DDoS Vulnerability Analysis of BitTorrent Protocol
CS239 project, Spring 2006

Posted 19-Dec-2015

TRANSCRIPT

Page 1: DDoS Vulnerability Analysis of BitTorrent Protocol CS239 project Spring 2006

Page 2: Background

BitTorrent (BT)
- P2P file sharing protocol
- 30% of Internet traffic
- 6881, the default BT port, is among the top 10 scanned ports in the Internet

DDoS
- Distributed, so hard to guard against by simply filtering at upstream routers
- Application level (exhausts server resources)
- Network level (exhausts bandwidth)

Page 3: How BT works

.torrent file (meta-data)
- Information about the files being shared
- Hashes of the pieces of the files

Trackers (coordinator)
- HTTP and UDP trackers
- Trackerless (DHT)

BT clients (participants)
- Azureus, BitComet, uTorrent, etc.

Online forum (exchange medium)
- Where users announce and search for .torrent files

Page 4: Communication with trackers

[Slide diagram: the seeder posts the .torrent on the discussion forum and tells the tracker "I have the file!"; clients pick up the .torrent from the forum and ask the tracker "Who has the file?"; the tracker answers with the seeder's address.]

Page 5: Message exchange

HTTP/UDP tracker
- Get peers + announce combined in one request: asking "who is sharing the files" also registers the sender as a peer
- Scrape (information lookup only, e.g. seeder/leecher counts)

DHT (trackerless)
- Ping/response (announcing participation in the DHT network)
- Find node (locating peers in the DHT network)
- Get peers (locate who is sharing the files)
- Announce (announce who is sharing the files)
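The HTTP tracker exchange above, as an added example that is not part of the original slides: it builds the combined get-peers/announce request (BEP 3 parameters, including the optional ip= field), derives the scrape URL, and decodes a compact-peers reply. The tracker URL, info hash, peer id and the reply bytes are all constructed for the example.

```python
# Added example, not from the CS239 slides: the HTTP tracker exchange as the client
# sees it (BEP 3). The tracker URL, info dictionary, peer id and the tracker's reply
# are constructed here; nothing is sent over the network.
import hashlib
import struct
import urllib.parse

TRACKER_URL = "http://tracker.example.invalid/announce"           # assumed tracker
INFO_HASH = hashlib.sha1(b"constructed info dictionary").digest()  # 20 raw bytes
PEER_ID = b"-XX0001-" + b"0123456789ab"                            # 20 bytes, made up


def build_announce_url(tracker, info_hash, peer_id, port, left, event=None, ip=None):
    """Build the GET announce. One request both asks for peers and registers the
    sender as a peer; there is no separate get-peers message. The optional ip=
    field exists for clients behind a proxy and is the field the slides' attack
    abuses: a tracker that honours it stores that address instead of the source."""
    params = {
        "info_hash": info_hash,   # raw bytes, percent-encoded by urlencode
        "peer_id": peer_id,
        "port": port,
        "uploaded": 0,
        "downloaded": 0,
        "left": left,
        "compact": 1,             # ask for the 6-bytes-per-peer binary list
    }
    if event:
        params["event"] = event   # started / completed / stopped
    if ip:
        params["ip"] = ip
    return tracker + "?" + urllib.parse.urlencode(params)


def scrape_url(announce_url):
    """Scrape is lookup only (seeder/leecher counts). By convention its URL is the
    announce URL with 'announce' replaced by 'scrape' in the last path component;
    a tracker whose URL does not end that way does not support scraping."""
    parts = urllib.parse.urlsplit(announce_url)
    head, _, last = parts.path.rpartition("/")
    if not last.startswith("announce"):
        return None
    return urllib.parse.urlunsplit(parts._replace(path=f"{head}/scrape{last[len('announce'):]}"))


def bdecode(data: bytes):
    """Minimal bencode decoder: i42e ints, 3:abc strings, l...e lists, d...e dicts."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                val, i = parse(i)
                d[key] = val
            return d, i + 1
        colon = data.index(b":", i)          # byte string: <length>:<bytes>
        start = colon + 1
        end = start + int(data[i:colon])
        return data[start:end], end

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def parse_compact_peers(blob: bytes):
    """compact=1 peer list: 4-byte IPv4 + 2-byte big-endian port per peer."""
    if len(blob) % 6:
        raise ValueError("compact peer list length not a multiple of 6")
    return [(f"{a}.{b}.{c}.{d}", port) for a, b, c, d, port in struct.iter_unpack("!4BH", blob)]


def handle_response(raw: bytes):
    """Return (interval, peers) from a tracker reply, or raise on a failure reason."""
    reply = bdecode(raw)
    if b"failure reason" in reply:
        raise RuntimeError(reply[b"failure reason"].decode(errors="replace"))
    return reply[b"interval"], parse_compact_peers(reply[b"peers"])


# Constructed reply: re-announce in 1800 s, peers 10.0.0.5:6881 and 192.0.2.7:51413.
SAMPLE_RESPONSE = (b"d8:intervali1800e5:peers12:"
                   + b"\x0a\x00\x00\x05\x1a\xe1" + b"\xc0\x00\x02\x07\xc8\xd5" + b"e")

if __name__ == "__main__":
    print(build_announce_url(TRACKER_URL, INFO_HASH, PEER_ID, 6881, left=0, event="started"))
    print(scrape_url(TRACKER_URL))
    print(handle_response(SAMPLE_RESPONSE))
```

Note that every address the client receives in the peers list came from some earlier announce; the tracker has no way to tell from the reply whether those peers actually exist, which is what the next slide exploits.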

Page 6: Vulnerabilities

Spoofed information
- Both HTTP and UDP trackers let the client specify an IP address in its announce (the optional ip field), and hand that address out to other peers without checking it
- DHT does not let the client specify an IP in announce; the announcing node's source address is used
- DHT does allow spoofed information about who is participating in the DHT network (a node can return arbitrary addresses in its node lists)
- Possible to redirect a lot of DHT queries to a victim

Compromised tracker
- A tracker that is itself malicious can return any address as a peer
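The spoofed-announce problem on this slide, and the "better tracker implementation / authentication with trackers" fix proposed on the Solution slide, as an added example that is not from the slides: a toy in-memory tracker with the announce path written twice. The vulnerable version honours the client-supplied ip= field the way the slides say real trackers did; the hardened version records the request's source address and accepts ip= only together with a token proving the claimed address received it, the idea the slides borrow from the DHT announce token. Addresses, secrets and the attack loop are constructed for the example.

```python
# Added example, not from the CS239 slides. Two announce handlers for a toy tracker:
# VulnerableTracker trusts the ip= field; HardenedTracker binds the address to a token.
# All addresses and the secret key are constructed for the demo.
import hashlib
import hmac
import os
from collections import defaultdict


class VulnerableTracker:
    def __init__(self):
        self.swarms = defaultdict(set)        # info_hash -> {(ip, port)}

    def announce(self, info_hash, src_ip, port, params):
        # Stores whatever address the client claims, so an attacker at src_ip can
        # register any third party as a peer for this torrent.
        ip = params.get("ip", src_ip)
        self.swarms[info_hash].add((ip, port))
        return sorted(self.swarms[info_hash])


class HardenedTracker:
    def __init__(self, secret=None):
        self.swarms = defaultdict(set)
        self.secret = secret or os.urandom(32)  # a real tracker would rotate this

    def issue_token(self, src_ip):
        # Returned in the response to a request that arrived from src_ip, so only a
        # host that actually receives traffic at src_ip learns the token for it.
        return hmac.new(self.secret, src_ip.encode(), hashlib.sha256).hexdigest()[:16]

    def announce(self, info_hash, src_ip, port, params):
        ip = src_ip                              # default: the address we saw
        claimed = params.get("ip")
        if claimed and claimed != src_ip:
            # Honour the claimed address only with a token that was issued to it.
            if hmac.compare_digest(params.get("token", ""), self.issue_token(claimed)):
                ip = claimed
        self.swarms[info_hash].add((ip, port))
        return sorted(self.swarms[info_hash])


VICTIM = "203.0.113.5"      # constructed (documentation range)
ATTACKER = "198.51.100.10"  # constructed


def run_attack(tracker, n_torrents):
    """From the attacker host, announce the victim (port 80) as a peer for n_torrents
    swarms and return how many swarm entries now point at the victim."""
    for i in range(n_torrents):
        info_hash = hashlib.sha1(f"torrent-{i}".encode()).digest()
        tracker.announce(info_hash, ATTACKER, 80, {"ip": VICTIM})
    return sum(1 for peers in tracker.swarms.values() for ip, _ in peers if ip == VICTIM)


def legitimate_proxy_user(tracker):
    """A client that reaches the tracker through a proxy at 192.0.2.8 but listens at
    192.0.2.9, and earlier obtained the token the tracker issued to 192.0.2.9."""
    info_hash = hashlib.sha1(b"legit torrent").digest()
    token = tracker.issue_token("192.0.2.9")
    return tracker.announce(info_hash, "192.0.2.8", 51413, {"ip": "192.0.2.9", "token": token})


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableTracker(), 1191), "entries point at the victim")
    print("hardened:  ", run_attack(HardenedTracker(), 1191), "entries point at the victim")
```

The hardened handler still lets the attacker register its own address thousands of times; rate limiting per source address is a separate control, and neither helps against a tracker that is itself compromised.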

Page 7: Attack illustration

[Slide diagram: the attacker collects many .torrent files from the discussion forum and tells each torrent's tracker "Victim has the files!"; clients asking the trackers "Who has the files?" are pointed at the victim and connect to it.]

Page 8: Experiments

Discussion forum: http://www.mininova.org, 1191 newly uploaded .torrent files collected in 2 days

Victim: 131.179.187.205, Apache web server (configured to serve 400 clients), monitored with tcpdump and netstat

Attacker: Python script to process the .torrent files and contact their trackers

Zombies: computers running BitTorrent clients in the Internet

Page 9: Statistics

Torrents
  Total                 1191
  Corrupted                6
  Single tracker         999
  Multiple trackers      186
  Support DHT            121

Trackers (tracker URLs listed in the 1185 readable torrents, with and without duplicates)
  http trackers         1963
  udp trackers            85
  Unique http trackers   311
  Unique udp trackers     21

Page 10: Measurements (1)

Attacker: 1191 torrent files used, 30 concurrent threads, each tracker contacted once

Page 11: Measurements (2)

Attacker: 1191 torrent files used, 40 concurrent threads, each tracker contacted 10 times; attack ends after 8 hours

Page 12: Measurements (3)

30513 distinct IPs recorded

Number of connection attempts per host

Retrying at 3, 6, 9, ... attempts seems to be a common client implementation

Page 13: Measurement (abnormal behavior)

Top 15 hosts with highest number of connection attempts

  Attempts  Host             Country
      8995  202.156.6.67     SINGAPORE (SG)
      8762  24.22.183.141    UNITED STATES (US)
      1953  71.83.213.106    (Unknown Country?) (XX)
      1841  24.5.44.13       UNITED STATES (US)
      1273  147.197.200.44   UNITED KINGDOM (UK)
      1233  82.40.167.116    UNITED KINGDOM (UK)
      1183  194.144.130.220  ICELAND (IS)
      1171  82.33.194.6      UNITED KINGDOM (UK)
      1167  219.78.137.197   HONG KONG (HK)
      1053  83.146.39.94     UNITED KINGDOM (UK)
      1042  82.10.187.190    UNITED KINGDOM (UK)
       896  65.93.12.152     CANADA (CA)
       861  84.231.86.223    FINLAND (FI)
       855  24.199.85.75     UNITED STATES (US)
       753  207.210.96.205   CANADA (CA)

Content pollution agents? Other researchers?

Page 14: Top 15 countries

United States, Canada, United Kingdom, Germany, France, Spain, Australia, Sweden, Netherlands, Malaysia, Norway, Poland, Japan, Brazil, China

Page 15: Countries with fewer BT clients running

Albania, Bermuda, Bolivia, Georgia, Ghana, Kenya, Laos, Lebanon, Monaco, Mongolia, Nicaragua, Nigeria, Qatar, Tanzania, Uganda, Zimbabwe

Page 16: Solution

Better tracker implementation

Authentication with trackers, similar to the announce token used in DHT

Filtering packets by analyzing the protocol, e.g. for incoming connections to port 80, check that the first data the client sends after the TCP handshake (SYN, SYN/ACK, ACK) is a legitimate HTTP request header, and drop the connection otherwise
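The protocol check sketched on this slide, as an added example that is not from the slides: it classifies the first data segment a client sends on port 80 as an HTTP request, a BitTorrent peer handshake (which always begins with the fixed 20-byte prefix 0x13 "BitTorrent protocol"), or something else, and turns a stream of such observations into per-source block decisions. The connection samples and the retry threshold are constructed.

```python
# Added example, not from the CS239 slides: classify the first bytes of a port-80
# connection and decide per source address. Samples below are constructed.
import re
from collections import Counter

BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"   # pstrlen=19 + pstr, same for every peer
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) [^ \r\n]+ HTTP/1\.[01]\r\n"
)


def classify_first_segment(payload: bytes) -> str:
    """Label the first bytes a client sends after the TCP handshake on port 80."""
    if payload.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if BT_HANDSHAKE_PREFIX.startswith(payload):
        # Too short to tell (including an empty first segment): wait for more data.
        return "undecided"
    return "unknown"


def decide(connections, unknown_limit=3):
    """connections: iterable of (src_ip, first_payload), in arrival order.
    Returns {src_ip: "allow" | "block" | "watch"}. A BitTorrent handshake blocks the
    source at once; a source that keeps sending non-HTTP data is blocked after
    unknown_limit attempts, since misdirected peers retry the victim repeatedly."""
    verdict = {}
    unknown = Counter()
    for ip, payload in connections:
        if verdict.get(ip) == "block":
            continue
        kind = classify_first_segment(payload)
        if kind == "bittorrent":
            verdict[ip] = "block"
        elif kind == "http":
            verdict[ip] = "allow"
        elif kind == "unknown":
            unknown[ip] += 1
            verdict[ip] = "block" if unknown[ip] >= unknown_limit else "watch"
        else:
            verdict.setdefault(ip, "watch")
    return verdict


def bt_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Full 68-byte peer handshake: prefix, 8 reserved bytes, info_hash, peer_id."""
    return BT_HANDSHAKE_PREFIX + bytes(8) + info_hash + peer_id


# Constructed observations, not captured traffic.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\nHost: victim.example\r\n\r\n"),
    ("192.0.2.7", bt_handshake(b"\x11" * 20, b"-UT1600-" + b"A" * 12)),
    ("192.0.2.7", bt_handshake(b"\x11" * 20, b"-UT1600-" + b"A" * 12)),  # retry
    ("198.51.100.3", b"\x13BitTor"),                 # handshake split across segments
    ("203.0.113.9", b"\x16\x03\x01\x00\x5a\x01"),    # TLS ClientHello sent to port 80
    ("203.0.113.9", b"\x16\x03\x01\x00\x5a\x01"),
    ("203.0.113.9", b"\x16\x03\x01\x00\x5a\x01"),
]

if __name__ == "__main__":
    for ip, action in sorted(decide(SAMPLE_CONNECTIONS).items()):
        print(f"{ip:15} {action}")
```

Looking only at the first segment keeps the check cheap enough to run in front of the web server; the same match can be pushed into the Linux packet filter with the string match (`-m string --algo bm --hex-string '|13|BitTorrent protocol'`), which however matches anywhere in a packet unless restricted with --from/--to, so a page that happens to contain that text would be dropped too.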

Page 17: End

Q and A
