BitTorrent Clients Can Be Made To Participate In High-Volume DoS Attacks

An anonymous reader writes: A group of researchers have discovered some of the most popular BitTorrent applications, including uTorrent, Mainline, and Vuze are vulnerable to a newly discovered form of distributed denial of service attack that makes it easy for a single person to bring down large sites. The weaknesses allow an attacker to insert the target's IP address instead of their own in the malicious request. To mount a Distributed Reflective DoS (DRDoS) attack, an attacker sends this malformed requests to other BitTorrent users, which then act as reflectors and amplifiers and flood the intended victim with responses.

Interesting.

[Shaman]

I've wondered several times to myself if this was possible. I figured no, since the torrent clients / seeds participate in an ACK system of sorts (or, so I've reasoned), so the sending clients would not get a return and so wouldn't keep bothering. But then, this *IS* possible to a torrent client which clicks on a carefully formed link and always was. Ever click on a link that has 40,000+ peers and/or seeds on it?

Re:Interesting.

Ever click on a link that has 40,000+ peers and/or seeds on it?

Found links that claimed 40,000 peers and 700 seeds. Turns out there were 8 peers, no seeds, and all 9 of us were waiting for the same little bit in the middle of the rar (because for some reason it's always rar when this sort of thing happens, never loose files, and for some reason never any of the other compression formats).

Re:Interesting.

[Zocalo]

Yeah, this is what is often referred to as "afterglow" and can persist for quite some time after you shut down a BitTorrent client, even without the IP change. I've found that you can minimise it a bit by stopping all your active torrents (or better yet removing them altogether) and leaving the client itself running for a while before actually shutting it down. Gaming the protocol so that it thinks a victim's IP is a 100% complete seed for a number of popular torrents with a low number of seeds seems like a viable way of generating a lot of inbound traffic, but the attacker would need to continually keep adding new torrents as existing ones gained more and more seeds and reduced the likilihood a client would target the victim's IP. The article is light on details of how effective this is (or might be) in practice, but my gut feeling is that this is probably more effort than it's worth compared to other UDP based amplification attack techniques out there that require much less interaction.

Re:Interesting.

[mlts]

I've never understood why people bag on rar. In fact, it is one of the few programs that I have a volume license for because it winds up on every box and general purpose VM I own.

The main reason is that it is a stable archive format. I grab a stack of multi-part archives I burned on CDs 10 years ago, and I have an excellent chance of pulling a file off. Dead CD? I just put the media in with the recovery volume, and that is only if the error correction recovery record I added (usually 5-10%) didn't cut the mustard. Plus, I can then save the archive (repairing any damage) if needed. Had I used .tar.bzip2 or .tar.xz, I probably would be SOL, especially with a database backup image that spanned more than one piece of media.

Plus, I can extract the archives on many other platforms. Of course, there are other utilities (PAR, 7Zip, Stuffit Deluxe), but not many provide error correction as part of the archive file, encryption, multi-volume spanning, and decent compression.

Re:Interesting.

[behrooz0az]

rar torrent means fake torrent. seriously, archive format was not the point.

Re:Interesting.

[ArmoredDragon]

Actually in my own tests I've gotten better ratios with winrar.

Anyways torrents that use rar format don't bother me so long as it's ONE file instead of being broken up into over 96523481256712 files. That's usually a symptom of somebody taking a usenet release and torrenting it, which by the way rar is wonderful for usenet.

Re:Interesting.

[timrod]

The question I'd have is why anyone who really wants to DoS a target would bother doing it this way. It would be far easier to upload a popular torrent with malware attached (hide it in a cracked .exe or something else that people would expect to show up as a false positive on a virus scanner as many cracked .exes tend to) and then use the resulting botnet to DoS a target. By the time someone finds out that the torrent contains malware, you've probably already got a sizeable botnet and have your goal accomplished.

Re:Interesting.

[Mal-2]

I avoid using shady sources (torrent or otherwise) for executables, but I'm nowhere near as choosy when it comes to media files. I'm willing to run the risk that the file is actually Madonna yelling "what the fuck do you think you're doing?". (I didn't have a problem with it when she did that, it's just trolling.) I don't think I'm particularly unusual in this respect, either.

Re:Interesting.

What's the recovery ratio?

Re:Interesting.

100%. You do keep backups, right?

Re:Interesting.

[allo]

who cares? What's the last time you got a corrupted file? Filetransfers via the internet use checksums, they are "there or not there", so you need some faulty disk. floppys had its problems, but a bitflip on a harddrive? Not that often ...

Spoofed Source IP

Just another spoofed source IP address attack.

No one's ever seen that before.

Re:Spoofed Source IP

God forbid anyone do any sort of egress filtering on their end-user networks to make sure that any packets leaving it, claim to come from it.

You'd think this would have been solved aeons ago, what with ISPs cutting costs and refusing to upgrade infrastructure. Cutting off DOS attacks before they head out onto the upstream backbone that they've got to pay for seems like a no-brainer.

Re:Spoofed Source IP

[Cramer]

This has been a "best practice" for decades, and yet, many BIG NAME ISPs cannot be bothered to do it.

Re:Spoofed Source IP

[Anubis+IV]

Exactly. I was reading research papers about similar DDoS attacks using unwitting BitTorrent clients back in 2007 and 2008. Not sure why this is noteworthy, since there were several different attacks back then that could be used to publish false IP addresses to the distributed hash table (DHT) as being sources for particular packets from the torrent, such that peers looking for that packet would try to repeatedly contact a server that wasn't even a part of the torrent swarm. There were also a variety of techniques for groups like the MPAA and RIAA to poison the data in torrents, such that corrupted or bad data would get distributed in a swarm, rather than the good data that was originally being published.

