Advisory: Phishing Site Warning “dcplusplus.org”

DON’T REGISTER OR DOWNLOAD FROM THE SITE MENTIONED IN THIS ARTICLE THE SOFTWARE COULD BE INFECTED ALSO IT LEADS TO SPAM MAIL.

dcplusplus.org is not affiliated with DC++ and we hereby want to warn our users to not be fooled by this site.

We here at DC++ project want to warn inexperience/new users about a phishing site that we have come across that wants users to register on their site to send spam mail to them. The site is affiliated with known spamming sites.

We advise all our users to not go to unknown sites and to download DC++ use Sourceforge (binary/source distribution) or Launchpad (source distribution) for downloading DC++ since these are our sites for distribution.

Here is the technical information on the phishing site for those that are interested in the information.

• Registrant Search: “S.H. INC” owns about 1,948 other domains
• Email Search: is associated with about 2,077 domains
• NS History: 3 changes on 3 unique name servers over 6 years.
• IP History: 182 changes on 22 unique name servers over 5 years.
• Whois History: 8 records have been archived since 2006-04-17.
• Reverse IP: 444,762 other sites hosted on this server.

Here is a list of related domains of the site, All of them seems to be plugged into spam  but we haven’t check them all.

• 2000Greeting.com
• 4040Club.com
• AllOffMp3.com
• AoOgle.com
• AresGalaxy.com
• AShanty.com
• AvrilLaVige.com
• AvrilLavign.com
• AvrilLaving.com
• BuyMyStock.com
• CeeKerala.org
• Cyclone2k.com
• DcPlusPlus.net
• EventId.org
• FileMiner.com
• GmailO.com
• GunItSoldier.com
• Kazzah.com
• Memegen.com
• MozilaFireFox.com
• Mp3-Records.com
• P2p-Freebie.com
• PrimeMinister.com
• RareJordans.com
• Ryhmezone.com
• Shareza.com
• SpywarBegone.com
• Switchborad.com
• WinLuck.com
• WwwSkype.com

DC++ pointing out the corrupted

One of the latest enhancements in DC++ is the hub referral on client-client connections, proposed by Jan Vidar Krey. The current bazaar trunk implements this mechanism and the next DC++ version that will be released soon will also have it. The purpose of this extension is to point out the corrupted hub that is sending the current client to a non DC client, with obvious malevolent purpose. This implies that the hub is either using exploitable software, or that it’s intentionally abusing the clients. Either way, the hubowners are solely responsible.

On connecting to the other party, DC++ will also send the hub URL that it used to connect to the hub sending out the CTM message. By packet inspection, an attacked party can figure out which is the corrupted hub (only a pointer is required, such that they have a point of reference ) . Another good part about this extension is that it works on both ADC and NMDC ( some workaround was found for NMDC: adding the url to the PK string since NMDC is not extensible nor flexible in this matter ) , with the least effort from the clients and it does not bother them in any way. A normal client should ignore the specific message ( I don’t find any particular usage for it ).

We strongly recommend all mods to inherit this extension and other clients out there to implement it so the CTM attacks impact on DC software will stop being so great.

DC++ CTM Proof

In a previous post I was wondering if the whole concept of centralization is obsolete or has major flaws. The problem that is bothering everybody in the last years is that clients can be used ( unwillingly ) as tools in distributed denial of service attacks. Jan Vidar Krey is proposing a hub refferal on c-c connections that can point to a source of CTM attacks via the messages that the client sends on first connection attempt. In this case an attacked entity can see the hub with problems/intentional flooding that is causing the attacks.

As a first step to prevent this kind of abuses in DC++, poy added a static IP protection for the major hublists that were attacked via the client. This kind of measure is just temporary since hublists can change IP anytime and it protects only them, not everybody else that can be attacked ( Also the fun part is that the hublist server is actually running a DC client and wants to download from other users, it can’t ! ) .  A second step was to dynamically resolve the hublist ip’s and block them for c-c connections.

The main idea that I considered is to practically check all the users on a specific hub to see if they actually are real. On CTM receive the client should not connect but send another CTM to see if that IP actually connects to them . This will make sure that the user is the actual owner of that specific IP address. Of course the biggest problem is if the user is passive, in which case it can’t send a CTM back. This could be against the protocol principles but it’s a solution to see if the other peer really exists. I don’t know if a RCM would do something good in this situation but it’s a start.

