DDoS Vulnerability Analysis of BitTorrent Protocol - PowerPoint PPT Presentation

Slides: 20
Provided by: kacheu
Learn more at: http://oak.cs.ucla.edu

Transcript and Presenter's Notes



1
DDoS Vulnerability Analysis of BitTorrent Protocol
  • CS239 project, Spring 2006

2
Background
  • BitTorrent (BT)
  • P2P file sharing protocol
  • 30% of Internet traffic
  • 6881: a top-10 scanned port on the Internet
  • DDoS
  • Distributed: hard to guard against by simply
    filtering at upstream routers
  • Application level (resources)
  • Network level (bandwidth)

3
How BT works
  • .torrent file (meta-data)
  • Information of files being shared
  • Hashes of pieces of files
  • Trackers (coordinator)
  • http, udp trackers
  • Trackerless (DHT)
  • BT clients (participants)
  • Azureus
  • BitComet
  • uTorrent
  • etc.
  • Online forum (exchange medium)
  • For users to announce and search for .torrent files

4
Communication with trackers
[Figure: seeder, tracker, discussion forum, and client]

5
Message exchange
  • HTTP/UDP tracker
  • Get peer and announce combined (who is sharing
    files)
  • Scraping (information lookup)
  • DHT (trackerless)
  • Ping/response (announcing participation in DHT
    network)
  • Find node (locate peers in DHT network)
  • Get peer (locate who is sharing files)
  • Announce (announce who is sharing files)

6
Vulnerabilities
  • Spoofed information
  • Both http and udp trackers allow specified IP
    in announce
  • DHT does not allow specified IP in announce
  • Allow spoofed information on who is participating
    in DHT network
  • Possible to redirect many DHT queries to a
    victim
  • Compromised tracker

7
Attack illustration
[Figure: victim, tracker, discussion forum, and attacker]

8
Experiments
  • Discussion forum (http://www.mininova.org)
  • 1191 newly uploaded .torrent files in 2 days
  • Victim (131.179.187.205)
  • Apache web server (configured to serve 400
    clients)
  • tcpdump, netstat
  • Attacker
  • Python script to process .torrent files and
    contact trackers
  • Zombies
  • Computers running BitTorrent clients in the
    Internet

9
Statistics
  • Torrents
  • Total: 1191
  • Corrupted: 6
  • Single tracker: 999
  • Multiple trackers: 186
  • Support DHT: 121
  • Trackers
  • http trackers: 1963
  • udp trackers: 85
  • Unique http trackers: 311
  • Unique udp trackers: 21

10
Measurements (1)
  • Attacker
  • 1191 torrent files used
  • 30 concurrent threads, contact trackers once

11
Measurements (2)
  • Attacker
  • 1191 torrent files used
  • 40 concurrent threads, contact trackers 10 times
  • Attack ends after 8 hours

12
Measurements (3)
  • 30513 distinct IPs recorded
  • Number of connection attempts per host
  • Retry 3, 6, 9 seems a common implementation

13
Measurement (abnormal behavior)
  • Top 15 hosts with highest number of connection
    attempts
  • 8995 202.156.6.67 Country SINGAPORE (SG)
  • 8762 24.22.183.141 Country UNITED STATES (US)
  • 1953 71.83.213.106 Country (Unknown Country?)
    (XX)
  • 1841 24.5.44.13 Country UNITED STATES (US)
  • 1273 147.197.200.44 Country UNITED KINGDOM (UK)
  • 1233 82.40.167.116 Country UNITED KINGDOM (UK)
  • 1183 194.144.130.220 Country ICELAND (IS)
  • 1171 82.33.194.6 Country UNITED KINGDOM (UK)
  • 1167 219.78.137.197 Country HONG KONG (HK)
  • 1053 83.146.39.94 Country UNITED KINGDOM (UK)
  • 1042 82.10.187.190 Country UNITED KINGDOM (UK)
  • 896 65.93.12.152 Country CANADA (CA)
  • 861 84.231.86.223 Country FINLAND (FI)
  • 855 24.199.85.75 Country UNITED STATES (US)
  • 753 207.210.96.205 Country CANADA (CA)
  • Content pollution agents?
  • Other researchers?

14
Top 15 countries
  • United States
  • Canada
  • United Kingdom
  • Germany
  • France
  • Spain
  • Australia
  • Sweden
  • Netherlands
  • Malaysia
  • Norway
  • Poland
  • Japan
  • Brazil
  • China

15
Countries with fewer BT clients running
  • Albania
  • Bermuda
  • Bolivia
  • Georgia
  • Ghana
  • Kenya
  • Lao
  • Lebanon
  • Monaco
  • Mongolia
  • Nicaragua
  • Nigeria
  • Qatar
  • Tanzania
  • Uganda
  • Zimbabwe

16
Solution
  • Better tracker implementation
  • Authentication with trackers
  • Similar to the one used in DHT
  • Filtering packets by analyzing the protocol
  • e.g. check SYN/ACK/80 incoming packets for a
    legitimate HTTP header
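
The protocol-analysis filter proposed in the Solution slide above could be prototyped as follows. This is an added example, not code from the presentation: the function names, the threshold, and the sample connections (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# First bytes of a BitTorrent peer handshake: length byte 19 + protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
# HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n"
)

def classify_first_payload(payload: bytes) -> str:
    """Label the first client payload seen on a connection to the web port."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    return "unknown"

def sources_to_filter(connections, threshold=3):
    """Return source IPs with at least `threshold` non-HTTP first payloads.

    `connections` is an iterable of (source_ip, first_payload) pairs, e.g.
    reassembled from a packet capture taken on the web server.
    The threshold value is an assumption, not a figure from the slides.
    """
    non_http = Counter(
        src for src, payload in connections
        if classify_first_payload(payload) != "http"
    )
    return {src: n for src, n in non_http.items() if n >= threshold}

# Constructed sample: a 68-byte handshake (reserved, info_hash, peer_id zeroed).
BT_SAMPLE = BT_HANDSHAKE + bytes(8) + bytes(20) + b"-XX0000-" + bytes(12)
SAMPLE = [
    ("192.0.2.10", b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("198.51.100.7", BT_SAMPLE),
    ("198.51.100.7", BT_SAMPLE),
    ("198.51.100.7", BT_SAMPLE),
    ("203.0.113.5", BT_SAMPLE),
    ("203.0.113.5", b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for src, count in sorted(sources_to_filter(SAMPLE).items()):
        print(f"{src}: {count} non-HTTP connection attempts")
```
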

17
End
  • Q and A

18
[Figure: numbered steps 1 to 5 among seeder, tracker, discussion forum, and client]

19
[Figure: numbered steps 1 to 4 among victim, tracker, discussion forum, and attacker]