Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BitTorrent programs can be abused to amplify distributed denial-of-service attacks

Lucian Constantin | Aug. 18, 2015
Attackers could launch crippling attacks by reflecting the traffic through millions of computers running BitTorrent programs.

ddos attack wi fi defense

BitTorrent applications used by hundreds of millions of users around the world could be tricked into participating in distributed denial-of-service (DDoS) attacks, amplifying the malicious traffic generated by attackers by up to 50 times.

DDoS reflection is a technique that uses IP (Internet Protocol) address spoofing to trick a service to send responses to a third-party computer instead of the original sender. It can be used to hide the source of malicious traffic.

The technique can typically be used against services that communicate over the User Datagram Protocol (UDP), because unlike the Transmission Control Protocol (TCP), UDP does not perform handshakes and therefore source IP address validation. This means an attacker can send a UDP packet with a forged header that specifies someone else's IP address as the source, causing the service to send the response to that address.

Over the past two years, attackers have abused UDP-based protocols like the Domain Name System (DNS), the Network Time Protocol (NTP) and the Simple Network Management Protocol (SNMP) to launch record-breaking DDoS attacks with bandwidths of up to 400Gbps.

Four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid, analyzed the protocols used by popular BitTorrent clients and found that they could also be abused for DDoS reflection and amplification.

In a paper presented last week at the 9th USENIX Workshop on Offensive Technologies (WOOT '15) the researchers showed how popular programs like uTorrent, Vuze or the BitTorrent Mainline client can help attackers amplify DDoS traffic by up to 50 times. BitTorrent Sync (BTSync), which is a separate protocol designed for peer-to-peer file synchronization, can be exploited for an amplification factor of up to 120.

Even less popular BitTorrent clients with smaller market shares like Transmission or LibTorrent are vulnerable, but their amplification factor is considerably lower -- 4 percent and 5 percent respectively -- the researchers said.

Exploiting BitTorrent protocols for DDoS amplification is in many ways more efficient than exploiting DNS or NTP. That's because there is a relatively small number of vulnerable DNS or NTP servers available on the Internet, but there are tens of millions of computers running vulnerable BitTorrent programs.

Moreover, DNS and NTP typically use a fixed port number so it's easy to filter malicious traffic over those protocols. But BitTorrent uses dynamic port ranges, so detecting and blocking an attack requires specialized firewalls capable of performing deep packet inspection, the researchers said.

Furthermore, attackers could exploit a BitTorrent protocol extension called Message Stream Encryption (MSE), which is supported by most BitTorrent clients and is designed to encrypt the traffic. DDoS amplification using MSE would be even harder to filter, the researchers said.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.