Am I under a Gnutella denial of service attack ?

For the last couple of days I appear to have been under some sort of attack. I occasionally use the Shareaza P2P client. I was using it for 24 hours or so around the time that the "attack" started.

Shareaza is a Gnutella and eDonkey client.

Shareaza is not currently running and hasn't been running for the last two days.

The machine that I run Shareaza on also runs a webserver, although the server in question normally sees almost zero traffic. I am seeing dozens of requests to port 80 on that Shareaza machine every second, from hundreds of different IP addresses.

The requests are for

/uri-res/N2R?urn:sha1:CAKQAE6EK3LPHJ6DFVOVUQDJ7IN66OMM

where the hash value at the end varies (although there are lots of repeated requests for the same hash value)

I am puzzled as to why these requests are coming to port 80 as that is not the standard Gnutella port. All the requests appear to be coming from either BearShare, LimeShare or Shareaza clients (though 99% of them are BearShare).

If I leave the webserver enabled sending out the resulting 404 pages fills my 256kb outgoing DSL line. My daily IIS log before I noticed what was happening was over 150Mb in size...

For the moment I have just had to shutdown the webserver so that my DSL line is usable.

Has anyone seen this before, if so is there anything I can do about it ?

I don't know about the attack, but one thing you could do to keep your webserver running is to reduce the size of your 404 page to a very simple:

<HTML>404 Not Found</HTML>

Or something like that.

Looks like one of those networks decided you were a "supernode". Guess you shouldn't have kept it running for so long, I imagine it will clear out soon though.

I don't know about the attack, but one thing you could do to keep your webserver running is to reduce the size of your 404 page to a very simple:

Yeah, but if he's getting enough of them, even with a 0 length 404 response body, I could see the overhead of the underlying HTTP and TCP traffic filling up a DSL line. Once his upload bandwidth is filled up with all that junk, the download bandwidth gets starved.

I changed my 404 page as Tony suggested and things have improved a lot. However I don't think it was improved by reducing the size of the page, it looks like the frequency of the "attacks" is just falling off.

Even with the slim line 404 page I still get a peak with my up stream bandwidth maxed out every few minutes for 10 seconds or so as a couple of clients decide to pound on me.

I did wonder about that, but that can't be the cause. My Gnutella client should never have advertized itself as being available on port 80.

Doing some searching I have found some articles that talk about attacks that you can make on people using Gnutella by falsifying search results in such a way that large amounts of traffic are directed at a choosen port on a machine of you choice.

I guess someone must have done this to me. I have no idea why they picked me though.

Things have quieten down now, I am only getting about half a dozen requests a second now.

I've now discovered that my main web server (which has never run any P2P clients) is being attacked by Morpheus clients. In this case the traffic is a lot lower and there are only three source IP addresses, so I have just blocked them at the firewall.

Very strange.

your caught up in a p2p conspiracy

My Gnutella client should never have advertized itself as being available on port 80.

Well, that's not necessarily true.

An article on Network Magazine's site says:

"As for the untimely demise of perimeter defenses: P2P products are designed to defeat firewalls and get around NAT devices. While it makes networks less secure, it's necessary for P2P products to work in most environments, whether home, small business, or enterprise. Most P2P programs get around these devices by using HTTP on port 80, either as a default or a tunneling protocol. Groove, from Groove Networks (www.groove.net), can tunnel its proprietary protocols inside HTTP."

We had a similar sort of "DDOS" in one of our offices after someone installed a P2P package. They have an OC3 in the basement of their building, and get 100 mbps for about the cost of SDSL, but they're billed by the MB. I'm sure everyone wanted to download from them, and boy did they try!

-jk

Yes, but my Gnutella client could never have been resident on port 80, my web server was already using it. Neither are these "attackers" trying to contact my machine on the standard Gnutella port and then falling back on some sort of default on port 80 (there is not traffic on the normal Guntella port).