
P2P Protocol Analysis and Blocking Algorithm

Sun-Myung Hwang

Department of Computer Engineering, Daejeon University, 96-3 Yongun-dong,
Dong-gu, Daejeon 300-716, South Korea
[email protected]

Abstract. P2P (Peer to Peer) technology provides methods for overcoming many weak points of the conventional client-server mechanism, and consequently many efforts in many fields are made to apply it. On the other side of the coin, these strong points of the P2P technology have been used for bad purposes, causing many problems and concerns. This paper proposes a method to block P2P applications fundamentally in order to eliminate illegal data or files. We use Ethereal, a reliable network packet analysis tool, to analyze the packets received and sent while P2P applications run. We then examine the packet architecture and characteristics of each P2P application and propose algorithms that can block P2P applications. When used to block P2P applications, the proposed algorithms can play an important role in reducing excessive P2P traffic and illegal data sharing.

1 Introduction

Client-server based network solutions have been the most widely used. They allow a server to make up for the clients' lack of performance. In this client-server mechanism, a file server storing the clients' data has been used for data sharing among clients, and this has caused the server to become overloaded. To solve this, a new network mechanism appeared: P2P technology, which does away with the server. This technology has rapidly become popular.
The client-server mechanism concentrates data in one system, and data sharing stops when the server is unable to provide services. P2P technology eliminates these problems by requesting data from connected clients (hereinafter "peers"), so that data can be shared even if some peers are absent. Additionally, P2P technology allows parts of a file to be requested simultaneously from several peers during download, which makes data sharing faster.
The P2P technology provides methods for overcoming many weak points of
conventional client-server mechanism, and consequently, many efforts in many fields
are made to apply it. On the other side of the coin, these strong points of the P2P
technology have been used for bad purposes, causing many problems and concerns.
Napster is a milestone in the rise of P2P programs. Napster was a service designed to provide sharing of mp3 files, and its advent caused an explosive growth of similar applications. Since Napster allowed users to share music data, many music companies resisted the service, causing Napster to stop its service. Other applications were also made for the purpose of data sharing. Legal restrictions cannot be imposed on data sharing, and websites providing data sharing cannot be closed forcefully. Consequently, many problems have been caused by these P2P applications.

O. Gervasi et al. (Eds.): ICCSA 2005, LNCS 3481, pp. 21 – 30, 2005.
© Springer-Verlag Berlin Heidelberg 2005
There have not been enough studies on blocking P2P applications. Moreover, there are no commercially available applications for preventing the use of P2P applications. Teenagers and even younger students use P2P applications to share data illegally. This has become a social issue for which no appropriate solution has been found.
This paper analyzes the protocols used by popular P2P applications, proposes algorithms for blocking the applications, builds the algorithms into blocking programs, and verifies that the blocking programs block the applications effectively.

2 P2P Technologies: An Overview

In the P2P model, a peer receives services from other peers and in turn provides services to other peers. A peer is able to perform more tasks than a conventional client on a client-server network because of changes in the internet environment: the enhanced performance of PCs and the provision of sufficient bandwidth have made it inefficient for a host on the internet to play only the role of client. Moreover, users' demand for anonymity without a server has increased.

2.1 P2P Models

Since the P2P model has no server, even if a peer is down or attacked, the whole network is not affected much. Moreover, the P2P model allows anonymity because a peer cannot have information on all other peers. Each peer provides and accesses services by sharing its own storage space, memory, computing capacity or bandwidth.
The P2P model requires communication methods different from those of the server-client model in order to provide peer-to-peer communication. For example, when peers provide file sharing services to each other, a peer must search for the file it needs. In the server-client model, files are searched for on and downloaded from the server. In the P2P model, a peer must know which peers have the files it needs, because the files are held by other peers. The P2P model's file searching method is therefore more complex, and many studies have been conducted on distributed search on P2P networks.

2.2 Classifications of P2P

P2P applications are divided into two groups, depending on the characteristics of each application.
A. Hybrid P2P programs
Hybrid P2P applications add the concept of a server to the original P2P model. Hybrid P2P applications search for data via the server, and the server delivers data lists to each peer. However, the server is not involved in data downloading. Hybrid P2P programs let the server manage peers efficiently, providing efficient data search. When the server is overcrowded with traffic or goes down, no search is possible.

B. Pure P2P programs

Pure P2P applications provide P2P services without a server, in keeping with the original concept of P2P. The applications allow a peer to communicate directly with other peers. Therefore no server is required, and data is searched for by broadcast. Even if several peers are down, search and downloading still work well. However, these applications provide slower file search than hybrid P2P applications.

Fig. 1. Hybrid Type and Pure Type P2P: (a) Hybrid Type P2P, (b) Pure Type P2P

2.3 Types of P2P Applications

The table below shows the usage of P2P in Korea. In particular, Soribada and E-Donkey are the most commonly used. Moreover, E-Donkey has taken an increasingly higher share as many similar applications have appeared.

Table 1. P2P application trends in Korea

P2P Application   Use rate (%)
Soribada          60.6
Gru-Gru           14.6
E-Donkey          11.9
Win-MX             6.4
V-Share            2.2
Etc                4.3

A. E-Donkey
This is the most popular P2P application. There are many similar applications whose protocols are modified versions of the E-Donkey protocol (Emule, Overnet, etc.). Since it is very popular, the characteristics of its protocol are well known. E-Donkey is a typical hybrid P2P application and is the one dealt with most intensively by this paper.

Fig. 2. An example of E-Donkey application

B. Gnutella
Gnutella is a typical pure P2P application. There are many similar applications which
use the same format of protocol as Gnutella protocol. The applications use modified
versions of Gnutella protocol, making it difficult to analyze them.
C. Soribada
Soribada is a P2P application made in Korea which takes a much different approach from conventional P2P applications. Since it has a server, it is a hybrid application. Unlike other P2P applications, which download parts of a file from several peers, Soribada chooses one peer from which the file is to be downloaded and downloads the whole file from that peer. Strictly, Soribada cannot be classified as a P2P application. Since it is the most widely used at home and abroad, this paper addresses it.

3 Analysis of P2P Protocols


This study analyzed P2P protocols using Ethereal, a network packet analysis tool. Each P2P application was connected to the network, Ethereal was used to capture the data packets on the network, and the characteristics of each P2P application found inside the packets were examined.

3.1 E-Donkey
A. Architecture of E-Donkey packet
The E-Donkey protocol has the following architecture. The first byte is the protocol ID; it identifies whether the packet is original E-Donkey, belongs to the Emule extension module, or has a compressed data area. The following 4 bytes give the size of the data area. The next byte is the signature, which indicates the command the packet issues, and the actual data is contained in the data area that follows.

Fig. 3. Protocol structure of E-Donkey class: PID (1 byte) | SIZE (4 byte) | Signature (1 byte) | DATA

Table 2. Protocol ID of E-Donkey class

Protocol ID   Description
0xe3          Original E-Donkey protocol
0xc5          Extension protocol in Emule
0xd4          Data compression protocol

Table 3. Signatures in E-Donkey class (signature no. for E-Donkey and Emule)

Instruction    E-Donkey  Emule  Description
hello          0x01      0x01   Checks whether the server is present
hello answer   0x4c      0x02   Reply to the server presence check
Req-Slist      0x14      0x14   Requests the server list
Rep-Slist      0x32      0x32   Data area contains the server list
Req-SState     0x96      0x96   Requests the server's status
Rep-SState     0x97      0x97   Data area contains the number of users, number of files and maximum number of users allowed (4 bytes each)
Req-Sinf       0xa2      0xa2   Requests the server's information from the server
Rep-Sinf       0xa3      0xa3   Sends the server information
Req-Search     0x16      0x16   Data area contains the 2-byte length of the search string followed by the search string
Rep-Search     0x33      0x33   Reply to the search; Emule compresses the message
Req-Source     0x19      0x19   Requests the list of peers that have the source
Rep-Source     0x42      0x42   Data area contains the list of peers that have the source
Req-File       0x58      0x81   Requests a file
Rep-File       0x59      0x82   Reply to the file request
Req-Slot       0x54      0x54   Requests allocation of a slot for receiving the file
Rep-Allslot    0x55      0x55   Reply to the slot allocation
B. Analysis of E-Donkey protocols
E-Donkey protocols have their own specific IDs, which are divided into three: the protocol ID used only by E-Donkey, the protocol ID used by the Emule extension module, and the protocol ID used when the data area is compressed.
Table 3 shows the commonly used signatures, including those used uniquely by Emule. For example, Emule uses E-Donkey's specific signatures and the Emule extension signatures simultaneously.

C. Protection algorithm
#include <stdbool.h>
/* Returns true if the packet belongs to the E-Donkey class.
   protocolIDTable holds the protocol IDs of Table 2, DonkeySig the
   signatures of Table 3, and SigSpace is the signature offset
   (1-byte PID + 4-byte SIZE = 5). */
bool isDonkeyPacket(const unsigned char *packet, int packetLen)
{
    bool protocolIDFlag = false;
    int i, j;
    if (packetLen <= SigSpace)      /* too short to carry a signature */
        return false;
    for (i = 0; i < protocolTableSize; i++) {
        if (packet[0] == protocolIDTable[i])
            protocolIDFlag = true;
    }
    if (protocolIDFlag) {
        for (j = 0; j < DonkeySigSize; j++) {
            if (packet[SigSpace] == DonkeySig[j])
                return true;
        }
    }
    return false;
}

Fig. 4. E-Donkey Protocol protection algorithm
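As an added illustration that is not the paper's own code, the following Python implements the check of Fig. 4 over the Fig. 3 layout with the values of Tables 2 and 3, and adds the SIZE consistency check a filter needs so that unrelated traffic starting with 0xe3 is not flagged. The little-endian SIZE field and the convention that SIZE counts the signature byte plus the data area are assumptions not stated in the paper, and all sample packets are constructed.

```python
import struct

# Table 2: first byte (protocol ID) of the E-Donkey packet class
PROTOCOL_ID_TABLE = {0xE3: "edonkey", 0xC5: "emule-extension", 0xD4: "compressed"}

# Table 3: instruction -> (E-Donkey signature, Emule signature)
SIGNATURE_TABLE = {
    "hello": (0x01, 0x01),      "hello answer": (0x4C, 0x02),
    "Req-Slist": (0x14, 0x14),  "Rep-Slist": (0x32, 0x32),
    "Req-SState": (0x96, 0x96), "Rep-SState": (0x97, 0x97),
    "Req-Sinf": (0xA2, 0xA2),   "Rep-Sinf": (0xA3, 0xA3),
    "Req-Search": (0x16, 0x16), "Rep-Search": (0x33, 0x33),
    "Req-Source": (0x19, 0x19), "Rep-Source": (0x42, 0x42),
    "Req-File": (0x58, 0x81),   "Rep-File": (0x59, 0x82),
    "Req-Slot": (0x54, 0x54),   "Rep-Allslot": (0x55, 0x55),
}
DONKEY_BY_SIG = {sigs[0]: name for name, sigs in SIGNATURE_TABLE.items()}
EMULE_BY_SIG = {sigs[1]: name for name, sigs in SIGNATURE_TABLE.items()}

SIG_SPACE = 5                  # 1-byte PID + 4-byte SIZE: signature sits at offset 5
HEADER = struct.Struct("<BI")  # assumption: SIZE is little-endian, as in eDonkey2000


def classify_edonkey(packet: bytes):
    """Fig. 4 plus a SIZE consistency check; returns a dict or None."""
    if len(packet) <= SIG_SPACE:
        return None
    pid, size = HEADER.unpack_from(packet, 0)
    family = PROTOCOL_ID_TABLE.get(pid)
    if family is None:
        return None
    # Assumption: SIZE counts the signature byte plus the data area. Fig. 4
    # never looks at SIZE, so any payload that happens to start with 0xE3 and
    # carry a known value at offset 5 is flagged; requiring the header to be
    # self-consistent removes most of those false positives.
    if size != len(packet) - SIG_SPACE:
        return None
    signature = packet[SIG_SPACE]
    # Emule extension packets (0xC5) use the Emule column of Table 3; the
    # original and compressed protocol IDs use the E-Donkey column.
    table = EMULE_BY_SIG if pid == 0xC5 else DONKEY_BY_SIG
    instruction = table.get(signature)
    if instruction is None:
        return None
    return {"family": family, "signature": signature,
            "instruction": instruction, "data_len": size - 1}


def build_edonkey_packet(pid: int, signature: int, data: bytes) -> bytes:
    """Constructed sample packet in the layout of Fig. 3 (not a real capture)."""
    return HEADER.pack(pid, 1 + len(data)) + bytes([signature]) + data


if __name__ == "__main__":
    samples = {                       # constructed inputs, not captured traffic
        "edonkey hello": build_edonkey_packet(0xE3, 0x01, b"\x10" * 16),
        "emule hello answer": build_edonkey_packet(0xC5, 0x02, b""),
        "0xE3 noise, bad SIZE": b"\xe3\x00\x00\x00\x00\x01\x00",
        "plain http": b"GET / HTTP/1.1\r\n",
    }
    for name, pkt in samples.items():
        print(f"{name:22s} -> {classify_edonkey(pkt)}")
```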

3.2 Gnutella

A. Architecture of Gnutella packets


The Gnutella protocol's packet architecture comprises a 16-byte descriptor ID and a 1-byte payload descriptor ID. The 16-byte descriptor ID is the sole ID that a peer has on the network; other peers use it to establish connections with each other. The payload descriptor ID is a signature showing which of the four basic commands used by the Gnutella protocol the packet carries.

Fig. 5. Packet Structure of Gnutella Protocol

B. Analysis of protocol
Ping message: each peer (called a servant in the case of the Gnutella protocol) broadcasts its own descriptor ID to the Gnutella network in order to log on to the network.
Pong message: the reply of each servant to the ping message. The payload descriptor ID for the pong message is 0x01.
Data query
Query hit: the payload descriptor ID has a value of 0x81. This is a list of query hits. When a servant's data has hits corresponding to a query, the list of hits is sent to the servant that requested it. Analysis of the transferred messages shows that the list of data of the servants containing the actual query 'california' is included.
Actual data transfer: data is actually transferred as a TCP/IP stream. Data headers have slightly different values depending on the characteristics of the application. Limewire, the application used for the analysis, performs stream transfer as shown in Fig. 6.

GET /uri-res/N2R?urn:sha1:MLX6DEJZMUHSK4PITMQYIDOJRBGARAKI HTTP/1.1
HOST: 70.64.173.156:6346
User-Agent: LimeWire/3.8.3
X-Queue: 0.1
X-Gnutella-Content-URN: urn:sha1:MLX6DEJZMUHSK4PITMQYIDOJRBGARAKI
X-Alt: 155.97.202.30, 152.3.72.242:6348
Range: bytes=1499870-1599879
Chat: 203.237.140.179:6346

HTTP/1.1 206 Partial Content
Server: LimeWire/4.0.8
Content-Type: application/binary
Content-Length: 100010
Date: Thu, 23 Sep 2004 16:41:45 GMT
Content-Range: bytes 1499870-1599879/4202496
X-Gnutella-Content-URN: urn:sha1:MLX6DEJZMUHSK4PITMQYIDOJRBGARAK

Fig. 6. Data Send/Receive in Limewire

C. Protection algorithm
/* Returns true if the byte after the 16-byte descriptor ID (GnuSigSpace = 16)
   is one of the payload descriptors listed in payloaderDesTable. */
bool isGnutellaPacket(const unsigned char *packet, int packetLen)
{
    int i;
    if (packetLen <= GnuSigSpace)   /* no payload descriptor present */
        return false;
    for (i = 0; i < payloaderDesTableSize; i++) {
        if (packet[GnuSigSpace] == payloaderDesTable[i])
            return true;
    }
    return false;
}

Fig. 7. Protection algorithm of Gnutella class application

3.3 Soribada3
A. Analysis of protocol
Access to the Soribada server: when Soribada is run, a connection to the website www.soribada.com is established (HTTP protocol). The user then enters his/her ID and password at soribada3.phtml?action=nick&id=XXXXX&pw=XXXXX and is authenticated. This method of user authentication is widely used on ordinary websites. However, this authentication is exposed in the TCP stream, so this study could analyze the protocol easily.
Obtaining the list of peers: after logging on to the server, the application uses http://211.233.14.157/habor.html?action=list to get the list of peers.
Peer-to-peer receiving and sending: the application sends messages to the peers in the list received from the server and makes sure that the peers can receive and send data to and from each other. The messages sent contain the 0x1014 signature (UDP protocol). In reply, each peer exchanges data by transferring messages containing the 0x1015 signature to the users.
Request for file search: using its list of peers, the user sends a request for data search to the peers. The signature used for this is 0x01.
Sending search results: when a peer that received a data search request has data matching the search conditions, it sends the list of that data.
File receiving and sending: since files are transferred as a TCP stream, as in the case of Gnutella, the transferred data is analyzed by stream comparison so that the application can be recognized as Soribada.
B. Blocking algorithms
Since the signature held by Soribada is used only for query and search, the application can be recognized correctly by comparing this signature together with the texts GETMP3 and soribada3 that appear in the TCP stream. The recognition mechanism for the Soribada application is a little more complex.

/* Returns true if the first byte matches a 1-byte Soribada signature
   (SoribadaSig) or the first two bytes match a 2-byte signature
   (SoribadaSig2byte, i.e. 0x1014 and 0x1015). */
bool isSoribadaPacket(const unsigned char *packet, int packetLen)
{
    int i;
    if (packetLen < 1)
        return false;
    for (i = 0; i < SoribadaSig1byteTableSize; i++) {
        if (packet[0] == SoribadaSig[i])
            return true;
    }
    if (packetLen < 2)
        return false;
    for (i = 0; i < SoribadaSig2byteTableSize; i++) {
        if (packet[0] == SoribadaSig2byte[i][0] &&
            packet[1] == SoribadaSig2byte[i][1])
            return true;
    }
    return false;
}
Fig. 8. Soribada Protocol algorithm
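The Gnutella and Soribada checks of Figs. 7 and 8 together with the TCP stream matching of Sect. 3.3, as an added Python example that is not part of the paper. The TTL, hops and payload-length fields and the ping/query descriptor values are taken from the Gnutella 0.4 specification rather than from the paper, the names given to the 0x1014/0x1015 messages are my own, and every input is constructed.

```python
import struct

# Gnutella (Fig. 5): 16-byte descriptor ID, then the 1-byte payload descriptor.
# TTL, hops and the little-endian payload length that follow come from the
# Gnutella 0.4 specification (not the paper); they let the classifier check that
# the header is self-consistent instead of trusting one byte at offset 16.
GNU_HEADER = struct.Struct("<16sBBBI")
PAYLOAD_DESCRIPTOR_TABLE = {
    0x01: "pong", 0x81: "query hit",   # values given in Sect. 3.2
    0x00: "ping", 0x80: "query",       # from the Gnutella 0.4 specification
}
GNUTELLA_STREAM_MARKERS = (b"X-Gnutella-Content-URN:", b"/uri-res/N2R?urn:sha1:")

# Soribada3 (Sect. 3.3): UDP signatures and the texts seen in its TCP streams.
SORIBADA_SIG_1BYTE = {0x01: "search request"}
SORIBADA_SIG_2BYTE = {b"\x10\x14": "peer check", b"\x10\x15": "peer check reply"}
SORIBADA_STREAM_MARKERS = (b"GETMP3", b"soribada3")


def classify_gnutella_message(msg: bytes):
    """Fig. 7 with a header-length check; returns (app, kind, confidence) or None."""
    if len(msg) < GNU_HEADER.size:
        return None
    _desc_id, payload_desc, _ttl, _hops, length = GNU_HEADER.unpack_from(msg, 0)
    kind = PAYLOAD_DESCRIPTOR_TABLE.get(payload_desc)
    if kind is None or length != len(msg) - GNU_HEADER.size:
        return None
    return ("gnutella", kind, "strong")


def classify_soribada_datagram(msg: bytes):
    """Fig. 8, 2-byte signatures first. A lone 0x01 first byte is shared by many
    protocols, so it is reported as a weak match for the TCP texts to confirm."""
    if len(msg) >= 2 and msg[:2] in SORIBADA_SIG_2BYTE:
        return ("soribada", SORIBADA_SIG_2BYTE[msg[:2]], "strong")
    if msg and msg[0] in SORIBADA_SIG_1BYTE:
        return ("soribada", SORIBADA_SIG_1BYTE[msg[0]], "weak")
    return None


def classify_tcp_stream(stream: bytes):
    """File transfers run as TCP streams (Fig. 6, Sect. 3.3): match the
    application-specific texts in the reassembled stream."""
    if any(m in stream for m in SORIBADA_STREAM_MARKERS):
        return ("soribada", "file transfer", "strong")
    if any(m in stream for m in GNUTELLA_STREAM_MARKERS):
        return ("gnutella", "file transfer", "strong")
    return None


def classify(transport: str, payload: bytes):
    """One captured payload, as the blocking program of Sect. 4 would see it."""
    if transport == "udp":
        return classify_soribada_datagram(payload) or classify_gnutella_message(payload)
    return classify_tcp_stream(payload) or classify_gnutella_message(payload)


if __name__ == "__main__":            # constructed inputs, not captured traffic
    pong = b"\x11" * 16 + bytes([0x01, 7, 0]) + (14).to_bytes(4, "little") + b"\x00" * 14
    for transport, payload in [("tcp", pong), ("udp", b"\x10\x14\x00\x01"),
                               ("udp", b"\x01\x00"), ("tcp", b"GETMP3 /song.mp3\r\n"),
                               ("tcp", b"GET / HTTP/1.1\r\n")]:
        print(transport, payload[:12], "->", classify(transport, payload))
```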

4 P2P Blocking Programs

This study used a library called WinPcap to build a P2P blocking program which blocks P2P programs using the packet architecture of the P2P programs analyzed above and the proposed algorithms. Fig. 6 shows the screen of the loaded blocking program. When the blocking program starts to capture packets, all packets present on the network are captured. The blocking program then uses the proposed algorithms to check whether any P2P packet is present and shows the list of the packets found. Additionally, a dialogue box prompting for the blocking of P2P packets is embedded in the blocking program, so that P2P packets can be selectively blocked (Fig. 7).
This study shows that it is possible to efficiently block the E-Donkey family (E-Donkey, Emule, Overnet, Pruna), the Gnutella family (Morpheus, Limewire) and Soribada3, which are the subjects of the analysis, using the proposed algorithms.

5 Conclusions

P2P protocols have some advantages that can be put to very good use. The P2P model has a lower dependence on the server than the conventional client-server mechanism; instead, the model focuses on each peer. Because of this, when it appeared, the P2P model was expected to be of great help in creating more innovative solutions than conventional ones. However, P2P solutions have been used for bad purposes, causing losses to many people.
Using P2P applications, users can easily find and download commercially available software (games, operating systems, development tools etc.) and even download mp3 files, movie files and pornographic files.
Because of this, many users take it for granted that they share data. They are not aware that their data sharing via P2P services brings losses to many other people. Software development companies suffer increasingly larger damages and losses because they do not have any measures or technologies to prevent their software products from being distributed free via P2P applications. Additionally, software piracy has brought serious social problems.
This paper proposes a method to block P2P applications fundamentally in order to eliminate software piracy. This study used Ethereal, a reliable network packet analysis tool, and analyzed the packets received and sent while P2P applications run. The study then examined the packet architecture and characteristics of each P2P application and proposed algorithms that can block P2P applications.
When used to block P2P applications, the proposed algorithms can play an important role in reducing excessive P2P traffic and illegal data sharing. However, the algorithms do not necessarily block all P2P applications. Nobody knows what kind of P2P protocols using new methods will appear, and it cannot be assured that subtle cases excluded from the subjects of this study can be handled. Consequently, further studies on the blocking algorithms will provide more complete and more reliable P2P blocking mechanisms.
Moreover, the current blocking algorithms block P2P applications outright, which also disallows P2P applications used for good purposes. If there were algorithms which could take a closer look at the exchanged packets and determine what kind of data is exchanged, it would be possible to develop methods that filter only illegal data sharing through P2P applications.
