Slashdot Mirror

← Back to Stories (view on slashdot.org)

P2P Networks Supplement Botnets

Posted by samzenpus on from the share-you-bot dept.

stuckinarut writes "Peer to peer file sharing network popularity is at an all time high, with hundreds of thousands of computers connected to a single P2P network at a given time. These networks are increasingly being used to trick PCs into attacking other machines, experts say. In fact, some reports indicate that peer-to-peer may actually exceed web traffic. Computer scientists have previously shown how P2P networks can be subverted so that several connected PCs gang up to attack a single machine, flooding it with enough traffic to make it crash. This can work even if the target is not part of the P2P network itself. Now, security experts are warning that P2P networks are increasingly being used to do just this. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack," says Darren Rennick of internet security company Prolexic in an advisory released recently. "We now see them constantly being subverted.""

13 of 74 comments (clear)

  1. It would be interesting... by Tuxedo+Jack · · Score: 4, Interesting

    Think about it. Make a false request for a file - and then do TONS of requests for it from hundreds and thousands of other people. It's a classic DDoS attack.

    However, this will rule out a lot of corporate machines from being used as bots in this fashion; most decent sysadmins filter P2P traffic.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
    1. Re:It would be interesting... by Bill+Wong · · Score: 4, Insightful

      From what I understand, this sounds like a new DDoS technique.
      Spoof some packets and forward them to a torrent tracker that so-and-so-IP-address is a seed for popular torrents.
      Watch as requests for that file flood the target. Repeat as necessary (actually, probably will need to repeat a whole lot).

    2. Re:It would be interesting... by necro2607 · · Score: 3, Insightful

      What's new about it: The victims don't have to be P2P users at all (in fact, their PC could just be sitting there at the log in screen, not even in use).

      We're talking about subverting P2P protocols in such a manner that completely legit P2P client software all over the net will be making regular requests to a certain target machine, because as far as the client software knows, that's where the requested file (SHREK_3_SCREENER_DVDRIP.AVI etc.) is supposedly located.

    3. Re:It would be interesting... by Pedrito · · Score: 3, Interesting

      most decent sysadmins filter P2P traffic.

      You should read the advisory. Apparently firewalls aren't generally enough to prevent an attack. I suspect I've actually been the victim of some of these attacks, though I have no idea why and it's possible that it's something else, but I've had "attacks" that appear to be related to the ED2K (eMule/eDonkey) network where I just get flooded with incoming ED2K packets and it quickly hoses my DSL modem, which obviously isn't designed to handle a DDOS attack. My iptables firewall seems to survive longer than the DSL modem. Fortunately, switching off the modem for a few seconds and firing it back up gives me a new address (one of the benefits of dynamic addresses).

      I don't know why I'd be attacked. It's possible people are just testing out their botnets or something, but it's happened several times over the past few months. Since it's fairly simple for me to fix the problem (restarting the modem) and it's only happened a few times, I haven't really bothered to dig too deep into it.

  2. Web traffic? by kihjin · · Score: 4, Funny

    Don't you mean P2P over port 80?

    --
    This slashdot-related signature is a stub. You can help kihjin by expanding it.
  3. well by mastershake_phd · · Score: 3, Insightful

    I know my connection sees more P2P traffic than web traffic. One 175mb TV show is a lot of web pages.

    --
    Libertarian Leaning Political Discussion Forum.
  4. BitTorrent by TheSHAD0W · · Score: 2, Informative

    The reason P2P lends itself to abuse is because peers typically depend on data from non-authoritative sources (other peers) for information. BitTorrent's classical tracker communication doesn't allow spurious inserted IP addresses to be broadcast to other peers, which prevents BitTorrent networks from being used as DoS amplifiers.

    I can't say the same for certain non-standard extensions to BitTorrent, or for official's DHT-based trackerless system, unfortunately; I haven't studied them enough to assert their infallibility.

  5. Another reason to better utilize P2P networks by Freed · · Score: 2, Insightful

    P2P has too much potential at stake to just being associated with massive copyright infringements and now botnets.

    These associations will only be used as excuses to involve clueless regulators to inflict even more damage than they already do.

    P2P also is used to distribute OS images, large collections of data, etc. Companies and organizations--especially involved with free software--need to get on the ball and rely more on P2P. There's more than just bandwidth savings at stake.

  6. That doesn't sound THAT bad. by khasim · · Score: 4, Informative
    From TFA:

    "In all file-sharing systems, you need a database to locate where these files are," Ross says. "The trick is to poison the database, to put bogus entries in that say that a very popular file is located at some target address that you want to attack."

