BitTorrent programs can be abused to amplify distributed denial-of-service attacks

Attackers could launch crippling attacks by reflecting the traffic through millions of computers running BitTorrent programs

BitTorrent applications used by hundreds of millions of users around the world could be tricked into participating in distributed denial-of-service (DDoS) attacks, amplifying the malicious traffic generated by attackers by up to 50 times.

DDoS reflection is a technique that uses IP (Internet Protocol) address spoofing to trick a service to send responses to a third-party computer instead of the original sender. It can be used to hide the source of malicious traffic.

The technique can typically be used against services that communicate over the User Datagram Protocol (UDP), because unlike the Transmission Control Protocol (TCP), UDP does not perform handshakes and therefore source IP address validation. This means an attacker can send a UDP packet with a forged header that specifies someone else’s IP address as the source, causing the service to send the response to that address.

Over the past two years, attackers have abused UDP-based protocols like the Domain Name System (DNS), the Network Time Protocol (NTP) and the Simple Network Management Protocol (SNMP) to launch record-breaking DDoS attacks with bandwidths of up to 400Gbps.

Four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid, analyzed the protocols used by popular BitTorrent clients and found that they could also be abused for DDoS reflection and amplification.

In a paper presented last week at the 9th USENIX Workshop on Offensive Technologies (WOOT ‘15) the researchers showed how popular programs like uTorrent, Vuze or the BitTorrent Mainline client can help attackers amplify DDoS traffic by up to 50 times. BitTorrent Sync (BTSync), which is a separate protocol designed for peer-to-peer file synchronization, can be exploited for an amplification factor of up to 120.

Even less popular BitTorrent clients with smaller market shares like Transmission or LibTorrent are vulnerable, but their amplification factor is considerably lower—4 percent and 5 percent respectively—the researchers said.

Exploiting BitTorrent protocols for DDoS amplification is in many ways more efficient than exploiting DNS or NTP. That’s because there is a relatively small number of vulnerable DNS or NTP servers available on the Internet, but there are tens of millions of computers running vulnerable BitTorrent programs.

Moreover, DNS and NTP typically use a fixed port number so it’s easy to filter malicious traffic over those protocols. But BitTorrent uses dynamic port ranges, so detecting and blocking an attack requires specialized firewalls capable of performing deep packet inspection, the researchers said.

Furthermore, attackers could exploit a BitTorrent protocol extension called Message Stream Encryption (MSE), which is supported by most BitTorrent clients and is designed to encrypt the traffic. DDoS amplification using MSE would be even harder to filter, the researchers said.

There are several types of countermeasures that could be implemented to prevent such attacks, according to the researchers.

One requires ISPs to implement recommended security practices like network ingress filtering to prevent IP spoofing in general. According to the Spoofer Project, which tracks how many networks allow IP spoofing on the Internet, about 24 percent of publicly routed IP address prefixes in the world can currently be spoofed.

Another countermeasure would be to implement a TCP-like, three-way handshake in the Micro Transport Protocol (uTP) that is currently used by most BitTorrent clients. However, this would be a significant change that would require a long adoption time and would create incompatibility with older clients.

Finally, BitTorrent programs could limit the messages that they include in their first uTP packet to one, which some clients already do. This wouldn’t prevent the attack, but would reduce the amplification factor to around 4 or 5, the researchers said.

Join the CSO newsletter!

Error: Please check your email address.

More about SNMPTransport

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place