Protection Team Operating Manual

Important Notice
This page has been created for members of the WinMX protection team and will explain the basic tools and the theory behind their use. These special tools are not hosted on this site and will only ever be handed out in person, so if you have come to this page by accident please don't ask for them: they are not available to anyone outside the protection team.

We have a range of tools available for monitoring the network, most of them custom made for a specific purpose, so let's break the tools up by the areas in which they help us locate issues of network concern.

1) Network Query/Search Result Flooding : You're all, I hope, familiar with this aspect of attack on the network, but if not a refresher course can be read here. Suffice to say this activity steals users' bandwidth and in extreme cases can cause serious network disruption by overburdening the network's primary connections.

2) Network Data Mining : This is where systematic searches are made to index the contents of users' shared file folders for unknown purposes; we regard users' privacy and security to be in danger from this activity.

3) Network Buffer Overflow Attacks : These attacks are usually undertaken from behind a proxy and are illegal in most countries. We saw such attacks in 2005/06 and cannot rule out their use in the future, but should they reappear the first order of the day is to gather evidence to pass on to the authorities, as this is a reportable crime.

4) Denial Of Service Attacks : As above, these attacks are in most cases made using proxies or by the combined effort of multiple persons, often without their knowledge or permission; once again the role here is evidence gathering for possible crime reporting.
One more sedate form of denial of service is to block as many secondary "slots" on network primaries as possible, denying them to real network users and aiding the attackers' general disruption efforts.

OK, so we can see from the above the main threats we face. Now let's look into our arsenal of tools to see what we have that can even up the odds a little.

Solutions And Relevant Theory Of Operation

1) Search Result Flooding Detection

For case one we have a special version of the connection patch that relies on some of the protocol rules to ensure a fast and accurate check of suspected flooders can be undertaken; this is what it looks like.

This tool relies on two key concepts. First, all query results use the same protocol packet and thus have a common format from which we can extract the originating node. Second, the flooders are only able to join the network as secondaries, so a genuine secondary appears on a single primary client: any secondary appearing on more than one primary is usually suspicious, and one appearing on more than two is 100% a non-genuine client and should be added to the blocklist.

We can check the tool's output if we need to with the Nushi sniffer, which can be found here; it delivers the same information, albeit in a more complex fashion, and only by watching and logging such traffic can the skill of understanding the Nushi tool's output be gained.
Another helpful side effect of locating a flooder is that their "pretend" files can be observed and will often be found to overlap with the fake file lists of other flooders, providing a list of flooded titles to work from (search for) over the next week or two, as locating flooded titles is not always as easy as it sounds.
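The two rules above (a secondary seen through more than one primary is suspicious, through more than two is certainly not genuine) and the "pretend files" side effect can both be expressed as a small tally over parsed query-result packets. The following is an added example written for this manual, not the connection patch or any protection-team tool; the record layout (secondary id, primary IP the result came through, advertised file name) and the sample records are constructed for illustration, since the real patch pulls these fields out of the packet itself.

```python
"""Added example: grade secondaries by how many primaries their query results
arrive through, then collect the titles advertised by confirmed flooders.

Record layout and sample data are assumptions for illustration only.
"""
from collections import defaultdict

GENUINE = "genuine"        # seen through one primary
SUSPICIOUS = "suspicious"  # seen through two primaries
BLOCKLIST = "blocklist"    # seen through three or more primaries

# Constructed sample of parsed query-result packets:
# (originating secondary id, primary IP the result was seen on, advertised file name)
SAMPLE_RESULTS = [
    ("node-A", "192.0.2.10", "song one.mp3"),
    ("node-A", "192.0.2.10", "song two.mp3"),
    ("node-B", "192.0.2.10", "album.zip"),
    ("node-B", "192.0.2.11", "album.zip"),
    ("node-C", "192.0.2.10", "movie.avi"),
    ("node-C", "192.0.2.11", "movie.avi"),
    ("node-C", "192.0.2.12", "movie.avi"),
]


def primaries_per_secondary(results):
    """Map each originating secondary to the set of primaries it was seen on."""
    seen = defaultdict(set)
    for secondary, primary_ip, _filename in results:
        seen[secondary].add(primary_ip)
    return seen


def grade(primary_count):
    """Apply the manual's rule: 1 primary normal, 2 suspicious, 3+ blocklist."""
    if primary_count >= 3:
        return BLOCKLIST
    if primary_count == 2:
        return SUSPICIOUS
    return GENUINE


def classify(results):
    """Return {secondary id: grade} for every secondary in the result stream."""
    return {sec: grade(len(prims))
            for sec, prims in primaries_per_secondary(results).items()}


def flooded_titles(results, verdicts):
    """File names advertised by blocklisted secondaries, to search for later."""
    titles = set()
    for secondary, _primary, filename in results:
        if verdicts.get(secondary) == BLOCKLIST:
            titles.add(filename)
    return sorted(titles)


if __name__ == "__main__":
    verdicts = classify(SAMPLE_RESULTS)
    for sec, verdict in sorted(verdicts.items()):
        print(sec, verdict)
    print("titles to search for:", flooded_titles(SAMPLE_RESULTS, verdicts))
```

Running the block as a script prints node-A as genuine, node-B as suspicious and node-C as a blocklist candidate, with "movie.avi" as the title to search for next. The same tally can be cross-checked against a Nushi capture by counting, per originating node, the distinct primaries its results pass through.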

2) Network Data Mining

Detecting data mining of the network poses a different set of problems from case one, and more powerful tools have been created to deal with what is generally considered an undetectable activity; used effectively, these tools once again let us use the network's architecture to aid in detecting such threats.

There are 3 tools that cover this area of threat. Let's start with the "primary spy" tool, which provides a general indication of network health by monitoring the speed of the viewed traffic as well as showing both the unprotected primary's IP and the terms searched for by its secondary connections.
This tool allows us to gather a list of potential "flooded" titles to search for to locate flooders in case one, and also to gauge the effectiveness of the blocklist by any reduction in the systemic search traffic it displays. Let's look at a picture of this simple tool in action.


It's important to note that the IP addresses shown are not those of the actual searching client but those of the primary client it's connected to. This mistake in interpretation has in the past led to folks demanding certain primaries be blocked when in reality they are acting as unwitting agents for the attackers, who join as secondaries and whose IP is not shown by this tool.

The second tool is once again a modified connection patch. Its purpose in this form is to create a log of secondary search and connection traffic; we refer to this version of the patch as a "honeypot" as it can sit on many folks' machines doing its work, and they can deliver the logs of activity to the protection team organisation for checking at daily or bi-daily intervals. To ensure such data retains its privacy, two versions of this tool exist: one for protection team members and one for handing out to general users. The general users' issue encrypts the log so user privacy is maintained; protection team members of course have a special tool to decrypt such logs.

Here is an actual log, and we can see how this is useful in detecting new "slot blocking" activity, new flooders and previously unknown data miners from their search patterns.
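Once a honeypot log has been decrypted, the two patterns named above can be pulled out mechanically: a secondary that walks through many distinct search terms in a short time is a data-mining candidate, and a secondary that keeps taking slot logins but never searches is holding slots rather than using them. The following is an added example written for this manual, not the honeypot patch or the team's decrypt tool; the log line format, the thresholds and the sample lines are all constructed assumptions, since this page does not describe the real log layout.

```python
"""Added example: scan a (decrypted) honeypot log for systematic searching
and idle slot holding.  Line format, thresholds and sample data are
assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "<date> <time> CONNECT <ip>" or "<date> <time> SEARCH <ip> \"<term>\""
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<event>CONNECT|SEARCH) (?P<ip>\d+\.\d+\.\d+\.\d+)(?: "(?P<term>[^"]*)")?$'
)

# Assumed thresholds; tune against real logs
MINING_WINDOW = timedelta(seconds=60)  # look-back window for distinct terms
MINING_DISTINCT_TERMS = 5              # distinct terms in the window to flag
IDLE_CONNECTS = 3                      # slot logins with no search at all to flag

# Constructed sample log (not a real capture)
SAMPLE_LOG = """\
2010-06-08 12:00:00 CONNECT 198.51.100.5
2010-06-08 12:00:01 SEARCH 198.51.100.5 "aa"
2010-06-08 12:00:02 SEARCH 198.51.100.5 "ab"
2010-06-08 12:00:03 SEARCH 198.51.100.5 "ac"
2010-06-08 12:00:04 SEARCH 198.51.100.5 "ad"
2010-06-08 12:00:05 SEARCH 198.51.100.5 "ae"
2010-06-08 12:00:10 CONNECT 203.0.113.7
2010-06-08 12:00:11 SEARCH 203.0.113.7 "beatles"
2010-06-08 12:00:20 CONNECT 203.0.113.40
2010-06-08 12:00:21 CONNECT 203.0.113.40
2010-06-08 12:00:22 CONNECT 203.0.113.40
"""


def parse_log(text):
    """Return [(timestamp, event, ip, term-or-None)] for every line we understand."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line, skip rather than fail the whole log
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        records.append((ts, m["event"], m["ip"], m["term"]))
    return records


def find_miners(records):
    """IPs issuing at least MINING_DISTINCT_TERMS distinct terms inside MINING_WINDOW."""
    searches = defaultdict(list)
    for ts, event, ip, term in records:
        if event == "SEARCH":
            searches[ip].append((ts, term))
    miners = set()
    for ip, items in searches.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # slide the window start forward until it fits inside MINING_WINDOW
            while items[end][0] - items[start][0] > MINING_WINDOW:
                start += 1
            if len({t for _, t in items[start:end + 1]}) >= MINING_DISTINCT_TERMS:
                miners.add(ip)
                break
    return sorted(miners)


def find_slot_blockers(records):
    """IPs with at least IDLE_CONNECTS slot logins and no search traffic at all."""
    connects = defaultdict(int)
    searched = set()
    for _ts, event, ip, _term in records:
        if event == "CONNECT":
            connects[ip] += 1
        else:
            searched.add(ip)
    return sorted(ip for ip, n in connects.items()
                  if n >= IDLE_CONNECTS and ip not in searched)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible data miners:", find_miners(recs))
    print("possible slot blockers:", find_slot_blockers(recs))
```

On the sample, 198.51.100.5 is flagged for five distinct terms in five seconds and 203.0.113.40 for three slot logins with no searches; 203.0.113.7, one login and one search, is left alone. New flooders are better found with the query-result tally from case one, since the honeypot log shows searches rather than results.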


The third and most powerful analysis tool is based on a modified WPN client feeding a database. It allows for a much more detailed analysis of network data mining and traffic specifics and, due to its large size, is not deployed amongst the general protection team but held by two members only. Here is a picture of its capabilities; because it can take a lot of resources to operate it's not used a great deal.

As you can see the normally secret actions of each attacker are now on full display and we can be confident that there is no confusion as to which primary they are routing their attacks through.

3) Network Buffer Overflow Attacks

This sort of attack used to be common about 5 years ago but has mostly been relegated to obscurity by the newer WinMX client types such as 3.53 and especially 3.54b4, which is the best version of the client to run if such attacks are to be resisted. It's always good policy to recommend this version over all others for this reason.

The attack itself consists of sending malformed or extended packets that are longer than they are supposed to be. Most modern coding methods ensure such exploits cannot be carried out, but older clients like 3.31 and 3.52 are potential victims of this attack style.

4) Denial Of Service Attacks

Denial of service attacks are illegal attacks that try to swamp and overload a WPN client with a stream of fast and port-agile traffic to render it inoperable; usually the targets are primaries, to gain slots by forcing off other existing connections. The TCP viewer should be employed to gather data on such attacks, and a logging TCP viewer of some description is a worthwhile tool to have in the toolbox.
A common side attack we often see is to simply block the free socket "slots" of primary users by requesting a secondary slot login and then denying its use to genuine users. This activity can be detected by employing a TCP viewer (found here) and observing that more than one connection seems to come from an adjacent IP address or range, e.g. x.x.x.23, x.x.x.99; these IP addresses should also be added to the blocklist.

Flooders will be detectable by the simple TCP method above in most cases if you're operating as a primary, for a fast check, as they take up the free slots to upload their fake file index to the primary clients and, as above, often appear on the same IP ranges.

©2005-2020 All rights reserved. Page last updated Tue Jun 08 2010