BitTorrent Clients Can Be Made To Participate In High-Volume DoS Attacks
An anonymous reader writes: A group of researchers have discovered some of the most popular BitTorrent applications, including uTorrent, Mainline, and Vuze, are vulnerable to a newly discovered form of distributed denial of service attack that makes it easy for a single person to bring down large sites. The weaknesses allow an attacker to insert the target's IP address instead of their own in the malicious request. To mount a Distributed Reflective DoS (DRDoS) attack, an attacker sends these malformed requests to other BitTorrent users, which then act as reflectors and amplifiers and flood the intended victim with responses.
I've wondered several times to myself if this was possible. I figured no, since the torrent clients / seeds participate in an ACK system of sorts (or, so I've reasoned), so the sending clients would not get a return and so wouldn't keep bothering. But then, this *IS* possible to a torrent client which clicks on a carefully formed link and always was. Ever click on a link that has 40,000+ peers and/or seeds on it?
...Steve
Just another spoofed source IP address attack.
No one's ever seen that before.
Given media companies chasing people for illegal sharing on the basis of the very lists that this exploit is manipulating, I guess this could lead to false allegations of file sharing? I guess it could be used in countries like New Zealand to have victims force disconnected by their ISP for multiple instances of file sharing when they had in fact never shared anything?
In March of this year, that's exactly what happened to my servers. It took a few hours to narrow down the traffic logs to find the excess load, and then it became quite obvious, based on the user agent, that it was nothing more than a BitTorrent swarm.
The nice part is that it's easily blocked by user-agent -- which isn't something that the original attacker can control.
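
As an added example (not part of the comment above or of any poster's code), this is one way to do the log triage that comment describes: tally requests per user agent in a combined-format access log and flag BitTorrent clients. The log lines, the client-name pattern and the `info_hash=` check are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed client name tokens; extend with whatever your own logs show.
BT_UA_RE = re.compile(r"utorrent|bittorrent|transmission|vuze|azureus|libtorrent", re.I)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = '''\
198.51.100.7 - - [10/Mar/2015:10:00:01 +0000] "GET /announce?info_hash=%12%34&peer_id=-UT3420-abc&port=6881 HTTP/1.1" 404 162 "-" "uTorrent/3420"
198.51.100.9 - - [10/Mar/2015:10:00:01 +0000] "GET /announce?info_hash=%12%34&peer_id=-TR2840-abc&port=51413 HTTP/1.1" 404 162 "-" "Transmission/2.84"
203.0.113.20 - - [10/Mar/2015:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Mar/2015:10:00:03 +0000] "GET /scrape?info_hash=%12%34 HTTP/1.1" 404 162 "-" "uTorrent/3420"
203.0.113.44 - - [10/Mar/2015:10:00:04 +0000] "GET /announce?info_hash=%12%34&port=6881 HTTP/1.1" 404 162 "-" "-"
this line is not in combined log format
'''

def parse(line):
    """Return (ip, request, user_agent) or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return (m["ip"], m["request"], m["ua"]) if m else None

def summarize(log_text):
    """Tally requests per user agent and count which signal flags each request."""
    stats = {"total": 0, "ua_match": 0, "announce_only": 0, "unparsed": 0}
    by_ua = Counter()
    for line in filter(None, log_text.splitlines()):
        rec = parse(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        _ip, request, ua = rec
        stats["total"] += 1
        by_ua[ua] += 1
        if BT_UA_RE.search(ua):
            stats["ua_match"] += 1       # would be caught by a user-agent block rule
        elif "info_hash=" in request:
            stats["announce_only"] += 1  # tracker-style request without a known client UA
    return stats, by_ua

if __name__ == "__main__":
    stats, by_ua = summarize(SAMPLE_LOG)
    print(stats)
    for ua, n in by_ua.most_common():
        print(f"{n:5d}  {ua}")
```

The per-user-agent tally is what makes a swarm stand out in the logs; the `announce_only` count shows how many tracker-style requests a user-agent rule alone would not cover.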