Another thing that should be done ( if not implemented already ) is that on c-c connections if the first attempt was unsuccessful then no further attempts should be done until the user at least reconnects or changes state ( passive/active ). Also the hubs should be trustworthy. In a previous post I suggested a way to make hubs trustful via a CA authority system, but most people were quite reticent about it. Perhaps this could be the only way to make hubs trustful. Warning messages will not help too much ( Strong DC implements such messages ) since most of the users either don’t read them or don’t care. We shouldn’t let users question this problem, but solve it for them. Continuous problems from the Direct Connect network might be a cause to mark DC software ( and DC++ ) as badware, which will definitely take down the network. It’s time to do something about it.

I’m hoping for more ideas how to make DC++ proof against CTM abuses and I’m waiting for opinions from you as well.

Are centralized networks doomed from the start ?

Recently I heard bad rumors around the DC network. Some malevolent person ( unknown ) has written several scripts for the most known DC hub software, that allow the hub owners to use their users in abusive forms of flooding, using the CTM feature of the protocol. These scripts have started to spread around and now “script kiddies” use it for flame wars and endless childish attacks.

Also, important sites that currently hold on the DC community like the major hublists OpenHublist or DCHublist and the ADC counterpart ADCHublist were attacked and were down for a long time. The major community for ADC , ADCPortal was also attacked ( ADCPortal also provide an alternative wiki to the one on the ADC Project ).

My first concern is that this problem can spread up to the centralized networks principle. In this case, the central node ( hub ) has the power to absolutely control the leaves that are connected, thus it can abusively send them in possible attacks at wish. This might be a serious problem for the centralized networks.

Secure policies have to be enabled in clients and hubs so that this kind of flaws do not affect the community. I don’t know yet if it’s possible in this current situation or the whole concept of centralization is flawed. I hope not, because the Direct Connect community has it’s advantages and there are a lot of people involved and which benefit from it every day.

My advice from the users: make sure you actually know what hubs you are using, and how your client can be abusively used for other purposes than the ones designed, and make sure you are using a proper firewall and perhaps package inspection to see if your computer is not part of a BotNet or similar flooding network.

And one last thing, Happy new year and all the best from the DC++ team.

The 0 downloads crisis

Recently, I heard some shocking news about the Direct Connect network. Probably having nothing better to do, people are inventing conspiracies over nothing but grain of salts.

What I’m talking about is the SourceForge migration process that is happening right as we speak. During this process, the statistics for projects hosted by SourceForge are not being showed anymore. (They are being collected, but because of the undergoing modifications, they are not being printed ). What does this mean ? New file releases ( the process is undergoing for a month or so ) appear as if they have 0 downloads. Don’t worry though, files are being downloaded just like before. And after the migration is done, the actual download number will be updated with the real one.

People have seen in this a conspiracy : “Software like StrongDC or DC++ has a trojan ! The developers have included spyware, exploits ! That’s why nobody downloads them anymore ! ” Such kind of imagination would be really funny if such kind of things wouldn’t affect the normal people.

I would say that even if all the people in the world would agree that nobody would download DC software, there would still be a large number that would do. So for a project that has 10000 downloads a day, it’s impossible to have 0 downloads for a whole month just like that, over the night !

Also, the AVG anti virus reported the last version of StrongDC infected with some kind of Trojan, but the latest version removed the threat warning. At least they have repaired the problem.

So, don’t worry about your favorite p2p program being malevolent, because it’s not the case. People are working really hard to make a good program for you, because this is free and nobody gets paid, they do this just for pleasure. Why would anyone want to be discredited by intentionally adding an exploit or virus to the one program that made them famous around the community ?

Eliminating Tiger dependencies in ADC

A previous post describes how ADC depends on the Tiger hash algorithm and suggests that such a rigid dependency should not exist. ADC refers to one specific hash algorithm that, despite current integrity, could lose such and would currently leave the broader protocol unacceptably broken. Other protocols, such as SSH and TLS, tend to parameterize over available cryptographic primitives, negotiating which to use during handshaking. By contrast, if Tiger is broken with ADC in its current state, it will likely be attacked, thus undermining the integrity of the DC network even more than Mediasentry has already attempted. To avoid this, one should change the hash primitive, for example to SHA2 or a future SHA3, depending on breakage timeline.

