Slashdot Mirror
Ratio Vulnerability in BitTorrent Discovered
An anonymous reader writes "The "vulnerability" has been tested on all the major torrent trackers that use the torrentbits source code. The idea is that you will sniff your torrent info using the HTTP Analyzer and with Firefox you will update your stats to the tracker being identified as a client."
Was it really a good thing to make this public?
Won't this cause a new wave of leechers?
A lot of trackers are built on torrentbits.
Have you metaroderated recently?
now this. I can't believe it, my world is falling apart!
Unpretentious Sydney reviews by unqualified Sydney reviewers
I can't wait to see my pornbits ratios go through the roof! j/k
http://xyflar.blogspot.com.nyud.net:8090/
Guess now I really have to start seeding files. Thank you for spoiling it for me.
There are any number of parties who will headline "Vulnerability in BitTorrent!" and cound on most readers never bothering to get the facts.
Lacking <sarcasm> tags,
As much as many people will ask if disclosure was a good idea in this case, it's important to remember that if one person can find this vulnerability and make it public, an unknown number of people could have found it and be making use of it in the background. The functionality of BitTorrent depends on clients seeding copies of the file back into the network after having downloaded, and a vulnerability like this in a significant amount of trackers could easily cause serious damage to the operation of many torrents.
Business Voyeur
The way I look at it is this:
Step 1. Load site logs
Step 2. Do a search for these entries
Step 3. Ban any cheaters
I'm sure this it should be pretty easy to tell fake entries from real ones as I'm guessing that the tracker software, with a known IP address, is the only thing that should be accessing that url.
Seems kinda dumb that BT trackers rely on the clients to honestly report their ratios/upload amounts. Is it just this tracker implementation, or does the BT protocol work that way?
IIRC the ed2k network had a similar issue in its infancy, nowadays (with eMule anyway) "upload credit" is maintained as a relationship between each client (i.e. I know how much a person has sent to me, so I know how much I should reward them in my upload queue) -- no potential for abuse that way.
for promoting FF, but one of the steps in that list should be: set FF as the default browser ;)
You can't handle the truth.
Seriously, I thought this was already widely known. All info from the client to the tracker is sent with basic HTTP GET requests. You could fake your ratio with a simple php script. Well, maybe even by just typing the info in your web browser, however I think the urlencoding would be a problem.
This is not a vulnerability .. it's by design.
The statistics reported to the tracker by the client were never meant to be used for things like enforcing ratios because they TRUST THE CLIENT. But there's simply no other way to collect statistics such as amount uploaded.. if the client lies to you (which is what this "vulerability" is exposing), there is little you can do to protect yourself.
It's TRIVIAL (a 1 line change, or if you want to make it a parameter, a 4 line change) to modify any python open source client such that it 'amplifies' the ammount you upload by 10x or 100x. Then you don't need to do any HTTP sniffing, your client can just lie for you.
Now, there is a way to block this author's method because he doesn't amplify the upload, he creates a step-change in the upload ammount (which can be caught on the server side.. if it's been the same ammount of time since the last check-in, but suddenly his cumulative upload ammounts tripled, you're likely being abused). However, using my 'amplifying' trick from above, this is much trickier to detect. Perhaps you measure the client's upload speed on the website and record it to the database, maybe even double it just to be safe.. so you KNOW this client can only do 60 k/sec or whatever. Then when the client reports in stats, you take the time since the last check-in and you calculate his approxomate 'instantenous' rate. If this rate is higher then the upload rate you previously decided was this client's ceiling, then he's lying to you.
The above method is not foolproof, but it would likely be better then the nothing we have now. It was really only a matter of time this surfaced.. and I'm amazed it took this long.
--kRYPT
(author of burst! and MakeTorrent)
DJ kRYPT's Free MP3s!
I've been studying BT for over a year now, and this problem is very obvious and well-known. So, anyone who claims that they shouldn't have posted this because it's going to kill BT is wrong. They shouldn't have posted it because it's obvious to anyone who reads the BT protocol. You can just modify the source code and send a random real from zero to one, plus one, times however much you've downloaded and you've got a share ration between 1 and 2. Simple.
