DDoS Vulnerability Analysis of BitTorrent Protocol

CS239 project Spring 2006.

Background
  • BitTorrent (BT)
    • P2P file sharing protocol
    • 30% of Internet traffic
    • Port 6881: a top-10 scanned port on the Internet
  • DDoS
    • Distributed – hard to guard against by simply filtering at upstream routers
    • Application level (resources)
    • Network level (bandwidth)
How BT works
  • .torrent file (meta-data)
    • Information of files being shared
    • Hashes of pieces of files
  • Trackers (coordinator)
    • http, udp trackers
    • Trackerless (DHT)
  • BT clients (participants)
    • Azureus
    • BitComet
    • uTorrent
    • etc.
  • Online forum (exchange medium)
    • For users to announce and search for .torrent files
Communication with trackers
  • [Diagram: seeder, tracker, discussion forum and clients. Labels: ".torrent", "I have the file!", "Who has the file?"]
Message exchange
  • HTTP/UDP tracker
    • Get peer + announce combined (who is sharing files)
    • Scraping (information lookup)
  • DHT (trackerless)
    • Ping/response (announcing participation in DHT network)
    • Find node (locate peers in DHT network)
    • Get peer (locate who is sharing files)
    • Announce (announce who is sharing files)
Vulnerabilities
  • Spoofed information
    • * Both http and udp trackers allow specified IP in announce
    • DHT does not allow specified IP in announce
      • Allows spoofed information on who is participating in the DHT network
      • Possible to redirect many DHT queries to a victim
  • Compromised tracker
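
A tracker-side check for the spoofed-announce issue listed above, written as an added example (not code from the presentation or from any tracker project). The function name, the `TRUSTED_SOURCES` policy and the sample announces are assumptions; `ip` and `port` are the standard announce parameters.

```python
import ipaddress
from urllib.parse import parse_qs

# Assumed policy: only the tracker's own host may announce for another address.
TRUSTED_SOURCES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]

def peer_to_register(query_string, source_ip):
    """Return (ip, port, claim_rejected) for one announce request."""
    src = ipaddress.ip_address(source_ip)          # address of the TCP/UDP sender
    params = parse_qs(query_string, keep_blank_values=True)
    port = int(params["port"][0])
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    claimed = params.get("ip", [None])[0]
    if claimed is None:
        return str(src), port, False
    try:
        claim = ipaddress.ip_address(claimed)
    except ValueError:
        # DNS names and malformed values are never resolved or stored.
        return str(src), port, True
    if claim == src:
        return str(src), port, False
    if any(src in net for net in TRUSTED_SOURCES):
        return str(claim), port, False
    # Untrusted sender naming a third party: register the sender instead.
    return str(src), port, True

# Constructed sample announces (documentation address ranges, not captured traffic).
BASE = "info_hash=aaaaaaaaaaaaaaaaaaaa&peer_id=-XX0000-000000000000"
SAMPLES = [
    (BASE + "&port=6881", "198.51.100.7"),
    (BASE + "&port=80&ip=203.0.113.9", "198.51.100.7"),
    (BASE + "&port=80&ip=www.example.org", "198.51.100.7"),
    (BASE + "&port=6881&ip=192.0.2.10", "127.0.0.1"),
]

def run_samples():
    return [peer_to_register(q, s) for q, s in SAMPLES]

if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

Because the registered address is always the sender's own unless the sender is trusted, a claimed port such as 80 can only ever point other peers back at the announcer.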
Attack illustration
  • [Diagram: attacker, tracker, discussion forum, clients and victim. Labels: ".torrent", "Who has the files?", "Victim has the files!"]
Experiments
  • Discussion forum (http://www.mininova.org)
    • 1191 newly uploaded .torrent files in 2 days
  • Victim (131.179.187.205)
    • Apache web server (configured to serve 400 clients)
    • tcpdump, netstat
  • Attacker
    • Python script to process .torrent files and contact trackers
  • Zombies
    • Computers running BitTorrent clients on the Internet
Statistics
  • [Figures: Torrents, Trackers]
Measurements (1)
  • Attacker
    • 1191 torrent files used
    • 30 concurrent threads, contact trackers once
Measurements (2)
  • Attacker
    • 1191 torrent files used
    • 40 concurrent threads, contact trackers 10 times
    • Attack ends after 8 hours
Measurements (3)
  • 30513 distinct IPs recorded
  • Number of connection attempts per host
    • Retry 3, 6, 9, … seems to be a common implementation
Measurement (abnormal behavior)
  • Top 15 hosts with highest number of connection attempts
    • 8995 202.156.6.67 Country: SINGAPORE (SG)
    • 8762 24.22.183.141 Country: UNITED STATES (US)
    • 1953 71.83.213.106 Country: (Unknown Country?) (XX)
    • 1841 24.5.44.13 Country: UNITED STATES (US)
    • 1273 147.197.200.44 Country: UNITED KINGDOM (UK)
    • 1233 82.40.167.116 Country: UNITED KINGDOM (UK)
    • 1183 194.144.130.220 Country: ICELAND (IS)
    • 1171 82.33.194.6 Country: UNITED KINGDOM (UK)
    • 1167 219.78.137.197 Country: HONG KONG (HK)
    • 1053 83.146.39.94 Country: UNITED KINGDOM (UK)
    • 1042 82.10.187.190 Country: UNITED KINGDOM (UK)
    • 896 65.93.12.152 Country: CANADA (CA)
    • 861 84.231.86.223 Country: FINLAND (FI)
    • 855 24.199.85.75 Country: UNITED STATES (US)
    • 753 207.210.96.205 Country: CANADA (CA)
  • Content pollution agents?
  • Other researchers?
Top 15 countries
  • United States
  • Canada
  • United Kingdom
  • Germany
  • France
  • Spain
  • Australia
  • Sweden
  • Netherlands
  • Malaysia
  • Norway
  • Poland
  • Japan
  • Brazil
  • China
Countries with fewer BT clients running
  • Albania
  • Bermuda
  • Bolivia
  • Georgia
  • Ghana
  • Kenya
  • Lao
  • Lebanon
  • Monaco
  • Mongolia
  • Nicaragua
  • Nigeria
  • Qatar
  • Tanzania
  • Uganda
  • Zimbabwe
Solution
  • Better tracker implementation
  • Authentication with trackers
    • Similar to the one used in DHT
  • Filtering packets by analyzing the protocol
    • e.g. check [SYN|ACK|80] incoming packets for legitimate HTTP header
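
The protocol-analysis filter suggested in the last bullet, sketched as an added example (not the presenters' code). It assumes the first data segment of each inbound port-80 connection has already been extracted from a capture such as tcpdump; the function names, threshold and sample connections are constructed for illustration.

```python
import re
from collections import Counter

# A BitTorrent peer handshake starts with length byte 19 and this protocol string.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def classify(payload):
    """Label the first payload seen on a connection to the web server."""
    if payload.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # Anything else (empty, or an obfuscated peer handshake) is not a
    # legitimate HTTP header either.
    return "other"

def offenders(connections, threshold=3):
    """Map source IP -> count of non-HTTP connections, for sources at/over threshold."""
    counts = Counter(src for src, payload in connections
                     if classify(payload) != "http")
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample: (source IP, first payload). Documentation addresses only.
HANDSHAKE = BT_HANDSHAKE_PREFIX + bytes(8) + bytes(20) + b"-XX0000-" + bytes(12)
SAMPLE_CONNECTIONS = [
    ("192.0.2.1", b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("192.0.2.2", HANDSHAKE),
    ("192.0.2.2", HANDSHAKE),
    ("192.0.2.2", HANDSHAKE),
    ("192.0.2.3", b"\x00\x01not-http"),
]

if __name__ == "__main__":
    for src, payload in SAMPLE_CONNECTIONS:
        print(src, classify(payload))
    print(offenders(SAMPLE_CONNECTIONS))
```

The per-source count mirrors the retry behaviour recorded in the measurements: a misdirected client reconnects several times, so it crosses the threshold quickly while a single stray connection does not.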

End

Q and A

[Diagram: communication with trackers (seeder, tracker, discussion forum, client), with steps numbered 1 to 5]

[Diagram: attack illustration (attacker, tracker, discussion forum, clients, victim), with steps numbered 1 to 4]