DDoS Vulnerability Analysis of Bittorrent Protocol

Ka Cheung
[email protected]

Abstract

Bittorrent (BT) traffic has been reported to contribute 30% of Internet traffic nowadays, and the number of participants has been growing rapidly. For a protocol so significantly involved in Internet traffic, robustness and security must be evaluated carefully. In this paper, we analyze the BT protocol and identify several potential vulnerabilities that malicious Internet users could exploit and leverage to launch a Distributed Denial of Service (DDoS) attack. We demonstrate this possibility by launching a DDoS attack using one of the methods studied and report measurements recorded during that attack. We then propose fixes to the existing BT protocol and discuss critical issues in designing peer-to-peer (P2P) networks in the future.

1 Introduction

Bittorrent (BT) [2] traffic has been reported to contribute 30% of Internet traffic nowadays, and the number of participants has been growing rapidly. From the port history reported by the SANS Internet Storm Center [9], port 6881, a commonly used BT port number, is always in the top 10 list of ports being scanned on the Internet. For such a widely used protocol, its robustness and security must be evaluated carefully.

As BT users, we have occasionally experienced traffic similar to a DDoS attack when a popular BT seed is used. In certain scenarios, it has been recorded that more than 1000 clients try to connect to a particular host simultaneously. Such a burst of connection attempts chokes the host so that it is incapable of both sending and receiving legitimate traffic (including the BT traffic itself). Although the host behaves as a legitimate participant within the peer-to-peer (P2P) BT network and downloads only one file share, the amount of traffic generated is enough to stop the host from running properly. We believe this may indicate a vulnerability in the BT protocol that Distributed Denial of Service (DDoS) attackers could use, and it may require special attention to avoid attacks by this means.

Under the current BT protocol, clients discover and communicate with each other by first communicating with trackers, which act as servers that host and exchange information about file segment locations. By providing tampered information to the trackers or hosting compromised trackers, it is possible to redirect a huge amount of BT traffic to a victim under attack. In this work, we make the following contributions towards a more secure use of P2P networks:

• We study the BT protocol and identify vulnerabilities for launching a DDoS attack.
• We ran DDoS experiments; the statistics recorded on the victim side show that such a vulnerability can be devastating.
• We propose fixes to the current BT protocol and implementations and enumerate security issues against DDoS attacks when designing future P2P networks.

Figure 1: Illustration of sharing files in BT network.

In Section 2, we give an overview of the BT protocol and analyze some existing vulnerabilities. We detail the procedure of a DDoS attack in Section 3 and give measurements to project the traffic in the scenario where a victim is under serious attack. In Section 4, we propose fixes to the current BT protocol and implementations and discuss issues to be addressed when designing a more security-aware P2P network in the future. Finally, we give an overview of current related research in Section 5.

2 BT protocol study and exploit

BT is a P2P file sharing protocol. Unlike other popular P2P file sharing network protocols such as Gnutella, KaZaa, etc., it separates the file discovery function from the P2P network, so that the network serves only the purpose of exchanging file content. Figure 1 illustrates five key steps for an individual to share files in the BT network.

1. A peer first generates a corresponding torrent file for the files it wants to share, which consists of the names of the files to be shared, hashes of the file content, the trackers to be used, etc. (we will explain the details of these afterwards). It then publishes this torrent file through other online communication channels such as newsgroups, discussion forums, or websites dedicated to publishing and announcing torrent files.
2. The initiating peer then notifies the tracker that it is sharing the files described in the torrent it has just generated.
3. Another peer who is also interested in the shared files looks up the torrent file from the online communication channels and downloads it to its local computer.
4. This torrent file contains the information necessary for a BT client program to initiate a connection to the tracker in use. The client then asks the tracker for a list of other peers who are currently sharing the files.
5. It initiates connections to the other participating peers and starts requesting pieces of the files until it finishes. At the same time, whenever a file piece is completed, it starts serving other peers' requests for that piece.

The torrent file contains hashes of the pieces of the file, where a piece is usually of size 128KB, 256KB, 512KB, etc. By doing this, a peer can request multiple pieces of a file from different peers, so that a peer can start sharing the content even when it is only partially complete. Also, the hashes are used to verify the validity of every piece upon finishing its download. A peer uses two methods in the BT protocol to learn which peers to contact and request file pieces from, namely tracker and trackerless.

• tracker - There is a dedicated machine that keeps track of which computers are downloading and uploading the file pieces specified in the torrent file; every peer asks this tracker for information. The URL of the tracker being used is stored in the torrent file, and the tracker can run over HTTP or UDP.
• trackerless (or DHT) - A group of computers participating in the DHT network (this network is different from the BT file sharing network) share the responsibility of the tracker, i.e. every node in the DHT network acts as the tracker for certain torrent files. A DHT lookup is used to resolve the location of the node that serves as the tracker of a file share.

For the tracker protocol running over HTTP, a client sends a GET request to the tracker URL indicated in the torrent file to announce that it is sharing the files; the tracker then returns a list of other peers who are currently sharing the files in the BT network. The GET message takes the following input parameters.

• infohash - A
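The torrent-file structure and the HTTP tracker announce described above, as an added example that is not part of the paper: a minimal bencode codec, construction of a single-file torrent with per-piece SHA-1 hashes, computation of the infohash (SHA-1 of the bencoded info dictionary, as the BitTorrent specification defines it), the GET announce query a client would send to the tracker, and verification of downloaded pieces against the hashes. The tracker hostname, file content and the 16-byte piece length are constructed for readability (real pieces are 128KB and larger); the announce parameters other than info_hash (peer_id, port, uploaded, downloaded, left) come from the BitTorrent announce format rather than from the preview above. One property the code makes visible is relevant to the paper's point about tampered tracker information: the infohash covers only the info dictionary, so a torrent whose tracker URL has been swapped still carries the same infohash.

```python
# Added example (not from the paper): a minimal bencode codec, infohash
# computation, tracker announce query and piece-hash verification, run on a
# torrent constructed here. The tracker hostname, file content and the tiny
# 16-byte piece length are all made up for readability.
import hashlib
from urllib.parse import urlencode


def bdecode(data: bytes):
    """Decode one bencoded value; dictionary keys and strings stay as bytes."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                          # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                          # list: l<item>...e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                          # dict: d<key><value>...e
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                d[key], i = parse(i)
            return d, i + 1
        colon = data.index(b":", i)            # byte string: <length>:<bytes>
        length, start = int(data[i:colon]), colon + 1
        return data[start:start + length], start + length

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(value) -> bytes:
    """Encode ints, bytes/str, lists and dicts; dict keys are sorted as raw bytes."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, (bytes, bytearray)):
        return b"%d:%s" % (len(value), bytes(value))
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = [(k if isinstance(k, bytes) else k.encode(), v) for k, v in value.items()]
        items.sort(key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("unsupported type %r" % type(value))


def make_torrent(name: str, data: bytes, piece_length: int, announce: str) -> bytes:
    """Build a single-file torrent: the SHA-1 of every piece goes into info['pieces']."""
    pieces = b"".join(hashlib.sha1(data[i:i + piece_length]).digest()
                      for i in range(0, len(data), piece_length))
    info = {b"name": name.encode(), b"length": len(data),
            b"piece length": piece_length, b"pieces": pieces}
    return bencode({b"announce": announce.encode(), b"info": info})


def infohash(torrent: bytes) -> bytes:
    """SHA-1 of the bencoded info dict only; the announce URL is not covered by it."""
    return hashlib.sha1(bencode(bdecode(torrent)[b"info"])).digest()


def announce_query(torrent: bytes, peer_id: bytes, port: int,
                   uploaded: int = 0, downloaded: int = 0) -> str:
    """Build the HTTP GET announce URL a client sends to the tracker.
    info_hash is the parameter the paper begins to describe; the other
    parameters follow the BitTorrent announce format (assumed, not in the preview)."""
    meta = bdecode(torrent)
    params = {"info_hash": infohash(torrent), "peer_id": peer_id, "port": port,
              "uploaded": uploaded, "downloaded": downloaded,
              "left": meta[b"info"][b"length"] - downloaded}
    return meta[b"announce"].decode() + "?" + urlencode(params)


def verify_pieces(torrent: bytes, data: bytes) -> list:
    """Return the indices of pieces whose SHA-1 does not match the torrent."""
    info = bdecode(torrent)[b"info"]
    plen, pieces = info[b"piece length"], info[b"pieces"]
    expected = [pieces[i:i + 20] for i in range(0, len(pieces), 20)]
    return [idx for idx, h in enumerate(expected)
            if hashlib.sha1(data[idx * plen:(idx + 1) * plen]).digest() != h]


# Constructed sample: a 59-byte "file" split into 16-byte pieces (4 pieces).
FILE_DATA = b"constructed file content for the bencode/infohash example!!"
PIECE_LENGTH = 16
TRACKER = "http://tracker.example.invalid/announce"
TORRENT = make_torrent("example.txt", FILE_DATA, PIECE_LENGTH, TRACKER)

if __name__ == "__main__":
    print("announce:", announce_query(TORRENT, b"-XX0001-000000000000", 6881))
    tampered = bytearray(FILE_DATA)
    tampered[20] ^= 0xFF                       # corrupt one byte inside piece 1
    print("bad pieces:", verify_pieces(TORRENT, bytes(tampered)))
    other = make_torrent("example.txt", FILE_DATA, PIECE_LENGTH,
                         "http://other.example.invalid/announce")
    print("same infohash after swapping the tracker URL:", infohash(other) == infohash(TORRENT))
```

Running the module prints the announce URL, reports piece 1 as corrupt after one byte is flipped, and shows that swapping the tracker URL leaves the infohash unchanged, which is why a client cannot use the infohash alone to tell a genuine tracker entry from a tampered one.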


UCLA COMSCI 239 - cs239spring06
