BitTorrent moves to patch reflective DDoS attack flaw

Vulnerable libuTP protocol could have been used to force torrent apps to send malicious traffic

torrent
torrent

BitTorrent has moved to fix a flaw that would have enabled hackers to hijack file sharing applications to carry out DDoS attacks.        

The flaw was found in libuTP, which is used in many BitTorrent applications including uTorrent, Vuze and the BitTorrent client itself.

The flaw affects protocols that rely on the User Datagram Protocol (UDP) for data transmission as UDP does not perform source address validation.

A hacker could send a connection request with spoofed address to a BitTorrent client forcing this to send an acknowledgement packet to an unsuspecting victim. A second request could be sent with the same spoof address and a random acknowledgement to start a BitTorrent handshake.

The client would accept the second request and send a handshake response to the victim as well. As the victim wouldn't respond, the BitTorrent client would resend the data up to four times, amplifying the attack.

The technique was disclosed in a research paper two weeks ago and submitted to the 9th Usenix Workshop on Offensive Technologies. The flaw could by exploited by sending maliciously modified data to vulnerable BitTorrent applications and force them to flood a victim with data up to 120 times bigger than the original request.

In a blog post, engineers at BitTorrent said the flaw was the result of a weakness in a reference implementation called libuTP. The flaw was fixed by an update that forces BitTorrent clients to require acknowledgments from connection initiators before providing long responses.

“Many BitTorrent products make use of libµTP because it can detect network congestion and automatically throttle itself. This self-throttling characteristic makes BitTorrent, µTorrent and BitTorrent Sync friendlier to home networks. However, a flaw in the way libuTP handles incoming connections may leave many clients vulnerable to become unknowing accomplices in amplification attacks as reflectors,” said the blog post.

The fix, while not preventing DDoS reflection, does stop the effects of amplification.

Gavin Reid, vice president of threat intelligence at Lancope, told SCMagazineUK.com that even though the protocol is patched, the problem will still exist until all the installed clients are patched. “There are many different BitTorrent clients, many with no automatic update capabilities,” he said.

Reid added that organisations need to have strong DDoS detection and mitigation technologies and processes in place to detect if their users are being misused in an attack.

“With the correct network telemetry being captured, a simple query or alert for many clients packets vs. few server packets can provide that detection,” said Reid.