Menu
BitTorrent programs can be abused to amplify distributed denial-of-service attacks

BitTorrent programs can be abused to amplify distributed denial-of-service attacks

Attackers could launch crippling attacks by reflecting the traffic through millions of computers running BitTorrent programs

BitTorrent applications used by hundreds of millions of users around the world could be tricked into participating in distributed denial-of-service (DDoS) attacks, amplifying the malicious traffic generated by attackers by up to 50 times.

DDoS reflection is a technique that uses IP (Internet Protocol) address spoofing to trick a service to send responses to a third-party computer instead of the original sender. It can be used to hide the source of malicious traffic.

The technique can typically be used against services that communicate over the User Datagram Protocol (UDP), because unlike the Transmission Control Protocol (TCP), UDP does not perform handshakes and therefore source IP address validation. This means an attacker can send a UDP packet with a forged header that specifies someone else’s IP address as the source, causing the service to send the response to that address.

Over the past two years, attackers have abused UDP-based protocols like the Domain Name System (DNS), the Network Time Protocol (NTP) and the Simple Network Management Protocol (SNMP) to launch record-breaking DDoS attacks with bandwidths of up to 400Gbps.

Four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid, analyzed the protocols used by popular BitTorrent clients and found that they could also be abused for DDoS reflection and amplification.

In a paper presented last week at the 9th USENIX Workshop on Offensive Technologies (WOOT ‘15) the researchers showed how popular programs like uTorrent, Vuze or the BitTorrent Mainline client can help attackers amplify DDoS traffic by up to 50 times. BitTorrent Sync (BTSync), which is a separate protocol designed for peer-to-peer file synchronization, can be exploited for an amplification factor of up to 120.

Even less popular BitTorrent clients with smaller market shares like Transmission or LibTorrent are vulnerable, but their amplification factor is considerably lower—4 percent and 5 percent respectively—the researchers said.

Exploiting BitTorrent protocols for DDoS amplification is in many ways more efficient than exploiting DNS or NTP. That’s because there is a relatively small number of vulnerable DNS or NTP servers available on the Internet, but there are tens of millions of computers running vulnerable BitTorrent programs.

Moreover, DNS and NTP typically use a fixed port number so it’s easy to filter malicious traffic over those protocols. But BitTorrent uses dynamic port ranges, so detecting and blocking an attack requires specialized firewalls capable of performing deep packet inspection, the researchers said.

Furthermore, attackers could exploit a BitTorrent protocol extension called Message Stream Encryption (MSE), which is supported by most BitTorrent clients and is designed to encrypt the traffic. DDoS amplification using MSE would be even harder to filter, the researchers said.

There are several types of countermeasures that could be implemented to prevent such attacks, according to the researchers.

One requires ISPs to implement recommended security practices like network ingress filtering to prevent IP spoofing in general. According to the Spoofer Project, which tracks how many networks allow IP spoofing on the Internet, about 24 percent of publicly routed IP address prefixes in the world can currently be spoofed.

Another countermeasure would be to implement a TCP-like, three-way handshake in the Micro Transport Protocol (uTP) that is currently used by most BitTorrent clients. However, this would be a significant change that would require a long adoption time and would create incompatibility with older clients.

Finally, BitTorrent programs could limit the messages that they include in their first uTP packet to one, which some clients already do. This wouldn’t prevent the attack, but would reduce the amplification factor to around 4 or 5, the researchers said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments