WPN - Rogue Node Detection Techniques



Introduction

This page has been created to explain the basic underlying theory used to locate both Secondary and Primary nodes that damage or otherwise disrupt the WPN Network.

A range of tools have been designed and used to gather monitoring data within the WPN network itself, both Primary and Secondary. This is not a discussion of how each specific piece of data was obtained, but a wider discussion of what the data means in its context, as that is what allows us to use such data validly as the basis for blocking decisions.

If we view the data that is gathered and also look at the network control rules the WPN client employs, we can extrapolate, from observing normal and "rogue" node traffic, some significant differences. Those differences are the key to exposing the malicious activity and its origin.

Let's break this down into a simple set of sub-topics, as that allows us to rule out some of the wider mechanisms that are not relevant to our needs.


Primary Network



The primary network poses a serious detection problem: many security mechanisms previously unknown to the general public are now in the public domain, and this has allowed the introduction of fake primaries and the injection of malicious or criminally targeted traffic.

Detecting such nodes requires some knowledge of how the network operates. I'll try to keep this as brief as possible, but these are the key points you will need to understand so you're able to judge the value of any data presented to you.

Hops Overview


Below is a small diagram that shows the travel of packets across the network. As they pass across each primary we call each pass a "hop"; this is important, as the lower the hop count, the nearer we are to the originator of the packet.


Each time a WPN client connects to another client, or even to one of the Peer Caches, it has to complete a "handshake" routine, which consists of swapping a specially created number back and forth to confirm that each client is at the IP address it claims to be. This is a strong security method, but it cannot stop a fake client created simply to pass this test and then add malicious traffic into the network.

One of the other security measures that used to hold such traffic back from propagating across the network was the ability to reverse a special key sent with each primary packet (this is not the normal network key but a hitherto secret one). A seed generator for this key existed, but no one had access to the method to reverse the key until some users you might know, called Piney, Hollow and Josh, pooled forces to reverse it. Once that was done the network could be poisoned, as there was no longer a method to validate the traffic. It stands to reason that one of those three delivered the means to attack the network to someone unscrupulous; however, it is unlikely we will ever know who did the dirty deed.

On the positive side, at the end of each set of primary-to-primary exchanges a quantity of nodes is exchanged (from responder to originator). This mechanism is called "node discovery", and we can check these nodes to see if they are genuine or bad. That alone would not get us far, but combined with the ability to count the hops a packet has travelled we can state without fear of being wrong that if a node's packet is received with a hop count of "0" and it is delivering bad node addresses, we have found one of the "Malicious Primaries".
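The hop-0 plus bad-node-discovery rule above, written out as detection logic. This is an added example and not a WinMXWorld tool: the record layout (responder IP, hop count, list of discovered "ip:port" strings), the sample exchanges and the test for a "bad" node address (unroutable, loopback, RFC 1918 or link-local IP, or an invalid port) are all assumptions for illustration.

```python
"""Flag primaries that deliver bad node-discovery addresses at hop 0.

Added example, not from the WinMXWorld page. Record format and the
is_bad_node() test are assumptions; the sample data is constructed.
"""
import ipaddress
from collections import defaultdict

# Address ranges a genuine peer could never be reached at (assumed test).
_UNROUTABLE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed node-discovery records: (responder_ip, hop_count, discovered nodes)
SAMPLE_EXCHANGES = [
    ("198.51.100.7", 0, ["203.0.113.5:6699", "203.0.113.9:6699"]),   # clean, hop 0
    ("198.51.100.7", 0, ["0.0.0.0:6699", "127.0.0.1:6699", "10.0.0.5:0"]),
    ("198.51.100.20", 2, ["0.0.0.0:6699", "203.0.113.12:6699"]),     # bad, but relayed
    ("198.51.100.30", 0, ["203.0.113.40:6699"]),                     # clean, hop 0
]


def is_bad_node(addr: str) -> bool:
    """Return True when an 'ip:port' string cannot be a genuine reachable peer."""
    try:
        host, port_s = addr.rsplit(":", 1)
        ip = ipaddress.ip_address(host)
        port = int(port_s)
    except ValueError:          # malformed address or port: treat as bad
        return True
    return (ip.is_unspecified or ip.is_loopback or ip.is_multicast
            or ip.is_link_local or any(ip in n for n in _UNROUTABLE)
            or not 1 <= port <= 65535)


def malicious_primaries(exchanges):
    """Map responder IP -> bad addresses it delivered, for hop-0 responders only.

    A hop count above 0 means a relay forwarded the packet, so the bad
    addresses cannot be pinned on the responder; those records are skipped.
    """
    bad_by_node = defaultdict(list)
    for responder, hops, nodes in exchanges:
        if hops != 0:
            continue
        bad = [n for n in nodes if is_bad_node(n)]
        if bad:
            bad_by_node[responder].extend(bad)
    return dict(bad_by_node)


if __name__ == "__main__":
    for node, bad in malicious_primaries(SAMPLE_EXCHANGES).items():
        print(f"suspect primary {node}: hop 0, bad discovery addresses {bad}")
```

Only 198.51.100.7 is reported: 198.51.100.20 also handed out a bad address, but at hop 2, so the record alone does not prove who originated it.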


Secondary Network

The Secondary half of the network presents little in the way of real obstacles to the detection of malicious activity. Tools exist to monitor both data mining and fake data presentation, and these are able to target such nodes directly.



To deal with data mining (multiple searches for material in ABC fashion is the normal pattern) a specially modified patch is used. The key limitation for data mining detection specifically is the deployment of such a secondary "sniffing" patch, as it is unwise to deliver such tools to network users for obvious legal and moral reasons. This limited the detection abilities to the small pool of flooder detection team folks until an encrypted version of the tool was produced that left the end user oblivious to what was being logged; this requires sensible, co-operative users and a management structure to oversee the traffic material.

Fake data presentation can be detected directly using a modified patch that replaces the status field in search results with the secondary and primary IP addresses. This is simple to undertake, and a single operator is able to scan the whole network to detect such traffic and screenshot the results to pass to the blocklist team.



Additional info:

Why the hops are important.




©2005-2020 WinMXWorld.com. All rights reserved. Page last updated Thu May 16 2013