Post on 19-Dec-2015
DDoS Vulnerability Analysis of BitTorrent Protocol
CS239 project, Spring 2006
Background
  BitTorrent (BT) P2P file sharing protocol
    30% of Internet traffic
    Port 6881 is among the top 10 scanned ports on the Internet
  DDoS
    Distributed: hard to guard against by simply filtering at upstream routers
    Application level (resources)
    Network level (bandwidth)
How BT works
  .torrent file (meta-data)
    Information about the files being shared
    Hashes of the pieces of the files
  Trackers (coordinator)
    http, udp trackers
    Trackerless (DHT)
  BT clients (participants)
    Azureus, BitComet, uTorrent, etc.
  Online forum (exchange medium)
    For users to announce and search for .torrent files
Communication with trackers
  [Diagram: Tracker, seeder, clients, client, .torrent files, discussion forum. Messages shown: "I have the file!", "Who has the file?"]
Message exchange
  HTTP/UDP tracker
    Get peer + announce combined (who is sharing files)
    Scrape (information lookup)
  DHT (trackerless)
    Ping/response (announcing participation in the DHT network)
    Find node (locating peers in the DHT network)
    Get peer (locate who is sharing files)
    Announce (announce who is sharing files)
Vulnerabilities
  Spoofed information
    Both http and udp trackers allow a client-specified IP in the announce request
    DHT does not allow a specified IP in announce
    DHT does allow spoofed information about who is participating in the DHT network
    Possible to redirect a lot of DHT queries to a victim
  Compromised tracker
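The first vulnerability above comes down to how a tracker's announce handler treats the optional "ip" query parameter. The following is an added example, not the project's code or any real tracker's: a toy HTTP tracker shown with the weak setting (store whatever IP the announcing client claims) beside the hardened setting from the Solution slide (store the TCP source address, which is what DHT effectively does, unless the request comes from an explicitly trusted source such as an operator-controlled proxy). The request string, addresses and the readable "info_hash" token are constructed; a real client sends 20 raw bytes there.

```python
# Added example (not the project's code): how an HTTP tracker's announce handler
# turns the "ip" query parameter into a peer entry.  honor_ip_param=True is the
# weak setting; False is the hardened one.  All values below are constructed.
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse


class Tracker:
    def __init__(self, honor_ip_param: bool, trusted_sources=("127.0.0.1",)):
        self.honor_ip_param = honor_ip_param        # weak setting when True
        self.trusted_sources = set(trusted_sources)  # e.g. an operator-run proxy
        self.swarms = {}                            # info_hash -> {(ip, port)}

    def announce(self, request_target: str, source_ip: str) -> tuple:
        """Register the announcing peer and return the (ip, port) that was stored."""
        q = parse_qs(urlparse(request_target).query)
        info_hash, port = q["info_hash"][0], int(q["port"][0])
        if not 0 < port < 65536:
            raise ValueError("bad port")
        peer_ip = source_ip                         # default: the address we actually talked to
        claimed = q.get("ip", [None])[0]
        if claimed is not None and (self.honor_ip_param or source_ip in self.trusted_sources):
            peer_ip = str(ip_address(claimed))      # syntax check only; nobody proves ownership
        entry = (peer_ip, port)
        self.swarms.setdefault(info_hash, set()).add(entry)
        return entry

    def peers(self, info_hash: str) -> list:
        """Peer list the tracker would hand to the next client that asks."""
        return sorted(self.swarms.get(info_hash, set()))


# Constructed request: an announce whose claimed IP differs from the address
# the request actually came from.
REQUEST = "/announce?info_hash=HASH1&peer_id=PEER1&port=80&ip=192.0.2.10&left=0"


def compare(request: str = REQUEST, source_ip: str = "203.0.113.5") -> tuple:
    """Entries stored by the weak and by the hardened tracker for the same request."""
    weak, hardened = Tracker(honor_ip_param=True), Tracker(honor_ip_param=False)
    return weak.announce(request, source_ip), hardened.announce(request, source_ip)
```

With the weak setting the swarm now lists 192.0.2.10:80 even though that host never announced anything, and every client that asks the tracker will go and connect to it; with the hardened setting the entry is the announcing host's own address, so a client can only ever add itself to the peer list.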
Attack illustration
  [Diagram: Tracker, victim, clients, attacker, discussion forum, .torrent files. Messages shown: "Victim has the files!", "Who has the files?"]
Experiments
  Discussion forum (http://www.mininova.org): 1191 newly uploaded .torrent files in 2 days
  Victim (131.179.187.205): Apache web server (configured to serve 400 clients); tcpdump, netstat
  Attacker: Python script to process .torrent files and contact trackers
  Zombies: computers running BitTorrent clients in the Internet
Statistics
  Torrents
    Total 1191
    Corrupted 6
    Single tracker 999
    Multiple trackers 186
    Support DHT 121
  Trackers
    http trackers 1963
    udp trackers 85
    Unique http trackers 311
    Unique udp trackers 21
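The categories in the Statistics table all come from the .torrent metadata itself. The following is an added example, not the authors' script: a minimal bencode decoder plus a classifier that reproduces the table's rows (corrupted, single/multiple tracker, DHT support, http vs udp trackers, unique trackers) over a handful of constructed torrents. Treating the presence of a "nodes" key (BEP 5) as "Support DHT" is an assumption; the slide does not say how the authors counted it.

```python
# Added example (not the project's script): bencode decoder + classifier that
# reproduces the Statistics table.  "Support DHT" = "nodes" key present (assumed).
from urllib.parse import urlparse


def bdecode(data: bytes):
    """Decode one bencoded value; raises ValueError on malformed or truncated input."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                                   # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                                   # list: l<items>e
            i, items = i + 1, []
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                                   # dict: d<key><value>...e
            i, out = i + 1, {}
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                out[key], i = parse(i)
            return out, i + 1
        if c.isdigit():                                 # string: <len>:<bytes>
            colon = data.index(b":", i)
            start, length = colon + 1, int(data[i:colon])
            if start + length > len(data):
                raise ValueError("truncated string")
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")   # also hit on unexpected end of data
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data")
    return value


def classify(torrent: bytes) -> dict:
    """Flags for one .torrent file, matching the rows of the Statistics table."""
    try:
        meta = bdecode(torrent)
        if not isinstance(meta, dict) or b"info" not in meta:
            raise ValueError("missing info dict")
    except ValueError:
        return {"corrupted": True}
    trackers = []
    if b"announce" in meta:
        trackers.append(meta[b"announce"].decode("utf-8", "replace"))
    for tier in meta.get(b"announce-list", []):         # BEP 12 multi-tracker tiers
        for url in tier:
            url = url.decode("utf-8", "replace")
            if url not in trackers:
                trackers.append(url)
    http = [u for u in trackers if urlparse(u).scheme in ("http", "https")]
    udp = [u for u in trackers if urlparse(u).scheme == "udp"]
    return {"corrupted": False,
            "single_tracker": len(trackers) == 1,
            "multiple_trackers": len(trackers) > 1,
            "supports_dht": b"nodes" in meta,            # assumption, see above
            "http_trackers": http, "udp_trackers": udp}


def summarize(torrents) -> dict:
    """Aggregate per-file flags into the table's Torrents and Trackers rows."""
    keys = ("corrupted", "single_tracker", "multiple_trackers", "supports_dht")
    stats = {"total": len(torrents), **{k: 0 for k in keys},
             "http_trackers": 0, "udp_trackers": 0}
    unique_http, unique_udp = set(), set()
    for t in torrents:
        c = classify(t)
        if c["corrupted"]:
            stats["corrupted"] += 1
            continue
        for k in keys[1:]:
            stats[k] += int(c[k])
        stats["http_trackers"] += len(c["http_trackers"])
        stats["udp_trackers"] += len(c["udp_trackers"])
        unique_http.update(c["http_trackers"])
        unique_udp.update(c["udp_trackers"])
    stats["unique_http_trackers"] = len(unique_http)
    stats["unique_udp_trackers"] = len(unique_udp)
    return stats


INFO = b"4:infod4:name6:samplee"               # key "info" + a minimal info dict
SAMPLE_TORRENTS = [                             # constructed, not real torrents
    b"d8:announce33:http://tracker-a.example/announce" + INFO + b"e",
    b"d8:announce33:http://tracker-a.example/announce"
    b"13:announce-listll33:http://tracker-a.example/announceel28:udp://tracker-b.example:6969ee"
    + INFO + b"e",
    b"d8:announce33:http://tracker-c.example/announce" + INFO
    + b"5:nodesll14:router.examplei6881eeee",
    b"d8:announce3:xyz",                        # truncated file: counted as corrupted
]
```

Run summarize(SAMPLE_TORRENTS) to get the same shape of table as the slide; the unique-tracker counts are what tell you how concentrated the tracker population is, which is what makes "better tracker implementation" on the Solution slide a realistic lever.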
Measurements (1)
  Attacker: 1191 torrent files used, 30 concurrent threads, contact trackers once
Measurements (2)
  Attacker: 1191 torrent files used, 40 concurrent threads, contact trackers 10 times; attack ends after 8 hours
Measurements (3)
  30513 distinct IPs recorded
  Number of connection attempts per host
  Retry counts of 3, 6, 9, … seem to be a common implementation
Measurement (abnormal behavior)
  Top 15 hosts with highest number of connection attempts
    8995 202.156.6.67 Country: SINGAPORE (SG)
    8762 24.22.183.141 Country: UNITED STATES (US)
    1953 71.83.213.106 Country: (Unknown Country?) (XX)
    1841 24.5.44.13 Country: UNITED STATES (US)
    1273 147.197.200.44 Country: UNITED KINGDOM (UK)
    1233 82.40.167.116 Country: UNITED KINGDOM (UK)
    1183 194.144.130.220 Country: ICELAND (IS)
    1171 82.33.194.6 Country: UNITED KINGDOM (UK)
    1167 219.78.137.197 Country: HONG KONG (HK)
    1053 83.146.39.94 Country: UNITED KINGDOM (UK)
    1042 82.10.187.190 Country: UNITED KINGDOM (UK)
    896 65.93.12.152 Country: CANADA (CA)
    861 84.231.86.223 Country: FINLAND (FI)
    855 24.199.85.75 Country: UNITED STATES (US)
    753 207.210.96.205 Country: CANADA (CA)
  Content pollution agents?
  Other researchers?
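The per-host attempt counts in Measurements (3) and the abnormal-behaviour list are what a victim can compute from its own tcpdump capture. The following is an added example, not the authors' measurement script: it counts SYNs per source address aimed at the victim's web port, builds the attempts-per-host distribution, and flags hosts far above the usual 3/6/9 retry pattern. The log lines are constructed; the destination 131.179.187.205 is the victim address named on the Experiments slide, and the source addresses are documentation-range placeholders.

```python
# Added example (not the project's scripts): per-source SYN counting over
# tcpdump-style lines, the distribution of attempts per host, and a threshold
# for abnormal hosts.  Log lines are constructed.
import re
from collections import Counter

SYN_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<port>\d+): Flags \[S\]")


def count_attempts(log_text: str, victim: str, port: int = 80) -> Counter:
    """SYNs per source address aimed at victim:port (one SYN = one connection attempt)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SYN_LINE.match(line)
        if m and m["dst"] == victim and int(m["port"]) == port:
            counts[m["src"]] += 1
    return counts


def attempts_histogram(counts: Counter) -> Counter:
    """How many hosts made 1, 2, 3, ... attempts (the slide's per-host distribution)."""
    return Counter(counts.values())


def abnormal_hosts(counts: Counter, threshold: int) -> list:
    """(attempts, host) pairs at or above threshold, most active first."""
    return [(n, host) for host, n in counts.most_common() if n >= threshold]


def _syn(ts: str, src: str, sport: int) -> str:
    return f"{ts} IP {src}.{sport} > 131.179.187.205.80: Flags [S], seq 0, win 65535, length 0"


# Constructed capture: one host retrying far beyond the usual 3/6/9 pattern,
# three ordinary peers, one non-SYN segment, and one SYN to a different port.
SAMPLE_LOG = "\n".join(
    [_syn(f"10:00:{i:02d}.000000", "203.0.113.10", 50000 + i) for i in range(12)]
    + [_syn(f"10:01:{i:02d}.000000", "198.51.100.7", 40000 + i) for i in range(6)]
    + [_syn(f"10:02:{i:02d}.000000", "198.51.100.8", 40000 + i) for i in range(3)]
    + [_syn(f"10:02:{i:02d}.500000", "198.51.100.9", 40000 + i) for i in range(3)]
    + ["10:03:00.000000 IP 203.0.113.99.60000 > 131.179.187.205.80: Flags [.], ack 1, win 65535, length 0",
       "10:03:01.000000 IP 203.0.113.50.1024 > 131.179.187.205.22: Flags [S], seq 0, win 65535, length 0"]
)


def report(log_text: str = SAMPLE_LOG, threshold: int = 10) -> dict:
    """Distinct hosts, attempts-per-host distribution and the hosts above threshold."""
    counts = count_attempts(log_text, "131.179.187.205")
    return {"distinct_hosts": len(counts),
            "histogram": dict(attempts_histogram(counts)),
            "abnormal": abnormal_hosts(counts, threshold)}
```

On a real capture the histogram is the useful part: ordinary BitTorrent clients cluster at small multiples of three, so a host in the thousands, as in the slide's top-15 list, stands out without any knowledge of who it is.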
Top 15 countries
  United States, Canada, United Kingdom, Germany, France, Spain, Australia, Sweden, Netherlands, Malaysia, Norway, Poland, Japan, Brazil, China
Countries with fewer BT clients running
  Albania, Bermuda, Bolivia, Georgia, Ghana, Kenya, Lao, Lebanon, Monaco, Mongolia, Nicaragua, Nigeria, Qatar, Tanzania, Uganda, Zimbabwe
Solution
  Better tracker implementation
  Authentication with trackers, similar to the one used in DHT
  Filtering packets by analyzing the protocol, e.g. checking incoming [SYN|ACK|80] packets for a legitimate HTTP header
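The last point, checking that a connection arriving on port 80 actually carries HTTP, can be decided from the first client bytes after the TCP handshake. The following is an added example, not the project's filter: a small per-connection classifier that allows an HTTP/1.x request line, drops a BitTorrent peer handshake (which always starts with the 19-byte length prefix and the string "BitTorrent protocol"), and defers while the bytes seen so far could still turn into either. The 8192-byte request-line limit and the sample payloads are constructed; HTTP/0.9 requests without a version are not accepted.

```python
# Added example (not the project's code): first-segment classification of a
# port-80 connection into allow / drop / defer.  Sample payloads are constructed.
import re

METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT")
REQUEST_LINE = re.compile(rb"^(?:" + b"|".join(METHODS) + rb") \S+ HTTP/1\.[01]\r\n")
BT_HANDSHAKE = b"\x13BitTorrent protocol"     # fixed prefix of every BT peer connection
MAX_REQUEST_LINE = 8192                        # assumed limit: stop waiting for CRLF beyond this


def _could_become_request_line(buf: bytes) -> bool:
    """True while the bytes seen so far are still a prefix of a valid request line."""
    token = buf.split(b" ", 1)[0]
    return len(buf) < MAX_REQUEST_LINE and any(m.startswith(token) for m in METHODS)


def classify_first_segment(buf: bytes) -> str:
    if not buf:
        return "defer"
    if buf.startswith(BT_HANDSHAKE):
        return "drop"                          # BitTorrent peer handshake on the web port
    if BT_HANDSHAKE.startswith(buf):
        return "defer"                         # handshake may still be arriving
    if REQUEST_LINE.match(buf):
        return "allow"
    if b"\r\n" not in buf and _could_become_request_line(buf):
        return "defer"                         # request line still in flight
    return "drop"                              # anything else is not HTTP/1.x


class ConnectionFilter:
    """State for one TCP connection: buffers client data until a verdict is reached."""
    def __init__(self):
        self.buf, self.verdict = b"", "defer"

    def feed(self, data: bytes) -> str:
        if self.verdict == "defer":
            self.buf += data
            self.verdict = classify_first_segment(self.buf)
        return self.verdict


# Constructed payloads for the three cases the filter has to separate.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
BT_PEER_HANDSHAKE = BT_HANDSHAKE + bytes(8) + bytes(20) + b"-XX0001-" + bytes(12)
GARBAGE = b"\x00\x01\x02\x03 hello"


def verdicts() -> dict:
    """Run each constructed payload through a fresh filter."""
    return {name: ConnectionFilter().feed(data) for name, data in
            [("http", HTTP_REQUEST), ("bittorrent", BT_PEER_HANDSHAKE), ("garbage", GARBAGE)]}
```

The verdict is per connection, not per packet, which is why the filter keeps a buffer: a client may send "GET /ind" in one segment and the rest in the next, and dropping on the first fragment would cut off legitimate users. It also only protects the web port; it does nothing about the SYN load itself, which is what the tracker-side fixes above address.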
End
Q and A