Gnutella Forums  

Go Back   Gnutella Forums > Gnutella News and Gnutelliums Forums > General Gnutella / Gnutella Network Discussion
Register FAQ The Twelve Commandments Members List Calendar Arcade Find the Best VPN Today's Posts

General Gnutella / Gnutella Network Discussion For general discussion about Gnutella and the Gnutella network.
For discussion about a specific Gnutella client program, please post in one of the client forums above.


Welcome To Gnutella Forums

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content, fun aspects such as the image caption contest and play in the arcade, and access many other special features after your registration and email confirmation. Registration is fast, simple and absolutely free so please, join our community today! (click here) (Note: we use Yandex mail server so make sure yandex is not on your email filter or blocklist.) Confirmation emails might be found in your Junk folder, especially for Yahoo or GMail.

If you have any problems with the Gnutella Forum registration process or your Gnutella Forum account login, please contact us (this is not for program use questions.) Your email address must be legitimate and verified before becoming a full member of the forums. Please be sure to disable any spam filters you may have for our website, so that email messages can reach you.
Note: Any other issue with registration, etc., send a Personal Message (PM) to one of the active Administrators: Lord of the Rings or Birdy.

Once registered but before posting, members MUST READ the FORUM RULES (click here) and members should include System details - help us to help you (click on blue link) in their posts if their problem relates to using the program. Whilst forum helpers are happy to help where they can, without these system details your post might be ignored. And wise to read How to create a New Thread

Thank you

If you are a Spammer click here.
This is not a business advertising forum, all member profiles with business advertising will be banned, all their posts removed. Spamming is illegal in many countries of the world. Guests and search engines cannot view member profiles.



           Deutsch?              Español?                  Français?                   Nederlands?
   Hilfe in Deutsch,   Ayuda en español,   Aide en français et LimeWire en françaisHulp in het Nederlands

Forum Rules

Support Forums

Before you post to one of the specific Client Help and Support Conferences in Gnutella Client Forums please look through other threads and Stickies that may answer your questions. Most problems are not new. The Search function is most useful. Also the red Stickies have answers to the most commonly asked questions. (over 90 percent).
If your problem is not resolved by a search of the forums, please take the next step and post in the appropriate forum. There are many members who will be glad to help.
If you are new to the world of file sharing please do not be shy! Everyone was ‘new’ when they first started.

When posting, please include details for:
Your Operating System ....... Your version of your Gnutella Client (* this is important for helping solve problems) ....... Your Internet connection (56K, Cable, DSL) ....... The exact error message, if one pops up
Any other relevant information that you think may help ....... Try to make your post descriptive, specific, and clear so members can quickly and efficiently help you. To aid helpers in solving download/upload problems, LimeWire and Frostwire users must specify whether they are downloading a torrent file or a file from the Gnutella network.
Members need to supply these details >>> System details - help us to help you (click on blue link)


Moderators

There are senior members on the forums who serve as Moderators. These volunteers keep the board organized and moving.
Moderators are authorized to: (in order of increasing severity)
Move posts to the correct forums. Many times, members post in the wrong forum. These off-topic posts may impede the normal operation of the forum.
Edit posts. Moderators will edit posts that are offensive or break any of the House Rules.
Delete posts. Posts that cannot be edited to comply with the House Rules will be deleted.
Restrict members. This is one of the last punishments before a member is banned. Restrictions may include placing all new posts in a moderation queue or temporarily banning the offender.
Ban members. The most severe punishment. Three or more moderators or administrators must agree to the ban for this action to occur. Banning is reserved for very severe offenses and members who, after many warnings, fail to comply with the House Rules. Banning is permanent. Bans cannot be removed by the moderators and probably won't be removed by the administration.


The Rules

1. Warez, copyright violation, or any other illegal activity may NOT be linked or expressed in any form. Topics discussing techniques for violating these laws and messages containing locations of web sites or other servers hosting illegal content will be silently removed. Multiple offenses will result in consequences. File names are not required to discuss your issues. If filenames are copyright then do not belong on these forums & will be edited out or post removed. Picture sample attachments in posts must not include copyright infringement.

2. Spamming and excessive advertising will not be tolerated. Commercial advertising is not allowed in any form, including using in signatures.

3. There will be no excessive use of profanity in any forum.

4. There will be no racial, ethnic, or gender based insults, or any other personal attacks.

5. Pictures may be attached to posts and signatures if they are not sexually explicit or offensive. Picture sample attachments in posts must not include copyright infringement.

