Preventing CTM attacks

Here is the sub forum used for talking about ideas, implementations and suggestions or typical guidelines.

Further info on extension or the protocol is found at our Wiki
Dj_Offset
Member
Posts: 53
Joined: 15 Sep 2008, 21:48
Location: adcs://adcs.uhub.org:1511
Contact:

Preventing CTM attacks

Post by Dj_Offset » 05 Jan 2009, 15:34

It is possible to carry out a CTM flood attack by a rogue hub or a rouge user on a buggy hub. This type of attack is hard to prevent, but we can perhaps make it evident that it is happening, and also perhaps provide information about who is performing the attack (pinpoint hub).

It is essential that the client performing the connection will send the hub reference initially, so that this can be logged by the attacker. Unfortunately this breaks the protocol somewhat, but nothing big.

In ADC:

Today, the client receives a CTM via hub, and tries to connect to the address and then send the initial handshake:
"CSUP ADBASE (...)"

Proposed change:
Add flag "RF" (Reference) to the SUP command.
Example:
"CSUP ADBASE (...) RFadc://hub.example.com:1234"

Result: the attacked party can if necessary figure out which hub(s) are causing the CTMs by looking at incoming packets.

In NMDC:

Today, client connect and send:
$MyNick <nick>|$Supports (...)|$Lock

Proposed:

$MyNick <nick>|$Supports (...)|$Ref dchub://hub.example.com:1234|$Lock
(Bonus; can even make the NMDC protocol a bit clearer).

Anyway, this is a trivial change for ADC clients, they simply need to accept another flag while parsing the CSUP message, and do not need to verify it (silent ignore).
In order to support it fully, the client also needs to set the RF-flag to point to the hub address whenever a CTM is received.

Even if not all clients does this. It will be evident to the attacked party which hub is generating the CTMs so that further actions can be taken against the hubs in question.

Comments?

Catalin
Junior Member
Posts: 12
Joined: 21 Mar 2008, 16:33
Location: Bucharest,Romania
Contact:

Re: Preventing CTM attacks

Post by Catalin » 05 Jan 2009, 17:34

Where will be the address read from? If it will be from hub_host it's easy to change it and put something fake or even adding the address of another hub. Even if my english is bad I hope I made myself clear

Toast

Re: Preventing CTM attacks

Post by Toast » 05 Jan 2009, 17:42

if point of origin can be ip then it would be sweet but a origin dns as a ref is also a good thing to have cause then a trace might be done

Dj_Offset
Member
Posts: 53
Joined: 15 Sep 2008, 21:48
Location: adcs://adcs.uhub.org:1511
Contact:

Re: Preventing CTM attacks

Post by Dj_Offset » 05 Jan 2009, 18:09

My initial thought is to use the address you used when you connected to the hub. That should be good enough.

Toast

Re: Preventing CTM attacks

Post by Toast » 06 Jan 2009, 09:35

[09-01-05][20:55:03] <jvk> it is closer to the Reference header in HTTP, but thats just nitpicking.
- [09-01-05][20:55:34] <jvk> alt for NMDC, add it to Supports in the same manner as ADC, and in that manner it does not break anything...
- [09-01-05][20:56:01] <jvk> $Supports foo bar Ref=hub.example.com:1234
- [09-01-05][20:56:40] <jvk> compliant clients understand the Ref= and ignore it. Non-compliant clients do not understand it and also ignore it.
- [09-01-05][20:57:02] <jvk> status quo kept, at the cost of a few initial bytes.
i just thought i include this part since offset didn't :)

Pietry
Senior Member
Posts: 328
Joined: 04 Dec 2007, 07:25
Location: Bucharest
Contact:

Re: Preventing CTM attacks

Post by Pietry » 07 Jan 2009, 08:28

The hub_host can't be included because the user doesn't know it. The user only knows the address it used for connecting to that hub, so that user should be used for the flag. Anyway , it's a pointer to the hub that is sending fake ctms.
Just someone


Pietry
Senior Member
Posts: 328
Joined: 04 Dec 2007, 07:25
Location: Bucharest
Contact:

Re: Preventing CTM attacks

Post by Pietry » 15 Feb 2009, 09:50

This feature is now called REF and it has been implemented in DC++ ( hopefully mods will inherit it ). Here is the link on the wiki
Just someone

Dj_Offset
Member
Posts: 53
Joined: 15 Sep 2008, 21:48
Location: adcs://adcs.uhub.org:1511
Contact:

Re: Preventing CTM attacks

Post by Dj_Offset » 30 Sep 2009, 11:43

Does anyone have any info about whether or not this has been an effective counter measure?

Toast

Re: Preventing CTM attacks

Post by Toast » 30 Sep 2009, 14:16

Think so since this site doesnt get frequent attacks and everything can be logged now so i guess only idiots use CTM DDoS we dont get that much blacklists on the hublist either :)

Post Reply