BitTorrent programs can be abused to amplify distributed denial-of-service attacks

Attackers could launch crippling attacks by reflecting the traffic through millions of computers running BitTorrent programs

BitTorrent applications used by hundreds of millions of users around the world could be tricked into participating in distributed denial-of-service (DDoS) attacks, amplifying the malicious traffic generated by attackers by up to 50 times.

DDoS reflection is a technique that uses IP (Internet Protocol) address spoofing to trick a service to send responses to a third-party computer instead of the original sender. It can be used to hide the source of malicious traffic.

The technique can typically be used against services that communicate over the User Datagram Protocol (UDP), because unlike the Transmission Control Protocol (TCP), UDP does not perform handshakes and therefore source IP address validation. This means an attacker can send a UDP packet with a forged header that specifies someone else's IP address as the source, causing the service to send the response to that address.

Over the past two years, attackers have abused UDP-based protocols like the Domain Name System (DNS), the Network Time Protocol (NTP) and the Simple Network Management Protocol (SNMP) to launch record-breaking DDoS attacks with bandwidths of up to 400Gbps.

Four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid, analyzed the protocols used by popular BitTorrent clients and found that they could also be abused for DDoS reflection and amplification.

In a paper presented last week at the 9th USENIX Workshop on Offensive Technologies (WOOT '15) the researchers showed how popular programs like uTorrent, Vuze or the BitTorrent Mainline client can help attackers amplify DDoS traffic by up to 50 times. BitTorrent Sync (BTSync), which is a separate protocol designed for peer-to-peer file synchronization, can be exploited for an amplification factor of up to 120.

Even less popular BitTorrent clients with smaller market shares like Transmission or LibTorrent are vulnerable, but their amplification factor is considerably lower -- 4 percent and 5 percent respectively -- the researchers said.

Exploiting BitTorrent protocols for DDoS amplification is in many ways more efficient than exploiting DNS or NTP. That's because there is a relatively small number of vulnerable DNS or NTP servers available on the Internet, but there are tens of millions of computers running vulnerable BitTorrent programs.

Moreover, DNS and NTP typically use a fixed port number so it's easy to filter malicious traffic over those protocols. But BitTorrent uses dynamic port ranges, so detecting and blocking an attack requires specialized firewalls capable of performing deep packet inspection, the researchers said.

Furthermore, attackers could exploit a BitTorrent protocol extension called Message Stream Encryption (MSE), which is supported by most BitTorrent clients and is designed to encrypt the traffic. DDoS amplification using MSE would be even harder to filter, the researchers said.

There are several types of countermeasures that could be implemented to prevent such attacks, according to the researchers.

One requires ISPs to implement recommended security practices like network ingress filtering to prevent IP spoofing in general. According to the Spoofer Project, which tracks how many networks allow IP spoofing on the Internet, about 24 percent of publicly routed IP address prefixes in the world can currently be spoofed.

Another countermeasure would be to implement a TCP-like, three-way handshake in the Micro Transport Protocol (uTP) that is currently used by most BitTorrent clients. However, this would be a significant change that would require a long adoption time and would create incompatibility with older clients.

Finally, BitTorrent programs could limit the messages that they include in their first uTP packet to one, which some clients already do. This wouldn't prevent the attack, but would reduce the amplification factor to around 4 or 5, the researchers said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags PLUMgridsecurityExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?