How BitTorrent could let lone DDoS attackers bring down big sites


Some of the most widely used BitTorrent applications, including uTorrent, Mainline, and Vuze, are also the most vulnerable to a newly discovered form of denial-of-service attack that makes it easy for a single person to bring down large sites.

The distributed reflective DoS (DRDoS) attacks exploit weaknesses found in the open BitTorrent protocol, which millions of people rely on to exchange files over the Internet. But it turns out that features found in uTorrent, Mainline, and Vuze make them especially suitable for the technique. DRDoS allows a single BitTorrent user with only modest amounts of bandwidth to send malformed requests to other BitTorrent users.

The BitTorrent applications receiving the request, in turn, flood a third-party target with data that’s 50 to 120 times bigger than the original request. Key to making the attack possible is BitTorrent’s use of the User Datagram Protocol (UDP), which provides no mechanism to prevent the falsifying of IP addresses. By replacing the attacker’s IP address in the malicious request with the spoofed address of the target, the attacker causes the data flood to hit the victim’s computer.

“An attacker which initiates a DRDoS does not send the traffic directly to the victim,” researchers wrote in a research paper recently presented at the 9th Usenix Workshop on Offensive Technologies. “Instead he/she sends it to amplifiers which reflect the traffic to the victim. The attacker does this by exploiting network protocols which are vulnerable to IP spoofing. A DRDoS attack results in a distributed attack which can be initiated by one or multiple attacker nodes.”

The reflective form of DoS has three main advantages for the attacker, including:

  • it hides the identity of the attacker;
  • it can be initiated by a single computer while resulting in a distributed attack, that is, one that’s carried out by multiple computers with many different IP addresses; and
  • it amplifies the original attack packet, in some cases by as much as 120 fold.

DoS amplification techniques are by no means new. So-called Smurf attacks and DNS amplification attacks take advantage of misconfigured routers and domain name system servers, respectively, to bounce traffic and greatly magnify the firepower visited on an unlucky target. As the number of poorly configured servers has fallen in recent years, those types of attacks have become less common, although DNS amplification still remains a problem. Last year, miscreants targeting gaming sites turned their attention to a never-before-seen amplification technique that abused large numbers of time-synchronization servers running the Network Time Protocol. The technique has on occasion achieved volumes as high as 400 gigabytes of data per second, believed to have been a record when it was measured in early 2014.

DoS amplification attacks are most effective when they abuse widely used applications or services that are vulnerable by default. The researchers who describe the DRDoS technique said one Internet scan they performed identified 2.1 million IP addresses using BitTorrent. They recommended several countermeasures be added to the BitTorrent protocol to prevent IP spoofing and to prevent amplifying the amount of data that BitTorrent apps send in response to requests.
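On a network that hosts BitTorrent clients, the reflection described above shows up as a UDP peer that receives far more bytes than it sends. The following detection sketch is an added example, not code from the researchers or from any BitTorrent client; the flow-record layout, the function name, and the thresholds (the factor of 50 is taken from the lower bound quoted in the article) are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), one per direction:
# (protocol, local_host, remote_ip, direction, bytes)
SAMPLE_FLOWS = [
    ("udp", "10.0.0.5", "198.51.100.7", "in", 120),
    ("udp", "10.0.0.5", "198.51.100.7", "out", 9600),
    ("udp", "10.0.0.5", "198.51.100.7", "in", 120),
    ("udp", "10.0.0.5", "198.51.100.7", "out", 9400),
    ("udp", "10.0.0.5", "203.0.113.20", "in", 40000),   # ordinary peer exchange
    ("udp", "10.0.0.5", "203.0.113.20", "out", 52000),
    ("udp", "10.0.0.8", "203.0.113.99", "out", 30000),  # no inbound request seen
    ("tcp", "10.0.0.9", "198.51.100.7", "in", 100),     # TCP: not spoofable this way
    ("tcp", "10.0.0.9", "198.51.100.7", "out", 90000),
    ("udp", "10.0.0.6", "192.0.2.44", "in", 60),        # high ratio, tiny volume
    ("udp", "10.0.0.6", "192.0.2.44", "out", 900),
]

def find_reflection_suspects(flows, min_factor=50.0, min_out_bytes=5000):
    """Return [(local_host, remote_ip, factor)] for UDP pairs where the local
    host sent at least min_factor times the bytes it received from remote_ip."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for proto, local, remote, direction, nbytes in flows:
        if proto != "udp":
            continue  # the attack depends on connectionless, spoofable UDP
        if direction not in ("in", "out"):
            raise ValueError(f"unknown direction: {direction!r}")
        totals[(local, remote)][direction] += nbytes

    suspects = []
    for (local, remote), t in totals.items():
        if t["out"] < min_out_bytes:
            continue  # too little traffic to matter; avoids noisy ratios
        if t["in"] == 0:
            continue  # nothing was requested, so nothing was amplified
        factor = t["out"] / t["in"]
        if factor >= min_factor:
            # remote_ip is the address named in the requests; under spoofing
            # that is the likely victim, not the sender of the requests.
            suspects.append((local, remote, round(factor, 1)))
    return sorted(suspects, key=lambda s: s[2], reverse=True)

if __name__ == "__main__":
    for local, remote, factor in find_reflection_suspects(SAMPLE_FLOWS):
        print(f"{local} amplifying toward {remote}: {factor}x")
```

Because the source address in the requests is forged, a flagged remote address identifies the probable target of the flood; finding the true origin requires ingress data from upstream networks.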