Most of the dependencies, which largely lie in encoded hash length and areas constrained by namespaces, trivially coexist: for a few versions, ADC clients would support both, maintaining the old one for hash compatibility and the new one going forward, for future clients which would support only the new hash. Password verification and hashing PID to CID, by contrast, pose the most substantial barriers to such modification due to their occurring before any negotiation between hub and client save SUP can occur. Thus, adapting ADC to non-Tiger hashes would most felicitously involve adding explicit SUP strings for hash primitives.

Until the latest ADC specification change, BASE implied support for both the handshaking and message transfer as well as the Tiger hash primitive. It now solves the problem described by splitting out the latter as TIGR support. Thus, if Tiger must be depreciated, just as the dual namespaces would allow filelist addressing and other command parameters to support a transition period between hashes, so would support for TIGR and, for example, SHA2 smoothly support such a change.

Don’t forget that you can make topic suggestions for blog posts in our “Blog Topic Suggestion Box!”

Tiger dependencies in ADC

ADC 0.13 would have issues were Tiger, the hash primitive it uses, to be intentionally collided. Such an event, in general, regularly occurs, as attested to by the Hash Function Lounge listing effective attacks on many commonly-used cryptographic hashing functions. A reduced-round form of Tiger has been successfully attacked, so its future security is a plausible concern. With that in mind, this blog post simply lists areas the current ADC specification which contain a dependency on Tiger and associated constants.

• Safe; in namespaces amenable to new creation, dual support, & gradual obsolescence
  • 3.1. File names and structure”TTH/<root-base32>”, for example, </nowiki>locates a file in the share by TTH root rather than filename.3.3. File list”TTH” is the base32-encoded TTH root of the file.
  • 4.3.4. INFID base32 The CID of the client. Mandatory for C-C connections.
    PD base32 The PID of the client. Hubs must check that the Tiger(PID) == CID and then discard the field before broadcasting it to other clients. Must not be sent in C-C connections.
  • 4.3.6. SCHTR Tiger tree hash root, encoded with base32.
  • 4.3.7. RESClients must provide filename, TTH root, size and token
    TR Tiger tree hash root, encoded with base32.
    TD Tiger tree depth, index of the highest level of tree data available, root-only = 0, first level (2 leaves) = 1, second level = 2, etc…
  • 4.3.13. GETGET type identifier start_pos bytes
    BASE requires that clients recognize the types “file”, “tthl” and “list”

    “file” transfers transfer the file data in binary, starting at <start_pos> and sending <bytes> bytes.

    Identifier must be a TTH root value from the “TTH/” root. (twice)

• Nonideal (not trivially updateable, but not per se security-related.
  These generally are just aesthetic issues, where certain algorithms and constant values have been chosen for consistency with the hashes in use. Change the hash and they become ugly.
  • 2.1. GeneralSIDs, PIDs, CIDs and short binary data are sent as base32-encoded strings. Long binary data transfers should use the file transfer mechanism with named roots.
  • 2.4.1 Session IDThe hub may choose any SID for a connecting client apart from “0″ (“AAAA” in base32). “0″ represents the hub itself. SIDs are 20 bits and encoded using a 4-byte base32 encoded string.
  • 2.4.2. Private IDPIDs are 192 bits and encoded using a 39 byte base32 encoded string.
• Other
  Entries here are less easily adaptable via extension or other namespace mechanisms and are important to ADC security. These are the primary issues.
  • 2.2. Message syntaxencoded_cid ::= base32_character{39}
  • 2.4.3. Client IDClient IDs globally and publicly identify a unique client and underlie client to client communication. They are generated by hashing the 192 bit, unencoded PID with the Tiger hash algorithm. Hubs should register clients by CID. CIDs are 192 bits and encoded using a 39 byte base32 encoded string.
  • 3.2. HashesADC clients must share only files hashed using Merkle Hash trees, as defined by http://www.open-content.net/specs/draft-jchapweske-thex-02.html. The Tiger algorithm, as specified by http://www.cs.technion.ac.il/~biham/Reports/Tiger/ functions as the hash algorithm. A base segment size of 1024 bytes must be used when generating the tree, but clients may then discard parts of the tree as long as at least 7 levels are kept or a block granularity of 64 KiB is achieved. … The root must be encoded using base32 encoding when converted to text.
  • 4.3.10. GPAGet Password. The data parameter is at least 24 random bytes (base32 encoded), used to avoid replay attacks on the password.
  • 4.3.11. PASPassword. The password (utf-8 encoded bytes), followed by the random data (binary), passed through the Tiger hash algorithm (not TTH) then converted to base32. When validated, this transitions the server into NORMAL state.

