Official eMule-Board: Weird Kad Nodes Id

Weird Kad Nodes Id

#81 Nissenice


Posted 09 February 2013 - 10:53 AM

More spotted IP ranges used by the Chinese authorities in their attack attempts against the Kad network ( ... and the free and glorious world :respect: ) ... have been inserted into the IP list.

http://forum.emule-p...dpost&p=1074192


Messages in the verbose log like the one below can most certainly be related to the Chinese attacking clients, especially if the IPs used are listed in the link above.

Error: Requested file not found (SendHashsetPacket) - while processing eDonkey packet: opcode=OP_HASHSETREQUEST  size=16; Client=xx.xx.xx.xx 'http://www.aMule.org' (aMule v2.2.6,None/None/None)

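As an added example (not code from this thread, from eMule or from aMule), here is a small Python script that does the check the post above recommends: it pulls the client IP out of verbose-log lines of the form quoted, counts the OP_HASHSETREQUEST "Requested file not found" errors per IP, and looks each IP up in an ipfilter.dat-style range list (start - end , access level , description; eMule's default filter level blocks ranges with a level below 127). The log lines and the range list are constructed stand-ins using documentation addresses, because the real list sits behind the truncated link.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of verbose-log lines in the format quoted in the post.
# The addresses are documentation/test ranges, not real observations.
SAMPLE_LOG = """\
Error: Requested file not found (SendHashsetPacket) - while processing eDonkey packet: opcode=OP_HASHSETREQUEST  size=16; Client=203.0.113.7 'http://www.aMule.org' (aMule v2.2.6,None/None/None)
Error: Requested file not found (SendHashsetPacket) - while processing eDonkey packet: opcode=OP_HASHSETREQUEST  size=16; Client=203.0.113.7 'http://www.aMule.org' (aMule v2.2.6,None/None/None)
Error: Requested file not found (SendHashsetPacket) - while processing eDonkey packet: opcode=OP_HASHSETREQUEST  size=16; Client=198.51.100.42 'http://www.aMule.org' (aMule v2.2.6,None/None/None)
Error: Requested file not found (SendHashsetPacket) - while processing eDonkey packet: opcode=OP_HASHSETREQUEST  size=16; Client=192.0.2.9 'http://emule-project.net' (eMule v0.50a)
"""

# Constructed stand-in for the posted IP-range list, in ipfilter.dat style:
# "start - end , access level , description". Levels below 127 are filtered.
SAMPLE_RANGES = """\
203.000.113.000 - 203.000.113.255 , 000 , test range A (constructed)
198.051.100.000 - 198.051.100.127 , 000 , test range B (constructed)
"""

LOG_RE = re.compile(
    r"opcode=(?P<opcode>OP_\w+)\s+size=(?P<size>\d+);\s*Client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def _ip_int(text):
    # ipfilter.dat zero-pads octets ("203.000.113.000"); ipaddress rejects leading zeros.
    return int(ipaddress.IPv4Address(".".join(str(int(o)) for o in text.split("."))))


def parse_ipfilter(text):
    """Return a list of (start, end, level, description) from ipfilter.dat-style lines."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2:
            continue
        start_s, end_s = [p.strip() for p in parts[0].split("-")]
        desc = parts[2] if len(parts) > 2 else ""
        ranges.append((_ip_int(start_s), _ip_int(end_s), int(parts[1]), desc))
    return ranges


def lookup(ip, ranges, filter_level=127):
    """Return the blocking range for ip, or None if no range below filter_level covers it."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, level, desc in ranges:
        if start <= n <= end and level < filter_level:
            return (start, end, level, desc)
    return None


def hashset_probes(log_text):
    """Count 'Requested file not found' OP_HASHSETREQUEST errors per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        if "Requested file not found (SendHashsetPacket)" not in line:
            continue
        m = LOG_RE.search(line)
        if m and m.group("opcode") == "OP_HASHSETREQUEST":
            counts[m.group("ip")] += 1
    return counts


def report(log_text, ranges_text):
    """ip -> (number of hashset probes, description of the matching list range or None)."""
    ranges = parse_ipfilter(ranges_text)
    result = {}
    for ip, n in hashset_probes(log_text).items():
        hit = lookup(ip, ranges)
        result[ip] = (n, hit[3] if hit else None)
    return result


if __name__ == "__main__":
    for ip, (n, listed) in sorted(report(SAMPLE_LOG, SAMPLE_RANGES).items()):
        print("%-16s probes=%d listed=%s" % (ip, n, listed or "-"))
```

Feed it your own verbose log and the current list from the link; IPs that probe for hashsets but are not yet listed are the candidates worth reporting back to the list maintainer.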

#82 Nissenice

  • Joined: 05-January 06

Posted 24 February 2013 - 09:42 PM

The list with IP-ranges used to attack the Kad network has been updated - again. :hammer:

http://forum.emule-p...dpost&p=1074192


#83 Enig123

  • Joined: 22-November 04

Posted 17 March 2013 - 10:41 PM

Nissenice, on 09 February 2013 - 03:53 AM, said:

More spotted IP ranges used by the Chinese authorities in their attack attempts against the Kad network ( ... and the free and glorious world :respect: ) ... have been inserted into the IP list.

http://forum.emule-p...dpost&p=1074192


Messages in the verbose log like the one below can most certainly be related to the Chinese attacking clients, especially if the IPs used are listed in the link above.

Error: Requested file not found (SendHashsetPacket) - while processing eDonkey packet: opcode=OP_HASHSETREQUEST  size=16; Client=xx.xx.xx.xx 'http://www.aMule.org' (aMule v2.2.6,None/None/None)


I've also got a lot of those error messages recently. Do you have any idea why those clients are doing that, and what benefit they would get from it?

#84 tHeWiZaRdOfDoS

  • Joined: 28-December 02

Posted 18 March 2013 - 06:19 AM

First of all, this packet would create quite some overhead. On the other hand, they might "fish" for clients that have files complete (releases/seeders).

#85 Nissenice

  • Joined: 05-January 06

Posted 21 March 2013 - 05:37 PM

Enig123, on 17 March 2013 - 11:41 PM, said:

I've also got a lot of those error messages recently. Do you have any idea why those clients are doing that, and what benefit they would get from it?

Well, no, not yet. I haven't looked into it much more than that these actions emanate from exactly the same IP ranges used by the Chinese cyber hackers attacking the Kad network. In some cases newly observed IP ranges have first been used to send OP_HASHSETREQUEST and later on been used for their other attacking behaviour, such as attacking node IDs, sending Kademlia requests and search source requests for the IDs they are attacking. So, there is absolutely no doubt about who is responsible for this.

Even a client connected to Kad only, with no shared or downloaded files, is exposed to the same actions, so it doesn't have anything to do with what files a client relates to.

The question is what files they are looking for when sending OP_HASHSETREQUEST. The most probable answer is the files they are attacking, but maybe they have something else in mind... I haven't had time to look into that yet...

To add, there is an obvious synchronization when these requests are sent from different IP ranges. Sometimes nothing happens for many hours and then suddenly TCP requests come from all over the place almost at the same time. :)

#86 Enig123

  • Joined: 22-November 04

Posted 21 March 2013 - 09:54 PM

Nissenice, on 21 March 2013 - 10:37 AM, said:

Enig123, on 17 March 2013 - 11:41 PM, said:

I've also got a lot of those error messages recently. Do you have any idea why those clients are doing that, and what benefit they would get from it?

Well, no, not yet. I haven't looked into it much more than that these actions emanate from exactly the same IP ranges used by the Chinese cyber hackers attacking the Kad network. In some cases newly observed IP ranges have first been used to send OP_HASHSETREQUEST and later on been used for their other attacking behaviour, such as attacking node IDs, sending Kademlia requests and search source requests for the IDs they are attacking. So, there is absolutely no doubt about who is responsible for this.

Even a client connected to Kad only, with no shared or downloaded files, is exposed to the same actions, so it doesn't have anything to do with what files a client relates to.

The question is what files they are looking for when sending OP_HASHSETREQUEST. The most probable answer is the files they are attacking, but maybe they have something else in mind... I haven't had time to look into that yet...

To add, there is an obvious synchronization when these requests are sent from different IP ranges. Sometimes nothing happens for many hours and then suddenly TCP requests come from all over the place almost at the same time. :)


Is it possible or useful to find a way on the eMule side to close the protocol hole? Apparently these attacks are not what normal eMule clients would do.

#87 Some Support

  • Joined: 27-June 03

Posted 22 March 2013 - 12:00 AM

Nissenice, on 21 March 2013 - 05:37 PM, said:

The question is what files they are looking for when sending OP_HASHSETREQUEST. The most probable answer is the files they are attacking, but maybe they have something else in mind... I haven't had time to look into that yet...

In theory this request would be a viable packet for a DDoS on the upload bandwidth, as they are some of the biggest packets you can request without any preconditions, but as you describe it that doesn't seem to be the case here. Otherwise there isn't anything interesting about those other than the hashsets, and you can't use them to fish for shared files either, as eMule has a flood protection against this (per IP of course).

Nissenice said:

To add, there is an obvious synchronization when these requests are sent from different IP ranges. Sometimes nothing happens for many hours and then suddenly TCP requests come from all over the place almost at the same time. :)

Might be just the time. Like every x minute of the day.

Enig123, on 21 March 2013 - 09:54 PM, said:

Is it possible or useful to find a way on the eMule side to close the protocol hole? Apparently these attacks are not what normal eMule clients would do.

I don't see a protocol hole at this point.

#88 Enig123

  • Joined: 22-November 04

Posted 28 March 2013 - 04:25 AM

I have dug a little into the warning logs and finally found the solution by banning clients who are trying to probe any hashset, without hurting normal clients; please refer to http://forum.emule-p...howtopic=156354 for details.

#89 VasiliyRus

  • Joined: 07-January 09

Posted 28 March 2013 - 01:19 PM

I am not sure my question is related to the thread's theme, but it's about its subject.

Sometimes I see a zero node ID in the Kad tab, like on the screenshot below:
[screenshot]

Why is it 0000...? Is there anything wrong with it?


#90 xilolee

  • Joined: 20-August 08

Posted 29 March 2013 - 06:41 PM

I saw it too in these years (and we are not the only ones).
Search the forum, there are about 10-20 topics on that. ;)

#91 Nissenice

  • Joined: 05-January 06

Posted 29 March 2013 - 09:13 PM

VasiliyRus, on 28 March 2013 - 02:19 PM, said:

I am not sure my question is related to the thread's theme, but it's about its subject.

Sometimes I see a zero node ID in the Kad tab, like on the screenshot below:
[screenshot]

Why is it 0000...? Is there anything wrong with it?

It's quite common to have a contact with Kad ID = 000000..0000 among your contacts. And no, I haven't found any direct relationship with the Chinese attackers. But for some reason they show some interest in exactly that ID and others very close to it, like 000000..0000001F023BE31 or something similar. They do this occasionally by sending Kademlia requests and asking for the 31 contacts closest to that ID. A normal node only asks for 2, 4 or 11 contacts depending on the request.

There is another group, IIRC, abusing the network with spam, which occasionally is also interested in almost the same space. Surprisingly they too ask for 31 contacts, but that's the only connection I've seen between these two groups. This second group, which has been around for several years, is hosted in the USA and can normally be identified by the habit of using UDP port 17770. ^_^

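As an added example, not code from this thread or from eMule: the three tells Nissenice lists in the post above (a request for 31 contacts where a stock client asks for 2, 4 or 11; a target ID very close to zero; UDP source port 17770) written up as a small Python classifier over raw KADEMLIA2_REQ datagrams. The opcode values and the packet layout (protocol byte, opcode, one-byte contact count that eMule masks with 0x1F, 16-byte target ID, 16-byte check ID) are my recollection of the eMule source, the big-endian reading of the IDs and the 64-bit "near zero" threshold are my choices, and the sample datagrams are constructed, so treat all of those as assumptions.

```python
KADEMLIA_HEADER = 0xE4   # Kad UDP protocol byte (assumed, from eMule's opcodes.h as I recall it)
KADEMLIA2_REQ = 0x21     # Kad2 node-lookup request opcode (assumed, same source)

# Contact counts a stock eMule asks for, per the post: 2 (find value), 4 (store), 11 (find node).
NORMAL_REQUEST_COUNTS = {2, 4, 11}
SPAM_GROUP_UDP_PORT = 17770    # habit of the second group mentioned in the post
NEAR_ZERO_BITS = 64            # flag targets whose top 64 bits are all zero (my threshold)

MY_KAD_ID = 0x0123456789ABCDEF0123456789ABCDEF   # constructed: the receiving node's own ID


def build_kad2_req(wanted, target, check):
    """Construct a raw, unobfuscated KADEMLIA2_REQ for the example.

    Layout (assumption from memory of the eMule source): protocol byte, opcode,
    1-byte contact count, 16-byte target ID, 16-byte check ID (receiver's own ID).
    IDs are written big-endian here; the real wire order is an assumption.
    """
    return bytes([KADEMLIA_HEADER, KADEMLIA2_REQ, wanted & 0xFF]) \
        + target.to_bytes(16, "big") + check.to_bytes(16, "big")


def parse_kad2_req(datagram):
    """Return dict(wanted, target, check) or None if this is not a KADEMLIA2_REQ.

    eMule masks the count byte with 0x1F, which is why 31 is the most a peer can ask for.
    """
    if len(datagram) != 35 or datagram[0] != KADEMLIA_HEADER or datagram[1] != KADEMLIA2_REQ:
        return None
    return {
        "wanted": datagram[2] & 0x1F,
        "target": int.from_bytes(datagram[3:19], "big"),
        "check": int.from_bytes(datagram[19:35], "big"),
    }


def classify(src_port, datagram):
    """Flags for one request; an empty list means nothing stands out."""
    req = parse_kad2_req(datagram)
    if req is None:
        return ["not_kad2_req"]
    flags = []
    if req["wanted"] not in NORMAL_REQUEST_COUNTS:
        flags.append("unusual_contact_count:%d" % req["wanted"])
    if req["target"] >> (128 - NEAR_ZERO_BITS) == 0:
        flags.append("near_zero_target")
    if src_port == SPAM_GROUP_UDP_PORT:
        flags.append("udp_port_17770")
    return flags


def summarize(events):
    """events: iterable of (src_ip, src_port, datagram). Returns ip -> sorted list of flags."""
    out = {}
    for ip, port, dgram in events:
        out.setdefault(ip, set()).update(classify(port, dgram))
    return {ip: sorted(flags) for ip, flags in out.items()}


# Constructed traffic: one ordinary find-node, one 31-contact lookup near zero, and one
# 31-contact lookup near zero from UDP port 17770. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    ("192.0.2.9", 4672, build_kad2_req(11, 0x8F3A5C0D9E1B2A4C7D6E5F4031221304, MY_KAD_ID)),
    ("203.0.113.7", 4672, build_kad2_req(31, 0x1F023BE31, MY_KAD_ID)),
    ("198.51.100.42", 17770, build_kad2_req(31, 0xA5, MY_KAD_ID)),
]

if __name__ == "__main__":
    for ip, flags in sorted(summarize(SAMPLE_EVENTS).items()):
        print("%-16s %s" % (ip, ", ".join(flags) or "normal"))
```

The "near zero" test is a distance-to-zero check in disguise: with the ID read as a 128-bit integer, "top 64 bits clear" is the same as an XOR distance from 0 below 2^64, which covers both the all-zero ID and neighbours like 000000..0000001F023BE31 from the post.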

#92 Nissenice

  • Joined: 05-January 06

Posted 29 March 2013 - 09:43 PM

Some Support, on 22 March 2013 - 01:00 AM, said:

In theory this request would be a viable packet for a DDoS on the upload bandwidth, as they are some of the biggest packets you can request without any preconditions, but as you describe it that doesn't seem to be the case here. Otherwise there isn't anything interesting about those other than the hashsets, and you can't use them to fish for shared files either, as eMule has a flood protection against this (per IP of course).

If that's the case then it's probably the DDoS effect they are interested in, in the end. One has to remember that their main targets are Chinese peers living in China and/or sharing/downloading censored files. And as I do neither, maybe what I see is not representative of what I would have experienced as a Chinese citizen.

Some Support said:

Might be just the time. Like every x minute of the day.

Probably that too, but it's easy to get the impression there is a central instance which instructs each node/client what, when and from where it should start to perform its actions. It seems particularly clear when kademlia and search requests are sent.


#93 fox88

  • Joined: 13-May 07

Posted 30 March 2013 - 08:17 AM

Nissenice, on 30 March 2013 - 12:43 AM, said:

One has to remember that their main targets are Chinese peers living in China and/or sharing/downloading censored files.

Take a look at this piece of code. It would be trivial to add dumping File ID to the log, and then use server <ed2k::FileID> search to get what it is.
Unfortunately, it's not simple to have that kind of search in KAD (a while ago I even made a FR for that).

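As an added example that is neither Enig123's patch from post #88 nor fox88's code from post #93 (both are behind links that did not survive extraction), here is one way in Python to do what the two posts describe: parse a raw OP_HASHSETREQUEST out of an eDonkey TCP packet, dump the requested file ID so it can be looked up with a server ed2k file-ID search, and ban a client that keeps asking for hashsets of files we do not share. The opcode values and header layout (protocol byte 0xE3, little-endian uint32 size covering opcode plus payload, opcode 0x51, 16-byte MD4 file ID, hence the "size=16" in the log line) are my recollection of eMule's opcodes.h and are assumptions; the file IDs and client addresses are constructed.

```python
from collections import defaultdict

OP_EDONKEYPROT = 0xE3     # eDonkey TCP protocol byte (assumed, from eMule's opcodes.h as I recall it)
OP_HASHSETREQUEST = 0x51  # hashset request opcode (assumed, same source)


def build_hashset_request(file_id_hex):
    """Construct a raw OP_HASHSETREQUEST packet so the example runs offline:
    protocol byte, uint32 LE size (opcode byte + payload), opcode, 16-byte file ID."""
    payload = bytes.fromhex(file_id_hex)
    if len(payload) != 16:
        raise ValueError("ed2k file IDs are 16-byte MD4 hashes")
    return bytes([OP_EDONKEYPROT]) + (1 + len(payload)).to_bytes(4, "little") \
        + bytes([OP_HASHSETREQUEST]) + payload


def parse_ed2k_packet(data):
    """Return (opcode, payload) for one complete eDonkey TCP packet, or None if malformed."""
    if len(data) < 6 or data[0] != OP_EDONKEYPROT:
        return None
    size = int.from_bytes(data[1:5], "little")
    if size < 1 or len(data) != 5 + size:
        return None
    return data[5], data[6:5 + size]


class HashsetProbeGuard:
    """Ban logic in the spirit of post #88, plus the file-ID dump fox88 proposes in #93.

    Reasoning (mine, not the posts'): a well-behaved client only asks for the hashset
    of a file it is about to download from us, i.e. one we share, so a request for an
    unknown file ID is already anomalous. A small allowance (max_misses) covers the
    race where we just stopped sharing a file, so a normal client is not hurt by one miss.
    """

    def __init__(self, shared_file_ids, max_misses=2):
        self.shared = {h.lower() for h in shared_file_ids}
        self.max_misses = max_misses
        self.misses = defaultdict(int)
        self.probed = defaultdict(set)   # ip -> file IDs it asked for that we do not share
        self.banned = set()

    def handle(self, client_ip, packet):
        """Returns 'served', 'refused', 'banned' or 'ignored' for one incoming packet."""
        if client_ip in self.banned:
            return "banned"
        parsed = parse_ed2k_packet(packet)
        if parsed is None:
            return "ignored"
        opcode, payload = parsed
        if opcode != OP_HASHSETREQUEST or len(payload) != 16:
            return "ignored"            # not a hashset request: other handlers deal with it
        file_id = payload.hex()
        if file_id in self.shared:
            return "served"             # the normal case: hashset of a file we share
        self.misses[client_ip] += 1
        self.probed[client_ip].add(file_id.upper())
        if self.misses[client_ip] > self.max_misses:
            self.banned.add(client_ip)
            return "banned"
        return "refused"                # what the verbose log reports as 'Requested file not found'

    def probed_file_ids(self, client_ip):
        """Upper-case hex file IDs to feed into a server file-ID search, as fox88 suggests."""
        return sorted(self.probed[client_ip])


# Constructed data: one shared file (the MD4 of an empty input) and three probe IDs.
SHARED = ["31D6CFE0D16AE931B73C59D7E0C089C0"]
PROBES = ["00112233445566778899aabbccddeeff",
          "0123456789abcdef0123456789abcdef",
          "fedcba9876543210fedcba9876543210"]

if __name__ == "__main__":
    guard = HashsetProbeGuard(SHARED)
    print(guard.handle("192.0.2.9", build_hashset_request(SHARED[0])))
    for h in PROBES:
        print(guard.handle("203.0.113.7", build_hashset_request(h)))
    print(guard.probed_file_ids("203.0.113.7"))
```

The threshold is the only tunable: set max_misses to 0 and you reproduce a strict "any unknown hashset request gets you banned" policy, which is close to what #88 describes; leaving it at 1 or 2 keeps a client that hit a just-unshared file out of the ban list.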
