Slashdot Mirror


P2P Networks Supplement Botnets

stuckinarut writes "Peer to peer file sharing network popularity is at an all time high, with hundreds of thousands of computers connected to a single P2P network at a given time. These networks are increasingly being used to trick PCs into attacking other machines, experts say. In fact, some reports indicate that peer-to-peer may actually exceed web traffic. Computer scientists have previously shown how P2P networks can be subverted so that several connected PCs gang up to attack a single machine, flooding it with enough traffic to make it crash. This can work even if the target is not part of the P2P network itself. Now, security experts are warning that P2P networks are increasingly being used to do just this. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack," says Darren Rennick of internet security company Prolexic in an advisory released recently. "We now see them constantly being subverted.""

9 of 74 comments

  1. It would be interesting... by Tuxedo Jack · Score: 4, Interesting

    Think about it. Make a false request for a file - and then do TONS of requests for it from hundreds and thousands of other people. It's a classic DDoS attack.

    However, this will rule out a lot of corporate machines from being used as bots in this fashion; most decent sysadmins filter P2P traffic.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!

    1. Re:It would be interesting... by Bill Wong · Score: 4, Insightful

      From what I understand, this sounds like a new DDoS technique.
      Spoof some packets and forward them to a torrent tracker that so-and-so-IP-address is a seed for popular torrents.
      Watch as requests for that file flood the target. Repeat as necessary (actually, probably will need to repeat a whole lot).

    2. Re:It would be interesting... by necro2607 · Score: 3, Insightful

      What's new about it: The victims don't have to be P2P users at all (in fact, their PC could just be sitting there at the log in screen, not even in use).

      We're talking about subverting P2P protocols in such a manner that completely legit P2P client software all over the net will be making regular requests to a certain target machine, because as far as the client software knows, that's where the requested file (SHREK_3_SCREENER_DVDRIP.AVI etc.) is supposedly located.

    3. Re:It would be interesting... by Pedrito · Score: 3, Interesting

      most decent sysadmins filter P2P traffic.

      You should read the advisory. Apparently firewalls aren't generally enough to prevent an attack. I suspect I've actually been the victim of some of these attacks, though I have no idea why and it's possible that it's something else, but I've had "attacks" that appear to be related to the ED2K (eMule/eDonkey) network where I just get flooded with incoming ED2K packets and it quickly hoses my DSL modem, which obviously isn't designed to handle a DDOS attack. My iptables firewall seems to survive longer than the DSL modem. Fortunately, switching off the modem for a few seconds and firing it back up gives me a new address (one of the benefits of dynamic addresses).

      I don't know why I'd be attacked. It's possible people are just testing out their botnets or something, but it's happened several times over the past few months. Since it's fairly simple for me to fix the problem (restarting the modem) and it's only happened a few times, I haven't really bothered to dig too deep into it.

  2. Web traffic? by kihjin · Score: 4, Funny

    Don't you mean P2P over port 80?

    --
    This slashdot-related signature is a stub. You can help kihjin by expanding it.

  3. well by mastershake_phd · Score: 3, Insightful

    I know my connection sees more P2P traffic than web traffic. One 175 MB TV show is a lot of web pages.

  4. That doesn't sound THAT bad. by khasim · Score: 4, Informative

    From TFA:

    "In all file-sharing systems, you need a database to locate where these files are," Ross says. "The trick is to poison the database, to put bogus entries in that say that a very popular file is located at some target address that you want to attack."

    Thousands of computers will then start contacting the target computer requesting, for example, the latest Britney Spears song or episodes of The Office.

    Actually, that won't happen.

    Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.

    In order to get "thousands of computers" to attack the target, you'd have to claim that the content was something that "thousands" of people wanted ... RIGHT THEN!

    Otherwise your "attack" will be limited to how many people are trying to download the content at any one time that have not timed out.

    They created modified versions of BitTorrent files, and their own "tracker" a computer, which stores the databases that peers use to find one another on the network. Then, using 25 bogus files, they were able to trick more than 50,000 computers into cooperating within a few hours.

    It's not how many TOTAL computers over a TOTAL time period.

    If each of those 50,000 computers timed out and gave up in 60 seconds (a very reasonable time frame), then you're only looking at 278 (rounded up) "attacks" a minute.

    Between 4 and 5 "attacks" a second.

    It doesn't sound like much when you do the math, does it?
    1. Re:That doesn't sound THAT bad. by rtb61 · Score: 5, Funny

      Dang, now why would you go and take apart a good old "P2P is evil and must be banned" story, just think of that wasted RIAA money going down the drain on a failed corporate viral marketing meme ;).

      --
      Chaos - everything, everywhere, everywhen

  5. A bit of Older news by maelfius · Score: 5, Informative

    I'm glad this finally made it to Slashdot. It's a bit of older news to those of us who work in the web hosting industry and have already been subjected to these types of attacks. The scale of the DDoS attacks that abuse of these networks makes possible is much larger than DDoS-style attacks have been in the past (for the most part).

    Thankfully some Peer to Peer network protocols aren't badly implemented (and the client software isn't as bad as others). Netcraft has a decent article about this with examples of the P2P networks that have been shown as exploitable.

    http://news.netcraft.com/archives/2007/05/23/p2p_networks_hijacked_for_ddos_attacks.html

    I can confidently say that these attacks can easily span 800,000 pkt/sec (per link) and include millions of source addresses for a "cheap cost" compared to the botnets that previously have been almost exclusively behind these attacks. Thankfully most P2P clients aren't hijackable in a way that simply pulses connections (all at once) or does the more traditional SYN flooding. Connection (fully negotiated) floods tend to be easier to diagnose than strictly SYN-flooding style attacks; on top of that, they tend to be more directed (single destination vs. rotating with some kind of intelligence across an entire netblock).

    --
    Information is not Knowledge.
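
The diagnostic difference maelfius describes (a flood of fully negotiated connections from a very large number of distinct sources aimed at a single destination, versus a spoofed SYN flood that never completes the handshake) can be turned into a simple triage check over connection logs. The following is an added example, not code from the post or from any product named on the page; the log line format, the thresholds and the sample traffic are all constructed assumptions for illustration.

```python
# Added example: triage per-destination connection logs into "normal",
# "syn_flood" (half-open, spoofed sources) or "p2p_connection_flood"
# (fully negotiated connections from many real peers hitting one target).
#
# Constructed log format, an assumption for this example and not any real
# tool's output:
#   <epoch_seconds> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <SYN|EST>
# SYN = handshake never completed, EST = connection fully negotiated.


def parse_line(line):
    """Parse one constructed log line into (ts, src_ip, dst_ip, dst_port, state)."""
    ts, src, _arrow, dst, state = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src_ip, dst_ip, int(dst_port), state


def summarize(lines):
    """Aggregate per destination: distinct sources, connection count,
    fully negotiated count, and the time window the connections span."""
    per_dst = {}
    for line in lines:
        ts, src_ip, dst_ip, _port, state = parse_line(line)
        s = per_dst.setdefault(
            dst_ip, {"sources": set(), "conns": 0, "est": 0, "first": ts, "last": ts}
        )
        s["sources"].add(src_ip)
        s["conns"] += 1
        if state == "EST":
            s["est"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return per_dst


def classify(per_dst, min_sources=500, min_rate=50.0, est_ratio=0.7):
    """Label each destination. Thresholds are illustrative assumptions.

    A flood is many distinct sources at a high connection rate. Within a flood,
    a high share of fully negotiated connections points at real P2P clients
    (the directed, easier-to-diagnose pattern described in the post); a low
    share points at spoofed half-open SYNs."""
    labels = {}
    for dst, s in per_dst.items():
        window = max(s["last"] - s["first"], 1.0)  # seconds, avoid divide-by-zero
        rate = s["conns"] / window
        ratio = s["est"] / s["conns"]
        if len(s["sources"]) >= min_sources and rate >= min_rate:
            labels[dst] = "p2p_connection_flood" if ratio >= est_ratio else "syn_flood"
        else:
            labels[dst] = "normal"
    return labels


def constructed_log():
    """Synthetic traffic for three destinations; every value here is made up."""
    lines = []
    # Normal web traffic: 8 clients, 30 completed connections over a minute.
    for i in range(30):
        lines.append(f"{100 + i * 2.0} 192.0.2.{i % 8 + 1}:{40000 + i} -> 10.0.0.5:80 EST")
    # SYN flood: 3000 half-open connections from 3000 distinct (spoofed) sources in 10 s.
    for i in range(3000):
        src = f"100.{(i // 256) % 256}.{i % 256}.9"
        lines.append(f"{200 + i / 300:.3f} {src}:{1024 + i % 60000} -> 10.0.0.6:80 SYN")
    # P2P-style connection flood: 3000 connections from 1500 distinct peers in 10 s,
    # 95% of them fully negotiated, all aimed at one host and one port.
    for i in range(3000):
        j = i % 1500
        src = f"101.{j // 256}.{j % 256}.7"
        state = "SYN" if i % 20 == 0 else "EST"
        lines.append(f"{300 + i / 300:.3f} {src}:{1024 + i % 60000} -> 10.0.0.7:4662 {state}")
    return lines


if __name__ == "__main__":
    stats = summarize(constructed_log())
    for dst, label in classify(stats).items():
        s = stats[dst]
        print(f"{dst}: {label} ({len(s['sources'])} sources, {s['conns']} conns, "
              f"{s['est'] / s['conns']:.0%} fully negotiated)")
```

The useful signal for an operator is the combination: a single destination and port, a source count far beyond what a legitimate service sees in that window, and a handshake completion ratio near 100%, which rules out simple spoofing and explains why address-based filtering alone does so little against it.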