6. Remember to post in the correct forum. Take your time to look at other threads and see where your post will go. If your post is placed in the wrong forum it will be moved by a moderator. There are specific Gnutella Client sections for LimeWire, Phex, FrostWire, BearShare, Gnucleus, Morpheus, and many more. Please choose the correct section for your problem.

7. If you see a post in the wrong forum or in violation of the House Rules, please contact a moderator via Private Message or the "Report this post to a moderator" link at the bottom of every post. Please do not respond directly to the member - a moderator will do what is required.

8. Any impersonation of a forum member in any mode of communication is strictly prohibited and will result in banning.

9. Multiple copies of the same post will not be tolerated. Post your question, comment, or complaint only once. There is no need to express yourself more than once. Duplicate posts will be deleted with little or no warning. Keep in mind a forum censor may temporarily automatically hold up your post, if you do not see your post, do not post again, it will be dealt with by a moderator within a reasonable time. Authors of multiple copies of same post may be dealt with by moderators within their discrete judgment at the time which may result in warning or infraction points, depending on severity as adjudged by the moderators online.

10. Posts should have descriptive topics. Vague titles such as "Help!", "Why?", and the like may not get enough attention to the contents.

11. Do not divulge anyone's personal information in the forum, not even your own. This includes e-mail addresses, IP addresses, age, house address, and any other distinguishing information. Don´t use eMail addresses in your nick. Reiterating, do not post your email address in posts. This is for your own protection.

12. Signatures may be used as long as they are not offensive or sexually explicit or used for commercial advertising. Commercial weblinks cannot be used under any circumstances and will result in an immediate ban.

13. Dual accounts are not allowed. Cannot explain this more simply. Attempts to set up dual accounts will most likely result in a banning of all forum accounts.

14. Video links may only be posted after you have a tally of two forum posts. Video link posting with less than a 2 post tally are considered as spam. Video link posting with less than a 2 post tally are considered as spam.

15. Failure to show that you have read the forum rules may result in forum rules breach infraction points or warnings awarded against you which may later total up to an automatic temporary or permanent ban. Supplying system details is a prerequisite in most cases, particularly with connection or installation issues.

Violation of any of these rules will bring consequences, determined on a case-by-case basis.


Thank You! Thanks for taking the time to read these forum guidelines. We hope your visit is helpful and mutually beneficial to the entire community.


Like Tree2Likes
  • 1 Post By Lord of the Rings
  • 1 Post By Lucio

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old May 22nd, 2016
Valued Member contributor
 
Join Date: May 18th, 2016
Posts: 5
Lucio is a great assister to others; your light through the dark tunnel
Default Fake poisoning servents

I am running gtk-gnutella 1.1.9 as ultrappeer (UP) under Linux. I enjoy keeping an eye on Gnutella network. During March-May 2016 I noticed my UP cache approaching 0 servents and the number of UP connections very low (around 10/50).
At first I thought about issues with my internet provider doing some sort of filtering so that I could not connect or receive connections from other UPs. Lately I noticed that my servent was connecting to some strange servents with vendor string "PyGnutella/0.1". I did some research and found out that PyGnutella is an old and unmaintained Python library for Gnutella, not a working client. Then I noticed that all these PyGnutella connections were coming from a single group of IP addresses: 154.45.216.* (see screenshots). These servents had a very low uptime and kept connecting and disconnecting.
One day these PyGnutella servents were no longer in my network connections list and suddenly the number of UP connections was again higher and my UP cache filling up again.
I suppose that these PyGnutella are fake servents who try to disrupt Gnutella functioning, performing a sort of "cache poisoning attack".
Any idea?
Attached Thumbnails
Fake poisoning servents-screenshot-11052016-22-43-40.jpg   Fake poisoning servents-screenshot-15052016-11-07-39.jpg  
Reply With Quote
  #2 (permalink)  
Old May 22nd, 2016
Lord of the Rings's Avatar
ContraBanned
 
Join Date: June 30th, 2004
Location: Middle of the ocean apparently (middle earth)
Posts: 656
Lord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputation
Default

From my own experience I can only give you a limited possible answer of what I know because I've been away for a month & won't return until end of the week.
I've seen PyGnutella before but I don't believe for quite some time.
From your snapshots, it does appear to be a BOT and possibly a browser based BOT that can switch program ID on the fly.

Have you checked your console connection logs to see if there's anything else odd about these PyGnutella connections and any messages they send?
You might need to cross-check their ip addresses to be sure it's the same host as they might identify in a different manner at various points in time.

If it were really such an old app, then we might assume it seeks GWC support. I'm only aware of one GWC that might support an app of that age.

