Security Basics: DRDOS Attacks Explained


In a recently released paper by Florian Adamsky et al., it was revealed that the Bittorrent protocol can — in theory at least — be leveraged to perform devastating distributed denial of service attacks. Over the last couple of years, security researchers have seen a huge increase in the size of DDOS attacks, which regularly peak at several hundred gigabytes a second of data directed at network interfaces that can’t hope to handle the deluge.

Bittorrent — and the related sync protocol — join a roster of protocol weaknesses that can be exploited by malicious individuals to knock servers offline. Both DNS and the Network Time Protocol have been used to perform attacks of this sort, but the Bittorrent vulnerability is especially pernicious for a couple of reasons.

To understand why the Bittorrent DDOS vector has the potential to be so effective, let’s take a look at exactly what’s happening in this sort of attack.

Firstly, a simple distributed denial of service uses hundreds or thousands of computers — often compromised machines in a botnet — to send as much data as possible to a specific network interface. It’s difficult for the server to determine whether this data is a genuine request or an attack, but it doesn’t have the resources to handle the quantity of data. Multi-hundred gigabit attacks can knock even the largest enterprise network interfaces offline.

The Bittorrent attacks have a couple of twists. They are reflected attacks, and they are amplified attacks. Both of these are enabled because of the Bittorrent protocol and the underlying UDP protocol.

Reflected — the R in DRDOS — means that rather than sending data directly from machines under the control of the attacker to the victim, they are first “reflected” off an intermediate server. The attacker sends a packet of data to the reflector requesting some information. The “return address” of that request is spoofed — the packet asks the reflector to respond to the victim and not the origin of the request. This makes it difficult to determine who made the request in the first place.

Amplification is the reason an attacker with limited resources can send hundreds of gigabytes. The attacker sends a small packet of data as its request to the reflector. But the request prompts a response that is many times larger than the original request. That large payload is sent from the reflector to the spoofed IP of the victim. So for a small amount of bandwidth controlled by the attacker, the end result can be a huge amount of data battering the victim.

Back to the Bittorrent problem. By using Bittorrent services as the reflector, an attacker can amplify the data sent to the victim 50 times. Using BTSync services, it can be amplified 120 times!
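A reflector operator can see this asymmetry in their own traffic. The following is an added example, not code from the original post or from Bittorrent: it totals request and response bytes per claimed source address and flags addresses whose replies far outweigh their requests. The flow-record layout, the addresses and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed UDP flow records as seen on a host running a UDP service
# (a potential reflector). "peer" is the source address claimed in the
# request; under spoofing that is the victim's address, not the sender's.
FLOWS = [
    {"peer": "198.51.100.7", "dir": "in",  "bytes": 110},   # ordinary client
    {"peer": "198.51.100.7", "dir": "out", "bytes": 320},
    {"peer": "203.0.113.50", "dir": "in",  "bytes": 100},   # small requests...
    {"peer": "203.0.113.50", "dir": "out", "bytes": 5000},  # ...large replies
    {"peer": "203.0.113.50", "dir": "in",  "bytes": 100},
    {"peer": "203.0.113.50", "dir": "out", "bytes": 5000},
    {"peer": "192.0.2.9",    "dir": "in",  "bytes": 90},    # request, no reply
]

def amplification_by_peer(flows):
    """Return {peer: (request_bytes, response_bytes, factor)}."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[f["peer"]][0 if f["dir"] == "in" else 1] += f["bytes"]
    # A peer with replies but no recorded request gets an infinite factor.
    return {p: (req, resp, resp / req if req else float("inf"))
            for p, (req, resp) in totals.items()}

def suspected_reflection(flows, min_factor=10.0, min_response_bytes=4096):
    """Peers that were sent far more bytes than their requests carried.

    Both thresholds are assumed values; tune them to the service's
    normal request/response ratio.
    """
    hits = [(p, round(factor, 1))
            for p, (req, resp, factor) in amplification_by_peer(flows).items()
            if factor >= min_factor and resp >= min_response_bytes]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for peer, factor in suspected_reflection(FLOWS):
        print(f"{peer}: responses are {factor}x the request bytes")
```
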

Bittorrent is especially troublesome because it’s so common and because Bittorrent services are so easy to find — they’re designed to be easy to find. Trackers contain huge lists of available servers. One of the problems facing a would-be attacker is churn: the turnover of machines available for use as reflectors. In a DDOS attack using NTP, the servers can be quickly patched or have anti-DDOS measures put in place. That’s very difficult to do with Bittorrent servers because they are so common and under the control of millions of non-technical individuals who may not be inclined to update their Bittorrent applications.

Additionally, Bittorrent uses dynamic port ranges and encryption, which makes it hard to spot attacks. It’s impossible to block an attack from this vector with standard firewall technologies.

After the publication of the report, Bittorrent released a blog post discussing the factors they now have in place to limit the effectiveness of the attacks we’ve discussed here.

“This is a serious issue and as with all security issues, we take it very seriously. We thank Florian for his work and will continue to both improve the security of these protocols and share information on these updates through our blog channels and forums.”

Image: Flickr/adoseofshipboy

Sep 24, 2015, 5:07 pm
By: Corey Northcutt
