From 6eb1097177e1c973cbc51a102846e3513f728781 Mon Sep 17 00:00:00 2001 From: Rick Dicaire Date: Thu, 22 Jan 2026 19:02:57 -0500 Subject: [PATCH 1/7] 1st --- _posts/2026-01-22-Mitigate-Correlation.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 _posts/2026-01-22-Mitigate-Correlation.md diff --git a/_posts/2026-01-22-Mitigate-Correlation.md b/_posts/2026-01-22-Mitigate-Correlation.md new file mode 100644 index 000000000..4cda0b210 --- /dev/null +++ b/_posts/2026-01-22-Mitigate-Correlation.md @@ -0,0 +1,15 @@ +--- +layout: post +title: "Mitigating User Tracking Caused By Correlation Attack" +lang: "en" +author: "@rdica" +heading: "Mitigating User Tracking Caused By Correlation Attack" +--- + +By default the Jamulus protocol does not map usernames to IP addresses in any publicly available data. +However it is possible to execute a correlation attack to achieve user<‐>IP mapping. +This was first reported to Jamulus developers here: [https://github.com/orgs/jamulussoftware/discussions/3545](https://github.com/orgs/jamulussoftware/discussions/3545) + + + +## Scope From b9b4bb9958d3c8900563c86d3dc9b2c3444b9176 Mon Sep 17 00:00:00 2001 From: Rick Dicaire Date: Thu, 22 Jan 2026 19:17:50 -0500 Subject: [PATCH 2/7] 2nd --- _posts/2026-01-22-Mitigate-Correlation.md | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/_posts/2026-01-22-Mitigate-Correlation.md b/_posts/2026-01-22-Mitigate-Correlation.md index 4cda0b210..eeb652cea 100644 --- a/_posts/2026-01-22-Mitigate-Correlation.md +++ b/_posts/2026-01-22-Mitigate-Correlation.md @@ -2,7 +2,7 @@ layout: post title: "Mitigating User Tracking Caused By Correlation Attack" lang: "en" -author: "@rdica" +author: "rdica" heading: "Mitigating User Tracking Caused By Correlation Attack" --- 
@@ -10,6 +10,23 @@ By default the Jamulus protocol does not map usernames to IP addresses in any pu However it is possible to execute a correlation attack to achieve user<‐>IP mapping. This was first reported to Jamulus developers here: [https://github.com/orgs/jamulussoftware/discussions/3545](https://github.com/orgs/jamulussoftware/discussions/3545) - - ## Scope + +This document will attempt to summarize the problem, and provide mitigations for both users, and server admins. + +## The Problem - Pings and Join Events + +### Pings + +When a user attempts to connect to a server, they open the Connect dialog window. The client will **start** sending “pings” to every server listed in that genre to report delay latency (basically network distance) to those servers. + +Anyone running a server can capture those “pings” using tools like `tcpdump` or `tshark/wireshark` and view the IP addresses of the clients that are sending them. +**No username data is sent.** This is part of the Jamulus protocol, by design, to maintain a level of privacy and prevent others from finding the IP addresses of specific users. + +### Join Events + +A user will either select a server from the list, or type in a server address:port, click Connect or hit Enter, and the client will then attempt to connect to the server. At this point the client **stops** sending the “pings” and the client typically completes the connection to the server. + +Each genre has a directory server. The purpose of the directory server is to provide clients with a listing of servers registered to it, and the users connected to each server. This is public data, and viewed in the Connect dialog window, and available through a number of websites, like [https://explorer.jamulus.io](explorer.jamulus.io) or [https://jamulusjams.com](jamulusjams.com). + +Anyone can run an explorer instance. 
An explorer queries each genres directory server to get a list of servers, then queries each server directly to get a list of connected users. This is public data. **There is no IP address information on users, just the user profile data**. Again this is by design to prevent IP<‐>username mapping. This data can also be saved for later processing. From 61302508c9740eafd220ef196d0d4081eed37f08 Mon Sep 17 00:00:00 2001 From: Rick Dicaire Date: Thu, 22 Jan 2026 19:19:39 -0500 Subject: [PATCH 3/7] url --- _posts/2026-01-22-Mitigate-Correlation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2026-01-22-Mitigate-Correlation.md b/_posts/2026-01-22-Mitigate-Correlation.md index eeb652cea..1bef39b2f 100644 --- a/_posts/2026-01-22-Mitigate-Correlation.md +++ b/_posts/2026-01-22-Mitigate-Correlation.md 
@@ -27,6 +27,6 @@ Anyone running a server can capture those “pings” using tools like ` A user will either select a server from the list, or type in a server address:port, click Connect or hit Enter, and the client will then attempt to connect to the server. At this point the client **stops** sending the “pings” and the client typically completes the connection to the server. -Each genre has a directory server. The purpose of the directory server is to provide clients with a listing of servers registered to it, and the users connected to each server. This is public data, and viewed in the Connect dialog window, and available through a number of websites, like [https://explorer.jamulus.io](explorer.jamulus.io) or [https://jamulusjams.com](jamulusjams.com). +Each genre has a directory server. The purpose of the directory server is to provide clients with a listing of servers registered to it, and the users connected to each server. This is public data, and viewed in the Connect dialog window, and available through a number of websites, like [explorer.jamulus.io](https://explorer.jamulus.io) or [jamulusjams.com](https://jamulusjams.com). Anyone can run an explorer instance. An explorer queries each genres directory server to get a list of servers, then queries each server directly to get a list of connected users. This is public data. **There is no IP address information on users, just the user profile data**. Again this is by design to prevent IP<‐>username mapping. This data can also be saved for later processing. From fe2fde552fb3ae12d32ea382bb2fddcff7bd85db Mon Sep 17 00:00:00 2001 From: Rick Dicaire Date: Thu, 22 Jan 2026 19:44:07 -0500 Subject: [PATCH 4/7] updates --- _posts/2026-01-22-Mitigate-Correlation.md | 48 +++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/_posts/2026-01-22-Mitigate-Correlation.md b/_posts/2026-01-22-Mitigate-Correlation.md index 1bef39b2f..b152490b2 100644 --- a/_posts/2026-01-22-Mitigate-Correlation.md 
+++ b/_posts/2026-01-22-Mitigate-Correlation.md 
@@ -30,3 +30,51 @@ A user will either select a server from the list, or type in a server address:po Each genre has a directory server. The purpose of the directory server is to provide clients with a listing of servers registered to it, and the users connected to each server. This is public data, and viewed in the Connect dialog window, and available through a number of websites, like [explorer.jamulus.io](https://explorer.jamulus.io) or [jamulusjams.com](https://jamulusjams.com). Anyone can run an explorer instance. An explorer queries each genres directory server to get a list of servers, then queries each server directly to get a list of connected users. This is public data. **There is no IP address information on users, just the user profile data**. Again this is by design to prevent IP<‐>username mapping. This data can also be saved for later processing. + +### Correlation Attack + +Anyone can run servers **and** explorer instances. +Using IPs captured by a server, one can correlate **when an IP address stops pinging** (ie; just connected to a server) and **when a new client joined a server** (username data from explorer query directly to a jamulus server) to produce an IP<‐>username mapping. The IP address can then be processed to provide geolocation data. From this one can determine the location of a specific user. + +## The Current Correlation Attack (as of 20260122) + +### Listeners + +There are seven servers on public Jamulus space, one in each genre. They are named ***Duet***, and have a userlimit set at two. They all share the same IP and each sit on different ports. +These servers are “listening” for pings from clients, and packet capturing them to get the IP addresses of users clients. 
+ +``` +Genre Name IP:port + +Any Genre1 Duet 24.199.107.192:22121 +Any Genre2 Duet 24.199.107.192:22122 +Any Genre3 Duet 24.199.107.192:22123 +Rock Duet 24.199.107.192:22124 +Jazz Duet 24.199.107.192:22125 +Classical/Folk Duet 24.199.107.192:22126 +Choral/Barbershop Duet 24.199.107.192:22127 +``` + +### User Data + +There is an explorer instance collecting lists of servers and users running from **`137.184.43.255`** +IP addresses of users collected from the listeners are being correlated with join events derived from the explorer instance to produce IP<‐>username mappings. IP addresses are processed to provide geolocation data of users. This geolocation data is being collected **and** displayed without express permission of users, and with no means to opt in or out. + +**This data is also being fed into AI for various analyses**, again with no express permission, and no means to opt in or out. + +## Mitigations + +### Clients + +When you open the Connect dialog window your client starts sending pings to every server in the list. **`24.199.107.192`** is the IP address of one of those servers. A server using **`24.199.107.192`** exists on each genre, their names are ***Duet***. +Blocking outgoing **UDP** traffic on your DAW or router to **`24.199.107.192`** will prevent the listeners from collecting your IP address and break the correlation attack. This will help prevent you from being tracked. + +### Server Admins + +Server admins can contribute to helping prevent user tracking by blocking the explorer probe. +If you run a server on the jamulus public network, it is currently being indexed by the explorer instance on **`137.184.43.255`** +Blocking incoming **UDP** traffic from **`137.184.43.255`** will prevent the explorer from indexing your server and breaks the correlation attack. This will protect users on your server from being tracked while they use it. 
+ +--- + +Updated information can be found here: [https://jamulusjams.com/block-user-tracking.html](https://jamulusjams.com/block-user-tracking.html) From 1be9eee44b7a9e96459d92ccf1a2f34e37c7aadf Mon Sep 17 00:00:00 2001 From: Rick Dicaire Date: Thu, 22 Jan 2026 19:57:44 -0500 Subject: [PATCH 5/7] more --- _posts/2026-01-22-Mitigate-Correlation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_posts/2026-01-22-Mitigate-Correlation.md b/_posts/2026-01-22-Mitigate-Correlation.md index b152490b2..8a51ab6d9 100644 --- a/_posts/2026-01-22-Mitigate-Correlation.md +++ b/_posts/2026-01-22-Mitigate-Correlation.md @@ -10,6 +10,8 @@ By default the Jamulus protocol does not map usernames to IP addresses in any pu However it is possible to execute a correlation attack to achieve user<‐>IP mapping. This was first reported to Jamulus developers here: [https://github.com/orgs/jamulussoftware/discussions/3545](https://github.com/orgs/jamulussoftware/discussions/3545) + + ## Scope This document will attempt to summarize the problem, and provide mitigations for both users, and server admins. From 0023b5e9c32b2064d752365117b7964ae3d21c09 Mon Sep 17 00:00:00 2001 From: Rick Dicaire Date: Thu, 22 Jan 2026 20:00:46 -0500 Subject: [PATCH 6/7] breaks --- _posts/2026-01-22-Mitigate-Correlation.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/_posts/2026-01-22-Mitigate-Correlation.md b/_posts/2026-01-22-Mitigate-Correlation.md index 8a51ab6d9..ed52705da 100644 --- a/_posts/2026-01-22-Mitigate-Correlation.md +++ b/_posts/2026-01-22-Mitigate-Correlation.md 
@@ -68,13 +68,15 @@ IP addresses of users collected from the listeners are being correlated with joi ### Clients -When you open the Connect dialog window your client starts sending pings to every server in the list. **`24.199.107.192`** is the IP address of one of those servers. A server using **`24.199.107.192`** exists on each genre, their names are ***Duet***. +When you open the Connect dialog window your client starts sending pings to every server in the list. **`24.199.107.192`** is the IP address of one of those servers. A server using **`24.199.107.192`** exists on each genre, their names are ***Duet***. + Blocking outgoing **UDP** traffic on your DAW or router to **`24.199.107.192`** will prevent the listeners from collecting your IP address and break the correlation attack. This will help prevent you from being tracked. ### Server Admins Server admins can contribute to helping prevent user tracking by blocking the explorer probe. -If you run a server on the jamulus public network, it is currently being indexed by the explorer instance on **`137.184.43.255`** +If you run a server on the jamulus public network, it is currently being indexed by the explorer instance on **`137.184.43.255`** + Blocking incoming **UDP** traffic from **`137.184.43.255`** will prevent the explorer from indexing your server and breaks the correlation attack. This will protect users on your server from being tracked while they use it. --- From e245c3166bd52fe4a317658a0a096ed601d80307 Mon Sep 17 00:00:00 2001 From: Rick Dicaire Date: Mon, 2 Feb 2026 11:10:30 -0500 Subject: [PATCH 7/7] updates --- _posts/2026-01-22-Mitigate-Correlation.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/_posts/2026-01-22-Mitigate-Correlation.md b/_posts/2026-01-22-Mitigate-Correlation.md index ed52705da..3e6055044 100644 --- a/_posts/2026-01-22-Mitigate-Correlation.md +++ b/_posts/2026-01-22-Mitigate-Correlation.md 
@@ -1,13 +1,13 @@ --- layout: post -title: "Mitigating User Tracking Caused By Correlation Attack" +title: "Privacy: Mitigating User Tracking By Third Parties" lang: "en" author: "rdica" -heading: "Mitigating User Tracking Caused By Correlation Attack" +heading: "Privacy: Mitigating User Tracking By Third Parties" --- By default the Jamulus protocol does not map usernames to IP addresses in any publicly available data. -However it is possible to execute a correlation attack to achieve user<‐>IP mapping. +However it is possible to correlate connections to servers to achieve user<‐>IP mapping. This was first reported to Jamulus developers here: [https://github.com/orgs/jamulussoftware/discussions/3545](https://github.com/orgs/jamulussoftware/discussions/3545) @@ -33,12 +33,12 @@ Each genre has a directory server. The purpose of the directory server is to pro Anyone can run an explorer instance. An explorer queries each genres directory server to get a list of servers, then queries each server directly to get a list of connected users. This is public data. **There is no IP address information on users, just the user profile data**. Again this is by design to prevent IP<‐>username mapping. This data can also be saved for later processing. -### Correlation Attack +### Correlation Anyone can run servers **and** explorer instances. Using IPs captured by a server, one can correlate **when an IP address stops pinging** (ie; just connected to a server) and **when a new client joined a server** (username data from explorer query directly to a jamulus server) to produce an IP<‐>username mapping. The IP address can then be processed to provide geolocation data. From this one can determine the location of a specific user. -## The Current Correlation Attack (as of 20260122) +## Current Correlation (as of 20260202) ### Listeners 
@@ -70,14 +70,14 @@ IP addresses of users collected from the listeners are being correlated with joi When you open the Connect dialog window your client starts sending pings to every server in the list. **`24.199.107.192`** is the IP address of one of those servers. A server using **`24.199.107.192`** exists on each genre, their names are ***Duet***. -Blocking outgoing **UDP** traffic on your DAW or router to **`24.199.107.192`** will prevent the listeners from collecting your IP address and break the correlation attack. This will help prevent you from being tracked. +Blocking outgoing **UDP** traffic on your DAW or router to **`24.199.107.192`** will prevent the listeners from collecting your IP address and breaks correlation. This will help prevent you from being tracked. ### Server Admins Server admins can contribute to helping prevent user tracking by blocking the explorer probe. If you run a server on the jamulus public network, it is currently being indexed by the explorer instance on **`137.184.43.255`** -Blocking incoming **UDP** traffic from **`137.184.43.255`** will prevent the explorer from indexing your server and breaks the correlation attack. This will protect users on your server from being tracked while they use it. +Blocking incoming **UDP** traffic from **`137.184.43.255`** will prevent the explorer from indexing your server and breaks correlation. This will protect users on your server from being tracked while they use it. ---
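
Review bot: In PATCH 2/7, the "Join Events" text contradicts itself about where user lists come from, and the Server Admins mitigation added in PATCH 4/7 depends on the answer. One paragraph says the directory server provides "a listing of servers registered to it, and the users connected to each server"; the next says an explorer "queries each server directly to get a list of connected users". If the directory itself returned user lists, blocking the explorer at an individual server would not stop it from seeing who is connected. Please reword the directory paragraph so it is clear that user lists are only obtained from each server directly, if that is the case. Two small fixes in the same hunk: "each genres directory server" needs an apostrophe ("genre's"), and "delay latency" can be just "latency".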
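
Review bot: In PATCH 4/7, the "Mitigations" section only blocks the two addresses named in the post, while the "Correlation Attack" section added by the same hunk says "Anyone can run servers **and** explorer instances". A reader who applies both blocks is protected against this one listener and this one explorer only, and only until either moves to another address. Please say so in the Mitigations text and move the "Updated information can be found here" link up into that section so readers check for current addresses before relying on the block. In the Clients paragraph, "on your DAW or router" should name the machine that runs the Jamulus client, since that is where the outgoing rule has to apply. The sentence "**This data is also being fed into AI for various analyses**" has no supporting link; add one or link the discussion that documents it. Wording: "ie;" should be "i.e.," and "users clients" should be "users' clients".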
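
Review bot: In PATCH 6/7, the two replaced lines (the "When you open the Connect dialog window" line and the "If you run a server on the jamulus public network" line) read identically before and after, so the change to them appears to be trailing whitespace only. The same hunk also adds a blank line after each, which already starts a new paragraph in Markdown, so the trailing whitespace is redundant and easy for an editor to strip later. Suggest keeping only the added blank lines and leaving the two text lines untouched. The second line still ends without a full stop after **`137.184.43.255`**.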
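
Review bot: In PATCH 7/7, second hunk, the heading date moves to "(as of 20260202)" but nothing else in the visible series touches the listener table or the two addresses, so a reader cannot tell whether they were re-verified on that date or only the label changed. Suggest stating in the section body that the listeners and the explorer address were confirmed still active on that date, and writing it as 2026-02-02 to match the date format of the post filename. The first hunk of the same patch retitles the post to "Privacy: Mitigating User Tracking By Third Parties" while the file stays 2026-01-22-Mitigate-Correlation.md; that is fine if the URL should stay stable, but worth a line in the commit message, which currently reads only "updates".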
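
Review bot: In PATCH 7/7, last hunk, both rewritten sentences now read "will prevent ... and breaks correlation", which mixes "will prevent" with "breaks". The Clients sentence was grammatical before this patch ("and break the correlation attack"); dropping the word "attack" should leave "and break correlation". Apply the same form to the Server Admins sentence, which had "breaks" already in PATCH 4/7. "jamulus public network" in the unchanged context line should be capitalised as "Jamulus" to match the rest of the post.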