BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Post on 18-Jan-2016


BotTorrent: Misusing BitTorrent to Launch DDoS Attacks. Karim El Defrawy, Minas Gjoka, Athina Markopoulou UC Irvine. Outline. Introduction How BitTorrent works Using BitTorrent to launch DDoS attacks Experiment details and results Can we fix BitTorrent to prevent such attacks? - PowerPoint PPT Presentation

Transcript

BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Karim El Defrawy, Minas Gjoka, Athina Markopoulou

UC Irvine

Outline

o Introduction
o How BitTorrent works
o Using BitTorrent to launch DDoS attacks
o Experiment details and results
o Can we fix BitTorrent to prevent such attacks?
o Summary

Introduction

o In 2006, 60% of Internet traffic was due to peer-to-peer (P2P) protocols (Cache Logic)

o BitTorrent is more than 35% by end of 2006 (Cache Logic)

o Mininova torrent search engine hit 2 billion downloads (Mininova - June 13th 2007)

P2P traffic is rising

BitTorrent is responsible for a significant amount of P2P traffic

P2P based DDoS attacks recently observed

o Prolexic announced on May 14th 2007 that it had observed an increase in P2P based DDoS attacks
o Attack based on the Direct Connect (DC) P2P system
o Attack involved over 300 000 IPs
o http://www.prolexic.com/news/20070514-alert.php

P2P DDoS is already happening !


How BitTorrent works

- User publishes torrents
- Sets up a tracker to coordinate the download

1- Users download torrents
2- Users' clients contact the tracker to join the swarm and get a list of peers in the swarm
3- Clients download different parts of the file from different peers


Different attacks

Entity Faked        | BT Mode                  | Requirements
Report Fake Peer    | Centralized Tracker Mode | Send a spoofed message to tracker announcing victim as peer
Report Fake Tracker | Centralized Tracker Mode | Publish torrents pointing to victim as a tracker (multi-tracker)
Report Fake Peer    | DHT Mode                 | Send fake BT PING message to DHT network spoofing source address of victim

How an attack faking a tracker works

- Attacker publishes fake torrents with multiple tracker entries (or a single one)
- Sets up a tracker to report a high number of seeders and leechers for these torrents

1- Users download torrents with fake trackers pointing to the victim
2- Clients contact the victim in hope of starting the download

….


Experiment Setup

o Victim machine: Pentium 2, 512 Mbps RAM, Debian Linux, 100Mbps Ethernet, running a light HTTP server

o Modified tracker reports a fake (high) number of seeders and leechers to search engine

o Publish fake torrents on search engines

o Wait ….

Proof of concept attack results

Exp. # | # Torrents | Ports Attacked: Open (Freq) | Ports Attacked: Closed | Throughput (Kbps) Avg^a | Throughput (Kbps) Max^a | Total Unique # Hosts | TCP Conn. Avg/sec | New Host Interarrival Time (sec)
I      | 10         | 1 (1)                       | 6                      | 62.77                   | 127.2                   | 25331                | 753.93            | 7.89
II     | 25         | 1 (10)                      | 10                     | 137.78                  | 520.4                   | 55127                | 1400.74           | 3.62
III    | 25         | 1 (1)                       | 501                    | 132.97                  | 380.3                   | 86320                | 1580.88           | 2.31
IV     | 25         | 1 (50) + 1 (1)              | 49+201                 | 176.69                  | 482.8                   | 58046                | 1440.17           | 3.44

a: Excluding the initial transient period (6 hours) of the experiment

Number of TCP connections per second

Attack throughput

Amount of traffic from clients

Distribution of sources in the IP address space

o Attack sources in 2433 ASs on the Internet

o Attack sources in 12424 announced BGP prefixes

Mapping attack sources to ASs and BGP prefixes

Attack ports

Related Work

o Attack using Overnet: poison around 7000 files to be effective (Naoumov - 2006)

o Attack faking client: poison swarms of 1119 torrents to generate several thousand TCP connections (Cheung Sia - 2006)

o Attack faking tracker is more effective: tracker is a central point in the architecture


Reporting the problem

We contacted:

o BitTorrent and Bram Cohen

o Search Engines: Mininova, Pirate Bay, BitTorrent Monster

o Client developers: Azureus, Bitcomet

o Prolexic

o Response from Azureus developers only

Solutions

o Handshake between clients and trackers similar to the one between clients.

o Clients exchange view of trackers similar to exchanging view of peers.

o Mechanism to identify and trace the seeders of the fake torrents (based on hashes).
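As an added example (not from the slides), here is the victim-side view of the fake-tracker attack from the experiment setup: a plain HTTP server that is suddenly receiving tracker announce requests (GET /announce?info_hash=...) from BitTorrent clients that were handed its address by a fake torrent. The script parses constructed access-log lines, separates announces from normal web traffic, counts unique source hosts and announce rate (the metrics in the results table), and extracts the 20-byte info_hash values that identify the fake torrents, which is the input the third proposed fix needs; the log format, IPs and hashes are all constructed.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_to_bytes

# Constructed Apache-style access-log sample for a small web server that is not a
# tracker. Clients given this host as a "tracker" by a fake torrent send announces
# (GET /announce?info_hash=...), which the server can only answer with 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2007:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.2 - - [10/Jun/2007:12:00:00 +0000] "GET /announce?info_hash=%12%34%56%78%9a%bc%de%f0%12%34%56%78%9a%bc%de%f0%12%34%56%78&peer_id=-AZ2500-aaaaaaaaaaaa&port=6881&left=1000 HTTP/1.1" 404 169
198.51.100.9 - - [10/Jun/2007:12:00:01 +0000] "GET /announce?info_hash=%12%34%56%78%9a%bc%de%f0%12%34%56%78%9a%bc%de%f0%12%34%56%78&peer_id=-UT1700-bbbbbbbbbbbb&port=6881&left=1000 HTTP/1.1" 404 169
192.0.2.33 - - [10/Jun/2007:12:00:01 +0000] "GET /announce?info_hash=%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab%ab&peer_id=-BC0085-cccccccccccc&port=12345&left=0 HTTP/1.1" 404 169
198.51.100.2 - - [10/Jun/2007:12:00:03 +0000] "GET /announce?info_hash=%12%34%56%78%9a%bc%de%f0%12%34%56%78%9a%bc%de%f0%12%34%56%78&peer_id=-AZ2500-aaaaaaaaaaaa&port=6881&left=1000 HTTP/1.1" 404 169
203.0.113.8 - - [10/Jun/2007:12:00:04 +0000] "GET /about.html HTTP/1.1" 200 300
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)')
HASH_RE = re.compile(r'[?&]info_hash=([^&\s]+)')

def analyze_announces(log_text):
    """Summarise stray tracker announces: who sent them, for which torrents, how fast."""
    hosts, hashes, times, total = set(), Counter(), [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        total += 1
        h = HASH_RE.search(m.group('url'))
        if not m.group('url').startswith('/announce') or not h:
            continue  # ordinary web traffic, not part of the attack
        raw = unquote_to_bytes(h.group(1))  # info_hash is sent percent-encoded
        if len(raw) != 20:
            continue  # a real info_hash is exactly 20 bytes (SHA-1)
        hosts.add(m.group('ip'))
        hashes[raw.hex()] += 1
        times.append(datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'))
    n = sum(hashes.values())
    span = max(1, int((max(times) - min(times)).total_seconds())) if times else 1
    return {
        'announce_requests': n,
        'announce_fraction': n / total if total else 0.0,
        'unique_hosts': len(hosts),            # comparable to "Total Unique # Hosts"
        'announces_per_sec': n / span,
        # most-announced first: these hashes identify the fake torrents to report
        'info_hashes': sorted(hashes, key=hashes.get, reverse=True),
    }
```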


Summary

o Presented misusing BitTorrent to launch DDoS attacks
o Proof of concept attack implementation
o Analyzed characteristics of the attack
o Proposed fixes to BitTorrent to detect and prevent such attacks
o Currently implementing fixes

Questions ?

Thank you!

keldefra@uci.edu

mgjoka@uci.edu

athina@uci.edu

[Figure: Distribution of IPs on BGP Prefixes. X axis: BGP Prefix Rank (log scale, 10^0 to 10^5). Y axis: Fraction of IPs that were in Attack (0 to 0.014).]

[Figure: Distribution of IPs on ASs. X axis: AS Rank (log scale, 10^0 to 10^4). Y axis: Fraction of IPs in AS that were in Attack (0 to 0.04).]

[Figure: Unique hosts per second.]