The simplest and best solution to this problem is the one that idiots (especially BT client developers like Bram Cohen and the Azureus dev team) tend to dislike the most: instead of forcing people to be cooperative by enforcing seeding requirements either in the client or at the trackers, simply recognize that swarming creates an inherently competetive environment, as everyone is really only concerned about their download and SHOULD only be concerned about their download, and let people use the most unscrupulous tactics they can think of to game the system. The way it will play out is that people will end up with a share ratio close to 1. The swarms become like little free markets: if you have a valuable piece, you can agree to trade for a lot of data. If someone breaks their agreement, you ban their IP address for a while. If you're willing to upload twice as much as you request from others, EVERYONE will want to trade with you.
If you do the math and economic analysis, everyone ends up trading on a 1 for 1 ratio, seeds only have to upload when there's very few peers (they simply require 2 bits from you for every bit they upload, that way people will only rely on seeds if they can't get a piece any other way, specifically, if the availability of the piece is zero), and no one other than the individual or group publishing the data needs to seed. BT was never meant (whether Bram Cohen realizes this or not) to shift the responsibility of serving from the publisher to the clients, it was meant to reduce the amount of bandwidth needed to publish data.
The current system is like socialism. It needs to become more like capitalism, and I'm not even a laissez-faire capitalist! Why no one realizes this is beyond me.
So please grow up and contribute to torrent communities, it's not difficult and it makes everything work better in the end.
This is nothing new, there's been client hacks for this for quite a while (http://www.00de.com/), there's also been ratio faking programs out for quite a while as well. So I really dont see anything additional that this 'xyflar' guy has added besides posting what's been known to pretty much every torrent user as well as pretty much every torrent site that uses ratios.
Your hair look like poop, Bob! - Wanker.
Anyone who has even so much as glanced at the protocol specification can see that the client is trusted to return an accurate count for how much it has uploaded. This wasn't a "disclosure" or a "vulnerability announcement"- it was a statement of the patently obvious.
The problem is not with BitTorrent. The problem is with BitTorrent trackers and sites which trust that value returned by the client. There are dozens of open-source clients, including the original- and all it takes is adding one operation that multiplies the real upload by whatever number you desire.
The functionality of BitTorrent depends on clients seeding copies of the file back into the network after having downloaded, and a vulnerability like this in a significant amount of trackers could easily cause serious damage to the operation of many torrents.
How did this pseudo-intellectual first-post get modded insightful? You clearly don't understand how the BitTorrent network is designed. Clients evaluate only how much data they receive directly from another client, and how fast. Nothing else factors into their decisions of who to upload. There is absolutely NO mechanism for the client to query the server to see how much you've uploaded, nor is there even a way to ask other clients. Why? Because both sources would be unreliable. Each client CAN only rely on direct "experience", unless they're engaging in a reputation system of their own hacking- if they are, best of luck to them, Bram wasn't an idiot for not trying that.
The "vulnerability" only affects trackers which "enforce" an upload ratio, and only to the extent of letting people bypass that ratio. Ratios is a concept that is pretty stupid with BitTorrent. The more you push back, the more you get, unless there is plenty of bandwidth. About the only "benefit" I see to ratios is that it might keep files available with seeds longer.
I hear a lot of crying about leechers on BitTorrent, but the network is self-regulating. Don't upload? You won't get much back. I think the perceived problem is also because reporting of the stats is unreliable- in the case of Azureus, for example, I can download a big file, upload 3x as much, and then if I get a connection error when my client stops, I "loose" all that uploading. I then look like a leecher, when it is exactly the opposite.
Please help metamoderate.
I tend to use public sites that don't keep track of ratios of individuals--honor system an all that--and I still always try to keep at least a 1.0 on all torrents, many of them usually end up at 2.0 ~ 3.0 just because ratios build up very quickly on popular torrens overnight on broadband connections.
