BitTorrent patches flaw that could amplify distributed denial-of-service attacks

Attackers could use the vulnerability to force BitTorrent applications to send malicious traffic

BitTorrent fixed a vulnerability that would have allowed attackers to hijack BitTorrent applications used by hundreds of millions of users in order to amplify distributed denial-of-service (DDoS) attacks.

The vulnerability was located in libuTP, a reference implementation of the Micro Transport Protocol (uTP) that's used by many popular BitTorrent clients including uTorrent, Vuze, Transmission and the BitTorrent mainline client.

The flaw was disclosed earlier this month in a paper presented at the 9th USENIX Workshop on Offensive Technologies by four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid.

DDoS amplification is an increasingly popular technique among attackers and can generate very large traffic volumes. It involves sending rogue requests to a large number of servers that appear to originate from the IP (Internet Protocol) address of a target chosen by attackers. This tricks those servers into sending their responses to the spoofed IP address instead of the original sender, flooding the victim with data packets.

The technique has the effect of hiding the source of the original traffic, which is known as reflection, but can also significantly amplify it if the generated responses are larger in size than the requests that triggered them.

This type of attack typically affects protocols that rely on the User Datagram Protocol (UDP) for data transmission, because UDP does not perform source address validation. In their paper, the four researchers showed that uTP is one such protocol.

They showed that an attacker could send a connection request with a spoofed address to a BitTorrent client forcing it to send an acknowledgement (ACK) packet to the victim. The attacker could then send a second request with the same spoofed address and a random ACK number to initiate a BitTorrent handshake.

The BitTorrent client would accept this second request as well and would send a handshake response to the victim. However, since the victim would not expect the packet, it wouldn't respond back, forcing the BitTorrent client to resend the data up to 4 times, amplifying the traffic that the attackers can generate.

In order to fix the issue, BitTorrent, the company that maintains libuTP, modified the library so that it properly verifies the ACK number accompanying the second request. If it doesn't match the one sent to the victim in the first packet, it will drop the connection.

The change does not prevent DDoS reflection but kills the amplification effect.

It would be fairly difficult for an attacker to guess the acknowledgement number for a sufficiently large number of reflectors, a BitTorrent engineer said in a blog post Thursday that explains the fix in detail.

The latest versions of uTorrent, BitTorrent mainline and BitTorrent Sync, which are developed by the company, have included the fix since Aug. 4.

The change does not affect backwards compatibility with older versions of those applications nor with third-party BitTorrent clients that use libuTP, a BitTorrent engineer said via email. "Nonetheless, we encourage other developers to ensure their implementations properly enforce acknowledgment number sequencing."

Other protocols designed by the company that rely on libuTP, like the Message Stream Encryption (MSE), are also protected.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?