I have been highly dubious about the 154. range. The original BearShare hostiles file had it completely blocked. Earlier in the year I unblocked a few small ranges as a test after finding some GTK-G. hosts within it (unless I'm confusing with the 104. range.) But what makes me suspicous about these hosts is that they all use the same connection port and all via the same internet service provider (I suspect it's not a standard public service provider), including one in the 108. range. But the GTK-G issue is a little off-topic. The 154 range also includes web service rentals. The 154 range is mostly USA with certain slithers of European ranges.
Reply With Quote
  #3 (permalink)  
Old May 23rd, 2016
Valued Member contributor
 
Join Date: May 18th, 2016
Posts: 5
Lucio is a great assister to others; your light through the dark tunnel
Default

Quote:
Originally Posted by Lord of the Rings View Post
I've seen PyGnutella before but I don't believe for quite some time.
From your snapshots, it does appear to be a BOT and possibly a browser based BOT that can switch program ID on the fly.
Hello, why do you think about a browser bot? Since all connections come from the same IP addresses group, could it be someone having access to a whole 0-255 addresses range (someone more than a common ADSL user)? If an IP sproofing occurred, why limiting to a single group of IP addresses?
Updating hostiles.txt looks like a good idea...
My current skills do not allow further analysis from my side...
Reply With Quote
  #4 (permalink)  
Old May 23rd, 2016
Lord of the Rings's Avatar
ContraBanned
 
Join Date: June 30th, 2004
Location: Middle of the ocean apparently (middle earth)
Posts: 656
Lord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputation
Default

There's various types of BOTs and that PyGnutella group are not necessarily browser-BOTs. Unless your GTK-G. has shown them to be browsing? Have you seen them try to download?
No idea what kind of BOT they are.

My first instinct is that they are BOTs. However, I have witnessed similar things with hosts downloading but not 100% certain they were download BOTs due to not being quite as aggressive to the task as the average download-BOT (for want of a better term.)

I have wondered if some wireless (possibly portable) devices/services can change ip on the fly, but that would make me wonder how the gnutella program could retain a connection to the network. Also, if there's more than one connected at one time then that appears to defeat that idea.

As far as the hostiles file goes, GTK comes with its own default hostiles file which is relatively small and also contains data I'm not so sure is still up-to-date because of some blocks that have been there since last decade but I haven't seen or can't find any evidence of it being a bad range over the past 4 to 5 years. With this in mind I have been gradually little by little reducing the blocks within the hostiles I work with. ip addressing has changed considerably since last decade; either new ISP owners (or even country); ip no longer rented out to proxy services or unused ip's from certain countries; changes to a dynamic ip status instead of static. I have nothing to do with updating the gtk hostiles file.

With GTK you can add your own blocks via the hostiles. You might even wish to try a hostiles I put together for GWCs as it's the smallest version I've worked upon. Also, ale5000 a GWC developer has developed a hostiles updating system, but GTK does not normally contact GWC's so that concept would need to be discussed between the GTK developers.
Reply With Quote
  #5 (permalink)  
Old May 24th, 2016
Valued Member contributor
 
Join Date: May 18th, 2016
Posts: 5
Lucio is a great assister to others; your light through the dark tunnel
Default

I haven't seen those PyGnutella downloading. That doesn't mean much since I share rare stuff (popular stuff works better on BitTorrent IMHO).
I just configured custom hostiles.txt including the range of PyGnutella, let's see...
Reply With Quote
  #6 (permalink)  
Old May 26th, 2016
Lord of the Rings's Avatar
ContraBanned
 
Join Date: June 30th, 2004
Location: Middle of the ocean apparently (middle earth)
Posts: 656
Lord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputation
Default

Quote:
Originally Posted by Lucio View Post
... all these PyGnutella connections were coming from a single group of IP addresses: 154.45.216.* (see screenshots). These servents had a very low uptime and kept connecting and disconnecting ...
Yes I detected this as a bad range 2 May 2014. I recorded 40 separate addresses from 140 to 200. The only one your snapshots show I didn't detect was 154.45.216.175.

Cogent Communications. For some reason two years ago I had it probably incorrectly listed as France Nantes Trident Mediaguard (I may have put this label next to the wrong ip group.) It is instead USA based.
OrgName: PSINet, Inc.
OrgId: PSI-2
Address: 2450 N Street NW
City: Washington

I detected these hosts via firewall log. Which is something I sometimes check if my program(s) appear to start struggling with connections (such as peers dropping below and struggling to get back to minimum peers whilst in UP mode.) Period of open log can range between 45 min to 2 to 3 hours though usually around an hour or less if I'm getting hammered. I sometimes check back to previous logs to see when they started to hammer. I share a lot of files and usually connect 24/7 which makes me a prime target for BOTs. When I recorded the hosts in question, there were also numerous other similar BOT ranges adding to the massive traffic.

