Re: [p2pi] FYI - "Inside the Attack that Crippled Revision3"

"Robb Topolski" <robb@funchords.com> Sun, 01 June 2008 20:37 UTC

I think you're right -- MD was tracking those who were exploiting
Revision3's open tracker -- and/or they were putting their own fake torrents
there.

However, several torrent clients I've used do not respond the way that MD
did when the tracker throws an error (e.g. "Not Registered").  They will
either stop the task and wait for the user to start it again, or wait for a
minimal interval (which doubles on each attempt) and then ask the tracker
again.  This is not by specification, but by common programming practices
with networking applications experiencing an error.

With the above in mind, if they were tracking a number of different hashes,
most clients I've used would attempt at least once per hash.  The error
response thrown for a single infohash query attempt would not apply to
different infohash queries using the same tracker.  Individual clients don't
do enough simultaneous tasks to matter.  But if MD tracks thousands upon
thousands of hashids on a single tracker, they would be well advised to add
some anti-hammer code to prevent hammering even though the infohashes
differ.

Robb Topolski

On Fri, May 30, 2008 at 3:17 PM, Nicholas Weaver <nweaver@icsi.berkeley.edu>
wrote:

> Actually, it sounds like MD was tracking those who were exploiting
> Revision3's open tracker.
>
> They were set up to aggressively monitor, and when they found a hash in the
> open tracker that was being used to host questionable material, they kept on
> it.  And when all those hashes all got removed at the same time, their
> monitor went bonkers as it tried to reconnect to every single hash all at
> once.
>
> At least, that's what I'd be doing.
>
>


-- 
Robb Topolski (robb@funchords.com)
Hillsboro, Oregon USA
http://www.funchords.com/
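
The anti-hammer behaviour suggested in the message above, as an added example that is not part of the original message or of any client's code: each infohash keeps its own doubling retry delay, and a per-tracker gate paces requests even though the infohashes differ. The class and function names, the tracker name, the hash ids and the timing values are assumptions made for illustration.

```python
import random
from collections import Counter

class TrackerGate:
    """Anti-hammer state kept per tracker, shared by every infohash on it."""

    def __init__(self, min_gap=1.0, base=60.0, cap=3600.0, seed=0):
        self.min_gap = min_gap    # minimum seconds between requests to one tracker
        self.base = base          # first retry delay after an error (assumed value)
        self.cap = cap            # ceiling for the doubled retry delay
        self.rng = random.Random(seed)
        self.next_slot = {}       # tracker -> earliest time the next request may go
        self.failures = {}        # (tracker, infohash) -> consecutive errors

    def schedule(self, tracker, infohash, now):
        """Return the time at which this announce may be sent."""
        fails = self.failures.get((tracker, infohash), 0)
        earliest = now
        if fails:
            # Per-hash backoff: doubles on each error, jittered to avoid lockstep.
            delay = min(self.cap, self.base * 2.0 ** min(fails - 1, 32))
            earliest = now + delay * self.rng.uniform(0.5, 1.0)
        # Per-tracker pacing: applies even though the infohashes differ.
        slot = max(earliest, self.next_slot.get(tracker, 0.0))
        self.next_slot[tracker] = slot + self.min_gap
        return slot

    def report(self, tracker, infohash, ok):
        """Record the tracker's answer; an error such as "Not Registered" is ok=False."""
        key = (tracker, infohash)
        if ok:
            self.failures.pop(key, None)
        else:
            self.failures[key] = self.failures.get(key, 0) + 1

def simulate(n_hashes, rounds, gate):
    """Every hash is rejected every round; return the sorted request times."""
    tracker = "tracker.example"                           # constructed name
    due = {f"hash{i:05d}": 0.0 for i in range(n_hashes)}  # constructed ids
    sent = []
    for _ in range(rounds):
        for infohash, t in sorted(due.items(), key=lambda kv: kv[1]):
            slot = gate.schedule(tracker, infohash, now=t)
            gate.report(tracker, infohash, ok=False)
            due[infohash] = slot
            sent.append(slot)
    return sorted(sent)

def peak_per_second(times):
    """Largest number of requests landing in any one-second bucket."""
    return max(Counter(int(t) for t in times).values())
```

Passing `TrackerGate(min_gap=0.0, base=0.0)` to `simulate` models a monitor that retries every hash immediately, which gives a baseline to compare against the paced schedule.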