There are vulnerabilities in BitTorrent, the popular peer-to-peer (P2P) file sharing protocol, that could be abused to launch distributed reflective denial-of-service (DRDoS) attacks, researchers said.
Attackers can abuse BitTorrent protocols such as Micro Transport Protocol (uTP), Distributed Hash Table (DHT) and Message Stream Encryption (MSE), as well as the BitTorrent Sync (BTSync) tool, to reflect and amplify traffic, researchers said at the USENIX conference.
BitTorrent and BTSync use UDP protocols, which do not prevent the spoofing of source IP addresses. This allows an attacker to send small packets to amplifiers using the victim’s IP, which results in the amplifiers sending larger packets to the victim.
Potential amplifiers can be identified using peer discovery techniques such as DHT, Peer Exchange (PEX) and trackers. These techniques allow attackers to collect millions of amplifiers, researchers said.
This type of DRDoS attack has three main advantages for the attacker: the attacker can hide his identity, a distributed attack can be launched from a single computer, and the attack's impact is increased by the amplifiers.
“The impact of a DRDoS attack is proportional to the adoption of the protocol that it is exploiting, as wide adoption makes it easier to find and scale-out the amplifier population,” the researchers said in a paper presented at the conference.
Experiments conducted by the researchers revealed attackers can obtain an amplification factor of up to 50 in the case of BitTorrent clients and an amplification factor of up to 120 in the case of BTSync.
The most vulnerable BitTorrent clients are the most popular ones, namely uTorrent, Mainline and Vuze, the researchers said.
Attacks that abuse DNS and NTP for reflection are easy to block with a stateful packet inspection (SPI) firewall because DNS and NTP use well-known ports. Attacks leveraging BitTorrent protocols, however, can only be mitigated with deep packet inspection (DPI) firewalls that detect certain strings in the handshake. Attacks that exploit MSE cannot be blocked even with DPI because the MSE handshake is completely random, the researchers said.
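The two detection approaches contrasted above, string matching on the plaintext handshake versus a content-independent check that also covers MSE, as an added illustration that is not code from the article or the paper. It works on constructed per-flow UDP records (the field names, the 10x ratio and the three-reflector threshold are assumptions chosen for the example); the handshake signatures are the standard BitTorrent peer handshake prefix and bencoded DHT queries.

```python
import re
from collections import defaultdict

# Strings a DPI rule can match in plaintext BitTorrent traffic: the peer handshake
# starts with pstrlen=19 followed by "BitTorrent protocol", and DHT queries are
# bencoded dictionaries whose "q" key names the query (ping, get_peers, find_node).
HANDSHAKE_SIGNATURES = [
    re.compile(rb"^\x13BitTorrent protocol"),
    re.compile(rb"^d1:ad2:id20:.{20}.*?e1:q(4:ping|9:get_peers|9:find_node)", re.S),
]

def matches_handshake(payload: bytes) -> bool:
    """DPI-style check: does the UDP payload look like a plaintext BT handshake?"""
    return any(sig.search(payload) for sig in HANDSHAKE_SIGNATURES)

def amplification_alerts(flows, min_ratio=10.0, min_reflectors=3):
    """Group UDP flows by the (spoofed) victim address and keep those whose response
    bytes are at least min_ratio times the request bytes. The ratio check does not
    look at payload content, so it also flags MSE flows whose handshake is random;
    the handshake match is recorded alongside so an analyst can see which rule hit."""
    by_victim = defaultdict(list)
    for f in flows:
        ratio = f["resp_bytes"] / max(f["req_bytes"], 1)
        if ratio >= min_ratio:
            by_victim[f["victim"]].append(
                (f["reflector"], ratio, matches_handshake(f["payload"])))
    return {v: hits for v, hits in by_victim.items() if len(hits) >= min_reflectors}

# Constructed sample records (not real traffic): "victim" is the spoofed source of the
# request, "reflector" the BitTorrent peer that answered, "payload" the request bytes.
SAMPLE_FLOWS = [
    {"reflector": "198.51.100.10", "victim": "203.0.113.5", "req_bytes": 60, "resp_bytes": 3000,
     "payload": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40},        # uTP handshake
    {"reflector": "198.51.100.11", "victim": "203.0.113.5", "req_bytes": 58, "resp_bytes": 2900,
     "payload": b"d1:ad2:id20:" + b"B" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"},   # DHT ping
    {"reflector": "198.51.100.12", "victim": "203.0.113.5", "req_bytes": 96, "resp_bytes": 4800,
     "payload": bytes(range(96))},                                           # MSE: no string to match
    {"reflector": "198.51.100.13", "victim": "203.0.113.9", "req_bytes": 100, "resp_bytes": 120,
     "payload": b"\x13BitTorrent protocol" + b"\x00" * 48},                  # ordinary peer traffic
]

if __name__ == "__main__":
    for victim, hits in amplification_alerts(SAMPLE_FLOWS).items():
        print(victim, [(r, round(x), m) for r, x, m in hits])
```

Only the third flow is invisible to the string rules yet still shows up in the ratio-based alert, which is the gap the researchers describe for MSE.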
“We think a working countermeasure must follow two parallel ways: Global ISP coordination to prevent IP spoofing and protocol defense mechanism to avoid protocol exploitation,” the researchers said in the paper.