BitTorrent Flaws Can Be Exploited for DRDoS Attacks: Researchers

Malicious actors can exploit vulnerabilities in BitTorrent, the popular peer-to-peer (P2P) file sharing protocol, to launch distributed reflective denial-of-service (DRDoS) attacks, researchers warned at the recent USENIX conference.

According to researchers, attackers can abuse BitTorrent protocols such as Micro Transport Protocol (uTP), Distributed Hash Table (DHT), and Message Stream Encryption (MSE), and the BitTorrent Sync tool to reflect and amplify traffic.

BitTorrent and BTSync use UDP protocols, which are not designed to prevent the spoofing of source IP addresses. This allows an attacker to send small packets to amplifiers using the victim's IP, which results in the amplifiers sending larger packets to the victim.

Potential amplifiers can be identified using peer discovery techniques such as DHT, Peer Exchange (PEX) and trackers. These techniques allow attackers to collect millions of amplifiers, experts said.

This type of DRDoS attack has three main advantages: the attacker can hide his identity, a distributed attack can be initiated from a single computer, and the attack's impact is increased by the amplifiers.

"The impact of a DRDoS attack is proportional to the adoption of the protocol that it is exploiting, as wide adoption makes it easier to find and scale-out the amplifier population," the researchers wrote in a paper.

Experiments conducted by the researchers revealed that attackers can obtain an amplification factor of up to 50 in the case of BitTorrent clients and an amplification factor of up to 120 in the case of BTSync.

According to experts, the most vulnerable BitTorrent clients are the most popular ones; namely uTorrent, Mainline and Vuze.

Attacks that abuse DNS and NTP for reflection can be the easily blocked using a stateful packet inspection (SPI) firewall because DNS and NTP use known ports. However, attacks leveraging BitTorrent protocols can only be mitigated using deep packet inspection (DPI) firewalls that can detect certain strings in the handshake. Attacks that exploit MSE cannot be blocked even with DPI because the handshake is completely random, researchers noted.

"We think a working countermeasure must follow two parallel ways: global ISP coordination to prevent IP spoofing and protocol defense mechanism to avoid protocol exploitation," experts said in their paper.

DRDoS attacks can be very damaging. In February 2014, content delivery network (CDN) CloudFlare reported that one of its customers was targeted in an NTP-based attack that peaked at 400Gbps.