Exploiting the Security Weaknesses of the Gnutella Protocol
 [  Abstract  ::   Download Paper  ::   Reading & Resources ]
Print this Page   

Project by: Zeinalipour-Yazti Demetris.
Instructor: Chinya V. Ravishankar
Email: csyiazti@cs.ucr.edu
CS260-2 - Course Webpage: http://www.cs.ucr.edu/~ravi/cs260.html
Project Deadline: 21 March 2002

Peer-to-Peer (P2P) file-sharing systems such as Gnutella, Morpheus and Freenet have recently attracted a lot of interest from the internet community because they realized a distributed infrastructure for sharing files. Such systems have shifted the Web's Client-Server model paradigm into a Client-Client model. The tremendous success of such systems has proven that purely distributed search systems are feasible and that they may change the way we interact on the Internet. Beside the several advantages that have been uncovered by P2P systems, such as robustness, scalability and high fault tolerance various other questions and issues arise in the context of Security. Many P2P protocols are bundled along with an adequate amount of security mechanisms but are proprietary which makes their analysis difficult. The Gnutella Protocol on the other hand is an open protocol, which doesn't highlight security in the sake of its simplicity. Most security weaknesses of the Gnutella Protocol could be avoided if the protocol was taking into account that Peers may mis-behave. In this paper we provide an overview of the Gnutella Protocol Specification, decribe several of its weaknesses and show how they can be turned into Distributed Denial of Service Attacks, User's Privacy Violation and IP Harvesting. We present the weaknesses with experimental attacks that we have performed on the Gnutella Network. We finally evaluate how these attacks could be avoided and suggest in some cases improvements on the protocol.

Download Paper
"Exploiting the Security Weaknesses of the Gnutella Protocol" by Demetris Zeinalipour
Adobe Acrobat PDF (206 KB) Zipped Postscript, (298 KB)
HTML (latex2html version)

Reading & Resources
  • General P2P Papers & Specifications
    • "The Gnutella Protocol Specification v0.41" - Document Revision 1.2, (Download PDF).
    • "Security Aspects of Napster and Gnutella", Steven M. Bellovin, 9th Usenix Security Symposium Presentation, Denver, Colorado, August 2000. (Download PDF).
    • "Evaluating Security Mechanisms in Peer-to-Peer Applications", M. Parashar, M. Agarwal S. Arbeeny, V. Bhat, R. Chowdhury, Department of Electrical and Computer Engineering, Rutgers University. (Download PDF).
    • "FILE SHARING PROTOCOLS: A TUTORIAL ON GNUTELLA",, Vincent Berk and George Cybenko March 6, 2001, (Download PDF).
    • "Why Gnutella Can't Scale. No, Really.",Jordan Ritter, February 2001., (Visit Site).
  • Latest News
    • The Joke of the day, (Visit Site).
    • Symantec Security Response - VBS.Gnutella, (Visit Site).
    • Symantec Security Response - W32.Gnuman.Worm, (Visit Site).
    • "Morpheus' downfall: Bills weren't paid", John Borland, News.com article, March 2002, (Visit Site).
    • "Gnutella viruses weaker than email bugs, experts say", John Borland, Article, March 2002, (Visit Site).
    • "Reverse-engineered Napster Protocol Specification.", SourceForge, (Visit Site).
  • Attacks & Flaws
    • Kazaa / Morpheus Denial of Service Attack (Flood), (Visit Site).
    • P2P, OR NOT P2P?, Cover Story by BY AL BERG, (Visit Site).
    • Security Alert: Capturing Peer-to-Peer Applications, (Visit Site).
    • "Self-Replication Using Gnutella",Seth McGann, Security Focus Online, BugTraq Archive May 2000, (Visit Site).
  • JAVA - Open Source Clients
  • Others