Author Topic: Is a feature such as this possible to implement into the new patch?  (Read 7114 times)


Offline achilles

  • Core
  • *****
1.   The patch could contain a function which acts similar to an IDS / IPS used in common routers and software firewalls. A feature such as this could be used to detect known attack methods by matching preset signatures, and automatically adding the source IP to the block list. This IP would only be added for X amount of time so that the attacks from the source IP address would no longer have an effect on the network. This would all be executed on the fly from within the patch using the IDS / IPS engine without needing any user intervention.
2.   A second function from within the patch would remove the attack IP addresses or IP ranges from the block list after X amount of time so that the block list would never contain good IP addresses that fruitful users may inherit over time. This will prevent the blocking of good WinMX users from accessing the network, and only block attacks as they happen in real time.
Example Below
Let's say for example that X attack has been detected from source IP address 78.122.12.676. The known attack method would automatically be detected by matching a preset signature from within the patch, and the source IP address 78.122.12.676 would then be added to the block list for, let's say, 1 hour (X = 1 hour), or whatever other value of time is deemed necessary to eliminate the attack. A second function from within the patch would then remove that IP address from the block list after 1 hour. IP addresses that were once used by malicious users, and have now been inherited by fruitful users, would never accumulate in the block list. Only bad IP addresses in real time would be on the block list at any given time. The only exception to this would be IP addresses that have been obtained by other methods and manually added to the block list as deemed necessary. This should have no effect on this method, which could be employed for added security.

I would suggest looking at some open source code that is already out there that deals with IDS / IPS. Then modify the code to suit the needs of the patch. I would think that the attackers couldn't have more than just a handful of attack methods that can be employed against the network. If the methods they are using can be identified, and a signature can be produced to add to an IDS / IPS engine from within the patch, then the attackers are going to hit a brick wall with nowhere else to go. Snort may be a good place to start looking for ideas. I'm aware that such a feature comes at the cost of not being as light on CPU resources and memory, but I believe the payoff would be huge. http://www.snort.org/

Is this possible? Can a feature like this or similar be coded into the patch if the right coder is found?  I think this has potential to stop the cartel, and anyone else dead in their tracks.
I'm a Hardware, and Cyber Security Guy.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Is a feature such as this possible to implement into the new patch?
« Reply #1 on: September 05, 2011, 01:06:50 pm »
um... well... when it comes to computers technically anything is possible but what you are asking for seems a bit overkill.... at least in the way you are asking it....

the patch wouldn't have to detect a specific attack per se for such a concept to work but rather see the incoming data as 'bad' or 'invalid' and drop such data..... after a certain amount then any data from that ip is considered 'invalid' .... uTorrent does this when it consistently gets invalid data from an ip... first it blocks the ip then it will start blocking ranges in steps depending on what's coming in and from where....


detecting specific attacks is best done by standalone hardware devices like the barracuda.... or snort running on its own custom install and hardware due to the very reasons you cite of high cpu and memory requirements....

also don't forget... the 'patch' is a dll injection... that means its code is running as part of winmx.exe .... all things considered putting too heavy of a load on it may not be a good idea.... http://en.wikipedia.org/wiki/DLL_injection
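The two mechanisms kicked around above, a signature match that blocks a source for a fixed window (the first post) and a per-source count of invalid data that blocks after a threshold and then escalates to the surrounding range (Reply #1's uTorrent description), can be sketched as one small expiring block list. This is an added example written for this thread, not code from the WinMX patch or from any poster; the signature pattern, thresholds, clock and packets are all constructed for illustration, and the `observe`, `block` and `is_blocked` names are the example's own.

```python
"""Time-limited IP block list with two automatic triggers (added example).

Trigger 1: a payload matching a preset signature blocks the source host
           for BLOCK_SECONDS (the "X = 1 hour" window from the first post).
Trigger 2: INVALID_THRESHOLD malformed packets from one host block that
           host; once RANGE_THRESHOLD hosts in the same /24 are blocked,
           the whole /24 is blocked (the stepwise escalation from Reply #1).
Manual entries never expire, matching the exception in the first post.
Everything here is constructed for illustration; it is not WinMX code.
"""
import ipaddress
import time

BLOCK_SECONDS = 3600       # "X = 1 hour"
INVALID_THRESHOLD = 5      # malformed packets before a single host is blocked
RANGE_THRESHOLD = 3        # blocked hosts inside one /24 before the /24 is blocked

# Constructed placeholder signature; a real detector would carry many patterns.
SIGNATURES = {
    "flood-marker": b"FLOOD-PATTERN",
}


class ExpiringBlockList:
    """Block list whose automatic entries expire; manual entries never do."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable so expiry can be tested offline
        self.auto = {}                # ip_network -> expiry time on `clock`
        self.manual = set()           # ip_network entries added by hand
        self.invalid_counts = {}      # ip_address -> malformed packets seen

    def _purge(self):
        """Drop automatic entries whose window has elapsed (the 'second function')."""
        now = self.clock()
        for net in [n for n, exp in self.auto.items() if exp <= now]:
            del self.auto[net]

    def block(self, network, seconds=BLOCK_SECONDS):
        net = ipaddress.ip_network(str(network), strict=False)
        self.auto[net] = self.clock() + seconds

    def block_manually(self, network):
        self.manual.add(ipaddress.ip_network(str(network), strict=False))

    def is_blocked(self, host):
        self._purge()
        addr = ipaddress.ip_address(host)
        return any(addr in n for n in self.manual) or any(addr in n for n in self.auto)

    def active_entries(self):
        """Current automatic entries as strings, expired ones already removed."""
        self._purge()
        return sorted(str(n) for n in self.auto)

    def observe(self, src, payload, valid):
        """Feed one packet; return the reason the source was blocked now, else None.

        `valid` is whatever the protocol parser decided about the packet; this
        list only counts the verdict, it does not parse WinMX traffic itself.
        """
        addr = ipaddress.ip_address(src)
        # Trigger 1: a known signature blocks the host immediately.
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                self.block(addr)
                return f"signature:{name}"
        # Trigger 2: repeated malformed data crosses a threshold, then escalates.
        if not valid:
            count = self.invalid_counts.get(addr, 0) + 1
            self.invalid_counts[addr] = count
            if count >= INVALID_THRESHOLD:
                del self.invalid_counts[addr]
                self.block(addr)
                self._escalate_to_range(addr)
                return "invalid-threshold"
        return None

    def _escalate_to_range(self, addr):
        """Block the enclosing /24 once enough single hosts in it are blocked."""
        self._purge()
        net24 = ipaddress.ip_network(f"{addr}/24", strict=False)
        single_hosts = [n for n in self.auto if n.prefixlen == 32 and n.subnet_of(net24)]
        if len(single_hosts) >= RANGE_THRESHOLD:
            self.block(net24)


if __name__ == "__main__":
    # Constructed traffic from documentation (TEST-NET) addresses.
    bl = ExpiringBlockList()
    print(bl.observe("203.0.113.10", b"hello FLOOD-PATTERN", True))   # signature hit
    for _ in range(INVALID_THRESHOLD):
        bl.observe("198.51.100.7", b"junk", False)                    # threshold hit
    print(bl.active_entries(), bl.is_blocked("198.51.100.7"))
```

The one property this code trusts without question is the source address of each packet, which is exactly the weakness GhostShip and RebelMX raise later in the thread: if sources can be forged, an attacker chooses what lands on the list. Keeping automatic entries short-lived and separate from manual ones limits how long a forged entry does damage, but it does not remove that dependency.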


Offline Bluey_412

  • Forum Member
  • I'm Watching...
Re: Is a feature such as this possible to implement into the new patch?
« Reply #2 on: September 05, 2011, 01:14:53 pm »
But how often is the blocklist referred to by patch or cache?
it would only need the IP detection be done by a single monitor or perhaps at the cache level...
What you think is important is rarely urgent
But what you think is Urgent is rarely important

Just remember that...

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Is a feature such as this possible to implement into the new patch?
« Reply #3 on: September 05, 2011, 01:50:09 pm »
Quote from: Bluey_412
But how often is the blocklist referred to by patch or cache?

IIRC 5mins (don't quote me on that tho)

Quote
it would only need the IP detection be done by a single monitor or perhaps at the cache level...

detection of bad ips exist but not, afaik, using the method(s) achilles mentions...

shoot a PM at the... uh... higher ups...

Offline Bluey_412

  • Forum Member
  • I'm Watching...
Re: Is a feature such as this possible to implement into the new patch?
« Reply #4 on: September 05, 2011, 01:58:04 pm »
I think that they can monitor our discussion, but it IS just a 'kicking an idea around' episode, but maybe worth investigating...
What you think is important is rarely urgent
But what you think is Urgent is rarely important

Just remember that...

Offline Bluey_412

  • Forum Member
  • I'm Watching...
Re: Is a feature such as this possible to implement into the new patch?
« Reply #5 on: September 05, 2011, 02:03:05 pm »
So maybe not the patch itself, Achilles, but the idea has merit, no matter how it might be implemented
What you think is important is rarely urgent
But what you think is Urgent is rarely important

Just remember that...

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Is a feature such as this possible to implement into the new patch?
« Reply #6 on: September 05, 2011, 02:19:25 pm »
The drawback of this method is in how it will become abused. When you have so-called developers abusing their knowledge to deliver spoofed packets that purport not to originate from their IP, the method above fails and instead becomes a means to block innocent users from the network.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Is a feature such as this possible to implement into the new patch?
« Reply #7 on: September 05, 2011, 02:28:12 pm »
Quote from: Bluey_412
I think that they can monitor our discussion, but it IS just a 'kicking an idea around' episode, but maybe worth investigating...

the higher ups can yes but so can anyone else coming across the forum so i was keeping mum on what i know and making a suggestion to pm for other questions/info....

Offline achilles

  • Core
  • *****
Re: Is a feature such as this possible to implement into the new patch?
« Reply #8 on: September 05, 2011, 02:31:58 pm »
Gs, are you referring to someone launching attacks from behind an exit node like Tor or another similar anonymous service? Then all users using that exit node pay for someone else's actions.
I'm a Hardware, and Cyber Security Guy.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Is a feature such as this possible to implement into the new patch?
« Reply #9 on: September 05, 2011, 02:32:55 pm »
Quote from: GhostShip
The drawback of this method is in how it will become abused. When you have so-called developers abusing their knowledge to deliver spoofed packets that purport not to originate from their IP, the method above fails and instead becomes a means to block innocent users from the network.

....didn't think of that angle.... damn...

Quote from: achilles
Gs, are you referring to someone launching attacks from behind an exit node like Tor or another similar anonymous service? Then all users using that exit node pay for someone else's actions.

not just the tor node but any spoofed address... yours, mine, anyones....

Offline achilles

  • Core
  • *****
Re: Is a feature such as this possible to implement into the new patch?
« Reply #10 on: September 05, 2011, 02:44:40 pm »
I actually had already considered that. Other anonymous users would be blocked in the beginning but the attackers would quickly run out of ip addresses to attack from. Their attacks would be a waste of time if this method worked so why would they continue to attack? So in the beginning some good users would be temporarily blocked, but over time those numbers should dwindle away.
I'm a Hardware, and Cyber Security Guy.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Is a feature such as this possible to implement into the new patch?
« Reply #11 on: September 05, 2011, 03:18:17 pm »
Quote from: achilles
I actually had already considered that. Other anonymous users would be blocked in the beginning but the attackers would quickly run out of ip addresses to attack from. Their attacks would be a waste of time if this method worked so why would they continue to attack? So in the beginning some good users would be temporarily blocked, but over time those numbers should dwindle away.

the addresses of the tor exit nodes rotate constantly.... there would be no way to block it...


to get a better picture of that.... 'the great firewall of china' -- the chinese government can't shut down tor.... there's no way it could be blocked from the wpn....

Offline achilles

  • Core
  • *****
Re: Is a feature such as this possible to implement into the new patch?
« Reply #12 on: September 05, 2011, 03:35:39 pm »
How many IP addresses are we talking about within any given hour? How many exit nodes are there?
I'm a Hardware, and Cyber Security Guy.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Is a feature such as this possible to implement into the new patch?
« Reply #13 on: September 05, 2011, 03:45:04 pm »
Quote from: achilles
How many IP addresses are we talking about within any given hour? How many exit nodes are there?

how many total per hour? or how many change within that hour? .... it's really not possible to get a solid list since once you've got one it's already out of date....

Offline RebelMX

  • Core
  • *****
  • *****
Re: Is a feature such as this possible to implement into the new patch?
« Reply #14 on: September 05, 2011, 06:05:08 pm »
In order to advise you on this, yes it CAN be done but NO it shouldn't be.
Basically a spoofed address can be made of ANY IP you can think of. Therefore it is simply not possible to detect those IPs that are real and those that are attackers. That's the reason for the difficulty in developing a patch to date! Therefore, like GhostShip has mentioned, what is there to stop someone spoofing every single IP range on the network, which would then add every IP range into the blocklist, and therefore essentially lock out every user from the network? That is more worrying to me than the issue we have now. Driving users away < Locking every IP between 1.0.0.0 and 255.255.255.255 IMO

On top of this is the fact that the "attacks" are technically not attacks in the general sense of the word. For example the "attacks" on the searches. They are genuine search results being sent to a user without limiting the results to the original search request. That cannot be seen as an "attack" using this "on the fly" system, as the packets are real and the contents are valid; they are just not what the user wants to see! Only once you understand that what you are trying to block is not really an attack can you understand how best to protect from it.


Offline achilles

  • Core
  • *****
Re: Is a feature such as this possible to implement into the new patch?
« Reply #15 on: September 06, 2011, 05:08:33 pm »
Well, after researching IP spoofing more, it does appear that could become a problem since the data being sent is valid. It appears that a protocol-level rewrite is the best solution to this problem. I wish I could be of more help, but I only know just a little C++. Maybe in a couple of years I will be of more use to the community since I'm learning more every day.
I'm a Hardware, and Cyber Security Guy.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Is a feature such as this possible to implement into the new patch?
« Reply #16 on: September 06, 2011, 07:45:41 pm »
We all face the same challenges Achilles, I'm no code expert but like you suggest I am teaching myself as fast as I can and learning much throughout the last year or two about coding and other aspects of supporting winmx.

Some parts of the WinMX protocol are already resistant to many of the attack methods in use; however, not all of the packet types are so protected for one reason or another. Add to that the release of the secret key algorithm that mx uses to "sign" its packets and prevent fraudulent nodes receiving attention, and this all turns into an enormous challenge. We are maintaining and supporting the effort to meet that challenge, and whilst there is a theoretical method to defeat these attackers, our efforts are tightly directed towards creating its practical implementation.

Offline achilles

  • Core
  • *****
Re: Is a feature such as this possible to implement into the new patch?
« Reply #17 on: September 06, 2011, 09:31:22 pm »
I'm getting ready to start going back to school again for a second degree. I have a degree in Spanish which is of little help here. Due to my limited time I will have to do many of my classes online. I was thinking of joining a coding forum since I keep running into questions without answers. I'm not sure how patient members of coding forums are with newbies to coding. I'm going to give it a try. Luckily the internet has everything online for free that one needs to learn a coding language. I didn't really know if there was any hope taking up coding at the age of 35, but there are so many people in their teens and 20's that have already achieved so much with coding. If they can do it in such a short time then so can I. Good luck with a solution Rebel!
I'm a Hardware, and Cyber Security Guy.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Is a feature such as this possible to implement into the new patch?
« Reply #18 on: September 06, 2011, 10:27:35 pm »
good luck wrapping your mind around the win32/64 api ;)

Offline Bluey_412

  • Forum Member
  • I'm Watching...
Re: Is a feature such as this possible to implement into the new patch?
« Reply #19 on: September 07, 2011, 01:32:28 pm »
Pessimist!
What you think is important is rarely urgent
But what you think is Urgent is rarely important

Just remember that...
