Using BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks

Researchers warn several BitTorrent protocols can be leveraged to carry out distributed reflective denial of service (DRoS) attacks.

Researchers warn that several protocols used by the peer-to-peer file sharing service BitTorrent, including a handful of clients that run the protocol, can be leveraged to carry out distributed reflective denial of service (DRDoS) attacks.

Distributed reflective denial of service, or DRDoS attacks, occur when attackers send an overwhelming amount of traffic to amplifiers, which act like reflectors and redirect traffic to a victim. Unlike conventional DoS attacks, in DRDoS attacks traffic isn’t sent directly to the victim.

Researchers describe several attack scenarios involving the protocol in an academic paper, “P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks” (.PDF) published as part of USENIX’s Woot ’15 workshop last week.

In the paper, Florian Adamsky, a research student at City University London, describes how to exploit common BitTorrent network protocols, including its default transport option, uTP. Adamsky, who’s published BitTorrent research in the past, was assisted by PLUMgrid, Inc.’s Syed Ali Khayam, THM Friedberg’s Rudolf Jager, and another City University London student, Muttukrishnan Rajarajan, on this paper.

To test for attacks the researchers put together a “P2P lab testbed” composed of more than 10,000 BitTorrent handshakes – two-way connections between uTP nodes.

Assuming they have a valid SHA-1 info-hash, the researchers claim uTP could enable attackers to carry out attacks by using a spoofed IP address. In fact, attacks channeled through BitTorrent could be amplified up to 50 times. This includes those filtered through some of the more protocol’s more popular clients, such as uTorrent, Mainline and one of the biggest culprits, Vuze, which they found heightened attacks up to 54 times.

“uTP establishes a connection with a two-way handshake. This allows an attacker to establish a connection with an amplifier using a spoofed IP address, as the receiver does not check whether the initiator has received the acknowledgment,” the paper reads.

The vector the attack uses is difficult to detect researchers warn, stressing that a DRDoS attack, routed through BitTorrent, can’t be detected by normal firewalls. Users would have to go further, by implementing a Deep Packet Inspection (DPI) firewall to detect most of the attacks, according to Adamsky and company. An MSE handshake would be even trickier.

“In case of a MSE handshake, it is even harder to detect the attack, since the packet contains a high entropy payload with a public key and random data,” the researchers write.

To combat the attacks from happening, the researchers encourage developers behind the protocol to switch uTP over to a more secure three-way handshake, like the one that TCP uses, which would prevent attacks like this from happening.

The researchers claim there are a handful of other techniques, such as limiting the messages in the first uTP packet that’s sent to amplifiers, that could also help thwart IP spoofing and minimize the number of amplification attacks that use BitTorrent as a medium.

The researchers stress that protocols used by BitTorrent other than uTP, including DHT — Distributed Hash Table, MSE — Message Stream Encryption and BTSync — BitTorrent Sync, are also vulnerable to these types attacks. In the case of BTSync, an attacker could use “a single ping message” to amplify some attacks up to 120 times via the protocol, according to the paper.

New forms of reflected distributed denial of service attacks are upping the ante when it comes large-scale DDoS attacks. Earlier this year hackers used an old routing protocol RIPv1 found on multiple old and out of date business routers to launch both reflection and amplification-centric DDoS attacks.

In April experts warned that of a vulnerability in Multicast DNS that could be harnessed and as a result trigger high volume DDoS amplification attacks.

Suggested articles