
Exploiting BitTorrent flaws to run Distributed Reflective DDoS

Security researchers have discovered a new technique that exploits BitTorrent to run powerful DDoS amplification attacks capable of taking down large websites.

A weakness in the open BitTorrent protocol makes some of the most widely used BitTorrent applications, including uTorrent, Mainline and Vuze, vulnerable to a form of denial-of-service attack in which a single individual can generate enough traffic to take down large websites.

The attacker can exploit the flaw to run a distributed reflective DoS (DRDoS) attack, in which the malicious traffic is amplified considerably before it reaches the target site.

A single BitTorrent user with a limited amount of bandwidth can launch the attack by sending malformed requests to other BitTorrent users. When the BitTorrent applications receive the malformed requests, they in turn flood a third-party target with data 50 to 120 times the size of the original request.

The attack exploits the lack of any mechanism to prevent IP address spoofing in the UDP-based protocols used by BitTorrent: UDP is connectionless, so a peer that receives a request has no way to verify that it really came from the source address written in the packet.

The attacker therefore replaces their own IP address in the malicious request with the spoofed address of the victim, and the replies from the peers flood the victim.

The newly discovered DDoS attack technique was detailed by the researchers in a paper recently presented at the USENIX Workshop on Offensive Technologies (WOOT).

“An attacker which initiates a DRDoS does not send the traffic directly to the victim,” the researchers explained. “Instead he/she sends it to amplifiers which reflect the traffic to the victim. The attacker does this by exploiting network protocols which are vulnerable to IP spoofing. A DRDoS attack results in a distributed attack which can be initiated by one or multiple attacker nodes.”

This kind of attack offers several advantages to the attacker: it produces a distributed attack even when the attacker uses a single machine (the target is flooded by many machines with different IP addresses), it hides the attacker's identity, and it allows an amplification factor of up to 120.
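The mechanism described above, as an added example that is not code from the paper or from any BitTorrent client: a model of a connectionless UDP-style service in which a reflector answers whatever source address a request claims, one attacker spoofs the victim's address towards many reflectors, and the bandwidth amplification factor (bytes delivered to the victim per byte the attacker sent) is measured. The second reflector shows the reflector-side mitigation the article alludes to: a small token bound to the source address, with the large reply sent only to a source that echoes it. All names, addresses, the 20-byte request and the 1200-byte reply are assumptions chosen to land in the 50 to 120 range the article quotes.

```python
"""Added example (not code from the paper or any BitTorrent client): a model of
a distributed reflective DoS over a connectionless UDP-style service, and the
handshake that stops it. Names, addresses and sizes are assumptions."""
import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # claimed source; UDP gives the receiver no proof of it
    dst: str
    payload: bytes


class Network:
    """Delivers each packet to its `dst` and accounts for what every address
    receives, regardless of whether `src` was genuine."""

    def __init__(self):
        self.hosts = {}
        self.bytes_in = defaultdict(int)
        self.packets_in = defaultdict(int)
        self.sources_seen = defaultdict(set)

    def send(self, pkt):
        self.bytes_in[pkt.dst] += len(pkt.payload)
        self.packets_in[pkt.dst] += 1
        self.sources_seen[pkt.dst].add(pkt.src)
        host = self.hosts.get(pkt.dst)
        if host is not None:
            host.on_packet(pkt, self)


class NaiveReflector:
    """Answers any request with a large reply to the claimed source. This is
    the pattern that turns a peer into an amplifier."""

    def __init__(self, addr, response_size=1200):
        self.addr = addr
        self.response = b"RESP" + b"x" * (response_size - 4)

    def on_packet(self, pkt, net):
        if pkt.payload.startswith(b"REQ"):
            net.send(Packet(self.addr, pkt.src, self.response))


class HandshakeReflector(NaiveReflector):
    """Replies to a request with only a small token bound to the source
    address; the large reply goes only to a source that echoes the token.
    A spoofed source never receives the token, so it cannot echo it."""

    def __init__(self, addr, response_size=1200):
        super().__init__(addr, response_size)
        self.secret = os.urandom(16)   # per-reflector secret, never sent

    def token_for(self, src):
        digest = hashlib.sha256(self.secret + src.encode()).hexdigest()
        return digest[:8].encode()     # 8 bytes: the reply must not exceed the request

    def on_packet(self, pkt, net):
        if pkt.payload.startswith(b"REQ"):
            net.send(Packet(self.addr, pkt.src, b"TOKEN" + self.token_for(pkt.src)))
        elif pkt.payload.startswith(b"ECHO") and pkt.payload[4:] == self.token_for(pkt.src):
            net.send(Packet(self.addr, pkt.src, self.response))


def run_attack(reflector_cls, n_reflectors=50, request_size=20, victim="192.0.2.10"):
    """One attacker sends `n_reflectors` spoofed requests whose source address
    is the victim's. Returns what the attacker sent and what the victim got."""
    net = Network()
    reflectors = [f"198.51.100.{i}" for i in range(1, n_reflectors + 1)]
    for addr in reflectors:
        net.hosts[addr] = reflector_cls(addr)
    attacker_bytes = 0
    for addr in reflectors:
        # src is forged: the attacker writes the victim's address, not its own
        req = Packet(src=victim, dst=addr, payload=b"REQ".ljust(request_size, b"\0"))
        attacker_bytes += len(req.payload)
        net.send(req)
    return {
        "attacker_bytes": attacker_bytes,
        "victim_bytes": net.bytes_in[victim],
        "victim_packets": net.packets_in[victim],
        "distinct_sources": len(net.sources_seen[victim]),
    }


def amplification_factor(result):
    """Bandwidth amplification factor: bytes delivered to the victim per byte
    the attacker had to send."""
    return result["victim_bytes"] / result["attacker_bytes"]


if __name__ == "__main__":
    for cls in (NaiveReflector, HandshakeReflector):
        r = run_attack(cls)
        print(f"{cls.__name__}: {r} BAF={amplification_factor(r):.2f}")
```

With the naive reflector the victim receives 60 000 bytes from 50 distinct addresses for the attacker's 1 000 bytes, a factor of 60; with the handshake the victim still receives 50 small tokens but the factor drops below 1, which is the property to check when reviewing any UDP service: the first reply to an unverified source must be no larger than the request. The handshake is a fix the reflector operator can deploy; the spoofing itself is stopped only by ingress filtering at the attacker's network (BCP 38), which the victim cannot influence.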

Amplification DDoS attacks exploit flawed protocols and poorly configured devices such as home routers; last year several reports registered an increase in reflection DDoS attacks.

Attackers keep improving their DDoS amplification methods by abusing further protocols such as SSDP. In early 2014 the US-CERT issued Alert TA14-017A (UDP-Based Amplification Attacks) on the increase in DDoS attacks abusing the following protocols:

  • DNS
  • NTP
  • SNMPv2
  • NetBIOS
  • SSDP
  • CharGEN
  • QOTD
  • BitTorrent
  • Kad
  • Quake Network Protocol
  • Steam Protocol
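Most of the protocols in that list run on fixed UDP ports, while BitTorrent, Kad, Quake and Steam peers use per-client or game ports, so a victim cannot rely on port numbers alone. The following added example (not code from the article or from US-CERT) applies the check that works for all of them over flow records collected at the victim's edge: UDP traffic that arrives from many distinct sources, with large packets, in reply to requests the protected host never sent. Field names, thresholds and the sample flows are constructed assumptions.

```python
"""Added example, not from the article or US-CERT: flags protected hosts that
receive reflected amplification traffic, using flow records from the victim's
edge. Field names, thresholds and the sample flows are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Fixed service ports from the TA14-017A list. BitTorrent, Kad, Quake and
# Steam peers answer from arbitrary ports, so they are only caught by the
# behavioural rule in find_reflection_targets, not by this table.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMPv2", 137: "NetBIOS",
                   1900: "SSDP", 19: "CharGEN", 17: "QOTD"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


def find_reflection_targets(flows, protected, min_sources=10, min_bytes_per_pkt=400):
    """Return {victim: report} for protected hosts that receive unsolicited
    UDP traffic from at least `min_sources` addresses with large packets."""
    # A reply is solicited only if the protected host first sent a UDP flow
    # to that same remote address and port.
    requested = {(f.src, f.dst, f.dport) for f in flows
                 if f.proto == "udp" and f.src in protected}
    per_target = defaultdict(list)
    for f in flows:
        if f.proto != "udp" or f.dst not in protected:
            continue
        if (f.dst, f.src, f.sport) in requested:
            continue                       # the host asked for this; not reflection
        per_target[f.dst].append(f)
    reports = {}
    for victim, inbound in per_target.items():
        sources = {f.src for f in inbound}
        total_bytes = sum(f.bytes for f in inbound)
        total_pkts = max(sum(f.packets for f in inbound), 1)
        if len(sources) < min_sources or total_bytes / total_pkts < min_bytes_per_pkt:
            continue
        reports[victim] = {
            "sources": len(sources),
            "bytes": total_bytes,
            "services": Counter(AMPLIFIER_PORTS.get(f.sport, "unknown/p2p") for f in inbound),
        }
    return reports


def sample_flows():
    """Constructed flow records, not captured traffic."""
    flows = [
        # legitimate DNS: 192.0.2.10 asks 198.51.100.1 and gets one small answer
        Flow("192.0.2.10", 40000, "198.51.100.1", 53, "udp", 60, 1),
        Flow("198.51.100.1", 53, "192.0.2.10", 40000, "udp", 120, 1),
        # ordinary TCP traffic to another protected host
        Flow("203.0.113.5", 51000, "192.0.2.20", 443, "tcp", 9000, 12),
    ]
    # twelve reflectors answer requests 192.0.2.10 never sent: three well-known
    # services plus nine peers on arbitrary high ports (the BitTorrent case)
    ports = [53, 123, 1900] + [6881 + i for i in range(9)]
    for i, sport in enumerate(ports):
        flows.append(Flow(f"203.0.113.{10 + i}", sport, "192.0.2.10", 6881, "udp", 12000, 10))
    return flows


if __name__ == "__main__":
    hits = find_reflection_targets(sample_flows(), {"192.0.2.10", "192.0.2.20"})
    for victim, report in hits.items():
        print(victim, report)
```

On the constructed sample the single genuine DNS answer is excluded because the matching outbound query exists, the TCP traffic is ignored, and 192.0.2.10 is reported with twelve sources, 144 000 bytes at 1 200 bytes per packet, of which nine flows come from ports the table cannot name. In production the `requested` set must be built from the same time window as the inbound flows and the thresholds tuned to the host's normal UDP profile; a host that legitimately runs a BitTorrent client will show many UDP peers, but they will be solicited.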

The researchers who presented the BitTorrent-based DRDoS technique explained that an Internet-wide scan identified 2.1 million IP addresses running BitTorrent.

They also provided a number of suggestions for preventing the abuse of the BitTorrent protocol: preventing IP spoofing and limiting the amount of data that BitTorrent applications send in response to a request.

Pierluigi Paganini

(Security Affairs – BitTorrent, DDoS)