The smallest hostiles file I work with has them blocked 154.45.216.128/25.

I don't normally record leaf connections, but no history of them connecting as peers over past 18 months with Phex at least.

I do not have any information as to what kind of BOT they might be (what their objective is.) But as happened with you, perhaps their objective is to disrupt standard connections and communications. It would not surprise me if they passed out fake information including fake hosts to connect to or other BOTs to connect to. But that's pure conjecture.
Reply With Quote
  #7 (permalink)  
Old May 28th, 2016
Valued Member contributor
 
Join Date: May 18th, 2016
Posts: 5
Lucio is a great assister to others; your light through the dark tunnel
Default

Very interesting to see that you recorded the same attack about 2 years ago. I am very curious to understand how these bot works and what is the aim of those who run them for such a long time. I am pretty sure that these bot perform some sort of cache poisoning, spreading fake addresses/ports in order to prune off connections and hamper Gnutella functioning. Maybe they are persistently run by RIAA fellows?
For sure this IP range should be included in hostiles.txt
Reply With Quote
  #8 (permalink)  
Old November 10th, 2017
Lord of the Rings's Avatar
ContraBanned
 
Join Date: June 30th, 2004
Location: Middle of the ocean apparently (middle earth)
Posts: 656
Lord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputation
Default

I realise this is now an old thread and last reply 18 months ago but feel a growing desire to point out some issues. I've been putting together custom host files for some of the gnutella apps since the start of the decade (if not earlier.) I discovered some issues early on that still appear to be an issue now. I find this every time I put together a fresh host file (these days generally six monthly.)

Whenever I check the gnutella.net file used by all of the LIME code based programs there are numbers of hosts that are between 4 to 8 months old. How can I be sure that they are this old? One clue is them using dynamic ip addressing which expires after 3 or 6 weeks in cases of some ISP's. When I check the last time either WireShare or Phex have connected to the host it shows that suggested age of many months. What's alarming about this is that the hosts are often listed up around the top (or bottom should I say where the most recent hosts are added ~ within about the bottom 20 hosts.) My WireShare is used 24/7 with sessions lasting between one to three weeks.

How can a host not seen for 6 months be considered for sharing to other hosts? There might be more than one reason. I suspect the built-in system (GTK, LIME, etc.) sharing of hosts might be flawed. What happens if a host that has not used the network for half a year becomes an ultrapeer after an hour or few hours? Is it only sharing hosts recently discovered or is it also sharing hosts from a back-log of 6+ months ago?

I am aware GTK dates DHT hosts. I've also seen transactions where a host was dated as being between one to six days of age (though I don't know if the age of a host was due to GTK or WireShare's process or both.)

I first started working on the BearShare host file in 2011 and after a year or two I started to discover old hosts being added to the BearShare host file that had not been seen for over a year or even up to 3 years. Even at that time I had become aware of some ISP's that either used highly dynamic ip or relatively short-term Sticky Dynamic ip addressing of 3 or 6 weeks. I saw examples of the same hosts being included on the host file between 6 to 10+ times with different addresses. Again, some not seen for over a year or two. I originally wondered/suspected if one or more GWC's were at fault.

45.63.110.*:41481,86400,1497359030241,,15089234184 07;1508809867708;1508664928045,en,,0,ACTIVE,, (connection dates: 25 May 2017 to 13 June 2017)
Listed 9th on WireShare's gnutella.net host file yet not on hostiles & only ever sighted twice. None of the 7 Phex host files from 25 Sep-8 Nov lists this host. Nor any of the 6 files from 23 Aug-24 Sep. A host is distributing incorrect/out-of-date data or is this host really active?
Also 88.151.72.*:63667,86400, gtk-gnutella not sighted since 21 May & only seen since 15 May. Host address is Austria ISP Mag. Erwin Leitner & is a dynamic range. Another, 91.64.242.*:28049,86400, gtk-gnutella last sighted 14 Aug, first sighted 25 July. Germany Vodafone Kabel Deutschland & is dynamic. Their ip’s only last a few weeks from memory. So why is this and many other hosts being listed so high up the G file list & listed as 24/7.

