
DDoS Vulnerability Analysis of BitTorrent Protocol


jbenedict

Presentation Transcript


  1. DDoS Vulnerability Analysis of BitTorrent Protocol • CS239 project, Spring 2006

  2. Background • BitTorrent (BT) • P2P file sharing protocol • 30% of Internet traffic • Port 6881 is a top-10 scanned port on the Internet • DDoS • Distributed – hard to guard against by simply filtering at upstream routers • Application level (resources) • Network level (bandwidth)

  3. How BT works • .torrent file (meta-data) • Information of files being shared • Hashes of pieces of files • Trackers (coordinator) • http, udp trackers • Trackerless (DHT) • BT clients (participants) • Azureus • BitComet • uTorrent • etc. • Online forum (exchange medium) • For user to announce and search for .torrent files

  4. Communication with trackers • [Diagram: seeder, tracker, discussion forum and clients; the .torrent file is passed between them, the seeder tells the tracker "I have the file!" and clients ask "Who has the file?"]

  5. Message exchange • HTTP/UDP tracker • Get peer + announce combined (who is sharing files) • Scraping (information lookup) • DHT (trackerless) • Ping/response (announcing participation in DHT network) • Find node (locate peers in DHT network) • Get peer (locate who is sharing files) • Announce (announce who is sharing files)

  6. Vulnerabilities • Spoofed information • Both HTTP and UDP trackers allow a specified IP in announce • DHT does not allow a specified IP in announce • Allows spoofed information on who is participating in the DHT network • Possible to redirect a lot of DHT queries to a victim • Compromised tracker
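A tracker-side check for the announce weakness on this slide, as an added example that is not part of the presentation or of any tracker's code: the tracker registers the address the announce arrived from and ignores a different client-supplied `ip` value unless the sender is on an allowlisted network. The function names, the `trusted_nets` allowlist and the sample announces are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

def address_to_register(source_ip, query_string, trusted_nets=()):
    """Pick the peer address a tracker should store for one announce.

    source_ip    -- address the announce actually arrived from
    query_string -- raw announce query string (may carry an optional ip=)
    trusted_nets -- hypothetical allowlist of networks (e.g. the tracker's
                    own LAN) whose clients may name a different address
    Returns (address, note); the note is meant for the tracker's log.
    """
    src = ipaddress.ip_address(source_ip)
    claimed = parse_qs(query_string).get("ip", [None])[0]
    if claimed is None:
        return str(src), "no ip parameter"
    try:
        claimed_ip = ipaddress.ip_address(claimed)
    except ValueError:
        return str(src), "non-address ip parameter ignored"
    if claimed_ip == src:
        return str(src), "ip parameter matches source"
    if any(src in ipaddress.ip_network(net) for net in trusted_nets):
        return str(claimed_ip), "ip parameter accepted from trusted network"
    return str(src), "mismatched ip parameter ignored"

def mismatch_report(announces, trusted_nets=()):
    """Count ignored claims per claimed address: repeated announces naming
    an address the sender does not own are worth alerting on."""
    counts = {}
    for source_ip, query in announces:
        _, note = address_to_register(source_ip, query, trusted_nets)
        if note == "mismatched ip parameter ignored":
            claimed = parse_qs(query)["ip"][0]
            counts[claimed] = counts.get(claimed, 0) + 1
    return counts

# Constructed sample announces (documentation address ranges only).
SAMPLE = [
    ("203.0.113.7", "info_hash=x&port=6881&ip=198.51.100.9"),
    ("203.0.113.7", "info_hash=y&port=6881&ip=198.51.100.9"),
    ("192.0.2.44", "info_hash=x&port=6881"),
    ("10.0.0.5", "info_hash=x&port=6881&ip=192.0.2.80"),
]

if __name__ == "__main__":
    print(mismatch_report(SAMPLE, trusted_nets=("10.0.0.0/8",)))
```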

  7. Attack illustration • [Diagram: attacker, tracker, discussion forum, clients and victim; clients ask the tracker "Who has the files?" and are told "Victim has the files!" for many .torrent files]

  8. Experiments • Discussion forum (http://www.mininova.org) • 1191 newly uploaded .torrent files in 2 days • Victim (131.179.187.205) • Apache web server (configured to serve 400 clients) • tcpdump, netstat • Attacker • Python script to process .torrent files and contact trackers • Zombies • Computers running BitTorrent clients in the Internet

  9. Statistics • [Charts: Torrents, Trackers]

  10. Measurements (1) • Attacker • 1191 torrent files used • 30 concurrent threads, contact trackers once

  11. Measurements (2) • Attacker • 1191 torrent files used • 40 concurrent threads, contact trackers 10 times • Attack ends after 8 hours

  12. Measurements (3) • 30513 distinct IPs recorded • Number of connection attempts per host • Retry 3,6,9,… seems a common implementation

  13. Measurement (abnormal behavior) • Top 15 hosts with highest number of connection attempts • 8995 202.156.6.67 Country: SINGAPORE (SG) • 8762 24.22.183.141 Country: UNITED STATES (US) • 1953 71.83.213.106 Country: (Unknown Country?) (XX) • 1841 24.5.44.13 Country: UNITED STATES (US) • 1273 147.197.200.44 Country: UNITED KINGDOM (UK) • 1233 82.40.167.116 Country: UNITED KINGDOM (UK) • 1183 194.144.130.220 Country: ICELAND (IS) • 1171 82.33.194.6 Country: UNITED KINGDOM (UK) • 1167 219.78.137.197 Country: HONG KONG (HK) • 1053 83.146.39.94 Country: UNITED KINGDOM (UK) • 1042 82.10.187.190 Country: UNITED KINGDOM (UK) • 896 65.93.12.152 Country: CANADA (CA) • 861 84.231.86.223 Country: FINLAND (FI) • 855 24.199.85.75 Country: UNITED STATES (US) • 753 207.210.96.205 Country: CANADA (CA) • Content pollution agents? • Other researchers?

  14. Top 15 countries • United States • Canada • United Kingdom • Germany • France • Spain • Australia • Sweden • Netherlands • Malaysia • Norway • Poland • Japan • Brazil • China

  15. Countries with fewer BT clients running • Albania • Bermuda • Bolivia • Georgia • Ghana • Kenya • Lao • Lebanon • Monaco • Mongolia • Nicaragua • Nigeria • Qatar • Tanzania • Uganda • Zimbabwe

  16. Solution • Better tracker implementation • Authentication with trackers • Similar to the one used in DHT • Filtering packets by analyzing the protocol • e.g. check [SYN|ACK|80] incoming packets for legitimate HTTP header
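The protocol-analysis filter from this slide, sketched as an added example that is not part of the presentation: it inspects the first payload bytes of each connection to the web server's port, separates well-formed HTTP request lines from BitTorrent peer handshakes (one byte of value 19 followed by the string "BitTorrent protocol"), and lists sources that repeat the handshake. It works on already-captured payloads rather than at packet level; the function names, threshold and sample records are constructed for illustration.

```python
import re
from collections import Counter

# Start of a BitTorrent peer-wire handshake: length byte 19 + protocol string.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
# A request line a web server would accept as the start of an HTTP request.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")

def classify_first_payload(data):
    """Label the first bytes a client sent after the TCP handshake."""
    if data.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent"
    if HTTP_REQUEST_LINE.match(data):
        return "http"
    return "other"

def sources_to_filter(connections, threshold=3):
    """connections: iterable of (source_ip, first_payload_bytes).

    Returns {source_ip: count} for sources that sent a BitTorrent handshake
    to the web port at least `threshold` times (clients retry in bursts).
    """
    hits = Counter(src for src, data in connections
                   if classify_first_payload(data) == "bittorrent")
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample: 8 reserved bytes, 20-byte info hash, 20-byte peer id.
_BT = BT_HANDSHAKE_PREFIX + bytes(8) + b"H" * 20 + b"P" * 20
SAMPLE = [
    ("192.0.2.10", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("198.51.100.20", _BT),
    ("198.51.100.20", _BT),
    ("198.51.100.20", _BT),
    ("203.0.113.30", _BT),
    ("203.0.113.31", b"\x00\x01not-a-request"),
]

if __name__ == "__main__":
    for src, payload in SAMPLE:
        print(src, classify_first_payload(payload))
    print(sources_to_filter(SAMPLE))
```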

  17. End Q and A

  18. [Diagram: communication between seeder, tracker, discussion forum and client, with steps numbered 1–5; messages "I have the file!" and "Who has the file?"]

  19. [Diagram: attack between attacker, tracker, discussion forum, clients and victim, with steps numbered 1–4; messages "Who has the files?" and "Victim has the files!"]
