.255, 	0, 	CHN_Kad_Attack
175.42.8.0 - 	175.42.11.255, 		0, 	CHN_Kad_Attack
220.249.164.0 - 220.249.171.255, 	0, 	CHN_Kad_Attack
220.250.40.0 - 	220.250.43.255, 	0, 	CHN_Kad_Attack


see also: http://forum.emule-p...howtopic=153765
0

#31 Ejack79

  • Splendid Member
  • Group: Members
  • Posts: 155
  • Joined: 25-August 09

Posted 15 September 2011 - 12:36 AM

Nissenice, on 15 September 2011 - 02:23 AM, said:

Those Kad attackers have moved to a different set of IP ranges. Here are the new IPs to block: [IP range list quoted from post #30]


Most of which are located in Fuzhou, Fujian Province.
Or faked IPs.
0

#32 fox88

  • Golden eMule
  • Group: Members
  • Posts: 4974
  • Joined: 13-May 07

Posted 15 September 2011 - 08:27 AM

Ejack79, on 15 September 2011 - 04:36 AM, said:

Most of which are located in Fuzhou, Fujian Province.

Location information is not reliable anyway.
0

#33 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 15 September 2011 - 10:56 PM

Well, I don't think the IP's are fake, but I have no proof for it. It's just a hunch. :D


At the moment the Chinese words in post #21 are not attacked. But the attacking nodes' signature is the same as before: 2-4 nodes using protocol version 8 and sharing the first 8-9 hex digits of their IDs are gathering around an attacked ID, and I assume these are the first 8 digits of the attacked ID as well.
The ed2k links below show some of the attacking nodes ... well ... if they don't stop running now again. They will not be shown in the Kad graph if they are blocked by the IP filter.



This post has been edited by Nissenice: 15 September 2011 - 11:13 PM

0

#34 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 16 September 2011 - 09:15 AM

Nissenice, on 16 September 2011 - 12:56 AM, said:

Well, I don't think the IP's are fake, but I have no proof for it. It's just a hunch. :D

Ok, I think this screenshot, just taken of eMule v0.50a/eMuleFuture v1.1, can be considered as a proof. :)


Posted Image
0

#35 Some Support

  • Last eMule
  • Group: Yes
  • Posts: 3667
  • Joined: 27-June 03

Posted 16 September 2011 - 01:42 PM

IPs cannot be faked for nodes within your routing table, because Kad does a three-way handshake to avoid just this. IPs in routing requests can be fake, of course.

#36 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 16 September 2011 - 02:03 PM

Yeah, I know, that's why I posted the screenshot... :angelnot:




I have written down what I think is a reasonable scenario of what is going on. Actually, there is nothing new here, but anyway:


The attackers are targeting a set of keyIDs representing keywords and/or a set of fileIDs representing files.

Nodes with an ID close to a targetID will, after some uptime, have their routing tables updated with 2-4 attacking nodes for each targetID they are close to. I say after some uptime because for more than a few hours they are acting as dead contacts. At least to new nodes with a new clientID.

When a search is done with an ID close to (but not identical with, or not too close to) a targetID, the attacking nodes will probably act as dead contacts if the searching node's clientID is distant from the targetID.
If on the other hand the searching node has the attacking nodes alive in its own routing table, they might respond with new nodes of protocol version 6. Actually, I wonder if these new version-6 nodes are real, or could it be that their IP:ports are just random IPs and UDP port numbers on the internet?

I find it possible that if a search is done with a keyID or fileID identical to a targetID, the attacking nodes will respond with new nodes of protocol version 6. (I don't know a complete target ID yet, so I can't test this.)
I also find it possible that the attacking nodes will try to inject themselves into the searching node's routing table, so that a search for the targetID thereafter can be hijacked from the start.

Now assume nodes/peers which are searching for many targeted IDs. For each ID the searching node's routing table will be presented with 2-4 attacking nodes, which respond with 2 faked nodes each. I guess that after a while there won't be much room left for valid nodes/peers in the searching node's routing table.

This post has been edited by Nissenice: 16 September 2011 - 02:10 PM

0
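An added example, not code from the thread or from eMule itself, of the defender-side check this scenario suggests: scan a dump of your own routing table for the pattern described above (2-4 contacts of the same protocol version whose IDs share a long prefix) and turn the networks they come from into ipfilter.dat lines like those in post #30. The `Contact` structure, the thresholds and the sample table are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

KAD_ID_BITS = 128


@dataclass(frozen=True)
class Contact:
    kad_id: str   # 128-bit Kad ID as 32 hex digits (assumed dump format)
    ip: str       # address Kad verified by handshake before the contact entered the table
    port: int
    version: int  # protocol version the contact claims (8 for the attackers in this thread)


def common_prefix_bits(a_hex, b_hex):
    """Leading bits two Kad IDs share: 128 minus the bit length of their XOR."""
    x = int(a_hex, 16) ^ int(b_hex, 16)
    return KAD_ID_BITS - x.bit_length()


def find_clusters(contacts, prefix_bits=32, min_size=2, version=8):
    """Return {shared hex prefix: contacts} for groups of at least min_size
    contacts that claim `version` and share their first prefix_bits ID bits.

    Two honest nodes with random IDs share 32 bits with probability 2**-32,
    so in a table of a few thousand entries such a group is practically never
    a coincidence. The thresholds are hypothetical; tune them to what you see.
    """
    by_prefix = defaultdict(list)
    for c in contacts:
        by_prefix[int(c.kad_id, 16) >> (KAD_ID_BITS - prefix_bits)].append(c)
    flagged = {}
    for prefix, members in by_prefix.items():
        suspects = [m for m in members if m.version == version]
        if len(suspects) >= min_size:
            key = format(prefix, "0%dX" % (prefix_bits // 4))
            flagged[key] = sorted(suspects, key=lambda m: (m.ip, m.port))
    return flagged


def ipfilter_lines(flagged, label="CHN_Kad_Attack", prefixlen=24):
    """Emit ipfilter.dat lines ("start - end, level, description"), one per
    /prefixlen network that a flagged contact came from."""
    nets = {ipaddress.ip_network("%s/%d" % (m.ip, prefixlen), strict=False)
            for members in flagged.values() for m in members}
    return ["%s - %s, 0, %s" % (n[0], n[-1], label) for n in sorted(nets)]


# Constructed sample routing table (not real observations): three version-8
# contacts crowd the 3320DF55 prefix from adjacent networks; the other two are
# honest contacts, one of which shares only 17 leading bits with the cluster.
SAMPLE_TABLE = [
    Contact("3320DF55A1B2C3D4E5F60718293A4B5C", "58.22.20.17", 36123, 8),
    Contact("3320DF5500112233445566778899AABB", "58.22.21.9", 36410, 8),
    Contact("3320DF55FEDCBA9876543210FEDCBA98", "58.22.22.200", 36877, 8),
    Contact("3320AAAA3D4E5F60718293A4B5C6D7E8", "203.0.113.5", 4672, 8),
    Contact("9C0A1B2C3D4E5F60718293A4B5C6D7E8", "198.51.100.7", 4672, 6),
]

if __name__ == "__main__":
    clusters = find_clusters(SAMPLE_TABLE)
    for prefix, members in clusters.items():
        print("prefix %s: %d contacts" % (prefix, len(members)))
    print("\n".join(ipfilter_lines(clusters)))
```

Lowering `prefix_bits` to 16 shows why the prefix length matters: the honest 3320AAAA contact then falls into the same group and would be blocked along with the cluster.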

#37 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 17 September 2011 - 01:52 AM

达赖 = Dalai (as in Dalai Lama) is one of the attacked keywords.



[EDIT]:

毛泽东 = Mao Zedong. Is another one.
温家宝 = Wen Jiabao according to google translation.
天安门 = Tiananmen Square.
中宣部 = Propaganda, isn't actually attacked, but seems to be under surveillance by three nodes (IP belongs to blocked IP range and port number is of 36xxx).

李洪志 = Li Hongzhi.
刘晓波 = Liu Xiaobo.
鮑彤 = Bao Tong. [edit] Wasn't attacked 24h later, so maybe it never was? [/edit]




Posted Image

[/EDIT]

This post has been edited by Nissenice: 18 September 2011 - 10:33 AM

1

#38 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 18 September 2011 - 03:47 AM

Four more attacked keywords identified:

朱镕基 = Zhu Rongji.
文革 = Cultural Revolution.
教師 = Teacher.
医生 = Medical.



Here is probably a copy of the list which is the source from which the attacked keywords are chosen. The quoted part below is a translation by Google. All except two of the keywords that have been identified so far are part of the list, even the English words attacked in January and March. I have had time to check just a few, but not all words in the list are attacked in KAD. If I had to guess, I would probably say that around 200 IDs are attacked atm. The two keywords which can't be found in the list are 手淫 from post #21 and 鮑彤 from post #37. It's possible that I've made one or two mistakes there... :unsure:

Quote

Saturday, October 17, 2009
Letters: For Guizhan the "CCAV shield verycd keyword keyword compare" article (with eMule VeryCD Mod 091015 beta filter keyword list)

Thank enthusiastic letters from readers!


On Haiwei Xi (VeryCD) company based on the official eMule modified eMule VeryCD Mod updated on October 15 to 091015 beta. Which comes with a clear search keyword filter list file wordfilter.txt. Includes political and sexual themes with related keywords 2763.


Located on mainland China Hai Weixi (VeryCD)'s not really the official eMule (eMule / eDonkey), nor is eMule (eMule / eDonkey) Chinese official. Official eMule supports 52 languages, including Simplified and Traditional Chinese, But that is not VeryCD who translated. Modified according to the official eMule VeryCD company produced two commercial eMule modified version (ie eMule Mods) - eMule VeryCD Mod and EasyMule. Both eMule Mods a search keyword filtering, and in addition, the real official eMule (eMule / eDonkey) and most other eMule Mods did not search for keyword filtering.

VeryCD company claiming to "eMule official" or "official eDonkey." Company to two people to promote their software, refer to "eDonkey", "eMule", resulting in confusion, to fool people. He's misleading propaganda makes many users think that "VeryCD equal to eMule", "eMule a search keyword shield." So please do not help companies fooling VeryCD publicity, Use of these two software "eMule VeryCD Mod" and "EasyMule" of the title, but should not directly call for "eMule", "electric mule", "eDonkey." Also suggest that you do not use VeryCD Both companies have search keyword filtering The eMule Mods. No search keyword filter eMule plenty.

The following is eMule VeryCD Mod 091015 beta key words all search filter (2763) list:

This post has been edited by Nissenice: 18 September 2011 - 03:53 AM

0

#39 Nissenice

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 18 September 2011 - 01:57 PM

Here is an image of the beginning of the list with 2763 blacklisted key words. The words are listed in their original order. I have just separated the words to make them more easily spotted.
The key words that were attacked earlier this year are marked in blue. The ones that are marked in yellow have been detected as attacked in the last previous posts. The orange-coloured ones have been found attacked today:
[EDIT]
护士 = Nurse.
天安门 = Tiananmen Square. (Actually not new. It's a duplicate in the list! Should be coloured yellow.)
书记 = Secretary.
文字狱 = Literary inquisition.
温家宝 = Wen Jiabao. (Actually another duplicate... Should also be coloured yellow, not orange.)
[/EDIT]

Key words typed in red have been tested today.


Posted Image



Well, imo there's not much to doubt. This list, or a newer version of it, is the source from which the words are chosen. Simply too much of a coincidence for me.

This post has been edited by Nissenice: 18 September 2011 - 03:02 PM

0

#40 Enig123

  • Golden eMule
  • Group: Members
  • Posts: 553
  • Joined: 22-November 04

Posted 18 September 2011 - 06:04 PM

It seems that the Chinese Government is helping us improve the reliability of our Kad network. I mean, who else has the resources to do the research and implementation so thoroughly?
0
