BitTorrent programs can be abused to amplify distributed denial-of-service attacks

Attackers could launch crippling attacks by reflecting the traffic through millions of computers running BitTorrent programs

BitTorrent applications used by hundreds of millions of users around the world could be tricked into participating in distributed denial-of-service (DDoS) attacks, amplifying the malicious traffic generated by attackers by up to 50 times.

DDoS reflection is a technique that uses IP (Internet Protocol) address spoofing to trick a service to send responses to a third-party computer instead of the original sender. It can be used to hide the source of malicious traffic.

The technique can typically be used against services that communicate over the User Datagram Protocol (UDP), because unlike the Transmission Control Protocol (TCP), UDP does not perform handshakes and therefore source IP address validation. This means an attacker can send a UDP packet with a forged header that specifies someone else's IP address as the source, causing the service to send the response to that address.

Over the past two years, attackers have abused UDP-based protocols like the Domain Name System (DNS), the Network Time Protocol (NTP) and the Simple Network Management Protocol (SNMP) to launch record-breaking DDoS attacks with bandwidths of up to 400Gbps.

Four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid, analyzed the protocols used by popular BitTorrent clients and found that they could also be abused for DDoS reflection and amplification.

In a paper presented last week at the 9th USENIX Workshop on Offensive Technologies (WOOT '15) the researchers showed how popular programs like uTorrent, Vuze or the BitTorrent Mainline client can help attackers amplify DDoS traffic by up to 50 times. BitTorrent Sync (BTSync), which is a separate protocol designed for peer-to-peer file synchronization, can be exploited for an amplification factor of up to 120.

Even less popular BitTorrent clients with smaller market shares like Transmission or LibTorrent are vulnerable, but their amplification factor is considerably lower -- 4 percent and 5 percent respectively -- the researchers said.

Exploiting BitTorrent protocols for DDoS amplification is in many ways more efficient than exploiting DNS or NTP. That's because there is a relatively small number of vulnerable DNS or NTP servers available on the Internet, but there are tens of millions of computers running vulnerable BitTorrent programs.

Moreover, DNS and NTP typically use a fixed port number so it's easy to filter malicious traffic over those protocols. But BitTorrent uses dynamic port ranges, so detecting and blocking an attack requires specialized firewalls capable of performing deep packet inspection, the researchers said.

Furthermore, attackers could exploit a BitTorrent protocol extension called Message Stream Encryption (MSE), which is supported by most BitTorrent clients and is designed to encrypt the traffic. DDoS amplification using MSE would be even harder to filter, the researchers said.

There are several types of countermeasures that could be implemented to prevent such attacks, according to the researchers.

One requires ISPs to implement recommended security practices like network ingress filtering to prevent IP spoofing in general. According to the Spoofer Project, which tracks how many networks allow IP spoofing on the Internet, about 24 percent of publicly routed IP address prefixes in the world can currently be spoofed.

Another countermeasure would be to implement a TCP-like, three-way handshake in the Micro Transport Protocol (uTP) that is currently used by most BitTorrent clients. However, this would be a significant change that would require a long adoption time and would create incompatibility with older clients.

Finally, BitTorrent programs could limit the messages that they include in their first uTP packet to one, which some clients already do. This wouldn't prevent the attack, but would reduce the amplification factor to around 4 or 5, the researchers said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags PLUMgridsecurityExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?