
Measurement and Diagnosis of Address Misconfigured P2P traffic

Measurement and Diagnosis of Address Misconfigured P2P traffic. Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic, Lab for Internet and Security Technology (LIST), Northwestern Univ.


Presentation Transcript


  1. Measurement and Diagnosis of Address Misconfigured P2P traffic Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic Lab for Internet and Security Technology (LIST) Northwestern Univ.

  2. What is P2P address misconfiguration?
  • Thousands of peers send P2P file downloading requests to a “random” target (even one not in the P2P system) on the Internet
  • (figure: peers → “random” target on the Internet; address-misconfigured P2P traffic)

  3. Motivations
  • P2P file sharing accounted for > 60% of traffic in USA and > 80% in Asia
  • P2P software DC++ has already been exploited by attackers for DoS
    • direct gigabit “junk” data per second to a victim host from more than 150,000 peers
  • End user perspective
    • Involve innocent users in DDoS attacks unconsciously
    • Anti-P2P arms race
    • Downloading performance
  • ISP perspective
    • Reduce unwanted traffic for a “green” Internet
    • Got contacted by an ISP in Canada
  • P2P developer perspective
    • Identify the buggy software among a large number of variants
    • Help design more robust P2P software

  4. Outline
  • Motivation
  • Passive measurement results
  • P2PScope system design
  • Root cause diagnosis and analysis
  • Conclusion

  5. Passive Measurement
  • Honeynet/honeyfarm datasets
  • Events: # of unique sources > 100 in 6 hours
  • Processing pipeline: scan traffic removal → target identification → event time window extraction

  6. Measurement Results
  • Event characteristics:
    • Usually involve thousands of peers on average
    • Duration: a few hours up to a month

  7. Popularity
  • 39%!
  • Growing trend
  • IP space: observed in three sensors in five different /8 IP prefixes
  • (figure: the total numbers of connections that match the P2P signatures)

  8. Further Diagnosis
  • Problems with passive measurement on archived data
    • Events have gone
    • Hard to backtrack the propagation
    • Root cause?
  • Need a real-time backtracking and diagnosis system!

  9. Outline
  • Motivation
  • Passive measurement results
  • P2PScope system design
  • Root cause diagnosis and analysis
  • Conclusion

  10. Design of P2PScope System
  • P2P-enabled Honeynet
    • P2P payload signature based responder
    • Event identification
    • Protocol parsing for metadata (figure: infohash 10100101011101; ‘abc.avi’)
  • Backtracking system
  • Root cause inference

  11. Design of P2P Doctor System
  • P2P-enabled Honeynet
  • Backtracking system
    • Peer Exchange Protocol crawling
    • Index Server (tracker) crawling (BT: top 100, eMule: 185)
    • DHT crawling
  • Root cause inference

  12. Design of P2P Doctor System
  • P2P-enabled Honeynet
  • Backtracking system
  • Root cause inference
    • Track the information flow for suspicious P2P software
    • Track how honeynet IPs propagated in P2P systems
    • Peer routability checking
    • Anti-P2P analysis
    • Hypothesis formulation and testing
  • In total ~7000 lines of Python, Perl and Bro

  13. Outline
  • Motivation
  • Passive measurement results
  • P2P Doctor system design
  • Root cause diagnosis and analysis
  • Conclusion

  14. Diagnosis & Analysis
  • Questions
    • What is the root cause?
    • Which peers spread misconfiguration?
    • How is misconfiguration disseminated?
    • How badly are individual clients affected?
  • Results
    • Data plane traffic radiation
    • Detailed results focus on eMule and BitTorrent

  15. Data Plane Traffic Radiation
  • (figure: Peer Exchange, DHT and Index Server feed the resource mapping; “Who has avatar.avi?” → 1.2.3.4)

  16. eMule – Root Cause
  • Byte ordering is the problem!
  • (figure: peer 1.2.3.4 propagated through the network as 4.3.2.1)

  17. eMule – Root Cause
  • Byte ordering is the problem!
  • 61% of the reverse honeynet peers are indeed running eMule on the port number reported
  • Of the backtracked peers in the unroutable IP space, 69.6% of those with reverse IPs run eMule
  • Locate bugs in source code
    • At least aMule 2.1.0 (a popular eMule alternative) has the byte order bug
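The byte-order bug from this slide and the routability check from the backtracking system, as an added Python example (not the authors' P2PScope/P2P Doctor code): a simplified peer entry is encoded correctly and with the bug, and a received peer list is checked for unroutable addresses whose byte-swapped form is routable, which are the "reverse" peers worth probing on the reported port. The 6-byte entry layout and the bogon list are assumptions.

```python
import ipaddress
import struct

# Constructed, simplified peer entry: 4-byte IPv4 followed by a 2-byte port.
# This layout is an assumption for illustration, not eMule's exact wire format.
def encode_peer(ip: str, port: int) -> bytes:
    """Correct encoding: the address is written in network byte order."""
    return ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)

def encode_peer_byte_order_bug(ip: str, port: int) -> bytes:
    """Reproduces the bug class: the address is held as a host-order integer on a
    little-endian machine and written without converting to network order."""
    host_order = int(ipaddress.IPv4Address(ip))
    return struct.pack("<I", host_order) + struct.pack("!H", port)

def decode_peer(entry: bytes) -> tuple[str, int]:
    """A receiver always reads the 4 address bytes in network order."""
    return str(ipaddress.IPv4Address(entry[:4])), struct.unpack("!H", entry[4:6])[0]

# Assumed bogon list: address space that cannot hold a public peer.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_routable(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in UNROUTABLE)

def reverse_ip(ip: str) -> str:
    """Candidate 'reverse peer': the address with its byte order swapped back."""
    return ".".join(reversed(ip.split(".")))

def diagnose(entries: list[bytes]) -> dict:
    """Routability check over a received peer list: unroutable peers whose
    byte-swapped address is routable are candidates produced by a byte-order bug."""
    report = {"total": 0, "unroutable": 0, "reverse_candidates": []}
    for entry in entries:
        ip, port = decode_peer(entry)
        report["total"] += 1
        if not is_routable(ip):
            report["unroutable"] += 1
            if is_routable(reverse_ip(ip)):
                report["reverse_candidates"].append((reverse_ip(ip), port))
    return report

# Constructed sample list: one correct entry and three written by a buggy client.
# Note the second entry: a swapped address can still be routable, so the
# routability check alone cannot catch every misconfigured peer.
SAMPLE = [
    encode_peer("1.2.3.4", 4662),
    encode_peer_byte_order_bug("1.2.3.4", 4662),          # arrives as 4.3.2.1
    encode_peer_byte_order_bug("203.0.113.10", 4662),     # arrives as 10.113.0.203
    encode_peer_byte_order_bug("198.51.100.127", 4672),   # arrives as 127.100.51.198
]
```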

  18. eMule – Peers & Dissemination
  • Which peers spread misconfiguration?
    • 99.24% of misconfigured peers are normal peers
  • How is the misconfiguration disseminated?
    • Index Server? No
    • Peer exchange? Yes
    • DHT? No
  • Percentage of bogus peers in eMule network?
    • [12.7%, 25.0%] with a total of 37,079 backtracked peers

  19. BitTorrent – Root Cause I
  • Anti-P2P companies deliberately inject bogus peers!
    • 20% of traffic we observed related to anti-P2P peers
    • Only return bogus peers or anti-P2P peers
    • Using the uTorrent peer exchange protocol to disseminate
  • Found a particular peer farm
    • One /24 network, each IP runs hundreds of peers
    • Runs Azureus 2.5.0.0 and the IPs also run VMware
    • Returns peers even for non-existing file hashes

  20. BitTorrent – Root Cause II
  • KTorrent also has a byte-order bug
    • Discovered using information flow tracking on KTorrent, uTorrent and Azureus
    • Identified the actual bug, reported it to the KTorrent developers and got it confirmed
  • Misconfiguration propagation
    • [fully] KTorrent: all peers exchanged from others
    • [partial] uTorrent: all peers that respond to TCP handshaking
    • [almost not] Azureus: all peers that respond to BitTorrent handshaking

  21. Conclusions
  • The first study to measure and diagnose large-scale address misconfigured P2P traffic
  • Found that 39% of Internet background radiation is caused by address misconfiguration
  • Popular in various P2P systems, increased 100% each year for four years, and scattered in the IPv4 space
  • For eMule, we found it is caused by a network byte order problem
  • For BitTorrent
    • Anti-P2P companies deliberately inject bogus peers
    • KTorrent has a byte order bug

  22. ? ? ?
