View Single Post
  #2 (permalink)  
Old September 26th, 2002
cultiv8r cultiv8r is offline
Connoisseur
 
Join Date: August 9th, 2001
Location: Philadelphia, PA, USA
Posts: 358
cultiv8r is flying high
Default

In my opinion, the biggest issue is that Gnutella developers are too busy trying to figure out how to get more results to searches, while at the same time reducing bandwidth consumption. But now its going into a "Microsoft Syndrome" where all the focus is on "better" interfaces, better results, more features with snazzy names, etc. Until someone decides to exploit the problems with Gnutella.

It's pretty much the day MS Outlook (Express) started to receive VB scripts, and renamed .exe files in your mail, containing worms and virii, and the HTML pages that automatically zipped you to another site, forced you to upload/download things that were personal, etc. THAT is where Gnutella is going at this rate of development. Most developers that talk on the GDF have their heads in the sand. Security is their lowest priority (with an exception of a small number).

For example, AusCERT (Australian department of CERT) recently sent most Gnutella developers a letter that they were planning to publicize a document, that states that Gnutella can be used for a DDoS attack. This issue is already know among many people, and it has been so for over a year. No one has touched that topic often enough to be resolved. Even when AusCERT sent out that letter, it was discussed for about 3 weeks, with all kinds of interesting ideas, and then it sizzled down into nothingness, replaced by another discussion.

In meantime, all the Gnutella clients are capable of launching a DDoS with little effort. Simply send a Pong with the wrong IP address/port to as many nodes you can. The Ping/Pong caching will also ensure that wrong IP address will remain around for a while to come. A temportary solution? Check Pongs with a Hop count of 0, against the actual IP address of that connection. Is any Gnutella client doing that yet? Perhaps two out of the 2-dozen. A long term solution? Don't trust every node on the network, by accepting their messages at all times.

Now what does this have to do with the end user experience? Currently, the network is filled with bogus of faulty network messages, because everyone is trusted. Everyone, including those organizations you may speak of in dismay. The more bogus and faulty messages around, the less quality messages can be exchanged. The best example would be bogus Query Hits (results to your search). Instead of coming from a file sharer that actually owns that file, it might be "produced" on the fly and leads to nowhere. All downloads for these results will fail, and thus degrading the quality of your search results. Or how about someone tracking your download habits? That "produced" Query Hit might well point to an IP address that happily creates a list of files attempted to be downloaded, with IP, timestampt and all - leading straight to your frontdoor (* although most people cannot be held accountable for 'attempting to download' -- yet). So as the end result, your search results may filled 1/3rd with bogus Query Hits, another 1/3rd of Query Hits no longer valid, while the remainder is flooded with download requests, leaving no spot for you.

The point here? Gnutella developers need to focus more on security. Not only does this prevent Gnutella to be abused against itself or other services, but it will also increase the overall quality of the network. At that point, one can start worrying about getting more search results and reducing bandwidth whereever possible.
Reply With Quote