DDoS Vulnerability Analysis of BitTorrent Protocol
CS239 project, Spring 2006

Background
- BitTorrent (BT)
  - P2P file sharing protocol
  - 30% of Internet traffic
  - 6881: a top-10 scanned port in the Internet
- DDoS
  - Distributed: hard to guard against by simply filtering at upstream routers
  - Application level (resources)
  - Network level (bandwidth)

How BT works
- .torrent file (meta-data)
  - Information on the files being shared
  - Hashes of the pieces of the files
- Trackers (coordinator)
  - http, udp trackers
  - Trackerless (DHT)
- BT clients (participants)
  - Azureus, BitComet, uTorrent, etc.
- Online forum (exchange medium)
  - For users to announce and search for .torrent files

Communication with trackers
[Diagram: the seeder posts the .torrent file to the discussion forum and tells the tracker "I have the file!"; clients download the .torrent from the forum and ask the tracker "Who has the file?"]

Message exchange
- HTTP/UDP tracker
  - Get peer + announce combined (who is sharing files)
  - Scrape (information lookup)
- DHT (trackerless)
  - Ping/response (announcing participation in the DHT network)
  - Find node (locating peers in the DHT network)
  - Get peer (locate who is sharing files)
  - Announce (announce who is sharing files)

Vulnerabilities
- Spoofed information
  - * Both http and udp trackers allow a specified IP in announce
  - DHT does not allow a specified IP in announce
  - Allows spoofed information on who is participating in the DHT network
  - Possible to redirect a lot of DHT queries to a victim
- Compromised tracker

Attack illustration
[Diagram: the attacker posts many .torrent files to the discussion forum and tells each tracker "Victim has the files!"; clients asking "Who has the files?" are pointed at the victim.]

Experiments
- Discussion forum (http://www.mininova.org)
  - 1191 newly uploaded .torrent files in 2 days
- Victim (131.179.187.205)
  - Apache web server (configured to serve 400 clients)
  - tcpdump, netstat
- Attacker
  - Python script to process .torrent files and contact trackers
- Zombies
  - Computers running BitTorrent clients in the Internet

Statistics
- Torrents
  - Total: 1191
  - Corrupted: 6
  - Single tracker: 999
  - Multiple trackers: 186
  - Support DHT: 121
- Trackers
  - http trackers: 1963
  - udp trackers: 85
  - Unique http trackers: 311
  - Unique udp trackers: 21

Measurements (1)
- Attacker
  - 1191 torrent files used
  - 30 concurrent threads, contact trackers once

Measurements (2)
- Attacker
  - 1191 torrent files used
  - 40 concurrent threads, contact trackers 10 times
- Attack ends after 8 hours

Measurements (3)
- 30513 distinct IPs recorded
- Number of connection attempts per host
- Retry at 3, 6, 9, ... seconds seems to be a common implementation

Measurement (abnormal behavior)
- Top 15 hosts with the highest number of connection attempts (attempts, host, country):
  - 8995  202.156.6.67     SINGAPORE (SG)
  - 8762  24.22.183.141    UNITED STATES (US)
  - 1953  71.83.213.106    (Unknown Country?) (XX)
  - 1841  24.5.44.13       UNITED STATES (US)
  - 1273  147.197.200.44   UNITED KINGDOM (UK)
  - 1233  82.40.167.116    UNITED KINGDOM (UK)
  - 1183  194.144.130.220  ICELAND (IS)
  - 1171  82.33.194.6      UNITED KINGDOM (UK)
  - 1167  219.78.137.197   HONG KONG (HK)
  - 1053  83.146.39.94     UNITED KINGDOM (UK)
  - 1042  82.10.187.190    UNITED KINGDOM (UK)
  - 896   65.93.12.152     CANADA (CA)
  - 861   84.231.86.223    FINLAND (FI)
  - 855   24.199.85.75     UNITED STATES (US)
  - 753   207.210.96.205   CANADA (CA)
- Content pollution agents?
- Other researchers?

Top 15 countries
- United States, Canada, United Kingdom, Germany, France, Spain, Australia, Sweden, Netherlands, Malaysia, Norway, Poland, Japan, Brazil, China

Countries with fewer BT clients running
- Albania, Bermuda, Bolivia, Georgia, Ghana, Kenya, Lao, Lebanon, Monaco, Mongolia, Nicaragua, Nigeria, Qatar, Tanzania, Uganda, Zimbabwe

Solution
- Better tracker implementation
  - Authentication with trackers, similar to the one used in DHT
- Filtering packets by analyzing the protocol
  - e.g. check incoming [SYN|ACK|80] packets for a legitimate HTTP header

End
- Q and A
UCLA COMSCI 239 - DDoS