Slashdot Mirror

← Back to Stories (view on slashdot.org)

BitTorrent Clients Can Be Made To Participate In High-Volume DoS Attacks

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes: A group of researchers have discovered some of the most popular BitTorrent applications, including uTorrent, Mainline, and Vuze are vulnerable to a newly discovered form of distributed denial of service attack that makes it easy for a single person to bring down large sites. The weaknesses allow an attacker to insert the target's IP address instead of their own in the malicious request. To mount a Distributed Reflective DoS (DRDoS) attack, an attacker sends this malformed requests to other BitTorrent users, which then act as reflectors and amplifiers and flood the intended victim with responses.

47 comments

  1. Interesting. by Shaman · · Score: 4, Interesting

    I've wondered several times to myself if this was possible. I figured no, since the torrent clients / seeds participate in an ACK system of sorts (or, so I've reasoned), so the sending clients would not get a return and so wouldn't keep bothering. But then, this *IS* possible to a torrent client which clicks on a carefully formed link and always was. Ever click on a link that has 40,000+ peers and/or seeds on it?

    --
    ...Steve
    1. Re:Interesting. by Anonymous Coward · · Score: 1

      Ever click on a link that has 40,000+ peers and/or seeds on it?

      Found links that claimed 40,000 peers and 700 seeds. Turns out there were 8 peers, no seeds, and all 9 of us were waiting for the same little bit in the middle of the rar (because for some reason it's always rar when this sort of thing happens, never loose files, and for some reason never any of the other compression formats).

    2. Re:Interesting. by Anonymous Coward · · Score: 0

      It's worth pointing out that people sometimes have a heap of traffic coming to their router if they switch to a dynamic IP that was previously active.

      Just because you drop out doesn't mean the rest of the swarm is aware of it. I'm guessing you tell your DHT peers or 1000 trackers that xyz IP is a seeder for [superpopulartorrent]?

    3. Re:Interesting. by Anonymous Coward · · Score: 0

      Raaaarrrr!

    4. Re:Interesting. by Zocalo · · Score: 1

      Yeah, this is what is often referred to as "afterglow" and can persist for quite some time after you shut down a BitTorrent client, even without the IP change. I've found that you can minimise it a bit by stopping all your active torrents (or better yet removing them altogether) and leaving the client itself running for a while before actually shutting it down. Gaming the protocol so that it thinks a victim's IP is a 100% complete seed for a number of popular torrents with a low number of seeds seems like a viable way of generating a lot of inbound traffic, but the attacker would need to continually keep adding new torrents as existing ones gained more and more seeds and reduced the likilihood a client would target the victim's IP. The article is light on details of how effective this is (or might be) in practice, but my gut feeling is that this is probably more effort than it's worth compared to other UDP based amplification attack techniques out there that require much less interaction.

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:Interesting. by mlts · · Score: 1

      I've never understood why people bag on rar. In fact, it is one of the few programs that I have a volume license for because it winds up on every box and general purpose VM I own.

      The main reason is that it is a stable archive format. I grab a stack of multi-part archives I burned on CDs 10 years ago, and I have an excellent chance of pulling a file off. Dead CD? I just put the media in with the recovery volume, and that is only if the error correction recovery record I added (usually 5-10%) didn't cut the mustard. Plus, I can then save the archive (repairing any damage) if needed. Had I used .tar.bzip2 or .tar.xz, I probably would be SOL, especially with a database backup image that spanned more than one piece of media.

      Plus, I can extract the archives on many other platforms. Of course, there are other utilities (PAR, 7Zip, Stuffit Deluxe), but not many provide error correction as part of the archive file, encryption, multi-volume spanning, and decent compression.

    6. Re:Interesting. by Anonymous Coward · · Score: 0

      7-Zip is stable, open source and achieves higher compression ratios than RAR.

    7. Re:Interesting. by behrooz0az · · Score: 1

      rar torrent means fake torrent. seriously, archive format was not the point.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    8. Re:Interesting. by Anonymous Coward · · Score: 0

      RAR is a commercial compressor, neither gratis nor libre. That's why people do not like RAR format.

    9. Re:Interesting. by ArmoredDragon · · Score: 1

      Actually in my own tests I've gotten better ratios with winrar.

      Anyways torrents that use rar format don't bother me so long as it's ONE file instead of being broken up into over 96523481256712 files. That's usually a symptom of somebody taking a usenet release and torrenting it, which by the way rar is wonderful for usenet.

    10. Re:Interesting. by Anonymous Coward · · Score: 0

      I've done extensive testing with both 7-Zip and RAR and 7-Zip almost always wins for compression.

