Sunday, June 2, 2013

Bittorrent Based DDOS Attack

BitTorrent is the most famous and widely used peer to peer file transfer protocol. Created in 2001 by Bran Cohen, it quickly caught users’ attention all over the world and it became more popular than other existing such networks like Napster, Gnutella and FastTrack. But its popularity combined with a basic flaw in the design and working of this protocol has opened the possibility for a Distributed Denial of service attack on arbitrary server of the attacker’s choice. Here we are going to look how this is possible.


Bittorrent protocol consists of some basic entities like
•    Seed – a seeder is a client which has the complete file(s). It shares it with other clients.
•    Peer/leecher – they are clients that have part of the file(s) and are currently downloading the remaining of it.
•    Tracker – A tracker is a server that has the list of all seeds and peers which are currently sharing the file(s).
•    Torrent file – it is a file that contains the location of all the trackers and the checksums of all the hashes that the file(s) is divided.
Now initially the tracker is setup, a torrent file is generated and minimum of one seeder must exist. As the torrent is distributed, new peers join in to download the data and convert to seeds. Any new peer that joins in to download the file must announce itself to the tracker. Then the tracker directs it to other potential seeders and peers from where the peer would download the file(s). Now here’s the problem – the peers blindly agree on whatever the tracker announces to them. The peers do not authenticate the list of peers and the seeders that the tracker gives them.

We would now exploit this vulnerability of the protocol that peers don’t authenticate other seeds or peers and have full trust on whatever the tracker announces as seeds. Consider an attacker wants to perform a DOS attack on the victim server(s). What he will do is setup a tracker and create a fake torrent (any popular game or movie). It will seed it initially. Then the attacker advertises its torrent via popular torrent search engines. Now the tracker, along with the legitimate seeds, will announce the victim’s server(s) as a seed. So all the other users that are downloading this torrent will try to connect to the server hoping to get a part of the file. In this process there will be many open TCP connections on the server from arbitrary users around the world. This will cause that server to eventually break down due to memory overflow. Once this happens we can say that the attack is successful.

•    The client needs no modification and is also unaware that it is participating in an attack.
•    Everything seems normal to the client as it is able to download the entire file normally.
•    The attacker gets full flexibility as to which server, how many server any which ports it wants to attack and also controls the start time and end time of the attack.
•    The attacker is not exposed as it never attacks any machine.

Here we just saw how the minor lack of authentication can be a serious vulnerability in the famous bittorrent protocol and can be easily and efficiently used to perform a DDos attack on any server(s). 

A BitTorrent-Driven Distributed Denial-of-Service Attack - Jerome Harrington, Corey Kuwanoe, Cliff C. Zou

Image Reference

Author : Mufaddal Makati
Contact :

No comments: