Tuesday 23 August 2011

BitTorrent | As a DDoS Tool!

What is a DDoS attack?

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.


Misuse of BitTorrent:

BitTorrent is currently one of the most popular peer-to-peer (P2P) systems: its clients are widely spread all over the world and account for a large fraction of today’s Internet traffic. Every day millions of people are downloading files via BitTorrent, and in some instances more than 100,000 people are sharing the same file at the same time. In this article, I shall show that BitTorrent can be exploited by misdirecting clients to send their traffic toward any host on the Internet. The volume of a BitTorrent swarm can thus be converted into firepower for launching a distributed denial-of-service (DDoS) attack, and a server can be taken down through this misuse.



The problem arises in the DHT. The DHT’s normal function is to find peers who are downloading the same files, but without communicating with a central BitTorrent tracker. This ensures that downloads can continue even when the central tracker goes offline, and this decentralised peer discovery is what the attack builds on.



A Kademlia-based DHT (see the Wikipedia article on Kademlia) can be exploited by a malicious peer to carry out a DDoS attack. If there are enough peers downloading the same file, this could easily take down medium to large websites. The worrying part is that the downloaders who are participating in the DDoS will not be aware of what’s going on.



The core problem is the random NodeIDs. The address hashing and verification scheme worked for scenarios like the old Internet, but becomes almost useless in the large address space of IPv6. As a result, any BitTorrent swarm can be abused to target specific websites and potentially take them down.

This and other DHT vulnerabilities are not entirely new concepts for BitTorrent developers. They have been discussed in various places already, but no agreement on how they should be dealt with has yet been reached.

Over the last months DDoS attacks have been in the news regularly, mostly carried out under the flag of Anonymous’ Operation Payback. Initially anti-piracy targets such as the MPAA and RIAA were taken offline, and last month the focus switched to organizations that acted against Wikileaks, including Mastercard and Paypal.



While these attacks required hundreds of people to actively participate and fire up their LOIC application (see the Wikipedia article on LOIC) at the same time, the BitTorrent DDoS could take down the same sites from a single computer, using BitTorrent downloads as a ‘botnet’.



The idea of using BitTorrent as a DDoS tool is not entirely new. In fact, researchers have previously shown that adding a web server’s IP address as a BitTorrent tracker could result in a similar DDoS. The downside of this method, however, is that it requires a torrent file to become popular, while the DHT method can simply exploit existing torrents that are already being downloaded by thousands of people.

It will be interesting to see if BitTorrent developers are going to act upon the DHT vulnerability in the coming months and come up with a solution to prevent this kind of abuse.



Architecture of a normal BitTorrent swarm

Architecture of our modified swarm (BitTorrent file exchange function is still working, but each peer would generate an additional connection to a victim target on a specified service port)





Explaining the process further:

Given the current usage of BitTorrent and the capability of providing clients with arbitrary addresses in the peer list, it is not difficult to envision a realistic attack scenario. An attacker would first set up a self-modified tracker, most likely on a server that he or she has previously compromised. Next, the attacker would need to obtain a file or a set of files that are likely to generate high demand, such as a new movie, a set of pirated songs, or free software. With these prerequisites in place, the attacker is free to generate a torrent file for his or her payload and register the torrent with the modified tracker.



While the attacker could use any means to distribute the newly created torrent, the most straightforward approach would be to upload the torrent to a highly trafficked torrent directory, such as The Pirate Bay [7th Rank]. Upon upload to such a site, the torrent is made available for any user to download freely and join the swarm.

At that point, the peers in the swarm that are downloading the file will begin connecting to the supplied target or targets, while still retrieving the torrent payload data normally.



When the number of peers in the swarm with a connection open to an attacked target exceeds the maximum number of connections the target application is configured to accept, the victim service will no longer accept new TCP connections, rendering it unreachable and causing a successful denial-of-service attack.
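As an added, defensive illustration that is not part of the original post: a client or gateway that parses a tracker’s compact peer list (the 6-byte IPv4:port entries in the bencoded "peers" value) can refuse entries that point at well-known service ports or at hosts it is responsible for, which blunts the misdirection described above. The bencode decoder, the port list, the protected-host set and the sample tracker reply are all constructed here, not taken from any real client.

```python
import ipaddress
import struct

# Ports an ordinary BitTorrent peer would not be listening on (constructed list).
SERVICE_PORTS = {21, 22, 25, 53, 80, 443, 8080}

def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder for ints, byte strings, lists and dicts."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list / dict: l...e / d...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return {items[i]: items[i + 1] for i in range(0, len(items), 2)}, pos + 1
    colon = data.index(b":", pos)                  # byte string: <len>:<bytes>
    length, start = int(data[pos:colon]), colon + 1
    return data[start:start + length], start + length

def split_peers(compact: bytes):
    """Yield (ip, port) from a compact peer string; a trailing partial entry is dropped."""
    for off in range(0, len(compact) - len(compact) % 6, 6):
        ip_raw, port = struct.unpack("!4sH", compact[off:off + 6])
        yield str(ipaddress.IPv4Address(ip_raw)), port

def filter_peers(response: bytes, protected: set):
    """Split a tracker reply into peers to contact and peers to refuse (with a reason)."""
    reply, _ = bdecode(response)
    accepted, rejected = [], []
    for ip, port in split_peers(reply[b"peers"]):
        if port in SERVICE_PORTS:
            rejected.append((ip, port, "service port"))
        elif ip in protected:
            rejected.append((ip, port, "protected host"))
        else:
            accepted.append((ip, port))
    return accepted, rejected

def sample_response() -> bytes:
    """Constructed tracker reply: two ordinary peers, one entry aimed at port 80
    of an unrelated host, and one entry aimed at a host on the protected list."""
    entries = [("203.0.113.10", 6881), ("198.51.100.7", 80),
               ("203.0.113.200", 51413), ("192.0.2.44", 8443)]
    peers = b"".join(ipaddress.IPv4Address(ip).packed + struct.pack("!H", p)
                     for ip, p in entries)
    return b"d8:intervali1800e5:peers" + str(len(peers)).encode() + b":" + peers + b"e"
```

The same filter can run on a network gateway that inspects tracker replies in transit, so that every client behind it is protected without modification.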



Properties of such an attack:

1. It requires no modification whatsoever to the BitTorrent client software.

2. The attack is hidden from clients, since the attack traffic volume from each client is very small and all clients can still upload and download files normally.

3. The attack can target multiple victims on arbitrary service ports specified by the attacker.

4. The attack does not expose an attacker’s real compromised machine (i.e., the tracker) to a victim.

5. An attacker can arbitrarily decide the start and end time of a DDoS attack by controlling the tracker.

