Upon reflection, BitTorrent amplifies DDoS attacks

New DRDos attack using BitTorrent investigated: able to amplify traffic up to a factor of 50 times on average, and 120 times in the case of BTSync.

Upon reflection, BitTorrent amplifies DDoS attacks
Upon reflection, BitTorrent amplifies DDoS attacks

Distributed Denial of Service (DDoS) attacks are the plat du jour for cyber-criminals looking to deflect attention and resources from a breach elsewhere within the target enterprise, as well as hacktivists taking sites down with political or just plain malicious motivation alike. According to the Q2 2015 State of the Internet report from Akamai, the number of DDoS attacks has grown by 132 per cent compared to the same time last year.

Not only is that a record high, or low depending upon which side of the security fence you are positioned, the number of 'almost indefensible' mega-attacks, those peaking in excess of 1,000Gbps/50Mpps, was also on the up. Anything that can help the bad guys to make a DDoS attack easier, bigger and more destructive is never good news; enter stage left, the villain of the piece in the shape of the Distributed Reflective DoS (DRDos) attack.

Although DRDos attacks are not exactly new, new methods to launch them are always high on the agenda of both those out to cause problems, and to prevent them. So when we heard that a new DRDos attack using BitTorrent  was being demonstrated, SCMagazineUK.com decided to investigate further. This particular DRDos methodology was published by City University London researcher Florian Adamsky along with cloud security outfit Plumgrid, in a paper rather extravagantly entitled "P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks".

A quick look at the abstract of the paper reveals that what Adamsky is talking about here is how the BitTorrent protocol family, specifically the Micro Transport Protocol (uTP), Distributed Hash Table (DHT), Message Stream Encryption (MSE) and BitTorrent Sync (BTSync), can be exploited to reflect and amplify traffic from peers in a DRDos attack scenario. Under lab test conditions, the researchers were able to amplify traffic up to a factor of 50 times on average, and 120 times in the case of BTSync.

This wasn't some irresponsible disclosure though, as Adamsky had already revealed his findings with BitTorrent some weeks earlier. Which is just as well, considering that he reckons an attacker could put all this theoretical stuff into practice by collecting millions of potential amplifiers using trackers or peer exchange for example. A single BTSync ping message would then be all it takes to amplify the traffic by more than 100 times.

A BitTorrent spokesperson has stated that it has "taken steps to harden our protocols and mitigate some weaknesses outlined in the research paper." According to the TorrentFreak (https://torrentfreak.com) website, however, "uTorrent is still vulnerable." Adamsky had stated that the most popular BitTorrent clients were amongst those that were most vulnerable, including uTorrent.

With BitTorrent admitting that attacks like this will always be possible courtesy of the way UDP-based protocols works, it also says that it "will soon have mitigated the matter completely" although quite how is yet to be seen. Cris Thomas, a strategist with Tenable Network Security, agrees that the notion of utilising BitTorrent to reflect DDoS attacks isn't anything new but did suggest that what is unique about this research is the claimed level of amplification achieved by the researchers.

We asked Thomas how big a deal this is likely to be in the real world? "Considering that such attacks have not yet been seen in the wild it is not too much of a concern" he told us, continuing "however attackers read the same research as everyone else and it will not take them long to implement this attack." Jean-Phillippe Taggart, senior intelligence analyst at Malwarebytes, is also concerned that there is an inevitability that script kiddie applications leveraging the techniques described will hit the scene at some point, and the DDoS landscape will see "a quantifiable change" when the research becomes so weaponised. "Effectively defending against these attacks will be challenging" Taggart told SCMagazineUK.com, "the reflection technique not only amplifies the denial of service, but also effectively shields the IP address of the attacker making attribution difficult. Detecting and dropping BitTorrent traffic still creates a significant load on the potential victims infrastructure, so while this may help mitigate a DRDoS attack it isn't an ideal solution."

Speaking to SCMagazineUK.com, OPSWAT software engineering manager Dave Patt was at pains to point out that we shouldn't consider distributed mechanisms to be inherently bad or necessarily more vulnerable than non-distributed mechanisms. "I would hate to play into anti-P2P fear-mongering" he says "though it is likely that there are specific security concerns that are particular to distributed architectures just as there are for non-distributed architectures." And Darren Anstee, chief security technologist at Arbor Networks, agrees that "BitTorrent is just another protocol that can be leveraged, along with DNS, NTP, SSDP, Chargen, SNMP, Portmap, but with the advantage that the source port of the amplified, reflected traffic is dynamic."

Anstee suggests that BitTorrent should investigate whether its protocol could be modified to use a three-way handshake like TCP, rather than the two-way handshake used currently. This would reduce the capability, because the protocol would be able to detect the use of a spoofed source IP due to a lack of acknowledgement to the initial hand-shake message. "This would reduce the amplification factor available to the attacker" Anstee says. For all we know, that could be precisely what BitTorrent has been doing by way of 'hardening' the protocol in mitigation.

Talking of Portmap, in related news Level 3 has discovered that the service has also become a vector of DRDoS attacks. Researchers observed attacks on gaming and hosting sites using the Portmap methodology. This, it says, is worrying as "Portmap has no business being exposed on internet-facing systems." Ashley Stephenson, CEO at Corero Network Security, says: "If the RPCbind/portmap service is queried, it can in some cases respond with a considerable amount of data that exceeds the size of the query, hence the use of the term amplification. This is another classic example of a reflective DDoS attack using standard UDP accessible Internet services. Disabling or blocking Internet facing RPCbind/portmap services is a trivial task on any single system but it is unlikely to occur anytime soon on the potentially millions of vulnerable systems accessible on the Internet today."