DDoS Vulnerability Analysis of BitTorrent Protocol
CS239 project, Spring 2006

Background
- BitTorrent (BT)
  - P2P file sharing protocol
  - 30% of Internet traffic
  - 6881: a top 10 scanned port in the Internet
- DDoS
  - Distributed: hard to guard against by simply filtering at upstream routers
  - Application level (resources)
  - Network level (bandwidth)

How BT works
- .torrent file (meta-data)
  - Information on the files being shared
  - Hashes of the pieces of the files
- Trackers (coordinator)
  - http, udp trackers
  - Trackerless (DHT)
- BT clients (participants): Azureus, BitComet, uTorrent, etc.
- Online forum (exchange medium): for users to announce and search for .torrent files

Communication with trackers
[Diagram; labels: Tracker, seeder, clients, client, .torrent, Discussion forum, "I have the file!", "Who has the file?"]

Message exchange
- HTTP/UDP tracker
  - Get peer + announce combined (who is sharing files)
  - Scraping (information lookup)
- DHT (trackerless)
  - Ping/response (announcing participation in the DHT network)
  - Find node (locating peers in the DHT network)
  - Get peer (locate who is sharing files)
  - Announce (announce who is sharing files)

Vulnerabilities
- Spoofed information
  - Both http and udp trackers allow a specified IP in announce
  - DHT does not allow a specified IP in announce, but it allows spoofed information on who is participating in the DHT network, so it is possible to redirect a lot of DHT queries to a victim
- Compromised tracker

Attack illustration
[Diagram; labels: Tracker, victim, clients, attacker, .torrent (x6), Discussion forum, "Victim has the files!", "Who has the files?"]

Experiments
- Discussion forum (http://www.mininova.org): 1191 newly uploaded .torrent files in 2 days
- Victim (131.179.187.205): Apache web server (configured to serve 400 clients); tcpdump, netstat
- Attacker: Python script to process .torrent files and contact trackers
- Zombies: computers running BitTorrent clients in the Internet

Statistics
Torrents:
  Total              1191
  Corrupted             6
  Single tracker      999
  Multiple trackers   186
  Support DHT         121
Trackers:
  http trackers      1963
  udp trackers         85
  Unique http trackers 311
  Unique udp trackers   21

Measurements (1)
- Attacker: 1191 torrent files used; 30 concurrent threads, contact trackers once

Measurements (2)
- Attacker: 1191 torrent files used; 40 concurrent threads, contact trackers 10 times
- Attack ends after 8 hours

Measurements (3)
- 30513 distinct IPs recorded
- Number of connection attempts per host
- Retry at 3, 6, 9, ... seconds seems to be a common implementation

Measurement (abnormal behavior)
Top 15 hosts with the highest number of connection attempts:
  Attempts  Host             Country
  8995      202.156.6.67     SINGAPORE (SG)
  8762      24.22.183.141    UNITED STATES (US)
  1953      71.83.213.106    (Unknown Country?) (XX)
  1841      24.5.44.13       UNITED STATES (US)
  1273      147.197.200.44   UNITED KINGDOM (UK)
  1233      82.40.167.116    UNITED KINGDOM (UK)
  1183      194.144.130.220  ICELAND (IS)
  1171      82.33.194.6      UNITED KINGDOM (UK)
  1167      219.78.137.197   HONG KONG (HK)
  1053      83.146.39.94     UNITED KINGDOM (UK)
  1042      82.10.187.190    UNITED KINGDOM (UK)
  896       65.93.12.152     CANADA (CA)
  861       84.231.86.223    FINLAND (FI)
  855       24.199.85.75     UNITED STATES (US)
  753       207.210.96.205   CANADA (CA)
- Content pollution agents?
- Other researchers?

Top 15 countries
United States, Canada, United Kingdom, Germany, France, Spain, Australia, Sweden, Netherlands, Malaysia, Norway, Poland, Japan, Brazil, China

Countries with fewer BT clients running
Albania, Bermuda, Bolivia, Georgia, Ghana, Kenya, Lao, Lebanon, Monaco, Mongolia, Nicaragua, Nigeria, Qatar, Tanzania, Uganda, Zimbabwe

Solution
- Better tracker implementation
- Authentication with trackers, similar to the one used in DHT
- Filtering packets by analyzing the protocol, e.g. check [SYN|ACK|80] incoming packets for a legitimate HTTP header

End
Q and A
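As an added example (not part of the original deck), two Python checks matching the fixes on the Solution slide: a tracker-side rule that refuses to honour a remote announce's ip= parameter, and a first-bytes classifier that tells a BitTorrent peer handshake apart from a legitimate HTTP request on port 80. The loopback-only policy for ip=, the tracker URL and the 203.0.113.7 source address are assumptions; the victim address is the one from the experiment.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# A BitTorrent peer handshake begins with pstrlen=19 followed by the pstr.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")


def effective_peer_ip(source_ip: str, announce_url: str) -> str:
    """Address a tracker should record for an announce request.

    Assumed policy: the optional ip= query parameter is honoured only when
    the announce arrives from the loopback interface (a peer co-located
    with the tracker). From any other source the connection's own address
    wins, so a remote client cannot register a third party as a peer."""
    params = parse_qs(urlsplit(announce_url).query)
    claimed = params.get("ip", [None])[0]
    if claimed is None:
        return source_ip
    try:
        claimed_ip = ipaddress.ip_address(claimed)
    except ValueError:
        return source_ip  # not an address at all: ignore it
    if ipaddress.ip_address(source_ip).is_loopback:
        return str(claimed_ip)
    return source_ip


def classify_port80_payload(data: bytes) -> str:
    """Label the first bytes of a TCP payload that arrived on port 80.

    'bittorrent-handshake' for a peer handshake, 'http-request' when the
    request line has a method token and an HTTP/1.x version, else 'other'.
    A filter can drop the first class before it reaches the web server."""
    if data.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent-handshake"
    request_line = data.split(b"\r\n", 1)[0]
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "http-request"
    return "other"


if __name__ == "__main__":
    # Constructed announce: a remote attacker claims the victim's address.
    spoofed = ("http://tracker.example/announce?info_hash=x&peer_id=y"
               "&port=6881&ip=131.179.187.205")
    print(effective_peer_ip("203.0.113.7", spoofed))  # 203.0.113.7
    print(classify_port80_payload(b"\x13BitTorrent protocol" + bytes(48)))
```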