It seems like from the posts the BT community has known about this for a while and it really doesn't seem to matter too much. Most downloaders who have at least a basic understanding of how torrents work will keep those downloads going caust it's just a nice thing to do.
Easy way to get your ratio up is to join a site that only allows you two slots on the tracker at first. Either download two small files and seed them or upload two of your own torrents and stay connected to the tracker so you are using your two tracker slots.
Using azeurus (or any client which stores peer IP's) stop on of your seeding files and connect to a large file you want to download, let your client pick up some IP's or until you are getting the file at a decent speed.
Now stop your download and begin seeding again, when you restart your download you will connect to the clients and your download will be resumed but the tracker will not be updated with the data you are download. AFAIK users who you are leeching off will still be given credit for all the data you upload.
Worked on elite torrents and some of the sites I use now.
All spelling mistakes are due to solar flares...honest
Since when Firefox is more appropriate term for HTTP than HTTP?
I've been using Bittornado and Rufus for some time now, and with both, I get away with uploading at 3KBps and downloading as fast as I can manage. I have ADSL, so this means about 60KBps short of my 180KBps upper limit for downloading. But I've been known to download at 180KBps. (It's not that I'm a prick by nature, it's just that with my connection, I can only upload at around 12KBps, and the faster I upload, the slower I download.)
News for merdes. Shit that matters.
Ask me about my sig.
Being a formet BT tracker admin we knew of this well over a year ago.
Just download the original client and change the source code if you want to automate the process.
By the way, I'm talking about smallish torrent sites (<50,000 users or so) where the account turnover is low enough that new users can be noticed by mod staff. Huge sites with six figure userbases and hundreds of signups a day would obviously be much easier to cheat on.
It is very, very, very easy to detect cheaters on private torrent sites -- which are the only sites where ratios really matter anyway.
Globally, across an entire torrent, the amount of data uploaded can't be greater than the amount downloaded. Think about it for more than three seconds and its rather obvious. Every single client reports their usage to the tracker. Every byte you upload must have been downloaded by another client, who also reports their usage.
And hash fails are counted as downloads by the client, so thats not a factor.
If the torrent admin looks through a torrent and sees Joe Cheater claiming to have uploaded 3.6GB, and it just so happens that the amount uploaded is 3.6GB more than that downloaded...its not hard to work out who's spoofing their stats.
Granted, the situation becomes worse when multiple people are cheating, but it's not too hard to track users who are on multiple torrents and pick out usernames who always appear to be on the torrents with the discrepancies.
I've seen it happen on private sites before, and it will happen again.
The short answer is -- you can fudge your stats all you want. But unless you can find a way to fudge someone elses stats to minus the discrepancy, you'll get caught. And rightly so.
Ratios is a concept that is pretty stupid with BitTorrent.
Right, stupid as in "people routinely saturate their downstream when ratio is enforced because everyone keeps seeding after having downloaded" and as opposed to smart, non-ratio trackers as in "people often get crappy speeds especially when they're on asymmetric connections because everyone kills the client after having downloaded the file".
BT is kind of self-regulating, upload more and you download more. But the self-regulation only goes so far and offers no incentive whatsoever to actually seeding files. Since a vast majority of the peers are on asymmetric links (e.g. ADSL), there obviously is a need for pure seeds to keep network speed at a high level, because otherwise the maximum network speed would be limited by the total upload speed of the asymmetric links.
Switch back to Slashdot's D1 system.
You just give it the torrent, how much to "upload" and how much to wait between start and stop updates.
it's in SVN in my home PC so, it may not stay there for long if you abuse my DSL.
Just go where you want to install it and type:
svn co svn://arcanum.homelinux.org/cheatbt cheatbt
Please, no complaints about the code... i know :)
Slashdot Sig. version 0.1alpha. Use at your own risk.
No, it wouldn't. The only thing this has any effects on, are tracker stats.