Examples:
Code:
88.151.72.*:63667,86400,1495681316639,,1508933411336;1508719732959;1506572085087,en,,0,ACTIVE,1, (20 May) (Mag. Erwin Leitner - Dynamic)
91.64.242.*:28049,86400,1502918026837,,1508923985831;1508664996939;1506572268360,en,,0,ACTIVE,, (14 Aug) (Vodafone Kabel Deutschland - Dynamic)
133.218.*.*:15079,86400,1496181869553,,1508923453829;1508809986063;1506572042733,ja,,0,PASSIVE,, (connected to on & off between 21 Jan-5 July 2017)
172.76.165.*:10978,86400,1495406533334,,1508923413511;1508664818817;1504159857914,en,,,,, (never connected to ~ though might be recent, shows how dynamic ip addressing can cause out-of-date caching.)
172.76.174.*:10978,86400,1495393650331,,1508923482354;1508661777310;1506572124135,en,,,,, (never connected to ~ though might be recent, shows how dynamic ip addressing can cause out-of-date caching.)
24.0.*.*:53219,79569,1501091127350,,1508927017210;1508809911001;1508665008756,en,,0,ACTIVE,, (connected to on & off between 27 June to 15 July 2017)
2.29.21.*:42175,71765,1495636758996,,1508923514413;1508664699736;1506572064230,en,,0,PASSIVE,1, (connected to on & off between 15 to 24 May 2017; I’m not aware of many ip addresses starting with 2. as long-lifespan.)

I could keep going through the host file but feel I've made my point.
(ip addresses edited with * for privacy purposes.)

What is possibly alarming is that a very large number of these hosts are GTK-Gnutella hosts. But this is probably coincidental.

Question is, is this purely due to the possibility of PyGnutella or other reasons?
At least the PyGnutella ip ranges you listed are on the WSHR/LIME hostiles I use so in theory no direct contact should be possible.

One thing I like about the Phex host file management system is it caches around 95% of connected ultrapeer hosts to file, updating every 5 minutes. So it does give a good snapshot of a small section of the network at any given time.


Off-topic:
I often used to see GTK-Gnutella struggle to download files (from an observation point of view as an uploader.) But GTK versions since at least early 2016 I suspect might have fixed this issue because the only occasions I've seen it since are those using older GTK versions of a few years ago.

I recall last decade the upload topography might change every day or two. One day it might be mostly audio files, day or two later video or image files, etc. Presently I share 46% audio files but without exaggeration 5% or less of my uploads are audio. Has something changed?
sleepybear91 likes this.
Reply With Quote
  #9 (permalink)  
Old November 19th, 2017
Valued Member contributor
 
Join Date: May 18th, 2016
Posts: 5
Lucio is a great assister to others; your light through the dark tunnel
Default

Hello, since I cannot answer your questions, I forwarded your post to ram, the main developer of GTKG. Unfortunately he is currently unable to access the forum.
He answers: "regarding the hostiles, I think banning IP is wrong, unless there is an *expire* time put on the ban and periodic re-checks are made. Second, regarding the file sharing itself, the code has not changed in GTKG. The only thing that I changed recently in 1.1.13 was fixing an old QRP (Query Routing Protocol) bug."

From my point of view I noticed that now using GTKG version 1.1.13 the host cache for leaves and ultrapeers fills up reaching a steady level after a few days. Using the bugged version 1.1.12 instead the regular hosts (leaves) cache gradually emptied, while the ultrapeers cache filled up to the limit. This gave me the (probably) false impression that Gnutella network had too much ultrapeer nodes.
sleepybear91 likes this.
Reply With Quote
  #10 (permalink)  
Old November 19th, 2017
Lord of the Rings's Avatar
ContraBanned
 
Join Date: June 30th, 2004
Location: Middle of the ocean apparently (middle earth)
Posts: 656
Lord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputationLord of the Rings has a distinguished reputation
Default

Thanks for the reply and for the effort to have ram give a response.

As for forum accessibility, there's a chance it's due to the site being flagged in browser or computer security. Several years back this occurred due to dubious advertisement(s) that had issues. I guess putting gnutella forum on the safe list might be attempted, though ram probably doesn't need to visit here very often.

I understand the arguments against re: hostile ip blocking. Though some people feel safer using something of that nature. In my experience this decade I have come across investigative hosts (police from various parts of the world) via connections or either way browsed or downloading from me and frankly some people would prefer not to come into contact with them if they could avoid it. I'm not going to list all the pro reasons. At least with GTK-Gnutella a person can disable the ability for others to browse them which blocks out browse-bots. Other bots can potentially be blocked by pseudo version they might use. Such as LimeWire/4.21.1 (rc), specifically LimeWire 4.16 (no sub-version), etc. Though that obviously does not count for all of them.
Reply With Quote
Reply

Tags
cache, fake, poisoning, pygnutella, ultrapeer


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -7. The time now is 05:50 AM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
SEO by vBSEO 3.6.0 ©2011, Crawlability, Inc.

Copyright © 2020 Gnutella Forums.
All Rights Reserved.