Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Internet

BitTorrent Clients Can Be Made To Participate In High-Volume DoS Attacks 47

An anonymous reader writes: A group of researchers have discovered some of the most popular BitTorrent applications, including uTorrent, Mainline, and Vuze are vulnerable to a newly discovered form of distributed denial of service attack that makes it easy for a single person to bring down large sites. The weaknesses allow an attacker to insert the target's IP address instead of their own in the malicious request. To mount a Distributed Reflective DoS (DRDoS) attack, an attacker sends this malformed requests to other BitTorrent users, which then act as reflectors and amplifiers and flood the intended victim with responses.
This discussion has been archived. No new comments can be posted.

BitTorrent Clients Can Be Made To Participate In High-Volume DoS Attacks

Comments Filter:
  • Interesting. (Score:5, Interesting)

    by Shaman ( 1148 ) <shaman @ k o s .net> on Monday August 17, 2015 @02:28PM (#50334025) Homepage

    I've wondered several times to myself if this was possible. I figured no, since the torrent clients / seeds participate in an ACK system of sorts (or, so I've reasoned), so the sending clients would not get a return and so wouldn't keep bothering. But then, this *IS* possible to a torrent client which clicks on a carefully formed link and always was. Ever click on a link that has 40,000+ peers and/or seeds on it?

    • by Anonymous Coward

      Ever click on a link that has 40,000+ peers and/or seeds on it?

      Found links that claimed 40,000 peers and 700 seeds. Turns out there were 8 peers, no seeds, and all 9 of us were waiting for the same little bit in the middle of the rar (because for some reason it's always rar when this sort of thing happens, never loose files, and for some reason never any of the other compression formats).

      • by mlts ( 1038732 )

        I've never understood why people bag on rar. In fact, it is one of the few programs that I have a volume license for because it winds up on every box and general purpose VM I own.

        The main reason is that it is a stable archive format. I grab a stack of multi-part archives I burned on CDs 10 years ago, and I have an excellent chance of pulling a file off. Dead CD? I just put the media in with the recovery volume, and that is only if the error correction recovery record I added (usually 5-10%) didn't cut t

        • rar torrent means fake torrent. seriously, archive format was not the point.
  • Spoofed Source IP (Score:2, Insightful)

    by Anonymous Coward

    Just another spoofed source IP address attack.

    No one's ever seen that before.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      God forbid anyone do any sort of egress filtering on their end-user networks to make sure that any packets leaving it, claim to come from it.

      You'd think this would have been solved aeons ago, what with ISPs cutting costs and refusing to upgrade infrastructure. Cutting off DOS attacks before they head out onto the upstream backbone that they've got to pay for seems like a no-brainer.

      • by Cramer ( 69040 )

        This has been a "best practice" for decades, and yet, many BIG NAME ISPs cannot be bothered to do it.

    • Since this is basically a smurf attack through a different protocol, I think we should call it a "snork attack".

    • Exactly. I was reading research papers about similar DDoS attacks using unwitting BitTorrent clients back in 2007 and 2008. Not sure why this is noteworthy, since there were several different attacks back then that could be used to publish false IP addresses to the distributed hash table (DHT) as being sources for particular packets from the torrent, such that peers looking for that packet would try to repeatedly contact a server that wasn't even a part of the torrent swarm. There were also a variety of tec

  • by Anonymous Coward

    I've seen this a few times against networks that I managed in the past couple years. Some of it is also due to root server DNS poisoning in China directing torrent clients to my web servers instead of "thepiratebay.org" which can cause a decent amount of amplification. It's easy enough to mitigate if you take a look at the HTTP communications coming in, because they definitely don't look right.

  • by ukoda ( 537183 ) on Monday August 17, 2015 @03:18PM (#50334421) Homepage
    Given media companies chasing people for illegal sharing on the basis the very lists that this exploit is manipulating I guess this could lead to false allegations of file sharing? I guess it could be used in countries like New Zealand to have victims force disconnected by their ISP for multiple instances of file sharing when they had in fact never shared anything?
    • by Anonymous Coward

      We all know BitTorrent is only for hackers, god forbid they are also running Linux.

    • There was that case where researchers were able to use some manner of spoofing to attract DMCA complaints claiming that their networked printer was engaging in file-sharing. There's a TorrentFreak article about it here [torrentfreak.com] which links to the PDF of the paper they published.
  • Kind of analogous to a synchrotron for weaponized data...or wait, here's a good one: Focused Binary Multiplicative Scalar Informational Superfluity Generator. Torrentpedo? Rickroll of Damocles? These are all terrible.

  • Am I the only one who immediately thought of DR-DOS [wikipedia.org], which was for a time the best and most useful version of DOS out there? Nostalgia, thine name is the BBS days. - HEX
  • I would have thought all this lone DDOS attacker need was all those compromised Microsoft Windows computers out there on the Internet.
  • The problem seems to be that uTP, which uses UDP instead of TCP, was created because when torrents used TCP, they had the same priority as TCP packets for things like web browsing. Going back to TCP would seem to ameliorate at least one form of attack mentioned. Why reinvent the wheel by enhancing uTP to the point where its virtually indistinguishable from TCP when the priority problem can be solved another way?

    How about an "internal" QoS parameter, set as a socket option call, that sets a QoS within a gi

    • by Agripa ( 139780 )

      I've had cases where I'm downloading a lot of stuff (either in the browser's download manager or something external like fedora's yum reposync) and foreground web browsing slows to a crawl.

      I do not have this problem and there are at least two ways to solve it:

      The uTP protocol includes monitoring of the connection latency and is suppose to throttle itself if latency becomes excessive. Maybe this is set wrong on your bittorrent client.

      Using a traffic shaper will also fix this problem.

  • by holophrastic ( 221104 ) on Tuesday August 18, 2015 @09:35AM (#50339047)

    In March, of this year, that's exactly what happened to my servers. It took a few hours to narrow down the traffic logs to find the excess load, and then it became quite obvious, based on the user agent, that it was nothing more than a bittorrent swarm.

    The nice part is that it's easily blocked by user-agent -- which isn't something that the original attacker can control.

No spitting on the Bus! Thank you, The Mgt.

Working...