Gnutella Forums


zimon January 7th, 2004 06:55 AM

What is wrong in LimeWire. Constant HTTP-knocking!!!
 
I run gtk-gnutella, and I also have an Apache HTTP-server for other uses. There is a constant flood from LimeWire gnutella-clients trying to access some **** like:
"5B37561A495D3730073C897A1099EB315B37561A495D3730073C897A1099EB31"

[07/Jan/2004:16:22:18 +0200] (68.4.59.73 68.4.59.73) - - -> "GET /uri-res/N2R?urn:sha1:4R4VM2DXDTEMWEW3BIU6TEH42VHJLDSZ HTTP/1.1" - <- 404 1045B 0s "LimeWire(Acquisition)/100.2" "-" 1018

Is this some kind of DoS attack using gnet or what?

1455 26450 267332 /tmp/access_log.LimeWire.2004-01-07

1455 attempts today already.

trap_jaw4 January 7th, 2004 08:14 AM

Did gtk-gnutella run on the same port as your httpd does now?
In that case, there is just some other host still sending the address of your httpd as alternate location.

And please, 1455 connection attempts within a couple of days is by far not a DoS attack.

zimon January 7th, 2004 08:33 AM

Quote:

Originally posted by trap_jaw4
Did gtk-gnutella run on the same port as your httpd does now?
In that case, there is just some other host still sending the address of your httpd as alternate location.

And please, 1455 connection attempts within a couple of days is by far not a DoS attack.

No. I have never run gtk-gnutella or any other gnutella servant on any other port but 6346/tcp.

Well, yesterday there were ~2000, and today there are still several hours left. Maybe someone is just trying to flood httpd-logs so partition /var will be full and it WILL cause a DoS. Fortunately I audit these things automatically pretty well, but someone else may not.

Any ideas why LimeWire clients do this? I haven't yet noticed any other servants but LimeWire. I myself have never used LimeWire or any GWebCache. Also the IP-address hasn't changed so it cannot be someone else's servant who previously was listening in 80/tcp.

The three latest:

[07/Jan/2004:18:02:28 +0200] (68.83.173.148 68.83.173.148) - - -> "GET /uri-res/N2R?urn:sha1:4R4VM2DXDTEMWEW3BIU6TEH42VHJLDSZ HTTP/1.1" - <- 403 405B 0s "LimeWire(Acquisition)/103.4" "-" 27740

[07/Jan/2004:18:07:44 +0200] (68.83.173.148 68.83.173.148) - - -> "GET /uri-res/N2R?urn:sha1:4R4VM2DXDTEMWEW3BIU6TEH42VHJLDSZ HTTP/1.1" - <- 403 405B 0s "LimeWire(Acquisition)/103.4" "-" 27741

[07/Jan/2004:18:19:08 +0200] (68.117.42.170 68.117.42.170) - - -> "GET /uri-res/N2R?urn:sha1:4R4VM2DXDTEMWEW3BIU6TEH42VHJLDSZ HTTP/1.1" - <- 403 405B 0s "LimeWire/3.5.8 (Pro)" "-" 27742
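
An added example, not part of the original posts: one way to tally the `/uri-res/N2R` requests in a log like the one quoted above by source address, user agent and URN, and to flag sources that asked again for the same URN after already receiving a 4xx response. The regular expression assumes the custom log layout seen in the quoted lines, the lines are assumed to be in chronological order, and the function and variable names are illustrative.

```python
import re
from collections import Counter

# First four lines are the access-log entries quoted in this thread;
# the last one is a constructed ordinary request that must be ignored.
SAMPLE_LOG = '''\
[07/Jan/2004:16:22:18 +0200] (68.4.59.73 68.4.59.73) - - -> "GET /uri-res/N2R?urn:sha1:4R4VM2DXDTEMWEW3BIU6TEH42VHJLDSZ HTTP/1.1" - <- 404 1045B 0s "LimeWire(Acquisition)/100.2" "-" 1018
[07/Jan/2004:18:02:28 +0200] (68.83.173.148 68.83.173.148) - - -> "GET /uri-res/N2R?urn:sha1:4R4VM2DXDTEMWEW3BIU6TEH42VHJLDSZ HTTP/1.1" - <- 403 405B 0s "LimeWire(Acquisition)/103.4" "-" 27740
[07/Jan/2004:18:07:44 +0200] (68.83.173.148 68.83.173.148) - - -> "GET /uri-res/N2R?urn:sha1:4R4VM2DXDTEMWEW3BIU6TEH42VHJLDSZ HTTP/1.1" - <- 403 405B 0s "LimeWire(Acquisition)/103.4" "-" 27741
[07/Jan/2004:18:19:08 +0200] (68.117.42.170 68.117.42.170) - - -> "GET /uri-res/N2R?urn:sha1:4R4VM2DXDTEMWEW3BIU6TEH42VHJLDSZ HTTP/1.1" - <- 403 405B 0s "LimeWire/3.5.8 (Pro)" "-" 27742
[07/Jan/2004:18:20:00 +0200] (192.0.2.10 192.0.2.10) - - -> "GET /index.html HTTP/1.1" - <- 200 2048B 0s "Mozilla/5.0" "-" 27743
'''

# Matches the custom LogFormat shown in the thread (not Apache's default).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \((?P<ip>\S+) \S+\) .*?-> '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" .*?<- '
    r'(?P<status>\d{3}) \S+ \S+ "(?P<agent>[^"]*)"')
# Content-addressed request: a SHA-1 URN is 32 base32 characters.
N2R_RE = re.compile(r'^/uri-res/N2R\?urn:sha1:([A-Z2-7]{32})$', re.I)

def summarize(lines):
    """Tally N2R requests; flag repeats for a URN after a 4xx reply."""
    by_ip, by_agent, by_urn = Counter(), Counter(), Counter()
    errored = set()      # (ip, sha1) pairs that already received a 4xx
    repeats = Counter()  # further requests for that pair after the 4xx
    for line in lines:
        m = LINE_RE.match(line)
        n2r = N2R_RE.match(m["target"]) if m else None
        if not n2r:
            continue     # unparsable line or not an N2R request
        key = (m["ip"], n2r.group(1).upper())
        by_ip[m["ip"]] += 1
        by_agent[m["agent"]] += 1
        by_urn[key[1]] += 1
        if key in errored:
            repeats[key] += 1
        if m["status"].startswith("4"):
            errored.add(key)
    return {"total": sum(by_ip.values()), "by_ip": by_ip,
            "by_agent": by_agent, "by_urn": by_urn,
            "repeats_after_4xx": repeats}

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```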

trap_jaw4 January 7th, 2004 10:07 AM

If you never have run a gnutella client on port 80 it may be some kind of attempt to use the Gnutella network as a tool to launch a DDoS attack but I still have my doubts.

LimeWire at least will never request a file twice from a host that has sent a 404, nor will LimeWire send the address of a host as alternate location unless it has successfully tried that host (and got a 200).

There seems to be at least one non-LimeWire host (or a modified LimeWire host) that is apparently still sending alternate locations for your http server. Are there other computers using the same address? You might want to check if someone else is using the same IP and propagates port 80 as listening port for some reason (some people seem to do that because they believe they might get around firewalls that way).

PapaSMURFFS January 7th, 2004 12:51 PM

I have noticed similar behaviour as well. I also run gtk-gnutella on a high port number. My firewall however, detects on average one to two connection attempts on port 80 per hour. On forwarding the port and using netcat to gain a data snapshot it turns out to be Limewire (or Limewire variants) attempting to do a file transfer from my port 80. Often times it appears to be Limewire clients running behind a NAT (the handshake return address is a reserved non-routable net). It may happen from other non Limewire clients though, it has never bothered me enough (once I found out what it was) to actually take a large enough data sampling to try and solve it.

zimon January 7th, 2004 12:59 PM

Quote:

Originally posted by trap_jaw4
If you never have run a gnutella client on port 80 it may be some kind of attempt to use the Gnutella network as a tool to launch a DDoS attack but I still have my doubts.

There seems to be at least one non-LimeWire host (or a modified LimeWire host) that is apparently still sending alternate locations for your http server. Are there other computers using the same address?

I am sure I have never run any gnutella on port 80.
I have a static IP-address, which has been the same for over two years, so unless someone has hacked my machine, which I doubt, no one should have used this IP-address and port 80 with any gnutella client.

I also asked on the gtk-gnutella mailing list if it could be a bug in it. Seems like now, a few hours after I shut gtk-gnutella down, those requests on the 80/tcp port are becoming more seldom.

