190 likes | 200 Views
Explore vulnerabilities in the BitTorrent protocol, the impact of DDoS attacks, and potential solutions for better protection. Includes experiments, statistics, and the importance of tracker security.
E N D
DDoS Vulnerability Analysis of BitTorrent Protocol CS239 projectSpring 2006
Background • BitTorrent (BT) • P2P file sharing protocol • 30% of Internet traffic • 6881- top 10 scanned port in the Internet • DDoS • Distributed – hard to guard against by simply filtering at upstream routers • Application level (resources) • Network level (bandwidth)
How BT works • .torrent file (meta-data) • Information of files being shared • Hashes of pieces of files • Trackers (coordinator) • http, udp trackers • Trackerless (DHT) • BT clients (participants) • Azureus • BitComet • uTorrent • etc. • Online forum (exchange medium) • For user to announce and search for .torrent files
.torrent I have the file! Who has the file? clients Who has the file? .torrent Communication with trackers seeder Tracker Discussionforum client
Message exchange • HTTP/UDP tracker • Get peer + announce combined (who is sharing files) • Scrapping (information lookup) • DHT (trackerless) • Ping/response (announcing participation in DHT network) • Find node (location peers in DHT network) • Get peer (locate who is sharing files) • Announce (announce who is sharing files)
Vulnerabilities • Spoofed information • * Both http and udp trackers allow specified IP in announce • DHT does not allow specified IP in announce • Allow spoofed information on who is participating in DHT network • Possible to redirect a lot of DHT query to a victim • Compromised tracker
Who has the files? clients .torrent Victim has the files! .torrent .torrent .torrent .torrent .torrent Attack illustration victim Tracker Discussionforum attacker
Experiments • Discussion forum (http://www.mininova.org) • 1191 newly uploaded .torrent files in 2 days • Victim (131.179.187.205) • Apache web server (configured to serve 400 clients) • tcpdump, netstat • Attacker • Python script to process .torrent files and contact trackers • Zombies • Computers running BitTorrent clients in the Internet
Statistics Torrents Trackers
Measurements (1) • Attacker • 1191 torrent files used • 30 concurrent threads, contact trackers once
Measurements (2) • Attacker • 1191 torrent files used • 40 concurrent threads, contact trackers 10 times • Attack ends after 8 hours
Measurements (3) • 30513 distinct IPs recorded • Number of connection attempts per host • Retry 3,6,9,… seems a common implementation
Measurement (abnormal behavior) • Top 15 hosts with highest number of connection attempts • 8995 202.156.6.67 Country: SINGAPORE (SG) • 8762 24.22.183.141 Country: UNITED STATES (US) • 1953 71.83.213.106 Country: (Unknown Country?) (XX) • 1841 24.5.44.13 Country: UNITED STATES (US) • 1273 147.197.200.44 Country: UNITED KINGDOM (UK) • 1233 82.40.167.116 Country: UNITED KINGDOM (UK) • 1183 194.144.130.220 Country: ICELAND (IS) • 1171 82.33.194.6 Country: UNITED KINGDOM (UK) • 1167 219.78.137.197 Country: HONG KONG (HK) • 1053 83.146.39.94 Country: UNITED KINGDOM (UK) • 1042 82.10.187.190 Country: UNITED KINGDOM (UK) • 896 65.93.12.152 Country: CANADA (CA) • 861 84.231.86.223 Country: FINLAND (FI) • 855 24.199.85.75 Country: UNITED STATES (US) • 753 207.210.96.205 Country: CANADA (CA) • Content pollution agents? • Other researchers?
Top 15 countries • United States • Canada • United Kingdom • Germany • France • Spain • Australia • Sweden • Netherlands • Malaysia • Norway • Poland • Japan • Brazil • China
Countries with less BT clients running • Albania • Bermuda • Bolivia • Georgia • Ghana • Kenya • Lao • Lebanon • Monaco • Mongolia • Nicaragua • Nigeria • Qatar • Tanzania • Uganda • Zimbabwe
Solution • Better tracker implementation • Authentication with trackers • Similar to the one used in DHT • Filtering packets by analyzing the protocol • e.g. check [SYN|ACK|80] incoming packets for legitimate HTTP header
End Q and A
.torrent I have the file! Who has the file? .torrent seeder 1 2 Tracker 5 3 Discussionforum 4 client
Who has the files? clients .torrent Victim has the files! .torrent .torrent .torrent .torrent .torrent 4 victim Tracker 3 1 Discussionforum 2 attacker