DNS-based BitTorrent DoS attacks proved possible
Mon 17 Aug 2015
New research from City University London has demonstrated the practicability of using highly popular file-sharing clients based on the BitTorrent protocol to accomplish Denial of Service (DoS) attacks that are orders of magnitude more aggressive and powerful than conventional techniques currently in use.
The paper [PDF], entitled P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks, details the efforts of researcher Florian Adamsky (along with colleagues Syed Ali Khayam of Santa Clara-based security outfit PLUMgrid and Rudolf Jäger of the Mittelhessen University of Applied Sciences in Germany) to prove that attackers can exploit vulnerabilities in BitTorrent clients in order to effect Distributed Reflective Denial of Service (DRDoS) attacks.
The paper states “Our protocol analysis shows that BitTorrent is highly vulnerable to DRDoS attacks. An attacker is able to amplify the traffic beginning from 4–54.3 times.”
DRDoS attacks rely on the misconfiguration of Domain Name System (DNS) servers to help attackers spoof the apparent originating source of a ‘request flood’ – the type of information overload that can bring down a website or organizational infrastructure for days, or weeks.
A DRDoS attack routes the aggressive traffic through ‘amplifiers’, and these reflect the traffic to the victim. In the case of a BitTorrent-based attack the protocols exploited are Distributed Hash Table (DHT), Micro Transport Protocol (uTP), BitTorrent Sync (BTSync) and Message Stream Encryption (MSE). “Since these protocols do not include mechanisms to prevent IP source address spoofing,” the paper explains, “an attacker can use peer-discovery techniques like trackers, DHT or Peer Exchange (PEX) to collect millions of possible amplifiers.”
Apparently the BitTorrent clients that are most susceptible to the attack are also those that are most widely used; the report observes that “the most widely-used BitTorrent clients like uTorrent, Mainline and Vuze are also the most vulnerable ones.” Three years ago the number of users of uTorrent alone was estimated at 150 million, making the potential devastation of a BitTorrent-based DoS attack formidable.
In terms of security for the attacking actor, this attack method has the advantage of being undetectable by standard firewalls due to the encrypted nature of the protocol, and would require deep packet inspection to identify. Additionally, a BitTorrent-based DRDoS attack has the advantage of being launchable from a single computer. The potency of this attack format is further reinforced by the multiple connections that BitTorrent is able to leverage; clients operate separate connection threads on multiple ports, which can result in a client dominating available bandwidth.
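Because the payloads are encrypted, the reflection pattern described above is easier to spot at the flow level than in packet contents: a peer answering a burst of small UDP requests from one claimed source with replies several times larger. The following is an added example (not code from the paper or from BitTorrent) that applies that check to constructed NetFlow-style records; the port range, thresholds and addresses are assumptions, with the 4x floor taken from the paper's reported 4–54.3x amplification range.

```python
"""Flag reflective-amplification candidates at a BitTorrent peer from flow records.

Constructed example. Records are simplified unidirectional flows (src, sport, dst,
dport, bytes) as a peer's network operator might export. A (peer -> claimed source)
pair is suspicious when many small inbound requests are answered with outbound bytes
at least MIN_AMPLIFICATION times larger: the claimed source is then likely a victim
whose address was spoofed, as the paper describes.
"""
from collections import defaultdict

BT_PORTS = range(6881, 6890)   # conventional BitTorrent/DHT port range (assumption)
MIN_AMPLIFICATION = 4.0        # lower bound of the paper's 4-54.3x range
MIN_REQUESTS = 20              # constructed threshold to ignore normal DHT chatter

# Constructed flows. 192.0.2.10 is the observed peer; 203.0.113.9 is the address
# written into spoofed requests (all RFC 5737 documentation addresses).
FLOWS = (
    [("203.0.113.9", 40000, "192.0.2.10", 6881, 60)] * 50     # 50 tiny "requests"
    + [("192.0.2.10", 6881, "203.0.113.9", 40000, 1400)] * 50  # 50 large replies
    + [("198.51.100.4", 51515, "192.0.2.10", 6881, 120)] * 3   # ordinary DHT lookups
    + [("192.0.2.10", 6881, "198.51.100.4", 51515, 300)] * 3
)

def amplification_pairs(flows, peer):
    """Return {claimed_source: (requests, bytes_in, bytes_out, ratio)} for one peer."""
    stats = defaultdict(lambda: [0, 0, 0])
    for src, sport, dst, dport, nbytes in flows:
        if dst == peer and dport in BT_PORTS:      # inbound request to the peer
            stats[src][0] += 1
            stats[src][1] += nbytes
        elif src == peer and sport in BT_PORTS:    # peer's reply toward that source
            stats[dst][2] += nbytes
    result = {}
    for remote, (reqs, b_in, b_out) in stats.items():
        ratio = b_out / b_in if b_in else float("inf")
        result[remote] = (reqs, b_in, b_out, round(ratio, 2))
    return result

def suspected_victims(flows, peer):
    """Claimed sources whose traffic pattern matches reflective amplification."""
    pairs = amplification_pairs(flows, peer)
    return sorted(r for r, (reqs, _, _, ratio) in pairs.items()
                  if reqs >= MIN_REQUESTS and ratio >= MIN_AMPLIFICATION)

if __name__ == "__main__":
    for victim in suspected_victims(FLOWS, "192.0.2.10"):
        print("possible reflection target:", victim,
              amplification_pairs(FLOWS, "192.0.2.10")[victim])
```

The ordinary DHT exchange (3 lookups, 2.5x ratio) stays below both thresholds, while the spoofed burst is flagged with a 23.33x ratio, inside the paper's reported range.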
Update 28/08/15 – BitTorrent has since responded to the Adamsky paper. In a blog post today the company outlines how its engineering teams have been working to mitigate the possibility of DRDoS attacks.