      What compression settings are you using for 7-Zip? Mine are:

      Archive format: 7z
      Compression level: Ultra
      Compression method: LZMA2
      Dictionary size: 512 MB
      Word size: 273
      Solid Block size: Solid

    11. Re:Interesting. by timrod · · Score: 1

      The question I'd have is why anyone who really wants to DoS a target would bother doing it this way. It would be far easier to upload a popular torrent with malware attached (hide it in a cracked .exe or something else that people would expect to show up as a false positive on a virus scanner as many cracked .exes tend to) and then use the resulting botnet to DoS a target. By the time someone finds out that the torrent contains malware, you've probably already got a sizeable botnet and have your goal accomplished.

    12. Re:Interesting. by Mal-2 · · Score: 1

      I avoid using shady sources (torrent or otherwise) for executables, but I'm nowhere near as choosy when it comes to media files. I'm willing to run the risk that the file is actually Madonna yelling "what the fuck do you think you're doing?". (I didn't have a problem with it when she did that, it's just trolling.) I don't think I'm particularly unusual in this respect, either.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    13. Re:Interesting. by Anonymous Coward · · Score: 0

      The worst is CBR. The idea behind using RAR is to get just that last bit of compression over what ZIP gives you, but the files are already compressed, and using RAR gains you nothing while cutting way back on your options for reading the file. CBR is cargo-cult computing.

    14. Re:Interesting. by Anonymous Coward · · Score: 1

      What's the recovery ratio?

    15. Re:Interesting. by Anonymous Coward · · Score: 1

      100%. You do keep backups, right?

    16. Re:Interesting. by Anonymous Coward · · Score: 0

      It is possible and can be as simple as the old ratio cheating trick, but this time you aren't injecting or modifying the request to the server to fake your upload ratio, you are swapping out the IPs, so you send the request out to the swarm impersonating the target, the swarm responds as it should by trying to open connections with that IP to share.

      Since the IP is likely not even running bittorrent, these requests will just hammer and hammer and hammer the target, since it's a torrent swarm it's hard to block the IPs as they aren't in any particular range or segment.

    17. Re:Interesting. by Anonymous Coward · · Score: 0

      because you fell for a torrent honey pot.

      A few things of note. The number of seeds/peers on a torrent SITE is a projection, an estimation. Just because there are 4000 seeds doesn't mean you'll connect to any of them. Bittorrent, by design, is there to load balance away from the source. The seed has the full file, they feed peers, the idea being that the new peers download from the other peers who are downloading from the seed.

      Beyond that, your torrent client itself will be limiting the amount of seeds and peers you can connect to (if your windows/linux box isn't already) it's easy to find an adjust in utorrent settings, no idea about other clients.

      If you are attempting to download anything that's large and in .rar format that does NOT include some .par files, pass on it. It's likely a honey pot torrent that has fake statistics (it's really easy to fake torrent stats). You'll likely find, if you know how to look, that you are downloading a bunch of useless data "piece failed crc check" or what not, because this is how honey pots work. You will never complete the download, because there is no real download it's all padding and useless data. But you have added your ip address into a list that may or may not result in some blanket settlement demanding letters.

      I'm not sure why the fakers love rar, maybe it's because rar is a pain in the ass to verify by a single piece? who knows, it's not newsgroups and torrents offer a built in hash check so there's no reason to compress them, at all.

      Real groups using rar provide .par files so you can rebuild the lost .rar no par, no play

    18. Re:Interesting. by Anonymous Coward · · Score: 0

      I figured no, since the torrent clients / seeds participate in an ACK system of sorts (or, so I've reasoned), so the sending clients would not get a return and so wouldn't keep bothering.

      Years ago, I seen a bittorrent client try to connect to various IP addresses, and abandon the connection when there was no response. I was unsure whether this was provided by a tracker, or if it was some form of peer-exchange, but in both cases, I doubt the protocol understood clients either behind firewalls or clients that decided to give up and exit.

      Ever click on a link that has 40,000+ peers and/or seeds on it?

      First time I did - very slow download because all the seeds I connected to had very little downloaded (perhaps half a block), and the seeds were overloaded at the time.

      I'm sure both these have since been corrected, but old implementations die hard.

    19. Re:Interesting. by allo · · Score: 1

      who cares? What's the last time you got a corrupted file? Filetransfers via the internet use checksums, they are "there or not there", so you need some faulty disk. floppys had its problems, but a bitflip on a harddrive? Not that often ...

  2. Wow by Anonymous Coward · · Score: 0

    And you thought it was only good for piracy. It won't last long anyway. DDoS attacks are bad for corporate profits, so they must be stopped.

  3. Spoofed Source IP by Anonymous Coward · · Score: 2, Insightful

    Just another spoofed source IP address attack.

    No one's ever seen that before.

