BitTorrent clients can be made to participate in high-volume DoS attacks

A group of researchers have discovered a new type of DoS attack that can be pulled off by a single attacker exploiting weaknesses in the BitTorrent protocol family.

The weaknesses in the Micro Transport Protocol (uTP), Distributed Hash Table (DHT), Message Stream Encryption (MSE), and BitTorrent Sync (BTSync) protocols allow the attacker to insert the target’s IP address instead of his own in the malicious request.

To mount a Distributed Reflective DoS (DRDoS) attack, an attacker must simply send this malformed requests to other BitTorrent users, which then act as reflectors and amplifiers and flood the intended victim with responses.

“Our experiments reveal that an attacker is able to exploit BitTorrent peers to amplify the traffic up to a factor of 50 times and in case of BTSync [app] up to 120 times,” the researchers noted.

“With peer-discovery techniques like trackers, DHT or PEX, an attacker can collect millions of amplifiers. An attacker only needs a valid info-hash or secret to exploit the vulnerabilities.”

The researchers have found that uTorrent, Mainline and Vuze – the most popular BitTorrent clients – are vulnerable since they use the aforementioned protocols.

While there is no effective security risk for the users of the vulnerable clients, these flaws should be fixed in order to prevent DRDoS attacks in the future.

In the meantime, stopping these attacks requires the deployment of firewalls with Deep Packet Inspection (DPI).

UPDATE:

After pointing out that this type of attack has not yet been spotted in the wild, Christian Averill, VP of Comms & Brand at BitTorrent, has noted that attacks like this will always be possible due to the way UDP-based protocols work.

“Abuse of DNS is commonly known. And even as recent as February of 2014, public Network Time Protocol (NTP) servers across the world were leveraged to carry out such an attack,” he added. “Nonetheless we’ve taken the vulnerability reports seriously and have taken steps to harden our protocols and mitigate some weaknesses outlined in the research paper.”

He commended the researchers for responsibly sharing their findings with them a few weeks back, and said that the team at BitTorrent has already been able to address much of the issue prior to the paper’s publication and will soon have mitigated the matter completely.

“An important point regarding Sync: even before the recent updates to Sync, the severity of the vulnerability was reduced by a few factors,” he also pointed out. “First, the attacker would have to know the Sync user they are trying to exploit to get their ‘Secret’ – or the Sync user would have to have exposed that ‘Secret’ publicly in some way. In addition, Sync, by design, limits the amount of peers in a share making the attack surface much smaller. It would not serve as an effective source to mount large scale attacks.”