Bearshare DDOS'ing Webcaches

Neglacio · #1 (**permalink**) June 12th, 2008

Beacon GnutellaWebCaches (GWC's) like the one here are able to log floods and poisoning attacks, mostly performed by anti-P2P companies.

Beacon already has a DDoS security, but still one of them has fainted, and the others are under a heavy attack.
Why?

Well, out of nowhere, all clients with the Bearshare vendor (so not the iMesh clone) are crazily connecting to GWC's. This causes a lot of stress on them. I, myself, have a Beacon cache that doesn't have Gnutella enabled and only G2 (Yeah, sorry). Still, Bearshare's are vastly connecting to my cache.

This flooding really come out of nothing. Newer versions of Beacon will include a full block for Bearshare's until it is solved.

Why is this happening? Is it similar with the island Limewire "virus" from their developers a few months ago? Or is it an exploit found by the anti-P2P?
What are the stats of this on other GWC's and UDP caches?

Please, answer this. If such services fail to work, Gnutella may possible die down, because this is it's weak spot.

Peerless · #2 (**permalink**) June 12th, 2008

I just fired up BearShare, using PG2 and my firewall of course

, and have only connected to BearShare UPs....10 at this point and I'm going to end up at about 30 connections within an hour or so...I usually see only a few non-BS UPs and those are usually LW....been pretty slow finding good UPs to connect to lately, but that's probably because PG2 has been blocking so many attempts at connection for a while now....

in short I think you are seeing some of the mafiaa using BS as a client to spam the network...

Neglacio · #3 (**permalink**) June 12th, 2008

So you really think it's not something wrong in the settings or a copy of the "LW Island" """virus"""?

AaronWalkhouse · #4 (**permalink**) July 25th, 2008

The old hardcoded bootstrap sites are hostile now and the original
default web caches are outdated too. They are probably falling back on
the few they can find and there's your flood. At least it's a relatively
small flood. ;]

I updated my gwebcache.dat manually with new sites and put all the old
caches in HOSTS list a few years ago when Free Peers shut down. I'll
ask our BearDiag guy to add this minor housekeeping to his program.

Do you think the Spybot S&D guys would be willing to add some more
bad and missing sites to their HOSTS filters? That goes out only to
Windows machines, where BearShare works. The Bluetack guys have
already blocked the worst of them as anti-p2p so things should settle
down as the weaker users migrate to newer software.

AaronWalkhouse · #5 (**permalink**) July 25th, 2008

In the meantime, I'll scan the remaining BearShare nodes out there and see if the
versionless BEARs are any of the real versions.

coolg1026 · #6 (**permalink**) September 2nd, 2008

It seems a lot of the hits are Polish BearShare clients.
Overall, I get 6000-7000 hits top, which is perfectly normal.
Though I do find it weird 90% of the BearShare hits and requests are alone from Poland. O_o

BTW: My GWC is now at: Beacon Cache 0.7.2.3

Peerless · #7 (**permalink**) September 2nd, 2008

I have also noticed a preponderance of Polska BS clients....I've also noticed an increase in being DDOS'd after searches...the last one hit me a couple of days ago...over 1,000 hits on me in less than a minute!...though quite a few of the IPs traced to Canada of all places, not Poland...still, I wonder if there is a connection between Polska clients and these DDOS's...spam bot network in action?

AaronWalkhouse · #8 (**permalink**) September 3rd, 2008

I think the Polish users went independent after Free Peers went out of
business and have been supplying their own cache lists because most
of the built-in defaults are no longer online. This could explain heavy
traffic at some webcaches and no problems at others. Hopefully they'll
keep adding good caches to their own list, spreading the load a little
better. I wish I knew someone over there so I could ask because
Polish translation doesn't appear to be available online.

As for the search floods I don't know. I don't get DDOSed after searches.
I guess it depends on what you were searching for. It might be worth
experimenting on to see if it's deliberate or a software problem.

While I was checking this I found an anti-P2P company operating a
cache. It's going directly into a Bluetack list and my own. ;]

Peerless · #9 (**permalink**) September 3rd, 2008

searching for certain TV programs certainly garners an attack, that I noted a while back...so yes, there is a correlation between what one is searching for and being attacked...and sometimes one gets attacked just for being connected (most likely as an UP) to the network...I do notice the latter seems to have stopped after I contacted EFF about the subject...I mean really, it is obvious it would be against the law to DDOS a person simply because they are connected to the network (and I verified this by ONLY being connected yet was still constantly being hammered by MediaDefender)

Peerless · #10 (**permalink**) September 8th, 2008

hmmm...well I have suddenly noticed being slammed VERY hard for ANY search by:

Groupe iWeb|anti-P2P : 67.205.103.134

I guess they don't care that it is illegal to DOS a person when they aren't (or even if they are) breaking the law...