
12/12/2002

Network::Security::More on Peer to Peer File Sharing Clients


(There is lots of great info at http://www.oofle.com )
From: http://www.oofle.com/iptables/filesharing.html
KaZaA Media Desktop and Grokster
Built on the FastTrack filesharing technology, KaZaA has been one of the most popular applications in the world, especially after many Morpheus users came to KaZaA after the Morpheus changeover to Gnutella. I first saw KaZaA a little over 2 years ago, and thought that it was a "decent" implementation as far as how well it worked, but I saw that there weren't very many users on it at the time. Then, a little application called Morpheus came along that was better than the KaZaA client and made the FastTrack network very popular, and made more files available to KaZaA users.
Connection Behavior:
KaZaA and Grokster have pretty much the same connection behavior. First off, as in the case of most file sharing clients, they connect to a centralized server. This gives you the search functionality in the client, and once you have searched for a client to download your file from, it creates a connection to TCP port 1214 of the remote host (or sometimes listens on your port 1214 and takes an incoming connection), and starts sending/receiving the file. Blocking access to the KaZaA and Grokster networks and to port 1214 will dump all access to them. I'm working on a way to try to do this without a port block, but it's not looking too good so far. Another potential is to allow connections from ports 80 and 53 to 1214, but not allow any other connections to 1214. This would at least remove the chance of a web connection or DNS connection landing on 1214 and being dumped.
AudioGalaxy
AudioGalaxy is an interesting sort of file sharing program. First off, the application with which you download files from the AudioGalaxy network does not contain a search function. It is, I believe, the only major application that is built this way currently. Instead of searching within the app and bloating things, AudioGalaxy chooses to have users log in to their webpage, do their searches on the web, and download files from there. AudioGalaxy is pretty much all around a little different compared to its competitors, and that's why it, for a while and still in some places, has been a huge problem. AudioGalaxy still generates a lot of the filesharing traffic on the internet, and is the lone major competitor to Morpheus and KaZaA.
Connection Behavior:
AudioGalaxy is a somewhat different file sharing application when it comes to connections. There is one main similarity between this app and the rest of the apps, but even in this similarity there is a difference. The similarity is that the AudioGalaxy client, called a Satellite, connects to central servers on AudioGalaxy's networks, 64.245.58.0/24 and 64.245.59.0/24, or collectively 64.245.58.0/23, but the way it connects is a little interesting. AudioGalaxy has its servers listen on port 21, commonly associated with FTP. I assume the reasoning behind this is to 1.) hide the connections to the servers, and 2.) make it so that a user cannot block server connections without dumping vital services. Well, this is somewhat the case, but there is another interesting thing about AudioGalaxy, that is, the ports that it chooses to transfer files over. Instead of having one static port for connections, or a few commonly used ports (i.e. 6699 and 6698, etc. on Napster), this app has one wide range of available ports. But there is a little hope in this, as the range, although large, sits quite high. The range AudioGalaxy uses is ports 41000 through 41999, or one thousand ports. The serving client will choose a port in this range, contact the server, and the server will tell the downloading client where to find the waiting machine and port to start the download. So, if we want to block AudioGalaxy, it is actually very simple. If we stop the users from reaching the AudioGalaxy network, not only do we stop the connections to the servers, but we stop search functionality and every other portion of the AudioGalaxy operation.
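The two blocks described above (KaZaA/Grokster on TCP 1214 with the port 80/53 exemption, and the AudioGalaxy server networks), written out as iptables rules. This is an added example, not code from the quoted article; it assumes a Linux gateway filtering forwarded traffic, and the chain name P2PBLOCK and the ESTABLISHED state match on the exemption are additions made here.

```shell
#!/bin/sh
# Added example, not from the quoted article. Rules are printed for review;
# they are only applied when the script is run with APPLY=1 (as root).

CHAIN="P2PBLOCK"           # hypothetical chain name (assumption)
KAZAA_PORT=1214            # KaZaA / Grokster transfer port, from the article
AG_NET="64.245.58.0/23"    # AudioGalaxy server networks, from the article
SAFE_SPORTS="80,53"        # source ports the article suggests exempting

p2p_rules() {
    echo "iptables -N $CHAIN"

    # AudioGalaxy: cutting off the server networks removes the port-21
    # control channel, so transfers on 41000-41999 are never brokered.
    echo "iptables -A $CHAIN -d $AG_NET -j DROP"
    echo "iptables -A $CHAIN -s $AG_NET -j DROP"

    # Exemption first (first match wins): a reply from a web or DNS server
    # to a local client whose ephemeral port happens to be 1214.
    # ESTABLISHED is an addition to the article's idea, so a peer cannot
    # open a new connection just by binding source port 80 or 53.
    echo "iptables -A $CHAIN -p tcp -m tcp --dport $KAZAA_PORT -m multiport --sports $SAFE_SPORTS -m conntrack --ctstate ESTABLISHED -j RETURN"

    # Everything else addressed to TCP 1214, in either direction, is dropped.
    echo "iptables -A $CHAIN -p tcp -m tcp --dport $KAZAA_PORT -j DROP"

    # Evaluate the chain before any other forwarding rule.
    echo "iptables -I FORWARD 1 -j $CHAIN"
}

if [ "${APPLY:-0}" = "1" ]; then
    p2p_rules | sh -e      # apply the rules, stopping at the first failure
else
    p2p_rules              # dry run: show what would be applied
fi
```

Swapping the RETURN and DROP lines silently disables the exemption, because the drop would match first.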
