Everything, Everything

P2P DoS
Friday 25th May, 2007 10:32
I came across an article about how the DC++ client was being conned into performing Denial of Service attacks, and if a malicious person was an operator on a big Direct Connect hub then they could cause a lot of grief. The operator redirects the client to the target address, and the hub can change the IP address of other clients, so connection attempts to other peers will also flood the target. The redirect issue was fixed a few versions ago, but not all users will have upgraded. A suggestion was apparently made to block certain ports used in the redirect, such as 25 or 80, presumably because any running services would knock the server out far quicker than if the request were made to another port that was filtered, but it doesn't look like anyone went through with it.

And it got me thinking. What happens when The Next Big Thing turns up on BitTorrent? This could be something like the new Harry Potter movie. All you'd need to do is get hold of a nice TeleCine, create a new torrent using a well-known public tracker, but also specify additional trackers that are your targets. Most BitTorrent clients will try to connect to all the trackers in a round-robin fashion, typically because the legitimate (and semi-legitimate) trackers have a tendency to go down. The trackers use HTTP, so you arguably couldn't block ports like 80 (however, many trackers use different/non-standard ports). The torrent could look like a legitimate download of the new Harry Potter 5 TeleCine (and by legitimate I obviously mean the file is of the Harry Potter movie and not some dodgy porn or loaded with spyware, as copyright infringement is clearly illegal), and gain popularity very quickly (especially if you obtained the file from a private tracker and were first to share on a public one and/or you're seeding the file over a fast connection). If you controlled one of the trackers you could probably return the IP address of the target instead of some of the other seeds/peers. Otherwise you simply rely on the fact that the clients will try and connect all the freakin' time. Even when they're seeding it afterwards, which could last hours or days.

Thankfully, I don't think this will be a huge problem, as there are typically minimum intervals for connecting/reconnecting, and many clients will stop trying to reconnect to hosts that don't respond correctly. These safeguards are really there to protect the tracker from becoming overloaded, and to stop certain organisations and badly written clients from slowing down the swarm by sending bad data, but a side effect means it's unlikely to be used in a DoS attack. Which is pretty cool, and a relief seeing as BitTorrent makes up the majority of traffic sent over the internet.
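The two client-side safeguards described above (a minimum re-announce interval, and giving up on hosts that don't answer like a tracker) can be sketched as follows. This is an added example, not code from the original post or from any BitTorrent client; the constants, the simplified reply check and the `.example` URLs are assumptions made for illustration.

```python
import re

MIN_INTERVAL = 60    # floor on the re-announce delay in seconds (assumed value)
BASE_BACKOFF = 60    # first retry delay after a bad reply (assumed value)
MAX_FAILURES = 5     # consecutive bad replies before giving up (assumed value)
_INTERVAL = re.compile(rb"8:intervali(\d+)e")

def parse_interval(body):
    """Simplified check: a bencoded dict carrying an integer 'interval' key."""
    if not (body.startswith(b"d") and body.endswith(b"e")):
        return None
    m = _INTERVAL.search(body)
    return int(m.group(1)) if m else None

class AnnouncePolicy:
    def __init__(self):
        # per-URL: earliest next announce, consecutive bad replies; dropped URLs
        self.next_ok, self.failures, self.dropped = {}, {}, set()

    def may_announce(self, url, now):
        return url not in self.dropped and now >= self.next_ok.get(url, 0)

    def record(self, url, now, body):
        interval = parse_interval(body)
        if interval is not None:
            # Valid tracker reply: honour its interval, but never below the floor.
            self.failures[url] = 0
            self.next_ok[url] = now + max(interval, MIN_INTERVAL)
            return
        n = self.failures[url] = self.failures.get(url, 0) + 1
        if n >= MAX_FAILURES:
            self.dropped.add(url)   # stop contacting hosts that are not trackers
        else:
            self.next_ok[url] = now + BASE_BACKOFF * 2 ** (n - 1)

def simulate(responses, seconds=86400, tick=10):
    """Count requests each URL receives when the client wakes every `tick` s."""
    policy, sent = AnnouncePolicy(), {u: 0 for u in responses}
    for now in range(0, seconds, tick):
        for url, body in responses.items():
            if policy.may_announce(url, now):
                sent[url] += 1
                policy.record(url, now, body)
    return sent

# Constructed sample: one well-formed tracker reply, one web server returning HTML.
SAMPLE = {
    "http://tracker.example/announce": b"d8:intervali1800e5:peers0:e",
    "http://not-a-tracker.example/announce": b"<html>404 Not Found</html>",
}
```

Over a simulated day the well-behaved tracker receives one announce per interval, while the host that never returns a tracker reply is contacted only `MAX_FAILURES` times per client before it is dropped.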
© Robert Nicholls 2002-2024
The views and opinions expressed on this site do not represent the views of my employer.