Return to Protocol Index

EarthStation 5 Description

EarthStation 5 is a relatively new client. It claims to be operating out of the West Bank, to avoid legal entanglements. We consider this client to be a high security risk for corporate customers, due to a problem in the original release with allowed remote deletion of files. There is some controversy over whether the company behind ES5 is linked to Steve Cohen, a convicted felon and fugitive (, although this is probably unwitting on the part of ES5.

The ES5 client has perhaps the most advanced feature set available for hiding activity. For instance, it can spread a download across multiple encrypting proxy servers. Non-encrypted sessions can be traced relatively easily, but encrypted activity generated by this client requires more sophisticated forms of traffic analysis or packet decoding.

With the exception of file transfers, and accessing web content for the client UI, all of the traffic generated by ES5 uses UDP, and is either encoded or encrypted. Unfortunately, it uses a lot of bandwidth. The first version we tested, 1.1.30, used 5 megabits for a single file search. On Dec 15, 2003, we tested the latest version (1.1.45), and bandwidth consumption was reduced to 1-2 megabits per search. TCP is used for file transfer. Like several other P2P protocols, the clients can run in active or passive mode. For active mode, the user needs to define a set of ports for inbound connections. In passive mode, the client will be unable to share files with other passive clients.

Firewall Settings: Static firewall rules are not likely to be effective. Given the built-in support for rotating proxies and encryption, detection is not an easy task, but nevertheless is possible. Likely methods for detecting the client include traffic analysis, or partial decoding of either the TCP or the UDP or packets. Since the TCP stream is encrypted using SSL, details about the file being transferred would need to be obtained from the UDP packets.

Note that P2P WatchDog does not decrypt the ES5 SSL stream, and does not attempt to collect information on the file being transferred. It merely identifies file transfer traffic as originating from ES5, so that it can be blocked.

Return to Protocol Index

EarthStation 5 Packet Library

(The packets are referred to by number. These packets can be downloaded from our library.)

Packet #40: Client opens a TCP channel to a peer, in sends a file request. Note that for some transfers this information will be encrypted.

GET /26445197/U2%20With%20or%20Without%20You.mp3 HTTP/1.0
connection: close
date: Tue, 07 Oct 2003 16:11:26 GMT
if-modified-since: 2209342679
referer: 2085624616

Packet #41: Request Response. This signifies the start of the file transfer.

HTTP/1.0 200 OK
Content-Location: QXJ0aXN0OiAKQWxidW06IApUaXRsZT...
Content-MD5: 180057920
Expires: Wed, 06 Oct 2004 16:13:37 GMT
From: 4737115
Title: 1065462834
connection: close
content-length: 4737115
content-range: 0-4737114/4737115
content-type: audio/mp3
date: Tue, 07 Oct 2003 16:13:37 GMT
last-modified: Mon, 06 Oct 2003 13:53:54 GMT


Packet #30: This is a request through a proxy. The target peer in this case is

connection: close
date: Wed, 08 Oct 2003 10:55:26 GMT
if-modified-since: 2248690615
referer: 2046276680


Packet #31: This is a response through a proxy.

HTTP/1.1 200 OK
Connection: close
content-length: 3463168
Expires: Thu, 07 Oct 2004 11:03:24 GMT
date: Wed, 08 Oct 2003 11:03:24
GMT content-type: audio/mp3
Content-Location: QXJ0aXN0OiBCcml0bmV5IFNwZ...
Content-MD5: 69085172
From: 3463168
Title: 1056237501
content-range: 0-3463167/3463168
last-modified: Sat, 21 Jun 2003 19:18:21 GMT


Return to Protocol Index