BitTorrent kills bug that turns networks into a website-slaying weapon
#1
Reflective technique would let attacker amplify traffic and flood targets
BitTorrent has fixed a flaw in its technology that quietly turns file-sharing networks into weapons capable of blasting websites and other internet servers offline.

The San Francisco company said Thursday the patch for its libuTP software will stop miscreants from abusing the peer-to-peer protocol to launch distributed reflective denial-of-service (DRDoS) attacks.
LibuTP is an essential building block for BitTorrent apps, such as Vuze, uTorrent, Transmission and BitTorrent's own client software. These applications must be updated to include the fix, and the updates installed by netizens, to fully kill off the DRDoS vulnerability. uTorrent version 3.4.4 40911, BitTorrent version 7.9.5 40912 and BitTorrent Sync version 2.1.3 were all patched up earlier this month.

First uncovered by researcher Florian Adamsky, the vulnerability allows a single attacker to amplify a small string of data into a much larger flood of garbage network traffic that is directed toward a single target.

"Thankfully, no such attack has yet been observed in the wild, and Florian responsibly contacted us to share his findings," BitTorrent spokesman Christian Averill wrote in a blog post.

"This gave our engineering team the opportunity to mitigate the possibility of such an attack."

By utilizing a flaw in the BitTorrent protocols, an attacker can send a small amount of data across the internet to force unsuspecting BitTorrent nodes to simultaneously transmit a much larger wad of network packets to a machine of the attacker's choosing – effectively amplifying the attacker's input and outputting it all to a victim's computer.

This, if repeated enough times with enough nodes, allows the attacker to potentially bombard a targeted IP address with huge amounts of data, thus washing away any legit traffic. Effectively, the attacked server would appear to be offline.

[Image: bittorrentdrdos.jpg] How an attack would propagate through the BitTorrent network

"By spoofing the source address in a UDP packet, an attacker can trick an intermediate node into sending data to a third party," BitTorrent bod Francisco de la Cruz explained in a blog post.

"If an attacker can find a UDP protocol that sends responses larger than initial requests, it can amplify the traffic directed at a victim."

BitTorrent has tweaked its library code to address the design flaw in its protocol. Before, an attacker could start a connection with a BitTorrent node, and fake its IP address to be that of the victim. The node would acknowledge the connection to the victim, rather than the attacker. The attacker would then send a handshake message to the node. The node would try to repeatedly reply to the handshake to the hapless victim, rather than the attacker.

Now a node will generate a random acknowledgment value and send that to the victim, rather than the attacker, when the connection is initiated. The attacker can only guess what this value is, and without it, its handshake message to the node will be ignored. The node will refuse to reply to the handshake unless the sender knows the acknowledgment value to prove it initiated the connection.

This, in turn, will make reflecting large volumes of traffic far more difficult for an attacker, and will prevent the execution of DRDoS attacks.

BitTorrent noted that even before the vulnerability was disclosed, products such as its Sync tool were in large part safe against the attacks.

"Sync, by design, limits the amount of peers in a share, making the attack surface much smaller," added Averill. "It would not serve as an effective source to mount large-scale attacks."

http://www.theregister.co.uk/2015/08/28/...lasts_bug/
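A toy model of the before/after behaviour the article describes (a node that used to re-send handshake replies to whatever source address a packet claimed, versus one that first demands a random acknowledgment value back), added here as an illustration; it is not code from BitTorrent or libuTP, and the packet sizes, retry count and victim address are constructed.

```python
import secrets
from collections import Counter

# Constructed packet sizes, in bytes, chosen only to make the ratio visible.
CONNECT_ACK_BYTES = 20        # small acknowledgment sent when a connection is opened
HANDSHAKE_REPLY_BYTES = 120   # reply to the handshake message
HANDSHAKE_RETRIES = 4         # how often the node re-sends that reply to a silent peer


class Node:
    """Toy model of a BitTorrent node's connection handling (not libuTP code)."""

    def __init__(self, patched):
        self.patched = patched
        self.expected_ack = {}    # peer address -> value that peer must echo back
        self.sent = Counter()     # destination address -> bytes the node sent there

    def on_connect(self, src):
        # The node cannot tell a spoofed UDP source from a real one, so the
        # acknowledgment always goes to whatever address the packet claimed.
        ack = secrets.randbits(32) if self.patched else 0
        self.expected_ack[src] = ack
        self.sent[src] += CONNECT_ACK_BYTES

    def on_handshake(self, src, ack):
        # A patched node continues only if the sender echoes the random value,
        # which was delivered to the real owner of `src`, not to a spoofer.
        if self.patched and self.expected_ack.get(src) != ack:
            return
        for _ in range(HANDSHAKE_RETRIES):
            self.sent[src] += HANDSHAKE_REPLY_BYTES


def reflected_bytes(patched, legitimate=False):
    """Bytes that reach `victim` after a connect + handshake claiming its address.

    legitimate=False models an attacker spoofing the victim's address: it never
    sees the node's reply, so its only option is the fixed value that always
    worked before the fix. legitimate=True models the real peer, which does.
    """
    node = Node(patched)
    victim = "198.51.100.7"   # constructed address
    node.on_connect(victim)
    ack = node.expected_ack[victim] if legitimate else 0
    node.on_handshake(victim, ack)
    return node.sent[victim]


def amplification(patched):
    attacker_sent = 2 * 40    # constructed: one connection request plus one handshake
    return reflected_bytes(patched) / attacker_sent
```

Before the fix every spoofed handshake yields a burst of retransmitted replies at the victim; after it, only the single small acknowledgment is reflected and the handshake is dropped.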
#2
Theoretically, the same attack can be orchestrated with the Tor software.

I have not (yet?) seen this type of attack, but lucky for BitTorrent they stopped this exploit before anybody could have executed it. Hopefully we will get to see this get integrated as a defense for other networks/websites. Anyone right now could launch this type of attack by opening multiple relays, in a large, modified, connected point-to-point protocol.

Good article.