Page 1: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Karim El Defrawy, Minas Gjoka, Athina Markopoulou

UC Irvine

Page 2: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Outline

o Introduction

o How BitTorrent works

o Using BitTorrent to launch DDoS attacks

o Experiment details and results

o Can we fix BitTorrent to prevent such attacks?

o Summary

Page 3: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Introduction

o In 2006, 60% of Internet traffic was due to peer-to-peer (P2P) protocols (Cache Logic)

o BitTorrent accounted for more than 35% by the end of 2006 (Cache Logic)

o Mininova torrent search engine hit 2 billion downloads (Mininova - June 13th 2007)

Pages 4-5: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

P2P traffic is rising

Pages 6-7: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

BitTorrent is responsible for a significant amount of P2P traffic

Pages 8-9: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

P2P based DDoS attacks recently observed

o Prolexic alert announced on May 14th 2007 observing an increase in P2P based DDoS attacks

o Attack based on the Direct Connect (DC) P2P system

o Attack involved over 300 000 IPs

o http://www.prolexic.com/news/20070514-alert.php

P2P DDoS is already happening!


Pages 11-14: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

How BitTorrent works

- User publishes torrents

- Set up a tracker to coordinate the download

1- Users download torrents

2- Users' clients contact tracker to join swarm and get list of peers in swarm

3- Download different parts of file from different peers


Page 16: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Different attacks

Entity faked | BT mode | Requirements
Report fake peer | Centralized tracker mode | Send a spoofed message to tracker announcing victim as peer
Report fake tracker | Centralized tracker mode (multi-tracker) | Publish torrents pointing to victim as a tracker
Report fake peer | DHT mode | Send fake BT PING message to DHT network spoofing source address of victim

Pages 18-21: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

How an attack faking a tracker works

- Attacker publishes fake torrents with multiple tracker entries (or a single one)

- Set up a tracker to report a high number of seeders and leechers for these torrents

1- Users download torrents with fake trackers pointing to victim

2- Clients contact victim in hope of starting the download

…
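As an added example (not code from the talk), a defender-side check for the fake-tracker scenario above: the victim's web server log is scanned for BitTorrent HTTP tracker announces, so the operator can confirm that the flood is tracker traffic and recover the info_hashes of the fake torrents for takedown. Log lines, IP addresses and hashes are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes
# Constructed sample lines (Apache combined log format), not data from the talk.
# They mimic what a plain web server sees when BitTorrent clients, told by a
# fake .torrent that this host is a tracker, send it HTTP tracker announces.
HASH_A = "%aa" * 20        # percent-encoded 20-byte info_hash (constructed)
HASH_B = "%bb" * 20
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [13/Jun/2007:10:00:01 +0000] "GET /announce?info_hash={HASH_A}&peer_id=-AZ2500-abcdefghijkl&port=6881&left=734003200&event=started HTTP/1.1" 404 210 "-" "Azureus 2.5.0.0"',
    f'198.51.100.7 - - [13/Jun/2007:10:00:01 +0000] "GET /announce?info_hash={HASH_A}&peer_id=-UT1700-mnopqrstuvwx&port=52112 HTTP/1.1" 404 210 "-" "uTorrent/1700"',
    f'203.0.113.10 - - [13/Jun/2007:10:00:03 +0000] "GET /announce?info_hash={HASH_B}&peer_id=-AZ2500-abcdefghijkl&port=6881 HTTP/1.1" 404 210 "-" "Azureus 2.5.0.0"',
    '192.0.2.44 - - [13/Jun/2007:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    f'192.0.2.99 - - [13/Jun/2007:10:00:05 +0000] "GET /announce?info_hash={HASH_B}&peer_id=-BC0070-yz0123456789&port=8888 HTTP/1.1" 404 210 "-" "BitComet/0.70"',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" \d+')

def parse_announce(path):
    """Query params if the request looks like a BEP 3 tracker announce, else None."""
    if "?" not in path:
        return None
    route, query = path.split("?", 1)
    if not route.endswith("/announce"):
        return None
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if "info_hash" not in params or "peer_id" not in params:
        return None
    return params

def summarize(log_text):
    """Count announces and distinct source hosts per info_hash.
    info_hash is percent-encoded binary, so decode it to bytes, not text."""
    per_hash, hosts_per_hash, all_hosts = Counter(), defaultdict(set), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_announce(m["path"])
        if params is None:
            continue
        digest = unquote_to_bytes(params["info_hash"])
        if len(digest) != 20:            # SHA-1 is 20 bytes; skip malformed ones
            continue
        h = digest.hex()
        per_hash[h] += 1
        hosts_per_hash[h].add(m["ip"])
        all_hosts.add(m["ip"])
    return per_hash, {h: len(s) for h, s in hosts_per_hash.items()}, len(all_hosts)
```

The returned per-hash counts rank the fake torrents by how many clients they are driving to the victim, which is the input the talk's "trace the seeders based on hashes" idea needs.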


Page 23: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Experiment Setup

o Victim machine: Pentium 2, 512 MB RAM, Debian Linux, 100 Mbps Ethernet, running a light HTTP server

o Modified tracker reports a fake (high) number of seeders and leechers to search engine

o Publish fake torrents on search engines

o Wait ….

Page 24: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Proof of concept attack results

Exp. # | # Torrents | Ports attacked: open (freq) | Ports attacked: closed | Throughput (Kbps): avg(a) | Throughput (Kbps): max(a) | Total unique # hosts | TCP conn. avg/sec | New host interarrival time (sec)
I | 10 | 1 (1) | 6 | 62.77 | 127.2 | 25331 | 753.93 | 7.89
II | 25 | 1 (10) | 10 | 137.78 | 520.4 | 55127 | 1400.74 | 3.62
III | 25 | 1 (1) | 501 | 132.97 | 380.3 | 86320 | 1580.88 | 2.31
IV | 25 | 1 (50) + 1 (1) | 49+201 | 176.69 | 482.8 | 58046 | 1440.17 | 3.44

(a) Excluding the initial transient period (6 hours) of the experiment

Page 25: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Number of TCP connections per second

Page 26: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Attack throughput

Page 27: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Amount of traffic from clients

Page 28: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Distribution of sources in the IP address space

Page 29: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Mapping attack sources to ASs and BGP prefixes

o Attack sources in 2433 ASs on the Internet

o Attack sources in 12424 announced BGP prefixes

Page 30: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Attack ports

Page 31: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Related Work

o Attack using Overnet: needs to poison around 7000 files to be effective (Naoumov - 2006)

o Attack faking a client: needs to poison the swarms of 1119 torrents to generate several thousand TCP connections (Cheung Sia - 2006)

o Attack faking a tracker is more effective: the tracker is a central point in the architecture


Page 33: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Reporting the problem

We contacted:

o BitTorrent and Bram Cohen

o Search engines: Mininova, Pirate Bay, BitTorrent Monster

o Client developers: Azureus, BitComet

o Prolexic

o Response from Azureus developers only

Page 34: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Solutions

o Handshake between clients and trackers similar to the one between clients.

o Clients exchange view of trackers similar to exchanging view of peers.

o Mechanism to identify and trace the seeders of the fake torrents (based on hashes).
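An added example, not the authors' proposed fix: one client-side measure in the spirit of the first two bullets. A host named as tracker in a .torrent keeps being announced to only while it answers like a tracker (BEP 3: a bencoded dict carrying "peers" or "failure reason"); a host that never does is backed off and then dropped, instead of being re-contacted at every announce interval. The backoff constants are assumed values.

```python
# Added example, not the authors' code. bdecode is a minimal bencode decoder;
# is_tracker_response applies the BEP 3 shape check; TrackerState is the backoff.
def bdecode(data):
    """Minimal bencode decoder for bytes; returns (value, bytes consumed)."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):              # list or dict, terminated by e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                value, i = parse(i)
                items.append(value)
            if c == b"l":
                return items, i + 1
            return dict(zip(items[0::2], items[1::2])), i + 1
        if c.isdigit():                    # string: <len>:<bytes>
            colon = data.index(b":", i)
            n = int(data[i:colon])
            return data[colon + 1:colon + 1 + n], colon + 1 + n
        raise ValueError("not bencode")
    return parse(0)

def is_tracker_response(body):
    """True only if the whole body is a bencoded dict with tracker keys."""
    try:
        value, used = bdecode(body)
    except (ValueError, IndexError):
        return False
    return (used == len(body) and isinstance(value, dict)
            and (b"peers" in value or b"failure reason" in value))

class TrackerState:
    """Per-tracker failure counter with exponential backoff (assumed policy)."""
    BASE, CAP, MAX_FAILURES = 60, 3600, 6    # seconds, seconds, count (constructed)
    failures = 0                             # instance attribute once first updated

    def record(self, body):
        """Feed one reply; return seconds to wait, 0 if healthy, None if dropped."""
        if is_tracker_response(body):
            self.failures = 0
            return 0
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            return None                      # stop contacting this "tracker"
        return min(self.CAP, self.BASE * 2 ** (self.failures - 1))
```

A web server that answers announces with an HTML 404 page therefore stops receiving traffic from such a client after six attempts, which is the effect the fake-tracker attack relies on clients not having.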


Page 36: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Summary

o Presented misusing BitTorrent to launch DDoS attacks

o Proof of concept attack implementation

o Analyzed characteristics of the attack

o Proposed fixes to BitTorrent to detect and prevent such attacks

o Currently implementing fixes

Page 37: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Questions ?

Page 39: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Distribution of IPs on BGP Prefixes (plot; x-axis: BGP Prefix Rank, log scale 10^0 to 10^5; y-axis: Fraction of IPs that were in Attack, 0 to 0.014)

Page 40: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Distribution of IPs on ASs (plot; x-axis: AS Rank, log scale 10^0 to 10^4; y-axis: Fraction of IPs in AS that were in Attack, 0 to 0.04)

Page 41: BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

Unique hosts per second
