Slyck.com
 

Decentralized network, can it be done and how?


Is it possible to make a COMPLETELY decentralized network?

Yes: 28 votes (90%)
No: 3 votes (10%)

Total votes: 31

Postby larytet » Mon Apr 11, 2005 2:07 pm

"Anything is possible because everything"

Let's say that spoofing of IP address in TCP based protocols is technically possible, but can not be easily implemented in a portable way.

For example, leacher sends SYN to the bouncer, bouncer forwards the SYN (and all packets arriving to this port) to the seed. Seed processes SYN and sends ACK to the leacher. The ACK contains (has to contain) in the IP header the source IP address of the bouncer and the destination IP of the leacher.

Leacher thinks that PC talks with the bouncer and only with the bouncer, when in reality bouncer does not see half of the traffic - seed sends packets directly to the leacher.

I considered this approach. I will probably implement it as a non-portable plugin for Rodi. I am not aware of any project which tries to do this.

I do not think that it's possible to create single source code for such plugin. For example Windows XP, SP2 does not support raw sockets. Application will have to provide device driver for Windows XP, SP2.
Actually I failed even to create a dummy IP interface in Windows XP, SP2 (see http://larytet.sourceforge.net/userManu ... sson%203.0
Rodi User manual, lesson 3.0). I guess I need two physical IP interfaces (two Ethernet cards).

It's easier in Linux, where you can open raw socket and send any packets you want.

Another point, which is probably important or probably is not, is that only the seed (publisher) has to spoof the IP address. And only the bouncer and the seed have to utilize raw sockets. Leacher's TCP/IP stack is the regular TCP/IP you have on any PC and leacher's client makes use of regular TCP sockets.
larytet
 
Posts: 73
Joined: Mon Jan 03, 2005 8:45 pm

Postby no_dammagE » Mon Apr 11, 2005 2:42 pm

"Another point which is probably important or probably is not, that only seed (publisher) has to spoof IP address"


The problem is that once you spoof a frame, you've managed to change packet's and frame's headers, but still you haven't achieved a lot.
A packet contains your logical address, the frame contains your physical address.
e.g. if you send something to a WAN host through a router, you first send your own frame containing LAN information and your router modifies it to fit the WAN needs (Class B networks in the range of 192.168 or 10.0 and so on are not suitable for WANs)(and the other way around when data is incoming).

The problem is: your ISP is also a router and it knows your logical address (and the physical one - but it will be irrelevant here). Once you spoof it, most ISPs' gateways will correct your frames into proper form making spoofing impossible. You can modify your physical address in frames headers until you'll become blue, your application has to do the dirst work where actually TCP/IP is for. ISPs' routers do that for you :)

That's why IP spoofing won't work anymore, there were times when it worked, but when everyone began to do that, ISPs understood that there's no need for such ones.

This data is only one-way data, a reply can't return if you spoof your logical (and possibly physical) address, that means that you still need to add a trailer to your data containing your real IP address...If spoofing would work ;)

It is just for some information.
Windows? Blah. Linux? Blah. BSD? Blah.
Just make sure you have a computer licence and I can open your fsckin files.
Vorbis | Theora | LaTeX | OpenDocument
no_dammagE
 
Posts: 652
Joined: Sat Jul 05, 2003 9:37 am

Postby larytet » Mon Apr 11, 2005 3:14 pm

If you use a cable modem you typically can not spoof, unless the ISP does not configure the CMTS properly. The same is true for DSLAM - it depends on DSLAM and router configuration.


"You can modify your physical address in frames headers until you'll become blue, your application has to do the dirst work where actually TCP/IP is for."
Please be more specific. Do you mean the Ethernet address? Routers ignore the Ethernet address (source). You can write there whatever you want.

"Class B networks in the range of 192.168 or 10.0 and so on are not suitable for WANs)(and the other way around when data is incoming"

I do not know what the 192.168.0.0 network has to do with it. In most of the cases your cable modem has a real unique IP address. Trust me. It is your corporate router or the router at your home that is configured this way - to NAT IP traffic. Even a dialup modem will get a unique 4-byte IP address.

I will give you another interesting example. Imagine you are on a Univ campus and your PC is connected to the Univ LAN (this is the case of 192.168.0.0). Imagine that you have two PCs. Let's call one PC seed and the other bouncer. Suddenly we find out that spoofing is possible. For the outside world there is only one PC - the bouncer with the IP address of the Univ gateway and the port the Univ NAT chose for the bouncer. In reality there are two PCs - one bouncer without even a TCP stack and the other - the actual seed. Neither the bouncer nor the leacher in the outside world knows what is going on. Bouncer sees only half of the traffic and leacher does not see seed's IP. Univ gateway is the only place where a log can be collected to figure out what is going on in reality and it is not an easy investigation, because all packets arriving from the seed are "signed" by bouncer's IP address. Even a log on the bouncer will not help, because the bouncer can duplicate requests for many different IPs or use multicast.

Not to say that the system is completely immune. Let's say that a mighty adversary controls the bouncer. They start to remove IP address after IP address from the bouncing table, until they find out the IP address of the seed. Another way is to sporadically disconnect segments of the network by disabling ports on the Ethernet bridges and/or routers. Sooner or later the seed will be found. Both procedures require intensive investigation and can not be done en masse. An attack against the seed using an IP sniffer on the edge of the network will fail completely.

Imagine another situation. You are a small ISP, a really tiny ISP, reselling bandwidth to 20 or 30 customers. You have a server with sensitive content, a unique IP and a T1 connection running Frame Relay. The WAN - in our case a Frame Relay switch - does not care about the payload of the Frame Relay packets - IP frames. In the upstream direction the Frame Relay switch strips out the Frame Relay header and forwards the packet to the router as is. In the downstream direction the router looks at the destination IP and sends it to the Frame Relay switch. The Frame Relay switch adds the DLCI from the destIP/DLCI table and sends it to your T1.

"This data is only one-way data, a reply can't return if you spoof your logical (and possibly physical) address, that means that you still need to add a trailer to your data containing your real IP address"

Indeed the request contains the real IP address, the reply does not have to. The request can be encrypted though, using, for example, a key you get together with the "torrent" file.


"It is just for some information."
I liked this one.
Last edited by larytet on Mon Apr 11, 2005 8:39 pm, edited 2 times in total.
larytet
 
Posts: 73
Joined: Mon Jan 03, 2005 8:45 pm

Postby larytet » Mon Apr 11, 2005 8:28 pm

My English sucks, to put it bluntly. I suggest reading http://board.planetpeer.de/index.php/to ... ml#msg3098
larytet
 
Posts: 73
Joined: Mon Jan 03, 2005 8:45 pm

Postby larytet » Thu Apr 14, 2005 7:43 pm

Also this post (and thread) is interesting
http://www.zeropaid.com/bbs/showpost.ph ... stcount=10

Well, actually reports from ES5 PXP users (which does allow source address spoofing) indicate that many big ISPs in fact do not block spoofed source addresses. The biggest problem seems to be home routers and NAT that are not compatible with spoofing. The good side in spoofing compared to proxy-node-network is that it is direct upload thus no speed drop compared to conventional P2P.
larytet
 
Posts: 73
Joined: Mon Jan 03, 2005 8:45 pm

Postby thejynxed » Fri Apr 15, 2005 5:39 am

You mentioned ES5? ROFL. Their "spoofing" was a joke. It wasn't even real IP spoofing. Anyhow, they are full of crap. Any ISP worth its money drops spoofed packets. They don't just block them, they filter them completely. For instance, try to spoof packets through Verizon and see if any actually get through :) Another reason spoofing packets won't work: firewalls. Sygate, Outpost, etc. all block spoofed packets by default. Again, good luck with the spoofing, but it really won't work.
"FlickR is supposed to be weird, fun, experimental, way out-there -- oh no, wait, now that it's so close to being part of Microsoft, FlickR's supposed to bore people to death and empty their pockets while pretending to innovate." - Bruce Sterling
thejynxed
 
Posts: 1953
Joined: Mon Sep 06, 2004 12:22 pm
Location: In a Galaxy Far, Far Away....

Postby _eAgLe_ » Fri Apr 15, 2005 6:09 am

lol, wow, i thought this thread was long gone... :)]

Thanks for continuing it guys, I'll try to understand what you're all saying, about 10 years from now lol ;)
_eAgLe_
 
Posts: 1190
Joined: Wed Dec 22, 2004 2:06 am

Postby larytet » Fri Apr 15, 2005 12:51 pm

"They don't just block them, they filter them completely."
What is the difference between "just block" and "filter completely"?


" Another reason spoofing packets won't work: firewalls."

Actually I can spoof if I am behind a firewall. Nothing could be easier.
Read http://www.slyck.com/forums/viewtopic.p ... 851#136851
You can spoof if you are connected to the LAN. Just try it. Add a dummy IP interface, bind a socket and send a UDP packet. I did it on Linux and Windows XP (not SP2) and it works.

You apparently did not read the Rodi documentation.
For example, try this page http://larytet.sourceforge.net/rodiAnonymity.shtml

"Again, good luck with the spoofing, but it really won't work."
Did you try it? Or did you just hear it from someone who knows how it works? If the latter is the case, why do you believe that someone and not me?
Last edited by larytet on Fri Apr 15, 2005 5:13 pm, edited 1 time in total.
larytet
 
Posts: 73
Joined: Mon Jan 03, 2005 8:45 pm

Postby larytet » Fri Apr 15, 2005 4:05 pm

It raises many questions and I think there is a lot of misunderstanding regarding how IP spoofing can work behind NAT/firewall. I hope this diagram can help.
[Diagram: IP spoofing behind NAT/firewall]

Back to ES5 - I did not try the program. I avoid non-open source non-free applications.


More diagrams related to IP spoofing and Rodi bouncers:

[Diagram: Mode A]

[Diagram: Mode B]

There are applications and cases where and when IP spoofing is possible and a viable option.
One of the examples is protection against DDoS attacks.

For example, the seed (publisher) can spoof the source IP port (not address, but port). Let's say that the publisher stamps packets with IP port 31100. Publisher advertises bouncer's IP and port. Publisher asks the ISP to drop (filter out) all packets arriving to any other port, but 32200. Bouncer forwards all arriving packets to the publisher port 32200. Bouncer protects the publisher's server against a flood attack. Think about the bouncer as an intelligent traffic shaper.
From time to time the publisher rotates the ports.

An adversary considering an attack against the publisher should figure out the port of the publisher - one among 65535 possible ports. If the adversary does not know the port number it has to run the attack against all ports simultaneously. Adversary can attempt to run the attack port by port, but then it requires some reliable feedback. And the publisher can always switch the port. Only the bouncer and the ISP know what port is open on the publisher at this specific moment.
Adversary can attack the bouncer by flooding the connection advertised by the publisher. Publisher can respond by using/advertising multiple IPs or even IP ranges, and rotating them from time to time.
This is a game, where IP port spoofing is just another tool.

Rodi publisher never advertises an IP address, but always a range of IPs. And most likely these are the bouncer's IPs.
For example, the publisher can advertise 0.121.12.0 0.255.255.0 port 31100 (this is NOT IP subnet/mask) - 64K IP space. Leachers/customers/downloaders are expected to scan (you read it right - run an IP scan) the range and find the actual IP the publisher/bouncer uses now.
larytet
 
Posts: 73
Joined: Mon Jan 03, 2005 8:45 pm

Postby carpefile » Fri Apr 15, 2005 11:08 pm

We did some testing with rodi tonight and successfully spoofed my ip, and utilized bouncers at the same time.
His explanation above shows how it was done, I'm just here to say it really works! :D

We used mode b. This thing has mad potential.
carpefile
 
Posts: 109
Joined: Wed Nov 10, 2004 1:52 am

Postby larytet » Sat Apr 16, 2005 1:26 pm

The IP address in the LAN was spoofed.
We did not attempt to check the ISP's router, because both peers were NATed.

Actual test setup was as follows:
2 PCs Bouncer and Seed in the same network 192.168.1.x behind NAT with external IP in the network 68.x.x.x

Leacher in the network 192.168.18.x behind NAT+Firewall with external IP 63.x.x.x

(Leacher) and (Publisher+Bouncer) are 1,000+ miles from each other and are subscribers of different ISPs.

Seed spoofed the IP address - used the 192.100.x.x network to send packets. The rest is as on the diagrams above - case B.
larytet
 
Posts: 73
Joined: Mon Jan 03, 2005 8:45 pm
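
Added example, not part of the thread and not Rodi code: a gateway-side source-address validation check of the kind the posters argue about, applied to the test setup above (a seed on 192.168.1.x sending from a 192.100.x.x source) and to the campus case where the seed stamps packets with the bouncer's address. The concrete addresses, MAC addresses, bindings and the record layout are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed frame records as a LAN gateway would see them on its inside
# interface: source MAC, source IP, destination IP. All values are made up.
Frame = namedtuple("Frame", "src_mac src_ip dst_ip")

LAN_PREFIX = ipaddress.ip_network("192.168.1.0/24")  # assumed inside prefix
# Assumed IP-to-MAC bindings, e.g. learned from DHCP leases.
BINDINGS = {
    "192.168.1.10": "02:00:00:00:00:0a",  # bouncer
    "192.168.1.20": "02:00:00:00:00:14",  # seed
}

def classify(frame, prefix=LAN_PREFIX, bindings=BINDINGS):
    """Return 'ok' or the reason the frame fails source validation."""
    src = ipaddress.ip_address(frame.src_ip)
    # Egress filtering (BCP 38 style): source must belong to the inside prefix.
    if src not in prefix:
        return "source-outside-prefix"
    # Source-guard style check: the address must come from its assigned host.
    owner = bindings.get(frame.src_ip)
    if owner is None:
        return "unbound-source"
    if owner.lower() != frame.src_mac.lower():
        return "mac-ip-mismatch"
    return "ok"

def audit(frames):
    """Group rejected frames by (source MAC, reason) so the sender stands out."""
    findings = {}
    for f in frames:
        verdict = classify(f)
        if verdict != "ok":
            findings.setdefault((f.src_mac, verdict), []).append(f.src_ip)
    return findings

SAMPLE = [  # constructed traffic
    Frame("02:00:00:00:00:0a", "192.168.1.10", "203.0.113.5"),   # bouncer, own IP
    Frame("02:00:00:00:00:14", "192.100.0.7", "203.0.113.5"),    # seed, off-prefix
    Frame("02:00:00:00:00:14", "192.168.1.10", "203.0.113.5"),   # seed as bouncer
    Frame("02:00:00:00:00:14", "192.168.1.20", "198.51.100.9"),  # seed, own IP
]

if __name__ == "__main__":
    for key, sources in audit(SAMPLE).items():
        print(key, sources)
```

The prefix check alone catches the 192.100.x.x case from the test; the binding check is what catches a host inside the LAN borrowing a neighbour's address, which a prefix filter passes.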