  Before being finalized, especially the last category should be explicitly handled.

  Don’t forget that you can make topic suggestions for blog posts in our “Blog Topic Suggestion Box!”

Defeating traffic shaping with encryption

Many ISPs now throttle P2P connections. The precise mechanisms vary, but rather than concentrate on an individual step in this iterative measure/countermeasure process, this post will attempt to skip several intermediate steps and assume ISPs interfere more than, in general, they currently do. Thus, the threat models of interest will be those ISPs which already implement deep packet inspection to examine not just the structure but the protocol-specific content of users’ traffic. The implementation of L7-filter demonstrates such products’ minimal capabilities; some traffic shapers can do much more.

Therefore, to evade even the level of traffic shaping l7-filter can provide, a P2P protocol must at least avoid regex-detectable patterns. Both NMDC and ADC, as widely implemented, currently fail this metric rather dramatically, leaving them trivially throttled. Importantly, even the initial connection setup must avoid leaking any fixed patterns unique to P2P whilst still allowing the two DC clients to communicate with each other. Satisfying this constraint requires that any extant plaintext be generic enough not to allow traffic shapers to pin it with much probability on DC. Sufficient opportunity exists within an operational DC network to render this much practical.

More sophisticated traffic detection can perform traffic analysis on the timing, number, frequency, and bandwidth usage pattern of connections which remains impervious even to countermeasures sufficient to defeat traffic shaping on the order of l7-filter. Numerous countermeasures, in turn, exist to respond to such analysis, though many of them are of limited utility in a P2P network that aims for bandwidth-efficiency. To the extent a primary goal of DC is to transfer data over a network from one computer to another, indeed, any countermeasure which renders that end more difficult becomes profitable only when the network environment becomes so hostile that protocols with less overhead can’t operate. Since that’s not yet largely the case, prematurely modifying DC to defeat traffic analysis risks instead backfiring and rendering it merely maladaptive.

Alternatively, an ISP might not even bother with such measures but instead effectively whitelist rather than blacklist traffic. Such a provider wouldn’t need to take any elaborate measures to preclude P2P traffic; instead, they would explicitly allow a limited number of approved and identifiable protocols and simply not include, say, DC in that set. Rogers of Canada, for example, has constructed such a system by throttling all encrypted transfers. Surviving under such a system would be difficult at best, but perhaps possible; it would essentially require network-borne steganography to simultaneously encrypt yet hide the very presence of encrypted data. Steganographic systems tend require enough overhead to fall prey to the probable maladaptivity already discussed and as such don’t fit well in the current merely moderately hostile network environment. Further, since as Michael Geist observes, such systems run false positive risks high such that they seem unlikely to long survive on any open or neutral network, they seem to serve more as reductios than sustainable systems.

The threat model this post addresses, then, is that of a network which performs deep packet inspection but allows unrecognized traffic through basically unmolested. This post concentrates on protocol obfuscation and encryption as counters to threats present under this model.

The DC++ mod BCDC++ briefly implemented minimal obfuscation in the form of an option to send ‘garbage commands’. However, its flexibility whilst retaining compatibility unmodified remote NMDC clients was limited. Simply prepending some structurally plausible yet syntactically incorrect NMDC commands to a client-client connection and leaving the rest of the connection unmodified, it could potentially fool simple-minded filtering machines, but even l7-filter could trivially detect it. This outcome was inevitable; NMDC structurally as commonly implemented is incapable of avoiding traffic shaping, though a nominally NMDC-based client willing to break compatibility can solve it. Not only does this protocol not support protocol encryption, but its server-party-speaks-first system strongly hinders attempts to negotiate such a system afterwards. NMDC, then, provides a poor base for avoiding traffic shaping.

