H. Morrow Long
morrow.long at yale.edu
Thu Apr 4 00:08:33 GMT 2002
BTW Peter, we use #3.
Peter Van Epp wrote:
> 1) block port 1214 in your border router. I believe this blocks access to
> a required kaza connection (although it may port hop, I'm usually behind
> the times on these things).
TCP port 1214 is the one port at which KaZaa listens. Previously this had been
a very simple HTTP web-server-like service at which you could actually connect
with a web browser to and request files (e.g. you could pointer your IE or
Netscape at http://IPaddress:1214/ where IPaddress was the IP address of a
KaZaa user and you would get a file listing and could click on a file to d/l it).
However, I've noticed that recently KaZaa changed the protcol that they use at
TCP port 1214 (probably around the time they upgraded their software and froze
out the old Morpheus users...) and it is now much more complex and no longer
lets a regular web browser talk to (e.g. list the 'shared' files in the shared
directory via a web session to TCP port 1214). This is probably to attempt to
keep the NetPDs and MediaForces of the world away -- though it is unlikely to
and they will likely just go to the next level.
The new client side of the KaZaa protocol looks like (fairly std HTTP 1.1
but the actual file requested is encoded in a hash and there is are some
special 'X-KaZaa' client side headers):
GET /.hash=8236c2e4f676fc3fc12673eaad9a64024a226174 HTTP/1.1
UserAgent: KazaaClient Mar. 4 2002 16:25:02
Unsuccessful server-side header responses in the KaZaa protocol are short :
HTTP/1.0 503 Service Unavailable
Successful server-side header responses (rarer) in the KaZaa protocol are longer:
HTTP/1.1 206 Partial Content
Content-Range: bytes 1582858-5220351/5220352
Date: Wed, 03 Apr 2002 23:56:41 GMT
Server: KazaaClient Mar. 4 2002 16:25:02
Last-Modified: Sat, 07 Oct 2000 19:24:22.GMT
X-KazaaTag: 6=Jenny Lynd
X-KazaaTag: 4=Battle Hymn of the Republic
KaZaa tag 5 is ?, 21 is the sampling bitrate? (in Khz), 6 is the 'artist',
14 the genre, 4 the title and 3 appears to be a nonce, hash or checksum.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4243 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.dshield.org/pipermail/unisog/attachments/20020403/8c176df9/smime-0007.bin
More information about the unisog