Ratio Vulnerability in BitTorrent Discovered
An anonymous reader writes "The "vulnerability" has been tested on all the major torrent trackers that use the torrentbits source code. The idea is that you will sniff your torrent info using the HTTP Analyzer and with Firefox you will update your stats to the tracker being identified as a client."
Was it really a good thing to make this public?
Won't this cause a new wave of leechers?
A lot of trackers are built on torrentbits.
The way I look at it is this:
Step 1. Load site logs
Step 2. Do a search for these entries
Step 3. Ban any cheaters
I'm sure it should be pretty easy to tell fake entries from real ones, as I'm guessing that the tracker software, with a known IP address, is the only thing that should be accessing that URL.
Seems kinda dumb that BT trackers rely on the clients to honestly report their ratios/upload amounts. Is it just this tracker implementation, or does the BT protocol work that way?
IIRC the ed2k network had a similar issue in its infancy, nowadays (with eMule anyway) "upload credit" is maintained as a relationship between each client (i.e. I know how much a person has sent to me, so I know how much I should reward them in my upload queue) -- no potential for abuse that way.
But there's simply no other way to collect statistics such as amount uploaded.
Why not ask the other peers?
Instead of having every client tell the tracker how much it's uploaded, have each client tell the tracker how much it's downloaded from each of its peers and extract the other peers' upload rates from that data.
At least that way you need a conspiracy of multiple clients to fake a high upload rate. Combined with only allowing one client per torrent per IP, this could prevent a single machine from providing false upload data.
I see 3 problems with your proposal:
1) I'm not sure if it's fair to impose a one client per torrent per IP rule.. sometimes NATs (I'm thinking universities here) can be pretty big, encompassing thousands of machines.
2) The original problem (trusting the client) has not been solved. Instead of trusting the client to report its own statistics, you now trust it to report someone else's. Nothing stops several (2 or 3) clients from corroborating. They could refuse to connect to any client they don't know will lie for them, and then easily amplify their upload by 1000000x and their partners in crime will corroborate their story. This wouldn't need to be done very often, just when you feel like boosting your ratio.
3) This would add quite a bit of overhead to tracker requests; you now have to report statistics for every peer you're connected to.. and this could be hundreds of peers. Many trackers are bandwidth-strapped already.
I tend to use public sites that don't keep track of ratios of individuals--honor system and all that--and I still always try to keep at least a 1.0 on all torrents; many of them usually end up at 2.0 ~ 3.0 just because ratios build up very quickly on popular torrents overnight on broadband connections.
It seems from the posts that the BT community has known about this for a while and it really doesn't seem to matter too much. Most downloaders who have at least a basic understanding of how torrents work will keep those downloads going 'cause it's just a nice thing to do.
Easy way to get your ratio up is to join a site that only allows you two slots on the tracker at first. Either download two small files and seed them or upload two of your own torrents and stay connected to the tracker so you are using your two tracker slots.
Using Azureus (or any client which stores peer IPs), stop one of your seeding files and connect to a large file you want to download; let your client pick up some IPs, or wait until you are getting the file at a decent speed.
Now stop your download and begin seeding again. When you restart your download you will connect to the clients and your download will be resumed, but the tracker will not be updated with the data you are downloading. AFAIK users who you are leeching off will still be given credit for all the data you upload.
Worked on elite torrents and some of the sites I use now.
Since when is Firefox a more appropriate term for HTTP than HTTP?
Being a former BT tracker admin, we knew of this well over a year ago.
Just download the original client and change the source code if you want to automate the process.
By the way, I'm talking about smallish torrent sites (<50,000 users or so) where the account turnover is low enough that new users can be noticed by mod staff. Huge sites with six figure userbases and hundreds of signups a day would obviously be much easier to cheat on.
I can use two clients to abuse upload ratios even without hacking the clients or the data they send. All I have to do is find a reasonably small torrent (15-20 or so clients max) where I have a good chance of one client being requested to send data to the other, and put them on the same Ethernet segment, the faster the better, and turn off any bandwidth limits. They don't even have to have the same real IP address (I get five addresses on my DSL, and normally use three).
Once one client starts sending to the other, the upload rate goes sky-high, giving you lots of karma with the tracker. If the receiving client is asked to report its download rate, it will even agree. Again, standard client, no hacking involved.
That being said, years ago I heard of hacked clients where, the moment they appear, suddenly everyone else's download rate flatlines (seen from a client in the torrent that shows everybody's stats), as everybody's client starts sending data to the leech. Then once they've leeched the file, they disconnect immediately.
It is very, very, very easy to detect cheaters on private torrent sites -- which are the only sites where ratios really matter anyway.
Globally, across an entire torrent, the amount of data uploaded can't be greater than the amount downloaded. Think about it for more than three seconds and it's rather obvious. Every single client reports their usage to the tracker. Every byte you upload must have been downloaded by another client, who also reports their usage.
And hash fails are counted as downloads by the client, so that's not a factor.
If the torrent admin looks through a torrent and sees Joe Cheater claiming to have uploaded 3.6GB, and it just so happens that the amount uploaded is 3.6GB more than that downloaded...it's not hard to work out who's spoofing their stats.
Granted, the situation becomes worse when multiple people are cheating, but it's not too hard to track users who are on multiple torrents and pick out usernames who always appear to be on the torrents with the discrepancies.
I've seen it happen on private sites before, and it will happen again.
The short answer is -- you can fudge your stats all you want. But unless you can find a way to fudge someone else's stats to minus the discrepancy, you'll get caught. And rightly so.
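As an added example (not code from the thread or from any tracker project), the following Python sketch implements both detection ideas raised above: the per-torrent conservation check from this post (claimed upload across a swarm cannot exceed claimed download, so whoever's upload matches the surplus is the spoofer, and repeat appearances across torrents narrow it down), and the peer-corroboration idea from the earlier "why not ask the other peers?" post. The announce records are constructed sample data, and the record layout ("up", "down", "from") is an assumption rather than any real tracker's schema. Torrent "t3" is built to show the rebuttal's collusion case: a partner who vouches for the cheater defeats both checks.

```python
"""Ratio-consistency checks over constructed tracker announce totals."""
from collections import defaultdict

# Constructed sample data (not real tracker logs). Each record is the final
# totals one user reported for one torrent, plus an optional per-peer
# breakdown of how many bytes it says it downloaded from each peer.
ANNOUNCES = [
    # t1: honest swarm, bytes balance and every upload is vouched for
    {"torrent": "t1", "user": "alice", "up": 4_000, "down": 1_000, "from": {"bob": 1_000}},
    {"torrent": "t1", "user": "bob",   "up": 1_000, "down": 4_000, "from": {"alice": 4_000}},
    # t2: "joe" claims 3_600 bytes uploaded that nobody downloaded
    {"torrent": "t2", "user": "alice", "up": 2_000, "down": 500,   "from": {"bob": 500}},
    {"torrent": "t2", "user": "bob",   "up": 500,   "down": 2_000, "from": {"alice": 2_000}},
    {"torrent": "t2", "user": "joe",   "up": 3_600, "down": 0,     "from": {}},
    # t3: collusion -- "cal" reports downloading exactly what joe claims
    {"torrent": "t3", "user": "joe",   "up": 10_000, "down": 0,      "from": {}},
    {"torrent": "t3", "user": "cal",   "up": 0,      "down": 10_000, "from": {"joe": 10_000}},
    # t4: joe spoofs again on a different torrent
    {"torrent": "t4", "user": "alice", "up": 1_000, "down": 0,     "from": {}},
    {"torrent": "t4", "user": "bob",   "up": 0,     "down": 1_000, "from": {"alice": 1_000}},
    {"torrent": "t4", "user": "joe",   "up": 5_000, "down": 0,     "from": {}},
]


def torrent_discrepancies(announces):
    """Per torrent: sum(up) - sum(down). A positive value is the number of
    bytes claimed as uploaded that no client claims to have downloaded."""
    up, down = defaultdict(int), defaultdict(int)
    for a in announces:
        up[a["torrent"]] += a["up"]
        down[a["torrent"]] += a["down"]
    return {t: up[t] - down[t] for t in up}


def suspects_by_discrepancy(announces):
    """Map user -> torrents on which that user's claimed upload alone is
    large enough to account for the torrent's surplus."""
    surplus = torrent_discrepancies(announces)
    flagged = defaultdict(list)
    for a in announces:
        s = surplus[a["torrent"]]
        if s > 0 and a["up"] >= s:
            flagged[a["user"]].append(a["torrent"])
    return dict(flagged)


def repeat_suspects(announces, min_torrents=2):
    """Users flagged on at least min_torrents distinct torrents, as
    (user, count) pairs; one discrepancy may be noise, several are a pattern."""
    flagged = suspects_by_discrepancy(announces)
    return sorted((u, len(ts)) for u, ts in flagged.items() if len(ts) >= min_torrents)


def peer_attested_upload(announces):
    """(torrent, user) -> bytes that OTHER users say they downloaded from user."""
    attested = defaultdict(int)
    for a in announces:
        for peer, n in a["from"].items():
            attested[(a["torrent"], peer)] += n
    return attested


def uncorroborated_uploads(announces):
    """(torrent, user) -> self-reported upload bytes not backed by any
    peer's download report. Colluding peers can still vouch for each other."""
    attested = peer_attested_upload(announces)
    return {
        (a["torrent"], a["user"]): a["up"] - attested[(a["torrent"], a["user"])]
        for a in announces
        if a["up"] > attested[(a["torrent"], a["user"])]
    }


if __name__ == "__main__":
    print("surplus per torrent:", torrent_discrepancies(ANNOUNCES))
    print("flagged by conservation:", suspects_by_discrepancy(ANNOUNCES))
    print("repeat offenders:", repeat_suspects(ANNOUNCES))
    print("uncorroborated upload:", uncorroborated_uploads(ANNOUNCES))
```

Run stand-alone, it flags joe on t2 and t4 by both checks, while t3 passes both: the surplus there is zero because cal's claimed download cancels joe's claimed upload, and cal's per-peer report vouches for every byte. That is exactly the limitation the "I see 3 problems" reply points out, and why the conservation view is best paired with the cross-torrent repeat count rather than used alone.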
Ratios are a concept that is pretty stupid with BitTorrent.
Right, stupid as in "people routinely saturate their downstream when ratio is enforced because everyone keeps seeding after having downloaded" and as opposed to smart, non-ratio trackers as in "people often get crappy speeds especially when they're on asymmetric connections because everyone kills the client after having downloaded the file".
BT is kind of self-regulating: upload more and you download more. But the self-regulation only goes so far and offers no incentive whatsoever to actually seed files. Since a vast majority of the peers are on asymmetric links (e.g. ADSL), there obviously is a need for pure seeds to keep network speed at a high level, because otherwise the maximum network speed would be limited by the total upload speed of the asymmetric links.
You just give it the torrent, how much to "upload" and how much to wait between start and stop updates.
It's in SVN on my home PC, so it may not stay there for long if you abuse my DSL.
Just go where you want to install it and type:
svn co svn://arcanum.homelinux.org/cheatbt cheatbt
Please, no complaints about the code... i know :)
If anyone gets hauled to court over their use of BT and these "amount shared" statistics are used as evidence against them, having the data be easily forged should help the defendant.
So, what do these nazis do to people whose client is sitting there, waiting to upload and give back the bandwidth they've used but who aren't being asked for anything? I've sometimes left my client running for hours after finishing a download and not sent back a single piece because nobody's asking for it. Does that make me a leech?