ADC, by contrast, not only contains a nascent, standardized secure extension exist in the form of ADCS (section 6.5 of the draft specification) but the connecting client speaks first in a connection. Effort to render DC resistant to traffic shaping is thus better directed towards ADC-based clients than NMDC-based clients. Again, the options of obfuscation and more substantial encryption emerge. Whilst these categories blend into each other, mere obfuscation has the weaknesses of providing barely more protection against traffic shaping than plaintext. In effect, it encourages man-in-the-middle attacks by network operators since, lacking a notion of actual privacy against outside interference, an eavesdropper need merely keep enough state to decode an ongoing DC connection. Although this does appear beyond the ken of l7-filter, stateful inspection, which can perform such attacks, is technically feasible and likely in use.

Given this potential, defeating traffic shaping should not rely just on obfuscation but rather on full-fledged encryption. Man-in-the-middle attacks can affect encryption connections as well, but so long as both sides can communicate out of channel, they can be avoided. For example, the necessary setup for a client-client connection’s encryption to avoid MITM interception could be performed in the client-hub connection from which it spawned.

Having shown at least the otherwise most viable alternatives to implementing true encryption in ADC would fail, at least two more disclaimers remain necessary: first, that because this cryptosystem can be defeated by simply logging on to a hub as an ordinary user, one should be clear that it protects not against RIAA/MPAA-style attacks of searches for files and then reporting the users who return search results, but merely meddlesome network operators; that would be some computational overhead, but for all but 100Mbit+ users or those with ancient computers, it remains relatively unobtrusive CPU-wise; and that one should not under any circumstances use homegrown cryptosystems, because they’re almost certainly insecure, lacking extensive peer review. Using openly documented, widely employed, and extensively analyzed protocol such as TLS or SSH2 not only ensures the similar plaintext as non-P2P protocols towards which ISPs might not be so hostile but also avoids most of the aforementioned pitfalls of cryptosystem implementations, and therefore should be strongly preferred. To further avoid side channel attacks, one should prefer not just such a protocol but a well-developed implementation of that protocol.

Though neither NMDC-based clients nor those merely relying on obfuscation would likely work for long, then, an ADC-based client employing encryption should allow a DC user to evade many mechanisms of traffic shaping.

Don’t forget that you can make topic suggestions for blog posts in our “Blog Topic Suggestion Box!”

TLS disabled, failed to generate certificate

“TLS disabled, failed to generate certificate:” followed by “Failed to load certificate file” is probably something you’ve seen. Most people, almost frantically, think that DC++ is somehow broken. Well, it’s not.

The short answer to all this is; Ignore the message. If you don’t know what it means, just ignore it.

The medium length answer to all this is; Ignore the message. The message concern TLS, which is encryption on DC. I’ve in the past written about it (though, I’m not sure how outdated that post is). The TLS will only work on ADC hubs, which there are few of. And you’re most likely not on one of them. (Unfortunately, I might add.) So, you aren’t likely to need this anyway. Just ignore it.

The long answer to all this is; Ignore the message, unless you know what you’re doing. The first message come when DC++ tries to see if you have any certificates file entered in the settings for DC++. If you don’t have entered anything in the “Security Certificates” window, in the box “Private key file” or the “Own certificate file” box. (Or if they aren’t in their default DC++ folder, which they’re likely not when you’ve just installed DC++.) The second message come when you haven’t entered anything in the “Own certificate box”, or when there occur an error when using what’s inputted. (There’s a couple of things that could go wrong – I’m not confident to talk about any of them.) (The different messages are there because they mean different things.)

Don’t forget that you can make topic suggestions for blog posts in our “Blog Topic Suggestion Box!”

Edit: I feel that I need to edit this post. The message have no effect on your ability to download or search. Consult the FAQ for such inqueries.

Hub Bandwidth management

Balancing hub bandwidth between users requires triage of messages such that no individual user can monopolize hub bandwidth. Repeatedly I have observed a temptation to implement such an idea by limiting different messages differently. Whilst such an idea fails somewhat for NMDC, ADC is an open-ended protocol which separates message types from message contents, leading to more significant design failure.