I haven't paid much attention to this space since I got out of grad school in 2011, so it's possible that those previous attack vectors were patched and this is a brand new one that was discovered, but still, it's nothing new, and those old ones weren't a big deal at the time, so why is this one?

Relatively Common Attack

I've seen this a few times against networks that I managed in the past couple years. Some of it is also due to root server DNS poisoning in China directing torrent clients to my web servers instead of "thepiratebay.org" which can cause a decent amount of amplification. It's easy enough to mitigate if you take a look at the HTTP communications coming in, because they definitely don't look right.

Could this lead to false sharing allegations?

[ukoda]

Given media companies chasing people for illegal sharing on the basis the very lists that this exploit is manipulating I guess this could lead to false allegations of file sharing? I guess it could be used in countries like New Zealand to have victims force disconnected by their ISP for multiple instances of file sharing when they had in fact never shared anything?

Re:Could this lead to false sharing allegations?

We all know BitTorrent is only for hackers, god forbid they are also running Linux.

Re:Could this lead to false sharing allegations?

[behrooz0az]

no, it doesn't really work that way.
https://wiki.theory.org/BitTor... is the protocol that has problems in it. the bit-torrent protocol
The things IP owners use to track people are DHT and public trackers which are an entirely different thing used only for discovery of peers.
Theoretically they should be spoofable too, using very similar technics(they too are built on top of udp(mostly)), but it's not related to this.

Re:Could this lead to false sharing allegations?

[mpeskett]

There was that case where researchers were able to use some manner of spoofing to attract DMCA complaints claiming that their networked printer was engaging in file-sharing. There's a TorrentFreak article about it here which links to the PDF of the paper they published.

This Attack Vector Needs A Badass Name

[Guy+From+V]

Kind of analogous to a synchrotron for weaponized data...or wait, here's a good one: Focused Binary Multiplicative Scalar Informational Superfluity Generator. Torrentpedo? Rickroll of Damocles? These are all terrible.

Re:This Attack Vector Needs A Badass Name

[viperidaenz]

Bit-gate

Re:This Attack Vector Needs A Badass Name

[GameboyRMH]

HiveChucker. Because it's a lot like throwing a beehive at somebody. Without knowing any better, a swarm attacks an innocent target.

Not to be confused with DR-DOS

[Jonah+Hex]

Am I the only one who immediately thought of DR-DOS, which was for a time the best and most useful version of DOS out there? Nostalgia, thine name is the BBS days. - HEX

BitTorrent and high-volume DoS attacks ..

[nickweller]

I would have thought all this lone DDOS attacker need was all those compromised Microsoft Windows computers out there on the Internet.

use TCP with new type of internal QoS

[Forever+Wondering]

The problem seems to be that uTP, which uses UDP instead of TCP, was created because when torrents used TCP, they had the same priority as TCP packets for things like web browsing. Going back to TCP would seem to ameliorate at least one form of attack mentioned. Why reinvent the wheel by enhancing uTP to the point where its virtually indistinguishable from TCP when the priority problem can be solved another way?

How about an "internal" QoS parameter, set as a socket option call, that sets a QoS within a given system/node for the given socket, but is not the classic QoS packet parameter? That is, a web browser sets a lower QoS for its download manager so that a lengthy download doesn't slow down new http/html traffic. The OS's network stack layer uses this to prioritize requests, but this is purely internal (e.g. no packet gets a QoS value). In other words, it's not a protocol extension, just an OS network stack enhancement.

I've had cases where I'm downloading a lot of stuff (either in the browser's download manager or something external like fedora's yum reposync) and foreground web browsing slows to a crawl.

This is more akin to lowering a process scheduling priority below "normal". I use this if I'm running a heavy compute job in the background, but I still want my web browser, email, editor, etc. to have reasonable responsiveness.

The most efficient way to implement this would be through a socket option, which would require a kernel change.

Linux has a cgroup for something similar (/sys/fs/cgroup/net_prio) but creating a subdir under this and attaching a process to it usually requires root access. It's baroque. I tried to use the cgroup fs to implement a limit on a process resident set size because the syscall for RLIMIT_RSS isn't connected to anything. I got it to work, but the mechanism was far more complex than the equivalent for lowering process priority via setpriority. Hence, the "clean" solution for socket/connection priority would be a socket option.

Applications could do this with minimal system support by getting stats on all connections (e.g. via netstat, etc.), calculating what their load is, and throttling themselves if they see they're using more than X percentage of the current total usage. Torrent clients already have this (e.g. one can set a parameter that limits the upstream bitrate used by a given torrent). But, there is no global limit or mechanism that says "How much bandwidth am I hogging?" and do a backoff.

Re:use TCP with new type of internal QoS

[Agripa]

I've had cases where I'm downloading a lot of stuff (either in the browser's download manager or something external like fedora's yum reposync) and foreground web browsing slows to a crawl.

I do not have this problem and there are at least two ways to solve it:

The uTP protocol includes monitoring of the connection latency and is suppose to throttle itself if latency becomes excessive. Maybe this is set wrong on your bittorrent client.

Using a traffic shaper will also fix this problem.

We shall call it...

[Jesrad]

Since this is basically a smurf attack through a different protocol, I think we should call it a "snork attack".

Happened to me

[holophrastic]

In March, of this year, that's exactly what happened to my servers. It took a few hours to narrow down the traffic logs to find the excess load, and then it became quite obvious, based on the user agent, that it was nothing more than a bittorrent swarm.

The nice part is that it's easily blocked by user-agent -- which isn't something that the original attacker can control.