Karamjit Posted August 16, 2015

BitTorrent, Vuze, and uTorrent clients are vulnerable

Florian Adamsky from the City University London has published a research paper which details how the family of protocols used with BitTorrent clients can be abused to carry out DRDOS (Distributed Reflective Denial of Service) attacks.

While most of us have a basic notion of what a DDOS attack is, a DRDOS is a little bit different. While in a DDOS attack a hacker controls a set of zombie PCs that send traffic to a target, in a DRDOS, the attacker sends traffic to a legitimate piece of network equipment (called a reflector), which then relays it to the victim. The traffic sent to the reflector is spoofed to contain the victim's IP address as the packet's origin, and when the reflector follows the general rules of all Internet protocols and tries to establish a connection, it does so with the victim instead of the attacker.

Since this implies sending mass amounts of traffic to a reflector, attackers have devised ways of using the reflector to amplify traffic. Protocols widely used in DRDOS attacks are TCP, DNS, and NTP. Mr. Adamsky's research paper shows how multiple protocols from the BitTorrent family can be used in DRDOS attacks, even with the possibility of amplifying traffic.

uTP, MSE, DHT, and BTSync protocols can be used in DRDOS attacks

According to Mr. Adamsky, the affected BitTorrent protocols are uTP (Micro Transport Protocol), DHT (Distributed Hash Table), and MSE (Message Stream Encryption). These protocols are used with the native BitTorrent client, uTorrent, and Vuze. Additionally, the synchronization protocol BTSync used with the BitTorrent Sync file sharing application is also vulnerable.

"Our experiments demonstrate that BitTorrent has a bandwidth amplification factor (BAF) of 50 times and in case of BTSync up to 120 times," said Florian Adamsky.

DRDOS attacks via BitTorrent protocols are undetectable to normal firewalls

But the bad news doesn't stop here. Besides amplifying traffic many times over, DRDOS attacks carried out via BitTorrent are undetectable to normal firewalls because of their "dynamic port ranges and encryption during handshake." Mitigation services for this kind of attack would require Deep Packet Inspection (DPI), a very resource-taxing solution for most server infrastructures.

As TorrentFreak reports, BitTorrent has patched some of the issues in a recent beta release, while Vuze and uTorrent are still working on the issue.

From
Holmes Posted August 17, 2015

Not good, not good. I use Vuze and I love it. I have seen from time to time traffic moving in the background when I'm not downloading anything and when I'm not seeding, and I don't keep Vuze running now from knowing it. If DPI can go against DRDOS, I wonder if an SPI can work too. An SPI firewall isn't deep but it's packet inspection; fifty percent of something is better than one hundred percent of nothing.
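Added example, not part of either post or of the research paper: a sketch of the connection-state check a stateful (SPI) firewall applies, which classifies inbound UDP by whether the monitored host sent to that endpoint first and never reads the payload or assumes a port. The flow records, addresses, the 30-second idle timeout and the alert thresholds are constructed assumptions.

```python
from collections import defaultdict

LOCAL = "203.0.113.10"  # constructed address of the monitored host

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (0.0, LOCAL, 51000, "198.51.100.5", 6881, 120),   # host contacts a peer first
    (0.2, "198.51.100.5", 6881, LOCAL, 51000, 900),   # reply on that flow
    (1.0, "192.0.2.21", 40123, LOCAL, 33333, 1400),   # no outbound packet preceded these
    (1.1, "192.0.2.22", 18822, LOCAL, 33333, 1400),
    (1.2, "192.0.2.23", 52671, LOCAL, 33333, 1400),
    (1.3, "192.0.2.21", 40123, LOCAL, 33333, 1400),
    (90.0, "198.51.100.5", 6881, LOCAL, 51000, 900),  # arrives after the state expired
]

def classify_inbound(flows, local, idle_timeout=30.0):
    """Return (solicited_bytes, {remote_ip: unsolicited_bytes}) from flow state only."""
    last_seen = {}                  # (local_port, remote_ip, remote_port) -> last activity
    solicited = 0
    unsolicited = defaultdict(int)
    for ts, src, sport, dst, dport, size in sorted(flows):
        if src == local:
            # Outbound packet creates or refreshes state for this endpoint pair.
            last_seen[(sport, dst, dport)] = ts
        elif dst == local:
            key = (dport, src, sport)
            seen = last_seen.get(key)
            if seen is not None and ts - seen <= idle_timeout:
                solicited += size
                last_seen[key] = ts  # replies keep the state alive
            else:
                unsolicited[src] += size
    return solicited, dict(unsolicited)

def reflection_suspected(unsolicited, min_sources=3, min_bytes=4000):
    """Flag many distinct remotes sending traffic the host never asked for."""
    return len(unsolicited) >= min_sources and sum(unsolicited.values()) >= min_bytes

if __name__ == "__main__":
    ok, bad = classify_inbound(FLOWS, LOCAL)
    print("solicited bytes:", ok)
    for ip, size in sorted(bad.items()):
        print("unsolicited", ip, size)
    print("reflection suspected:", reflection_suspected(bad))
```

The check only labels traffic that has already reached the monitored host; it does not identify the protocol that produced it.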
Archived
This topic is now archived and is closed to further replies.