Exploiting BitTorrent flaws to run Distributed Reflective DDoS

Security researchers have discovered a new technique that exploits BitTorrent to run powerful DDoS amplification attacks capable of bringing down large websites.

A weakness in the open BitTorrent protocol makes some of the most widely used BitTorrent applications, including uTorrent, Mainline, and Vuze, vulnerable to a form of denial of service attack. This form of DDoS allows a single individual to run powerful attacks that could bring down large web sites.

The attacker can exploit the flaw to run a distributed reflective DoS (DRDoS) attack, which significantly amplifies the malicious traffic used to flood the target site.

A single BitTorrent user with a limited amount of bandwidth can launch the attack by sending malformed requests to other BitTorrent users. When the BitTorrent applications receive the malformed request, they in turn flood a third-party target with data that is 50 to 120 times the size of the original request.

The attack exploits the lack of any mechanism in the UDP protocol used by BitTorrent to prevent the falsifying of source IP addresses.

The attacker floods the victim by replacing his or her own IP address in the malicious request with the spoofed address of the victim, so that the responses are delivered to the victim instead.
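The mechanism described above leaves a recognisable footprint in flow data on the reflectors' side: the victim's spoofed address appears as the source of small requests to many peers, and every peer answers it with a far larger response. The following script is an added example, not code from the article or from the researchers' paper; it runs a simple reflection check over flow records constructed here to resemble NetFlow/IPFIX summaries (field names, addresses and thresholds are assumptions for the example).

```python
"""Flag UDP reflection/amplification from flow records.

Added example; not code from the article or from the USENIX paper it reports on.
The flow records below are constructed to resemble NetFlow/IPFIX exports as
a reflector's network operator would see them: the victim's (spoofed) address
appears as the source of tiny requests, and each BitTorrent peer answers it
with a far larger response. Field names are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "udp" or "tcp"
    packets: int
    nbytes: int   # total bytes in the flow


# Constructed sample data. 203.0.113.10 plays the spoofed victim;
# 198.51.100.1-3 are peers acting as reflectors; .7/.8 are a benign exchange.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.1", "udp", 10, 1_000),
    Flow("203.0.113.10", "198.51.100.2", "udp", 10, 1_000),
    Flow("203.0.113.10", "198.51.100.3", "udp", 10, 1_000),
    Flow("198.51.100.1", "203.0.113.10", "udp", 100, 60_000),
    Flow("198.51.100.2", "203.0.113.10", "udp", 110, 90_000),
    Flow("198.51.100.3", "203.0.113.10", "udp", 120, 120_000),
    Flow("198.51.100.7", "198.51.100.8", "udp", 20, 4_000),
    Flow("198.51.100.8", "198.51.100.7", "udp", 22, 4_400),
]


def bytes_by_pair(flows):
    """Sum UDP bytes per ordered (src, dst) pair."""
    sent = defaultdict(int)
    for f in flows:
        if f.proto == "udp":
            sent[(f.src, f.dst)] += f.nbytes
    return sent


def reflection_report(flows, min_ratio=10.0, min_reflectors=3):
    """Return {victim: stats} for addresses that receive amplified UDP replies.

    A peer counts as a reflector for an address when the bytes it sends back
    exceed the bytes it received from that address by at least min_ratio.
    An address is reported only when at least min_reflectors peers do this,
    which separates reflection from one chatty but legitimate session.
    """
    sent = bytes_by_pair(flows)
    reflectors = defaultdict(dict)  # victim -> {reflector: ratio}
    for (requester, peer), out_bytes in sent.items():
        if out_bytes == 0:
            continue
        back = sent.get((peer, requester), 0)
        ratio = back / out_bytes
        if ratio >= min_ratio:
            reflectors[requester][peer] = ratio

    report = {}
    for victim, peers in reflectors.items():
        if len(peers) < min_reflectors:
            continue
        total_in = sum(sent[(p, victim)] for p in peers)
        total_out = sum(sent[(victim, p)] for p in peers)
        report[victim] = {
            "reflectors": len(peers),
            "amplification": total_in / total_out,  # aggregate bytes in / bytes out
            "max_ratio": max(peers.values()),
        }
    return report


if __name__ == "__main__":
    for victim, stats in reflection_report(SAMPLE_FLOWS).items():
        print(victim, stats)
```

On the constructed data the victim is flagged with three reflectors and an aggregate amplification of 90 (individual ratios of 60, 90 and 120, in the range the article quotes), while the benign pair, whose traffic is roughly symmetric, is ignored. The per-pair ratio is the same quantity the article calls the amplification factor; the reflector count is what distinguishes a reflection attack from a single large download.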

The newly discovered DDoS attack technique was detailed by researchers in a paper recently presented at the USENIX Workshop on Offensive Technologies.

“An attacker which initiates a DRDoS does not send the traffic directly to the victim,” explained the researchers. “Instead he/she sends it to amplifiers which reflect the traffic to the victim. The attacker does this by exploiting network protocols which are vulnerable to IP spoofing. A DRDoS attack results in a distributed attack which can be initiated by one or multiple attacker nodes.”

This kind of attack presents a number of advantages for the attacker: it allows a DDoS to be run even from a single machine (the target is flooded by multiple machines with different IP addresses), it hides the identity of the attacker, and it allows an amplification factor of up to 120 times.

Amplification DDoS attacks exploit flawed protocols and poorly configured devices such as home routers; last year several reports registered an increase in reflection DDoS attacks.

Attackers are improving DDoS amplification methods by exploiting new protocols such as SSDP. In early 2014 the US-CERT issued an alert (TA14-017A) on the increase in the number of DDoS attacks abusing the following protocols:

  • DNS
  • NTP
  • SNMPv2
  • NetBIOS
  • SSDP
  • CharGEN
  • QOTD
  • BitTorrent
  • Kad
  • Quake Network Protocol
  • Steam Protocol

The researchers who presented the DRDoS technique based on the BitTorrent protocol explained that they identified 2.1 million IP addresses running BitTorrent through an Internet scan.

They provided a number of suggestions to prevent exploitation of the BitTorrent protocol, among them preventing IP spoofing and limiting the amount of data that BitTorrent applications send in response to requests.
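One generic way to honour the second suggestion, limiting what a UDP service sends back before it knows the source address is genuine, is an address-bound cookie: an unverified request only earns a reply that is smaller than the request itself, and a full-size response goes out only after the client echoes a token that could only have been received at the claimed address. The code below is an added example and is not the BitTorrent protocol's own handshake, the article's code, or the researchers' proposal; message layout, sizes and names are assumptions made for the example.

```python
"""Bound the amplification a UDP service offers to spoofed requests.

Added example, not code from the article or the researchers' paper, and not
the BitTorrent protocol's own handshake: it shows one generic way to
implement the mitigation the researchers describe (limit what is sent back
before the source address is known to be genuine). Message layout, sizes
and names are assumptions for this example.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # server-side secret; rotating it invalidates old cookies
COOKIE_LEN = 16
MIN_REQUEST = 64          # requests shorter than this are dropped
RETRY_TAG = b"RETRY"


def make_cookie(addr: str, port: int) -> bytes:
    """Stateless address-bound token: only a host that actually receives packets
    at (addr, port) learns it, so a sender spoofing that address never sees it."""
    msg = f"{addr}:{port}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def handle_request(src_addr: str, src_port: int, payload: bytes, full_response: bytes):
    """Return the datagram to send back, or None to drop the request.

    Layout assumed here: payload = cookie (COOKIE_LEN bytes) + body.
    """
    if len(payload) < MIN_REQUEST:
        return None                       # undersized request: not worth any reply
    cookie = payload[:COOKIE_LEN]
    expected = make_cookie(src_addr, src_port)
    if not hmac.compare_digest(cookie, expected):
        return RETRY_TAG + expected       # 21 bytes: smaller than any accepted request
    return full_response                  # address verified: full-size reply is safe


def amplification(request: bytes, reply) -> float:
    """Bytes out per byte in for one exchange (0.0 when the request is dropped)."""
    return 0.0 if reply is None else len(reply) / len(request)


def legit_exchange(addr: str, port: int, body: bytes, full_response: bytes):
    """Simulate a genuine client: the first attempt carries a blank cookie and
    gets a RETRY; the client then repeats the request with the cookie it received."""
    padded = body.ljust(MIN_REQUEST - COOKIE_LEN, b"\x00")
    first = handle_request(addr, port, bytes(COOKIE_LEN) + padded, full_response)
    cookie = first[len(RETRY_TAG):]
    second = handle_request(addr, port, cookie + padded, full_response)
    return first, second


if __name__ == "__main__":
    full = b"p" * 4_000
    first, second = legit_exchange("203.0.113.10", 6881, b"get_peers", full)
    print("unverified reply bytes:", len(first), "verified reply bytes:", len(second))
```

Because the server keeps no per-client state, the cookie costs it nothing to issue, and because the reply to an unverified request is always shorter than the minimum accepted request, the amplification factor available to a spoofed source stays below one. The minimum request size is the same idea QUIC applies by padding its first packet; a genuine client pays one extra round trip.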

Pierluigi Paganini

(Security Affairs – BitTorrent, DDoS)