    1. Re:Spoofed Source IP by Anonymous Coward · · Score: 2, Interesting

      God forbid anyone do any sort of egress filtering on their end-user networks to make sure that any packets leaving it, claim to come from it.

      You'd think this would have been solved aeons ago, what with ISPs cutting costs and refusing to upgrade infrastructure. Cutting off DOS attacks before they head out onto the upstream backbone that they've got to pay for seems like a no-brainer.

    2. Re:Spoofed Source IP by Cramer · · Score: 2

      This has been a "best practice" for decades, and yet, many BIG NAME ISPs cannot be bothered to do it.

    3. Re:Spoofed Source IP by Anubis+IV · · Score: 1

      Exactly. I was reading research papers about similar DDoS attacks using unwitting BitTorrent clients back in 2007 and 2008. Not sure why this is noteworthy, since there were several different attacks back then that could be used to publish false IP addresses to the distributed hash table (DHT) as being sources for particular packets from the torrent, such that peers looking for that packet would try to repeatedly contact a server that wasn't even a part of the torrent swarm. There were also a variety of techniques for groups like the MPAA and RIAA to poison the data in torrents, such that corrupted or bad data would get distributed in a swarm, rather than the good data that was originally being published.

      I haven't paid much attention to this space since I got out of grad school in 2011, so it's possible that those previous attack vectors were patched and this is a brand new one that was discovered, but still, it's nothing new, and those old ones weren't a big deal at the time, so why is this one?

  4. Relatively Common Attack by Anonymous Coward · · Score: 1

    I've seen this a few times against networks that I managed in the past couple years. Some of it is also due to root server DNS poisoning in China directing torrent clients to my web servers instead of "thepiratebay.org" which can cause a decent amount of amplification. It's easy enough to mitigate if you take a look at the HTTP communications coming in, because they definitely don't look right.

  5. block all the ports by Anonymous Coward · · Score: 0

    and close all the firewalls.

    1. Re:block all the ports by Anonymous Coward · · Score: 0

      Screw that. Air-gap everything! Yeah!!!!!

  6. just now figured this out?? by Anonymous Coward · · Score: 0

    seriously?? lol people have been exploiting this for years

  7. Could this lead to false sharing allegations? by ukoda · · Score: 5, Interesting

    Given media companies chasing people for illegal sharing on the basis the very lists that this exploit is manipulating I guess this could lead to false allegations of file sharing? I guess it could be used in countries like New Zealand to have victims force disconnected by their ISP for multiple instances of file sharing when they had in fact never shared anything?

    1. Re:Could this lead to false sharing allegations? by Anonymous Coward · · Score: 1

      We all know BitTorrent is only for hackers, god forbid they are also running Linux.

    2. Re:Could this lead to false sharing allegations? by Anonymous Coward · · Score: 0

      I think you're missing the point of the parent post completely. The idea is that there are three parties:

      1. Nefarious user
      2. Target of nefarious user, who has never heard of BitTorrent or Linux
      3. Intellectual Property honeypot, which logs IPs of people sharing files on BitTorrent

      User #1 deceives a BitTorrent swarm into believing that User #2 is sharing copyrighted data. User #3, also deceived, accuses user #2 of copyright infringement, when they have in fact done no such thing.

    3. Re:Could this lead to false sharing allegations? by behrooz0az · · Score: 1

      no, it doesn't really work that way.
      https://wiki.theory.org/BitTor... is the protocol that has problems in it. the bit-torrent protocol
      The things IP owners use to track people are DHT and public trackers which are an entirely different thing used only for discovery of peers.
      Theoretically they should be spoofable too, using very similar technics(they too are built on top of udp(mostly)), but it's not related to this.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    4. Re:Could this lead to false sharing allegations? by mpeskett · · Score: 2

      There was that case where researchers were able to use some manner of spoofing to attract DMCA complaints claiming that their networked printer was engaging in file-sharing. There's a TorrentFreak article about it here which links to the PDF of the paper they published.

    5. Re:Could this lead to false sharing allegations? by Anonymous Coward · · Score: 0

      That would be awesome to see, specially if the IP adresses were other high level backend/bone structures from several ISP's and popular websites (R*AA anyone?) oh the hilarity seeing R*AA publicly chewing their own ass.

  8. This Attack Vector Needs A Badass Name by Guy+From+V · · Score: 1

    Kind of analogous to a synchrotron for weaponized data...or wait, here's a good one: Focused Binary Multiplicative Scalar Informational Superfluity Generator. Torrentpedo? Rickroll of Damocles? These are all terrible.

