EarthStation 5 Description
EarthStation 5 is a relatively new client.
It claims to be operating out of the West Bank to avoid legal
entanglements. We consider this client to be a high security
risk for corporate customers, because of a problem in the original
release that allowed remote deletion of files. There is some
controversy over whether the company behind ES5 is linked
to Steve Cohen, a convicted felon and fugitive (http://p2pwatchdog.com/forum/viewtopic.php?p=8#8),
although any such link is probably unwitting on the part of ES5.
The ES5 client has perhaps the most advanced
feature set available for hiding activity. For instance, it
can spread a download across multiple encrypting proxy servers.
Non-encrypted sessions can be traced relatively easily, but
encrypted activity generated by this client requires more
sophisticated forms of traffic analysis or packet decoding.
With the exception of file transfers, and of fetching the
web content used by the client UI, all of the traffic
generated by ES5 uses UDP and is either encoded or encrypted.
Unfortunately, it uses a lot of bandwidth. The first version
we tested, 1.1.30, used 5 megabits for a single file search.
On Dec 15, 2003, we tested the latest version (1.1.45), and
bandwidth consumption had been reduced to 1-2 megabits per search.
TCP is used for file transfer. Like several other P2P protocols,
the clients can run in active or passive mode. For active
mode, the user needs to define a set of ports for inbound
connections. In passive mode, the client will be unable to
share files with other passive clients.
Firewall Settings: Static firewall
rules are not likely to be effective. Given the built-in support
for rotating proxies and encryption, detection is not an easy
task, but nevertheless is possible. Likely methods for detecting
the client include traffic analysis, or partial decoding of
either the TCP or the UDP packets. Since the TCP stream
is encrypted using SSL, details about the file being transferred
would need to be obtained from the UDP packets.
Note that P2P WatchDog does not decrypt
the ES5 SSL stream, and does not attempt to collect information
on the file being transferred. It merely identifies file transfer
traffic as originating from ES5, so that it can be blocked.
EarthStation 5 Packet Library
(Packets are referred to by number. These packets can be downloaded
from our library.)
Packet #40: Client opens a TCP channel to a peer and
sends a file request. Note that for some transfers this information
will be encrypted.
date: Tue, 07 Oct 2003 16:11:26 GMT
Packet #41: Request Response. This signifies the start of the file transfer.
Expires: Wed, 06 Oct 2004 16:13:37 GMT
date: Tue, 07 Oct 2003 16:13:37 GMT
last-modified: Mon, 06 Oct 2003 13:53:54 GMT
Packet #30: This is a request through a proxy. The target peer in this case is 220.127.116.11:18773.
date: Wed, 08 Oct 2003 10:55:26 GMT
Packet #31: This is a response through a proxy.
Via: 1.0 FHRSERVER
Expires: Thu, 07 Oct 2004 11:03:24 GMT
date: Wed, 08 Oct 2003 11:03:24 GMT
content-type: audio/mp3
last-modified: Sat, 21 Jun 2003 19:18:21 GMT
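The header lines above are the readable part of an ES5 TCP transfer, and they are what "partial decoding of the TCP packets" (see Firewall Settings) has to work with. The following is an added example, not P2P WatchDog's code and not anything shipped with EarthStation 5: it parses a header block of this shape and summarises the transfer for a detection log. The two sample captures are constructed from the header lines shown for packets #41 and #31 (request lines and bodies are not shown on this page and are omitted); the assumptions that a Via header marks a proxied transfer, and that Expires sits one year after date, are drawn only from those two samples and are labelled as such in the code.

```python
"""Parse and classify the HTTP-style header blocks seen in ES5 TCP file transfers.

Added example, not code from P2P WatchDog or EarthStation 5. The samples below
are CONSTRUCTED from the header lines shown in the packet library (packets #41
and #31); request lines and bodies are not on the page and are left out.
"""
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample: modelled on packet #41 (direct request response).
SAMPLE_DIRECT_RESPONSE = (
    "Expires: Wed, 06 Oct 2004 16:13:37 GMT\r\n"
    "date: Tue, 07 Oct 2003 16:13:37 GMT\r\n"
    "last-modified: Mon, 06 Oct 2003 13:53:54 GMT\r\n"
    "\r\n"
)

# Constructed sample: modelled on packet #31 (response through a proxy). The
# "date" value is deliberately folded onto a continuation line, as in the
# extracted capture, so the parser has to handle folding.
SAMPLE_PROXIED_RESPONSE = (
    "Via: 1.0 FHRSERVER\r\n"
    "Expires: Thu, 07 Oct 2004 11:03:24 GMT\r\n"
    "date: Wed, 08 Oct 2003 11:03:24\r\n"
    " GMT\r\n"
    "content-type: audio/mp3\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Return the header block as a dict keyed by lower-cased header name.

    The captures mix cases ("date" next to "Expires"), so names are
    normalised. A line beginning with SP or HTAB is a folded continuation of
    the previous value. Parsing stops at the first empty line; a non-empty
    line without a colon is rejected rather than silently skipped.
    """
    headers: dict = {}
    last_name: Optional[str] = None
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            break  # end of the header block
        if line[0] in " \t":
            if last_name is None:
                raise ValueError("continuation line before any header")
            headers[last_name] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        last_name = name.strip().lower()
        headers[last_name] = value.strip()
    return headers


def _http_date(value: Optional[str]) -> Optional[datetime]:
    """Parse an RFC 1123 date such as 'Tue, 07 Oct 2003 16:13:37 GMT'."""
    return None if value is None else parsedate_to_datetime(value)


def classify_transfer(raw: str) -> dict:
    """Summarise one transfer response for the detection log.

    ASSUMPTION: a Via header marks a transfer relayed through one of the
    client's proxy servers; this is inferred only from packet #31 above.
    expires_after_days is the gap between Expires and date, which is 365 in
    both captures shown on the page; it is an observation, not a documented
    protocol constant.
    """
    h = parse_headers(raw)
    date, expires = _http_date(h.get("date")), _http_date(h.get("expires"))
    return {
        "proxied": "via" in h,
        "via": h.get("via"),
        "content_type": h.get("content-type"),
        "last_modified": h.get("last-modified"),
        "expires_after_days": (expires - date).days if date and expires else None,
    }


if __name__ == "__main__":
    for label, sample in (("direct", SAMPLE_DIRECT_RESPONSE),
                          ("proxied", SAMPLE_PROXIED_RESPONSE)):
        print(label, classify_transfer(sample))
```

Note that this only reads the cleartext headers; as the page states, the file details still come from the UDP side for transfers whose TCP stream is SSL-encrypted, and for those this parser sees nothing usable.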