Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ratio Vulnerability in BitTorrent Discovered

Posted by CmdrTaco on from the well-thats-always-annoying dept.

An anonymous reader writes "The "vulnerability" has been tested on all the major torrent trackers that use the torrentbits source code. The idea is that you will sniff your torrent info using the HTTP Analyzer and with Firefox you will update your stats to the tracker being identified as a client."

6 of 252 comments (clear)

  1. Nothing new by gagge · · Score: 5, Informative

    Seriously, I thought this was already widely known. All info from the client to the tracker is sent with basic HTTP GET requests. You could fake your ratio with a simple php script. Well, maybe even by just typing the info in your web browser, however I think the urlencoding would be a problem.

  2. This is not a vulnerability.. by kryptkpr · · Score: 4, Informative

    This is not a vulnerability .. it's by design.

    The statistics reported to the tracker by the client were never meant to be used for things like enforcing ratios because they TRUST THE CLIENT. But there's simply no other way to collect statistics such as amount uploaded.. if the client lies to you (which is what this "vulerability" is exposing), there is little you can do to protect yourself.

    It's TRIVIAL (a 1 line change, or if you want to make it a parameter, a 4 line change) to modify any python open source client such that it 'amplifies' the ammount you upload by 10x or 100x. Then you don't need to do any HTTP sniffing, your client can just lie for you.

    Now, there is a way to block this author's method because he doesn't amplify the upload, he creates a step-change in the upload ammount (which can be caught on the server side.. if it's been the same ammount of time since the last check-in, but suddenly his cumulative upload ammounts tripled, you're likely being abused). However, using my 'amplifying' trick from above, this is much trickier to detect. Perhaps you measure the client's upload speed on the website and record it to the database, maybe even double it just to be safe.. so you KNOW this client can only do 60 k/sec or whatever. Then when the client reports in stats, you take the time since the last check-in and you calculate his approxomate 'instantenous' rate. If this rate is higher then the upload rate you previously decided was this client's ceiling, then he's lying to you.

    The above method is not foolproof, but it would likely be better then the nothing we have now. It was really only a matter of time this surfaced.. and I'm amazed it took this long.

    --kRYPT
    (author of burst! and MakeTorrent)

    --
    DJ kRYPT's Free MP3s!
  3. This is old old old old old by OverlordQ · · Score: 4, Informative

    This is nothing new, there's been client hacks for this for quite a while (http://www.00de.com/), there's also been ratio faking programs out for quite a while as well. So I really dont see anything additional that this 'xyflar' guy has added besides posting what's been known to pretty much every torrent user as well as pretty much every torrent site that uses ratios.

    --
    Your hair look like poop, Bob! - Wanker.
  4. obviousness, and where the vulnerability really is by SuperBanana · · Score: 5, Informative
    As much as many people will ask if disclosure was a good idea in this case, it's important to remember that if one person can find this vulnerability and make it public, an unknown number of people could have found it and be making use of it in the background.

    Anyone who has even so much as glanced at the protocol specification can see that the client is trusted to return an accurate count for how much it has uploaded. This wasn't a "disclosure" or a "vulnerability announcement"- it was a statement of the patently obvious.

    The problem is not with BitTorrent. The problem is with BitTorrent trackers and sites which trust that value returned by the client. There are dozens of open-source clients, including the original- and all it takes is adding one operation that multiplies the real upload by whatever number you desire.

    The functionality of BitTorrent depends on clients seeding copies of the file back into the network after having downloaded, and a vulnerability like this in a significant amount of trackers could easily cause serious damage to the operation of many torrents.

    How did this pseudo-intellectual first-post get modded insightful? You clearly don't understand how the BitTorrent network is designed. Clients evaluate only how much data they receive directly from another client, and how fast. Nothing else factors into their decisions of who to upload. There is absolutely NO mechanism for the client to query the server to see how much you've uploaded, nor is there even a way to ask other clients. Why? Because both sources would be unreliable. Each client CAN only rely on direct "experience", unless they're engaging in a reputation system of their own hacking- if they are, best of luck to them, Bram wasn't an idiot for not trying that.

    The "vulnerability" only affects trackers which "enforce" an upload ratio, and only to the extent of letting people bypass that ratio. Ratios is a concept that is pretty stupid with BitTorrent. The more you push back, the more you get, unless there is plenty of bandwidth. About the only "benefit" I see to ratios is that it might keep files available with seeds longer.

    I hear a lot of crying about leechers on BitTorrent, but the network is self-regulating. Don't upload? You won't get much back. I think the perceived problem is also because reporting of the stats is unreliable- in the case of Azureus, for example, I can download a big file, upload 3x as much, and then if I get a connection error when my client stops, I "loose" all that uploading. I then look like a leecher, when it is exactly the opposite.

    --
    Please help metamoderate.
  5. Re:Neccessary Exposure by OverlordQ · · Score: 4, Informative

    This only effects sites that use ratios for things like "VIP Status" or Auto-Bans, without hacking the client as well you wont be able to fool the other clients to send you data if you dont send them data.

    --
    Your hair look like poop, Bob! - Wanker.
  6. Re:Why a vulnerability by joto · · Score: 4, Informative
    Well it seems that this could completely demolish the protocol. If everyone used this and then set their upload to the minimum (what, 1kbps?) it would take forever and a day to get files from Bittorrent.

    No, it wouldn't. The only thing this has any effects on, are tracker stats.

    Bittorrent clients upload to who uploads most to them. And then they add a certain amount of randomness so that they get to try different peers. They don't care about the stats from the tracker, and neither should they, as they can be easily forged anyway (just change a line in your favourite bittorrent client and recompile).

    If the bittorrent protocol was so brittle as to care about easily forged information, it would never have worked as open source software anyway.

    So why do people care about trackers stats? Well, some people like to publish them (e.g. to make leechers ashamed). Some are nazis, and want to block leechers from their trackers. And some go beyond nazis, and want to block multi-tracker clients, etc, because it disturbs their tracker stats. This "vulnerability" is only a vulnerability to the two last groups...