    Thousands of computers will then start contacting the target computer requesting, for example, the latest Britney Spears song or episodes of The Office.

    Actually, that won't happen.

    Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.

    In order to get "thousands of computers" to attack the target, you'd have to claim that the content was something that "thousands" of people wanted ... RIGHT THEN!

    Otherwise your "attack" will be limited to how many people are trying to download the content at any one time that have not timed out.

    They created modified versions of BitTorrent files, and their own "tracker" a computer, which stores the databases that peers use to find one another on the network. Then, using 25 bogus files, they were able to trick more than 50,000 computers into cooperating within a few hours.

    It's not how many TOTAL computers over a TOTAL time period.

    If each of those 50,000 computers timed out and gave up in 60 seconds (a very reasonable time frame), then you're only looking at 278 (rounded up) "attacks" a minute.

    Between 4 and 5 "attacks" a second.

    It doesn't sound like much when you do the math, does it?
    1. Re:That doesn't sound THAT bad. by rtb61 · · Score: 5, Funny

      Dang, now why would you go and take apart a good old "P2P is evil and must be banned" story, just think of that wasted RIAA money going down the drain on a failed corporate viral marketing meme ;).

      --
      Chaos - everything, everywhere, everywhen
  7. What probably gave the author the idea: by MLS100 · · Score: 2, Informative

    I remember a while ago I went on vacation and lost the lease on my IP back when I had Comcast. I came home and booted up the router, it leased a new IP, business as usual.

    That night I look over at my modem and the send/receive lights are flashing like crazy. I check my firewall logs and see mass connection attempts on some port I wasn't aware was associated with anything. I do some Google searching and come to find out it's that peer-to-peer edonkey crap.

    I thought "Whatever, surely the client will stop making connection attempts after it times out for a few days." But no sir, it went on for literally months until I received a new IP lease (with a little intervention on my part). Granted the traffic was not enough to affect my connection all that much but if 'legitimate' usage generates such a high volume of traffic I can see how abuse could become a concern.

    Who writes these clients anyway, connection/ping timeout for a month and the IP is not put on some sort of exclude list?

  8. A bit of Older news by maelfius · · Score: 5, Informative

    I'm glad this finally made it to Slashdot. It's a bit of older news to those of us who work in the web hosting industry and have already been subjected to these types of attacks. The scale that the abuse of these networks causes the DDOS attacks to be is on a much larger scale than DDOS style attacks have been in the past (for the most part).

    Thankfully some Peer to Peer network protocols aren't badly implemented (and the client software isn't as bad as others). Netcraft has a decent article about this with examples of the P2P networks that have been shown as exploitable.

    http://news.netcraft.com/archives/2007/05/23/p2p_n etworks_hijacked_for_ddos_attacks.html

    I can confidently say that these attacks can easily span the 800,000 pkt/sec (per link) and include millions of source addresses for a "cheap cost" compared to the botnets that previously have been almost exclusive to the attacks. Thankfully most P2P clients aren't hijackable in a way to simply pulse connections (all at once) or the more traditional SynFlooding. Connection (fully negotiated) tends to be easier to diagnose than the strictly syn-flooding style attacks can be, on top of it they tend to be more directed (single destination vs. rotating with some kind of intelligence across an entire netblock).

    --
    Information is not Knowledge.
  9. P2P-ize everything! by suv4x4 · · Score: 2, Insightful

    Well here's what: P2P is just a hack. That's all it is. It's a scheme to avoid central authority, and avoid a central point of load...

    While in some cases this is an attempt to avoid legal repercussions of hosting illegal content, on other cases, where content is legal, it's an attempt for the content providers to make their very big bandwidth problem, someone else's bandwidth problem.

    Because this is all P2P is doing, moving the problem elsewhere, and actually multiplying it. Downloading a 100 MB file via bittorent will generate far more traffic and connection on the Internet as a whole, than a direct download from a proper server farm. No wonder ISP-s are stressed out from this whole P2P deal.

    And then there's the security problems. I wonder: where did all those guys shouting with full throat "P2P-ize everything" do? I've read here on Slashdot, bold commenters proclaim boldly how lame it is that there are still things that aren't P2P yet. We need P2P search engines! P2P hosting! P2P banking! All of those are actual things I've read.

    But back to the beginning, P2P means no central authority. Hence, it means no central trusted entity, no trust, no security.