Using BitTorrent for DRDoS Attacks
Researchers Florian Adamsky (City University London), Syed Ali Khayam (PLUMgrid Inc.), Rudolf Jäger (THM Friedberg) and Muttukrishnan Rajarajan (City University London) have published an interesting paper demonstrating that the BitTorrent protocol family is vulnerable to distributed reflective denial-of-service (DRDoS) attacks.
With peer-discovery techniques like trackers, DHT or PEX, an attacker can collect millions of amplifiers. An attacker only needs a valid info-hash or secret to exploit the vulnerabilities.
The BitTorrent clients uTorrent, Mainline and Vuze are highly vulnerable and can be used to amplify traffic by a factor of up to 50. With a single BTSync ping message, an attacker can amplify the traffic up to 120 times. An easier amplifier target is the MSE handshake, since an attacker does not need an info-hash; the amplification factor of this attack ranges from 4 to 32.5 times. Experiments showed that the attack is robust against amplifier churn.
To validate the robustness of the attack, the researchers wrote a BitTorrent crawler which ran for one month, collected more than 2.1 million IP addresses and analyzed more than 10,000 BitTorrent handshakes.
The impact of a DRDoS attack is proportional to the adoption of the protocol that it exploits, as wide adoption makes it easier to find and scale out the amplifier population. The two attacks referred to above were particularly devastating because they exploited DNS and NTP, both of which are widely used protocols on the Internet today.
BitTorrent and BTSync make use of UDP-based protocols. Since these protocols include no mechanism to prevent IP source address spoofing, an attacker can use peer-discovery techniques like trackers, DHT or Peer Exchange (PEX) to collect millions of possible amplifiers. The researchers therefore showed that BitTorrent, one of the most popular P2P file-sharing protocols, can also be exploited to launch DRDoS attacks.
An attacker who initiates a DRDoS does not send the traffic directly to the victim; instead, the traffic is sent to amplifiers, which reflect it to the victim. The attacker does this by exploiting network protocols that are vulnerable to IP spoofing. The result is a distributed attack that can be initiated by one or several attacker nodes.
The attack proceeds in the following steps:
1. The attacker needs to identify amplifiers before initiating the attack. This step depends on the protocol the attacker wants to exploit; the ZMap scanning tool can help to identify possible amplifiers.
2. After the attacker has identified amplifiers, he/she initiates the attack by sending small packets to the amplifiers. Instead of using its own socket address, the attacker spoofs the source address of the packet so that it appears to come from the victim.
3. The amplifiers respond to the victim with a larger packet.
DRDoS has several advantages over other kinds of attacks:
- the attacker hides his own identity, since the attack uses IP spoofing (evadability advantage);
- it can be initiated by a single computer, but results in a distributed attack (efficiency advantage);
- the amplifiers send a larger packet to the victim and therefore increase the impact of the attack (efficiency advantage).
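Seen from the victim's network, the defining symptom of the three steps above is traffic that answers requests the victim never made, arriving from many distinct reflectors at once. The following detection sketch is an added example, not code from the paper: it replays a constructed list of UDP packet summaries, as a border sensor might record them, and flags local hosts that receive unsolicited UDP from several sources with a byte volume far above what they sent out. The local prefix 192.0.2.0/24, the remote addresses (all documentation prefixes), the thresholds and the field names are assumptions.

```python
"""Flag local hosts that receive unsolicited UDP traffic from many remote sources.

Added detection example (not from the paper). A reflection victim sees answers
to requests it never sent; we look for exactly that pattern in a constructed
packet list. All addresses are documentation prefixes.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: the network we defend


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int  # bytes on the wire


def is_local(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOCAL_NET


def find_reflection_victims(packets, min_sources=3, min_ratio=4.0):
    """Return {local_host: stats} for hosts that look like reflection victims.

    A packet is 'unsolicited' when the local host never sent anything to that
    remote (ip, port). Two passes, so packet order in the capture does not matter.
    """
    sent = defaultdict(set)        # local host -> {(remote_ip, remote_port)} it talked to
    out_bytes = defaultdict(int)   # local host -> bytes it sent to the outside
    for p in packets:
        if is_local(p.src_ip) and not is_local(p.dst_ip):
            sent[p.src_ip].add((p.dst_ip, p.dst_port))
            out_bytes[p.src_ip] += p.length

    unsolicited = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for p in packets:
        if is_local(p.dst_ip) and not is_local(p.src_ip):
            if (p.src_ip, p.src_port) not in sent[p.dst_ip]:
                unsolicited[p.dst_ip]["sources"].add(p.src_ip)
                unsolicited[p.dst_ip]["bytes"] += p.length

    alerts = {}
    for host, info in unsolicited.items():
        # unsolicited inbound bytes versus everything the host sent out
        ratio = info["bytes"] / max(out_bytes[host], 1)
        if len(info["sources"]) >= min_sources and ratio >= min_ratio:
            alerts[host] = {"sources": len(info["sources"]), "bytes": info["bytes"], "ratio": ratio}
    return alerts


# Constructed sample: one legitimate peer exchange, one stray packet, and a
# victim (192.0.2.20) being hit by four reflectors it never contacted.
SAMPLE_PACKETS = [
    UdpPacket("192.0.2.10", 51000, "198.51.100.5", 6881, 88),    # local client opens a session
    UdpPacket("198.51.100.5", 6881, "192.0.2.10", 51000, 320),   # solicited reply
    UdpPacket("198.51.100.9", 6881, "192.0.2.10", 51001, 320),   # one stray packet, below threshold
    UdpPacket("192.0.2.20", 40000, "198.51.100.7", 53, 40),      # victim's only outbound packet
] + [
    UdpPacket(f"203.0.113.{i}", 6881, "192.0.2.20", 443, 300) for i in range(1, 5)
]

if __name__ == "__main__":
    for host, stats in find_reflection_victims(SAMPLE_PACKETS).items():
        print(f"{host}: {stats['sources']} unsolicited sources, "
              f"{stats['bytes']} B, ratio {stats['ratio']:.1f}")
```

On the sample, only 192.0.2.20 is reported (four unsolicited sources, 1200 bytes against 40 bytes sent); the single stray packet to 192.0.2.10 stays below the source threshold. In practice the same logic runs over flow records rather than individual packets, and the thresholds need tuning per network.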
Exploiting the BitTorrent Handshake
After the connection is established, BitTorrent requires a handshake as its first message. It contains reserved bytes for extensions, the info-hash and the peer-id. If a client receives a handshake with an info-hash of a torrent it does not participate in, the client drops the connection immediately. An attacker can use the BitTorrent handshake to initiate an amplification attack based on the two-way handshake of uTP:
- The attacker initiates a connection with a spoofed ST_SYN packet to the amplifier.
- The amplifier responds with an acknowledgment via an ST_STATE packet to the victim.
- This packet does not contain useful information, because uTP only supports the two-way handshake.
- The attacker sends an ST_DATA packet with a BitTorrent handshake in the payload.
- This handshake needs the info-hash (20 bytes) of a torrent the amplifier is actively sharing.
- The handshake has a minimum size of 88 bytes. If the amplifier participates in that torrent, it responds with its own handshake.
- The response is bigger than the packet the attacker sent, since clients put additional messages into the uTP packet.
According to the research paper, in tests nearly all clients sent either a BITFIELD or multiple HAVE messages within the first uTP data packet. Whether and how many HAVE messages are sent with the handshake depends on the client implementation. The size of the BITFIELD message depends on the size of the shared files. Since the handshake is never acknowledged, the amplifier assumes the packet was lost and retransmits the handshake. In their tests, all clients retransmitted the handshake 3 to 4 times before the connection was terminated.
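To make concrete what a DPI-style check on the amplifier side would have to look at, here is an added example (not the authors' code) that parses the 20-byte uTP header (BEP 29) and the 68-byte BitTorrent handshake (BEP 3), then walks a constructed packet trace for one connection and counts bytes in each direction, handshake retransmissions and acknowledgments received. The 88-byte figure above is the 68-byte handshake plus the 20-byte uTP header. The trace shape (direction, raw bytes), the info-hash, peer-ids, connection id, the 128-byte BITFIELD and the scoring thresholds are all constructed assumptions.

```python
"""Parse uTP headers and BitTorrent handshakes and score one connection for
reflection symptoms. Added example: layouts follow BEP 29 and BEP 3; the trace
shape (direction, raw_bytes) and the thresholds are assumptions."""
import struct
from collections import Counter

UTP_HDR = struct.Struct(">BBHIIIHH")  # type/ver, ext, conn_id, ts, ts_diff, wnd, seq, ack = 20 bytes
UTP_TYPES = {0: "ST_DATA", 1: "ST_FIN", 2: "ST_STATE", 3: "ST_RESET", 4: "ST_SYN"}
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes; plus the uTP header gives 88


def parse_utp(pkt: bytes):
    """Decode a uTP header; return None for anything that is not uTP version 1."""
    if len(pkt) < UTP_HDR.size:
        return None
    ver_type, _ext, conn_id, _ts, _ts_diff, _wnd, seq, ack = UTP_HDR.unpack_from(pkt)
    ptype, version = ver_type >> 4, ver_type & 0x0F
    if version != 1 or ptype not in UTP_TYPES:
        return None
    return {"type": UTP_TYPES[ptype], "conn_id": conn_id, "seq": seq, "ack": ack,
            "payload": pkt[UTP_HDR.size:]}


def parse_handshake(payload: bytes):
    """Split a BitTorrent handshake; 'extra' is whatever the client appended (BITFIELD/HAVE)."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    return {"reserved": payload[20:28], "info_hash": payload[28:48],
            "peer_id": payload[48:68], "extra": payload[68:]}


def analyze_connection(trace):
    """trace: [(direction, raw_packet)] seen at the monitored client; 'in' = towards it.

    Reflection symptom: the client sends far more than it receives, keeps
    retransmitting its handshake (same conn_id and seq_nr) and never gets an
    ST_STATE back, because the spoofed peer never asked for anything.
    """
    bytes_in = bytes_out = acks_in = 0
    handshake_sends = Counter()
    for direction, raw in trace:
        hdr = parse_utp(raw)
        if hdr is None:
            continue
        if direction == "in":
            bytes_in += len(raw)
            if hdr["type"] == "ST_STATE":
                acks_in += 1
        else:
            bytes_out += len(raw)
            if hdr["type"] == "ST_DATA" and parse_handshake(hdr["payload"]):
                handshake_sends[(hdr["conn_id"], hdr["seq"])] += 1
    retransmissions = sum(n - 1 for n in handshake_sends.values())
    amplification = bytes_out / bytes_in if bytes_in else float("inf")
    return {"bytes_in": bytes_in, "bytes_out": bytes_out, "amplification": amplification,
            "retransmissions": retransmissions, "acks_in": acks_in,
            "suspicious": retransmissions >= 2 and acks_in == 0 and amplification >= 4.0}


# --- constructed sample trace (placeholder identifiers, not a real torrent) ---
def utp(ptype, conn_id, seq, ack, payload=b""):
    return UTP_HDR.pack((ptype << 4) | 1, 0, conn_id, 0, 0, 1 << 20, seq, ack) + payload


def handshake(info_hash, peer_id, extra=b""):
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id + extra


INFO_HASH = bytes(range(20))
REMOTE_ID, LOCAL_ID = b"-AA0000-" + bytes(12), b"-BB0000-" + bytes(12)
BITFIELD = struct.pack(">IB", 1 + 128, 5) + bytes(128)  # <len><id=5><128-byte bitfield>
SAMPLE_TRACE = [
    ("in", utp(4, 0x1234, 1, 0)),                                     # ST_SYN, 20 B
    ("out", utp(2, 0x1234, 100, 1)),                                  # ST_STATE, 20 B
    ("in", utp(0, 0x1234, 2, 100, handshake(INFO_HASH, REMOTE_ID))),  # handshake, 88 B
] + [("out", utp(0, 0x1234, 101, 2, handshake(INFO_HASH, LOCAL_ID, BITFIELD)))] * 4  # 221 B each

if __name__ == "__main__":
    print(analyze_connection(SAMPLE_TRACE))
```

On the constructed trace the client receives 108 bytes and sends 904 (one 221-byte handshake-plus-BITFIELD, retransmitted three times), an amplification of roughly 8.4 with no acknowledgment ever coming back, which is the signature a client or inline device can act on: stop retransmitting the handshake to a peer that never acknowledges data, or rate-limit ST_STATE replies to fresh ST_SYNs per source.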
The researchers showed that the attack is quite difficult to circumvent, as the vulnerabilities found can only be defended against with a DPI firewall. In the case of an MSE handshake, it is even harder to detect the attack, since the packet contains a high-entropy payload with a public key and random data.