Document Correlation Attack by rdica · Pull Request #1116 · jamulussoftware/jamuluswebsite

rdica · 2026-01-25T16:41:37Z

Short description of changes
Provides knowledge base entry to document current correlation attack in progress, and provides mitigations for clients and servers.

Context: Fixes an issue? Related issues

Relates to https://github.com/orgs/jamulussoftware/discussions/3545

Status of this Pull Request

What is missing until this pull request can be merged?

Does this need translation?

Checklist

I've verified that this Pull Request follows the general code principles
I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
I'm sure that this Pull Request goes to the correct branch

ann0see

I'd frame it more neutral as some users might want to be tracked to use the service.

I'd like to have a neutral review by @mcfnord

mcfnord · 2026-02-04T08:30:36Z

I believe this is technically called a side-channel attack rather than a correlation attack.

mcfnord · 2026-02-14T04:10:46Z

The FAQ at https://jamulus.live now says:

Q: Does this web page collect data? What happens to the data?
A: This web page collects details about users on public Jamulus servers, including IP addresses. The IP addresses are never shared, and are erased after 15 days. As a public service, this web page associates a geographic region with each IP address. This web page complies with GDPR, Europe's privacy law.

To prevent details about servers you join from being shared with this web page, block outgoing UDP traffic to 24.199.107.192 using your router or computer firewall.
To prevent details about musicians that join your server from being shared, block incoming UDP traffic from 137.184.43.255. If you do this, your server will not appear on this web page.

Co-authored-by: ann0see <20726856+ann0see@users.noreply.github.com>

This reverts commit 35d74a5.

mcfnord · 2026-06-15T02:13:57Z

+### Server Admins
+
+Server admins can decide to prevent user tracking by blocking the explorer probe.  
+If you run a Server on the Jamulus public network, it is currently being indexed by the explorer instances on **`137.184.43.255`**, and **`134.199.209.51`**.


134.199.209.51 is not an explorer instance, and correlation only occurs on 137.184.43.255. I see how they probably look similar, and one might think there are two explorer instances involved. In harvest.cs, client metadata is collected immediately before level nibbles, and I refresh server cards with this signal, but all correlation occurs in the 137.x.x.x instance and nowhere else.

Rick Dicaire added 6 commits January 22, 2026 19:02

1st

6eb1097

2nd

b9b4bb9

url

6130250

updates

fe2fde5

more

1be9eee

breaks

0023b5e

ann0see reviewed Feb 2, 2026

View reviewed changes

Comment thread _posts/2026-01-22-Mitigate-Correlation.md Outdated

Comment thread _posts/2026-01-22-Mitigate-Correlation.md Outdated

updates

e245c31

ann0see requested changes Feb 3, 2026

View reviewed changes