    1. Re:This Attack Vector Needs A Badass Name by viperidaenz · · Score: 1

      Bit-gate

    2. Re:This Attack Vector Needs A Badass Name by GameboyRMH · · Score: 1

      HiveChucker. Because it's a lot like throwing a beehive at somebody. Without knowing any better, a swarm attacks an innocent target.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  9. Not to be confused with DR-DOS by Jonah+Hex · · Score: 1

    Am I the only one who immediately thought of DR-DOS, which was for a time the best and most useful version of DOS out there? Nostalgia, thine name is the BBS days. - HEX

    --
    Horror & SciFi Erotic Nudes
    1. Re:Not to be confused with DR-DOS by Anonymous Coward · · Score: 0

      You are not alone!

  10. BitTorrent and high-volume DoS attacks .. by nickweller · · Score: 1

    I would have thought all this lone DDOS attacker need was all those compromised Microsoft Windows computers out there on the Internet.

  11. use TCP with new type of internal QoS by Forever+Wondering · · Score: 1

    The problem seems to be that uTP, which uses UDP instead of TCP, was created because when torrents used TCP, they had the same priority as TCP packets for things like web browsing. Going back to TCP would seem to ameliorate at least one form of attack mentioned. Why reinvent the wheel by enhancing uTP to the point where its virtually indistinguishable from TCP when the priority problem can be solved another way?

    How about an "internal" QoS parameter, set as a socket option call, that sets a QoS within a given system/node for the given socket, but is not the classic QoS packet parameter? That is, a web browser sets a lower QoS for its download manager so that a lengthy download doesn't slow down new http/html traffic. The OS's network stack layer uses this to prioritize requests, but this is purely internal (e.g. no packet gets a QoS value). In other words, it's not a protocol extension, just an OS network stack enhancement.

    I've had cases where I'm downloading a lot of stuff (either in the browser's download manager or something external like fedora's yum reposync) and foreground web browsing slows to a crawl.

    This is more akin to lowering a process scheduling priority below "normal". I use this if I'm running a heavy compute job in the background, but I still want my web browser, email, editor, etc. to have reasonable responsiveness.

    The most efficient way to implement this would be through a socket option, which would require a kernel change.

    Linux has a cgroup for something similar (/sys/fs/cgroup/net_prio) but creating a subdir under this and attaching a process to it usually requires root access. It's baroque. I tried to use the cgroup fs to implement a limit on a process resident set size because the syscall for RLIMIT_RSS isn't connected to anything. I got it to work, but the mechanism was far more complex than the equivalent for lowering process priority via setpriority. Hence, the "clean" solution for socket/connection priority would be a socket option.

    Applications could do this with minimal system support by getting stats on all connections (e.g. via netstat, etc.), calculating what their load is, and throttling themselves if they see they're using more than X percentage of the current total usage. Torrent clients already have this (e.g. one can set a parameter that limits the upstream bitrate used by a given torrent). But, there is no global limit or mechanism that says "How much bandwidth am I hogging?" and do a backoff.

    --
    Like a good neighbor, fsck is there ...
    1. Re:use TCP with new type of internal QoS by Agripa · · Score: 1

      I've had cases where I'm downloading a lot of stuff (either in the browser's download manager or something external like fedora's yum reposync) and foreground web browsing slows to a crawl.

      I do not have this problem and there are at least two ways to solve it:

      The uTP protocol includes monitoring of the connection latency and is suppose to throttle itself if latency becomes excessive. Maybe this is set wrong on your bittorrent client.

      Using a traffic shaper will also fix this problem.

  12. Old news by Anonymous Coward · · Score: 0

    This has been an obvious problem for years, im surprised it took this long for someone to abuse that trust. Any time you can make a remote machine attempt to connect to some other remote machine without a chain of trust, its an easy kill.

  13. We shall call it... by Jesrad · · Score: 1

    Since this is basically a smurf attack through a different protocol, I think we should call it a "snork attack".

    --
    Maybe we deserve this world ?
  14. Awful news for the entire Internet by Anonymous Coward · · Score: 0

    Let's be honest, people, there are currently NO mitigation techniques against an attack such as this that are realistic to implement in the foreseeable future. None at all. Banning all martian IP packets on the Internet level is impossible without colossal expenses in money, effort and time. Same goes for the proposed "deep packet inspection" of all Internet traffic. Forcing all BT users to upgrade their software looks even less possible. If an attacker could force an arbitrary website out of the Internet using only a handful of controlled hosts, then I guess we're going to see really major changes in the very way the Internet works. We'll see soon enough.

  15. Happened to me by holophrastic · · Score: 2

    In March, of this year, that's exactly what happened to my servers. It took a few hours to narrow down the traffic logs to find the excess load, and then it became quite obvious, based on the user agent, that it was nothing more than a bittorrent swarm.

    The nice part is that it's easily blocked by user-agent -- which isn't something that the original attacker can control.