P2P Networks Supplement Botnets
stuckinarut writes "Peer to peer file sharing network popularity is at an all time high, with hundreds of thousands of computers connected to a single P2P network at a given time. These networks are increasingly being used to trick PCs into attacking other machines, experts say. In fact, some reports indicate that peer-to-peer may actually exceed web traffic. Computer scientists have previously shown how P2P networks can be subverted so that several connected PCs gang up to attack a single machine, flooding it with enough traffic to make it crash. This can work even if the target is not part of the P2P network itself. Now, security experts are warning that P2P networks are increasingly being used to do just this. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack," says Darren Rennick of internet security company Prolexic in an advisory released recently. "We now see them constantly being subverted.""
Think about it. Make a false request for a file - and then do TONS of requests for it from hundreds and thousands of other people. It's a classic DDoS attack.
However, this will rule out a lot of corporate machines from being used as bots in this fashion; most decent sysadmins filter P2P traffic.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
My friends and I use good ol' ftp.
What?
Don't you mean P2P over port 80?
This slashdot-related signature is a stub. You can help kihjin by expanding it.
I know my connection sees more P2P traffic than web traffic. One 175 MB TV show is a lot of web pages.
Libertarian Leaning Political Discussion Forum.
another one of the RIAA's scare tactics?
The reason P2P lends itself to abuse is because peers typically depend on data from non-authoritative sources (other peers) for information. BitTorrent's classical tracker communication doesn't allow spurious inserted IP addresses to be broadcast to other peers, which prevents BitTorrent networks from being used as DoS amplifiers.
I can't say the same for certain non-standard extensions to BitTorrent, or for official's DHT-based trackerless system, unfortunately; I haven't studied them enough to assert their infallibility.
P2P has too much potential at stake to just being associated with massive copyright infringements and now botnets.
These associations will only be used as excuses to involve clueless regulators to inflict even more damage than they already do.
P2P also is used to distribute OS images, large collections of data, etc. Companies and organizations--especially involved with free software--need to get on the ball and rely more on P2P. There's more than just bandwidth savings at stake.
The starting number of people that will try to connect to that site could be high, OK, but as soon as the p2p client realizes that it is not talking with a p2p server, it all ends there; the attack described by the BitTorrent author in the article could be better. How long could a p2p attack last that way? Or maybe, how many retries / how much time do the usual p2p clients spend to make that worrisome?
Wouldn't surprise me at all to see the Mafiaa somewhere in the background on this one.
"I drank what?" -- Socrates
"However, this will rule out a lot of corporate machines from being used as bots in this fashion; most decent sysadmins filter P2P traffic."
Especially those academic machines.
So the article mentions two cases:
1) Edonkey/Emule
2) Bittorrent
In the second case, it sounds a lot like the attacker needs to run their own tracker, which means they have to convince people to come to their tracker in the first place, making it relatively easy to avoid.
But the first case, with Edonkey, sounds like it might only need a naughty client. But they don't go into details, instead referencing an academic paper which I am too lazy to read and suspect it won't answer my ultimate question anyway, which is:
If you are running emule, are there any tell-tale signs to indicate that your emule client is unwittingly participating in a DDOS attack? Like certain verbose log entries or somesuch?
When information is power, privacy is freedom.
Actually, that won't happen.
Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.
In order to get "thousands of computers" to attack the target, you'd have to claim that the content was something that "thousands" of people wanted.
Otherwise your "attack" will be limited to how many people are trying to download the content at any one time that have not timed out.
It's not how many TOTAL computers over a TOTAL time period.
If each of those 50,000 computers timed out and gave up in 60 seconds (a very reasonable time frame), then you're only looking at 278 (rounded up) "attacks" a minute.
Between 4 and 5 "attacks" a second.
It doesn't sound like much when you do the math, does it?
I remember a while ago I went on vacation and lost the lease on my IP back when I had Comcast. I came home and booted up the router, it leased a new IP, business as usual.
That night I look over at my modem and the send/receive lights are flashing like crazy. I check my firewall logs and see mass connection attempts on some port I wasn't aware was associated with anything. I do some Google searching and come to find out it's that peer-to-peer edonkey crap.
I thought "Whatever, surely the client will stop making connection attempts after it times out for a few days." But no sir, it went on for literally months until I received a new IP lease (with a little intervention on my part). Granted the traffic was not enough to affect my connection all that much but if 'legitimate' usage generates such a high volume of traffic I can see how abuse could become a concern.
Who writes these clients anyway, connection/ping timeout for a month and the IP is not put on some sort of exclude list?
"P2P has too much potential at stake to just being associated with massive copyright infringements and now botnets."
Oh, my. Cause and effect? Quick! Someone blame the RIAA and Microsoft before it's too late.
BTW The popularity protocol is overrated.* Once the popularity wears off, it's no better than FTP.
*There are already FTP clients that download different pieces of the same file from different servers. The only thing P2P does well is hide content, and destination.
I'm glad this finally made it to Slashdot. It's a bit of older news to those of us who work in the web hosting industry and have already been subjected to these types of attacks. The scale that the abuse of these networks causes the DDOS attacks to be is on a much larger scale than DDOS style attacks have been in the past (for the most part).
Thankfully some Peer to Peer network protocols aren't badly implemented (and the client software isn't as bad as others). Netcraft has a decent article about this with examples of the P2P networks that have been shown as exploitable.
http://news.netcraft.com/archives/2007/05/23/p2p_networks_hijacked_for_ddos_attacks.html
I can confidently say that these attacks can easily span the 800,000 pkt/sec (per link) and include millions of source addresses for a "cheap cost" compared to the botnets that previously have been almost exclusive to the attacks. Thankfully most P2P clients aren't hijackable in a way to simply pulse connections (all at once) or the more traditional SynFlooding. Connection (fully negotiated) tends to be easier to diagnose than the strictly syn-flooding style attacks can be, on top of it they tend to be more directed (single destination vs. rotating with some kind of intelligence across an entire netblock).
Information is not Knowledge.
Did anyone ever read the friggin' advisory? They speak of a DC++ attack, not edonkey and not bittorrent. I know jack-shit about edonkey because that's typically only used for downloading "warez" and movies and such. But, yes, bittorrent is designed with certain security features in mind that prevent this. Those that use distributed trackers, I dunno, I don't use them and am not at liberty to discuss them.
I believe most everyone who has posted here must work at Best Buy in their Geek Squad. They use all the buzzwords. They write such a long rant full of geek-speak garbage that it distracts the majority and everyone assumes they know what they are speaking about.
Almost every reply here has been off-topic. Sad.
A couple of years ago, while studying p2p protocols and contemplating writing one myself to release anonymously, I wrote a program that emulated a Kazaa node with the ability to monitor and modify traffic passing through it.
I then added the ability to query and download files, and while experimenting with making it cache queries to others, added a slight bug, in that instead of giving the actual address of the resource, it kept spitting out my address... Shortly after, I realized I had a dandy means for a DOS attack if I wanted to.
Hopefully modern p2p is more secure, but I doubt it.
Well here's what: P2P is just a hack. That's all it is. It's a scheme to avoid central authority, and avoid a central point of load...
While in some cases this is an attempt to avoid legal repercussions of hosting illegal content, in other cases, where content is legal, it's an attempt for the content providers to make their very big bandwidth problem someone else's bandwidth problem.
Because this is all P2P is doing, moving the problem elsewhere, and actually multiplying it. Downloading a 100 MB file via BitTorrent will generate far more traffic and connections on the Internet as a whole than a direct download from a proper server farm. No wonder ISPs are stressed out from this whole P2P deal.
And then there's the security problems. I wonder: where did all those guys shouting with full throat "P2P-ize everything" go? I've read here on Slashdot, bold commenters proclaim boldly how lame it is that there are still things that aren't P2P yet. We need P2P search engines! P2P hosting! P2P banking! All of those are actual things I've read.
But back to the beginning, P2P means no central authority. Hence, it means no central trusted entity, no trust, no security.
The advisory indeed speaks only of using DC++ to launch DDoS http://www.prolexic.com/news/20070514-alert.php However, the New Scientist article refers to two academic studies that discuss how eMule and BitTorrent can be misused for the same purpose:
a) N. Naoumov and K.W. Ross, "Exploiting P2P Systems for DDoS Attacks", International Workshop on Peer-to-Peer Information Management, May 2006. http://cis.poly.edu/~ross/papers/p2pddos.pdf
They show that one can subvert Overnet traffic (applicable to eMule that uses the same DHT as Overnet)
b) Karim El Defrawy, Minas Gjoka, Athina Markopoulou, "BotTorrent: Misusing BitTorrent to Launch DDoS Attacks", USENIX SRUTI, June 2007.
They show that one can subvert BitTorrent traffic by submitting to torrent aggregators fake torrent files that advertize the IP of the victim instead of a legitimate tracker's.
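As an added example (not from this thread or from either cited paper), here is a check a torrent index could run before listing a submitted .torrent: decode the bencoded metadata and flag announce URLs whose host is a literal IP address rather than a tracker hostname, the shape of the fake-tracker entry the BotTorrent paper describes. The tracker names and the sample torrent bytes are constructed for the example.

```python
"""Flag .torrent files whose tracker entries point at a raw IP address.
Added example; the bencode decoder is a minimal one written for this
illustration, and SAMPLE is a constructed torrent, not a real one."""
import ipaddress
from urllib.parse import urlsplit

def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder; returns (value, position after value)."""
    c = data[pos:pos + 1]
    if c == b"i":                              # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                              # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                              # dict: d<key><value>...e
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    colon = data.index(b":", pos)              # byte string: <len>:<bytes>
    length = int(data[pos:colon])
    return data[colon + 1:colon + 1 + length], colon + 1 + length

def announce_urls(torrent: bytes) -> list:
    """Collect 'announce' plus every tier of 'announce-list' (BEP 12)."""
    meta, _ = bdecode(torrent)
    urls = [meta[b"announce"]] if b"announce" in meta else []
    for tier in meta.get(b"announce-list", []):
        urls.extend(tier)
    return [u.decode("utf-8", "replace") for u in urls]

def suspicious_trackers(torrent: bytes) -> list:
    """Return announce URLs whose host is a literal IPv4/IPv6 address.
    Every client that opens the torrent will contact these repeatedly,
    so a literal IP with no vettable hostname deserves a manual look."""
    flagged = []
    for url in announce_urls(torrent):
        host = urlsplit(url).hostname or ""
        try:
            ipaddress.ip_address(host)         # raises if host is a name
            flagged.append(url)
        except ValueError:
            pass
    return flagged

# Constructed sample: a hostname tracker plus one literal-IP tracker entry
SAMPLE = (b"d8:announce30:http://tracker.example.org/ann"
          b"13:announce-listll30:http://tracker.example.org/anne"
          b"l32:http://203.0.113.7:6969/announceee4:infod4:name7:foo.isoee")
```

The heuristic only catches the literal-IP form; a hostname that resolves to a victim needs a DNS lookup and an allow-list of known trackers on top of this.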
Well shoot, if this is all true, people should just start using private, encrypted file-sharing between friends! There's nothing safer, and no one outside your network of friends can pull any mean stuff. There are several alternatives out there, my favorite being GigaTribe: http://www.gigatribe.com/
It really depends on which servers they're using the bot-net on...
Competing sites? Bad business.
White supremacist sites? Let em burn!
In fact, some reports indicate that peer-to-peer may actually exceed web traffic.
This was already the case in most of the measurements we collected in 2002. In fact by 2003, video traffic was the largest by volume, followed by audio, followed by web traffic. Our numbers came from sophisticated measurement devices that could, among other things, tell apart web pages from audio/video traffic on port 80.