Bittorrent clients upload to who uploads most to them. And then they add a certain amount of randomness so that they get to try different peers. They don't care about the stats from the tracker, and neither should they, as they can be easily forged anyway (just change a line in your favourite bittorrent client and recompile).
If the bittorrent protocol was so brittle as to care about easily forged information, it would never have worked as open source software anyway.
So why do people care about trackers stats? Well, some people like to publish them (e.g. to make leechers ashamed). Some are nazis, and want to block leechers from their trackers. And some go beyond nazis, and want to block multi-tracker clients, etc, because it disturbs their tracker stats. This "vulnerability" is only a vulnerability to the two last groups...
If anyone gets hauled to court over their use of BT and these "amount shared" statistics are used as evidence against them, having the data be easily forged should help the defendent.
I've always thought that the best way for the MPAA/RIAA to kill bittorrent would be to break the protocol such that cheaters could leach without giving much back.
If you look at other systems where the amount leechers far outstrip people giving back the system pretty much gets bogged down.
Bram had always said his system works because every client is out for it's own interest. Researchers who have tried to "improve" BT usually have done something to break this model.
If I were the RIAA/MPAA I'd hire a bunch of crack programmers to try and create a "cheat" and then release the source code to that people would get to download with little or no uploading. That would effetively KILL many bittorrent swarms
This cheat DOES work... but it's rather suspicious to the admins when you do it. Like a thirty-second leap from a terrible download-upload ratio to a godlike ratio won't go unnoticed... That said, I had no problem TESTING it, but I contacted the admins of my favorite tracker and told them what I did, why, and got them to reverse it. They'll be watching for it now and banning anyone who tries it.
use it on boxtorrents and we will ban your entire ISP for a month. we know about it, we know how to monitor for it.
It's very easy to detect cheating in a swarm. If a client reports that it's uploaded ten megabytes, but the remainder of the swarm has only downloaded one megabyte, there's obviously something askew. Of course, not everybody will get their stats counted accurately, due to disconnection and tracker outages, but things should average out reasonably (*). If these community-based ratio-monitoring sites simply count the number of times a given member is part of a swarm with a mismatched overall upload:download ratio, greedy leechers will be identified quickly. Can I recommend the paper "How to cheat BitTorrent, and why nobody does"? It's a lot older than this article. http://www.cs.unibo.it/pub/TR/UBLCS/2005/2005-12.p df
(*) Obviously I've never measured this or anything :)
Mod this tripe down! This has been covered several times throughout this discussion. The only thing this affects are a set of numbers which have absolutely nothing to do with the functionality of the protocol itself.
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
I would think that the vast majority of folks using BT to get "legitimate" downloads won't be using this hack (I must get this Knoppix ISO and not share!). Really, it just exploits the greed of the pirate community, for which I have little sympathy.
You could try the exploits, which only damages the system and will get you eventually banned from your favourite torrent sites, or you could just get half a dozen downloading and go to bed.
Phillip.
Property for sale in Nice, France
For example, here in New Zealand, the fastest speed you can get is 2mbps ADSL, and depending on the plan you choose, when you hit 10GB of traffic (that's traffic in both directions added together), you either start paying excessive data charges designed to be so high as to force you to stop, or your bandwidth is reduced to 64kbps.
The latter option is obviously the one that the huge majority choose, and to the uninitiated, 64kbps seems like not such a bad idea. The problem is that the ISP acheives 64kbps by heavily dropping packets, and that results in much much worse performance than you would have got with a dialup modem connection.
I, for example, would be happy to leave BT running 24/7, seeding files, but I simply can't afford to do that, because at 2mbps, I can chew up 10GB in just 11 hours (actually less, because you have to include transmitted traffic too), and unless I want to have unusable internet access for the remaining 30.5 days of the month, I have to strictly control the amount of traffic I transmit and receive.
So, what do these nazis do to people who's client is sitting there, waiting to upload and give back the bandwidth they've used but who aren't being asked for anything? I've sometimes left my client running for hours after finishing a download and not sent back a single piece because nobody's asking for it. Does that make me a leach?
Good, inexpensive web hosting