This post addresses hubs for which the limiting resource is upload bandwidth. Those hubs limited by CPU or RAM have separate issues and those limited by their own download bandwidth are effectively under DoS attack. Within this constraint, the cost to a hub of a user’s message is the uploaded data triggered for the hub by that message. Therefore, broadcast-type messages should generally dominate hub bandwidth; empirical data bears this out. To a first approximation, then, one can ignore non-broadcast messages, as well as INF, which must be specially handled by a hub regardless.

Both merely large numbers of users and a smaller required quota of actively hostile users can strain a hub’s upload bandwidth. Because the former is subsumed by the latter and a hub should be able to withstand the latter whilst retaining service, the rest of this post will focus on an attack model of actively malicious users only. If a hub can maintain usability for non-malicious users proportional to the the bandwidth available per user given that a certain portion of users do maintain that hostile stance, then the hub will also be able to handle merely large numbers of non-malicious users whilst rationing resources such that each user will have access to a fair amount of bandwidth.

One tactic for selecting messages to forward towards such an end depends on treating different broadcast messages differently. However, any scheme which does this ends up merely requiring an attacker to maximize his damage via usage of multiple messages, preferentially those messages relatively least accounted for. For example, if MSGs is preferred over RES over active SCH over passive SCH, an attacker must merely concentrate his attacks as much through MSG as other constraints allow, then via RES, then, finally through the SCH variants in order. The net result isn’t necessarily less hub bandwidth usage, just bandwidth usage with different content.

Some messages do occur in different temporal distributions and a competent hub bandwidth management system should be able to handle those. Such a case plausibly (I don’t have data on this) occurs with TTH searches versus filename searches, wherein the former might tend to be more uniformly distributed than the latter due to the formers’ occurring through auto-search. In such circumstances, a hub can instead calculate which messages to drop based on a historical moving average bandwidth over time measure.

Only when such a distribution fails to smooth out to less than a hub’s total available upload bandwidth must a hub pull back from merely delaying or queuing some messages, amortizing over an overall low average bandwidth, to outright dropping messages. Importantly, precisely these same considerations and arguments apply to any message, SCH or otherwise, due to the assumption of a hostile user seeking the most efficient exploit mechanism.

SCH might still appear special due to its often automatically triggering RES messages. Rather than specially count RESes, instead one may simply account for them to the user which actually sends them, rather attempting to do so via the user which sent the search to which they’ll often respond. Again, SCH and RES are less unique than they might appear: not only could another such pair of messages appear in a non-DC++ client, but RESes don’t actually have to come in response to any SCH, even given the search token in ADC. Not only cannot a hub keep track of all searches in progress, including some that clients might take a while to respond to and thus be in the somewhat distant past, unless it maintains a greater history than might be desirable, but even were it to attempt to do so, it might miss searches it’s not involved in forwarding from one user to another. In principle, it cannot reliably associate searches with search responses, and therefore should credit search responses to those users sending them. Otherwise, once more assuming a hostile adversary, users could just switch to spamming with RESes.

This system, which has been proposed to be at least three separate times by three separate hub developers, contains conceptual flaws that merely promote its being gamed. Certainly a hub developer or hub owner can respond in an arms-race fashion and adjust the relevant heuristics, but this is a suboptimal, unstable outcome.

Instead, a hub which merely accounts for how much bandwidth any given user’s message, regardless of content but dependent on type (broadcast or non-broadcast, as well, in ADC, as which features it specifies), will consume on broadcast and accounts to that user that amount of bandwidth. Each user then has a specified amount of bandwidth available to him, dependent on the number of users on the hub at that time. Whether or not a message is forwarded, queued, or blocked will then depend purely on non-gameable factors – if the dominant cost is upload bandwidth (see initial assumption), and the hub actually does decide whether to forward a message based on upload bandwidth, the heuristic matches the actual cost so cannot be gamed, regardless of hostility of users.

Therefore, instead of the flawed message-dependent bandwidth shaping, hubs should aim for a message-agnostic bandwidth management system. Note that this allows as well for unknown messages in ADC, for which my previous, linked blog post argues. The result is a more effective, more robust file-sharing system.

Don’t forget that you can make topic suggestions for blog posts in our “Blog Topic Suggestion Box!”