FREE Internet Security & Privacy Enforcement Resources
brought to you by Gibson Research Corporation


Internet Security Considerations
for Napster and Gnutella Users


(And any other Windows Peering Services)

You probably don't need to be told that Peer-to-Peer technologies like Napster and Gnutella are extremely cool and very powerful. Among other things, peer-to-peer systems embody the anti-establishment spirit that was once the soul of the Internet  . . . but which is being threatened by increasing commercialism, the interests of big business, and "big brother's" need for control.

Decentralized peer-to-peer systems are
returning a lot of power to the people.

But there's a "dark side" to the freedom created by peering services: Malicious Internet hackers see tremendous opportunities for exploiting unsuspecting users of peering technologies. The use of peering technologies creates two potential vulnerabilities:


IP Address Advertising:
Any use of the Internet requires each endpoint in a dialog to have the IP address of the other in order to exchange data. Since the IP addresses of public web, ftp, mail, and other Internet servers must be well known for them to be found and used, high-visibility Internet servers have been the favorite targets of malicious hackers.

By comparison, the typical Internet user has an IP address which is never "broadcast" and is not generally known to anyone other than the Internet server at the other end of the connection. Even so, malicious hackers are continuously "scanning" the Internet to locate machines which might not be secure and whose resources can be exploited for their malicious purposes.

But users of Napster and Gnutella are especially vulnerable. . .

In order to function, peering networks dynamically collect, distribute, and broadcast the IP addresses of their active peers. Malicious hackers have figured this out and now use special "IP Address Harvesters" to collect the Internet addresses of active, online, peering clients and servers. These machines are then targeted by their IP addresses for direct attack.



Connection Acceptance:
By now, everyone has heard of "Denial of Service" (DoS) and "Distributed Denial of Service" (DDoS) attacks. These attacks are launched against Internet servers by exploiting the fact that an Internet server "accepts a connection" from any Internet client. A traditional Denial of Service attack brings down an Internet server by creating thousands of fake connection requests, each of which the server must assume is valid, and each of which the server must allocate some local resources to honor and service. At some point the server becomes so overloaded that it either cannot accept additional connections, valid or not, or it simply crashes.

For an extensive description of TCP Protocol, Denial
of Service attacks, and a working scheme for their
prevention, please see my "No More DoS" page.

Most individual users of the Internet are simply "clients" making queries of remote Internet servers, requesting web pages, images and files. In other words, their computers are anonymously requesting Internet connections from remote servers which must accept those anonymous connections. Since the typical personal computer never needs to serve files to other machines, it never needs to accept unknown connections and it is therefore not vulnerable to Denial of Service attacks.

But, again, users of peering services such as Napster and Gnutella do accept connections from other unknown machines and are therefore temporarily acting as Internet servers which are similarly vulnerable to direct attacks.

What Can You Do?
Should you just give up and unplug your computer? No way! Don't let the malicious hackers scare you away from the future of the Internet and the tremendous growing resource of peering services! There are many things you can do to make your computer very secure without spending a dime! Here is the minimum you should do to secure your computer:

Take responsibility and get yourself informed!
Since you are reading this page, you have already taken the big first step. You are learning about the problem  . . . taking responsibility and action! Nothing good will happen until you do.

Get your ShieldsUP!
Since most of the danger from having a "known IP address" comes from the vulnerability of Windows' file sharing, you should use the completely free "ShieldsUP!" facility to button-down your Windows OS and make sure that no one can access the contents of your hard drives or print to your printers. If your computer is not already secure you will find complete, detailed, and very clear instructions for securing it. It's clear, simple, and free.

Add a free Firewall!
One of the best software firewalls in the industry, Zone Alarm, is 100% free and very good. (Zone Alarm just won PC Magazine's Editors Choice from among ALL firewalls!) A software firewall is an absolute MUST HAVE for any user of Internet peering technologies. You can spend some money for one like Zone Alarm Pro, Norton's Internet Security, or BlackICE Defender if you want  . . . but you MUST get some sort of good firewall (there are crappy ones too, but the ones I have mentioned here are all good) if you are going to safely use Internet peering services.

Ignore the IBR!
What's IBR? Any user of any "reporting firewall" knows that there is an amazing amount of junk randomly flying around the Internet. Some of it will just naturally (statistically) land on your IP address. But that means NOTHING (it does NOT mean you are being "attacked"). Malicious hackers are scanning IP address ranges all the time, ISPs are continuously scanning their own customers looking for news servers and other "bad things" which consume bandwidth, and peering systems are pinging each other. The Internet is so full of this completely meaningless noise that I coined the term "Internet Background Radiation" (IBR) to help remind people that random packets hitting your machine HAVE NO MEANING!  . . . It's just "background radiation" being created by all the traffic flowing across the Internet.

Firewalls eagerly prove "how good they are" by alerting
their users to all of this background radiation, but
mostly those warnings are just annoying.

Some users send off "hack attack" eMail to the ISPs of every "attacker", but those eMails are never even read. Using a good firewall and completely ignoring the noise — and turning off the annoying pop-up notices! — is the best solution for security and peace of mind.

Tell Your Friends!
Since most users of Internet peering services are also members of social communities of friends sharing stuff, be sure that your friends are aware of the responsibilities which go hand-in-hand with the use of these very cool Internet peer-to-peer services.

Together we can have fun, share our resources, and make this work!

Peer-To-Peer Resources:

Gnutella News: (http://www.gnutellanews.com) This great site has news, articles, and links which will be of interest to Gnutella users. It also keeps a quick-reference list of connectable Gnutella Hosts and Servers.
Gnutelliums: (http://www.gnutelliums.com/) The Gnutelliums site maintains a comprehensive directory of Gnutella downloads/clients for Windows, Linux/Unix, Java, and Macintosh.
Hosts Cache: (http://www.hostscache.com/) HostsCache.com is a network of sites working together to provide IP addresses for Gnutella and other distributed/peer to peer networks.
Clip2: (http://www.clip2.com/) Clip2 is a peer-to-peer "techie site" which may be most interesting to developers of peering systems, but it also contains articles of more general interest.

FAQ - Frequently Asked Questions:

I ran a Gnutella program for the first time tonight, and I've gotta say I like it very much. However, several hours after I shut it down my software firewall is still reporting a lot of inbound activity to port 6346 (which the Gnutella client was using). If I trace this back, I find users and servers I was connected to on the Gnutella network many hours ago.

How the heck can I kill these constant port probes from those machines? Or will I have to live with it for days until those users log off?

There is no perfect solution to this problem, but at least it's nothing to worry about. While you were using Gnutella, your computer's IP address was actively participating in a peer-to-peer network which widely distributed your machine's IP. (Similar things happen with Napster and all other peering systems.) Until your IP is removed from the active network, many machines will check to see if it might still be valid.

If you really want to prevent this, the only real solution would be for you to somehow change your IP address.

If you are a dial-up user, simply disconnect from your ISP and reconnect. You will receive a "clean IP" which only has the "typical" level of background IP noise.

If you are a cable modem or DSL user with an automatically assigned IP, you might be able to force a change of IP by requesting a new "IP and lease" from your ISP. The Windows "WINIPCFG" program (use the Run... option in the Start menu) can be used to make this request.

Finally, if you intend to use peering services frequently and you want to prevent the exposure of your IP, you can usually request a second IP from your ISP for a modest additional charge. You could then use your secondary IP only for peer-to-peer networks, then switch to your "clean IP" for everything else.

Another (not free) solution is to hide your machine behind a Linksys (or other) NAT router (street price as low as $120). NAT routers are "natural firewalls" since they completely ignore unsolicited inbound traffic. In fact, you will need to deliberately configure your NAT router to ALLOW peer-to-peer systems to connect to your computer. So, once you're finished with a Gnutella or Napster session you can remove the "openings through the NAT" to close your system and your firewall won't raise a single alert! It's not a free solution, but a NAT router makes an EXTREMELY good hardware firewall.

The best free solution would be for you to simply train your firewall to completely ignore (and not bother you about) inbound connection attempts to port 6346. Since these are not "attacks" against your system, ignoring them makes the most sense.
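The triage described in this answer and in the "Ignore the IBR!" section, as an added example (not code from GRC or from any firewall product): it sorts blocked inbound attempts into leftover probes from former Gnutella peers on port 6346, other hits on that port, and unrelated background noise. The log line format, the addresses, and the names triage, SAMPLE_LOG and SESSION_PEERS are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

GNUTELLA_PORT = 6346  # the port named in the FAQ above

# Constructed sample lines in a hypothetical firewall log format.
SAMPLE_LOG = """\
2001-03-04 22:05:11 BLOCK TCP 203.0.113.7:1044 -> 192.0.2.10:6346
2001-03-04 22:07:40 BLOCK TCP 203.0.113.7:1051 -> 192.0.2.10:6346
2001-03-04 22:09:02 BLOCK TCP 198.51.100.23:3321 -> 192.0.2.10:6346
2001-03-04 22:31:18 BLOCK TCP 198.51.100.99:4000 -> 192.0.2.10:139
2001-03-04 23:12:45 BLOCK TCP 203.0.113.7:1090 -> 192.0.2.10:6346
2001-03-04 23:40:03 BLOCK UDP 198.51.100.50:53 -> 192.0.2.10:1027
2001-03-05 01:02:57 BLOCK TCP 198.51.100.23:3400 -> 192.0.2.10:6346
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) BLOCK (TCP|UDP) (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(\d+)$"
)

def triage(log_text, session_peers, port=GNUTELLA_PORT):
    """Split blocked inbound attempts into stale-peer probes and other noise."""
    report = {
        "stale_peer": Counter(),       # former peers still trying the peering port
        "unknown_on_port": Counter(),  # peering port, source was never a recorded peer
        "background": Counter(),       # everything else (the page's "IBR")
        "stale_per_hour": defaultdict(int),  # shows the probes tapering off over time
        "skipped": 0,                  # lines that did not parse
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            report["skipped"] += 1
            continue
        stamp, _proto, src, dport = m.groups()
        if int(dport) != port:
            report["background"][src] += 1
        elif src in session_peers:
            report["stale_peer"][src] += 1
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            report["stale_per_hour"][when.strftime("%Y-%m-%d %H:00")] += 1
        else:
            report["unknown_on_port"][src] += 1
    return report

# Peers recorded while the client was running (constructed addresses).
SESSION_PEERS = {"203.0.113.7", "198.51.100.23"}
```

Calling triage(SAMPLE_LOG, SESSION_PEERS) returns the per-source counts; a stale_per_hour series that shrinks over time matches the answer's explanation that other machines are only checking whether the address is still valid.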

I sincerely hope that you will find the Internet security and privacy resources I have created here at GRC.COM to be valuable and useful.

This special "Peer To Peer" page will always be here, and I will update it to reflect the availability of more specific "peer-to-peer" resources as I become aware of them, or create them myself.

All my best wishes!


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2022 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Feb 22, 2008 at 10:01