BitTorrent is one of the most effective technologies to transfer large digital files to many people at once. Unlike a central server, transfers actually tend to go faster as more people share the same files. This characteristic is one of the reasons why it has evolved into the dominant file-sharing platform in recent years.
Every day millions of people are downloading files via BitTorrent, and in some instances more than 100,000 people are sharing the same file at the same time. These large ‘swarms’ of peers are great for sharing, but they also pose a threat as became apparent at the Chaos Communications Congress (CCC) recently.
In a talk titled “Lying To The Neighbours” it was shown that the DHT technology which powers “trackerless torrents” can be abused to let BitTorrent downloaders effectively DDoS a webserver of choice. DHT’s normal function is to find peers who are downloading the same files, but without communicating with a central BitTorrent tracker. This ensures that downloads can continue even when the central tracker goes offline.
According to the presenter who goes by the name ‘Astro’, Kademlia based DHT can be exploited by a malicious peer to carry out a DDoS attack. If there are enough peers downloading the same file, this could easily take down medium to large websites. The worrying part is that the downloaders who are participating in the DDoS will not be aware of what’s going on.
“The core problem are the random NodeIDs. The address hashing and verification scheme works for scenarios like the old Internet, but becomes almost useless in the big address space of IPv6,” Astro told TorrentFreak in a comment. As a result, any BitTorrent swarm can be abused to target specific websites and potentially take them down.
This and other DHT vulnerabilities are not entirely new concepts for BitTorrent developers. They have been discussed in various places already, but no agreement on how they should be dealt with has yet been reached.
Over the last months DDoS attacks have been in the news regularly, mostly carried out under the flag of Anonymous’ Operation Payback. Initially anti-piracy targets such as the MPAA and RIAA were taken offline, and last month the focus switched to organizations that acted against Wikileaks, including Mastercard and Paypal.
While these attacks required hundreds of people to actively participate and fire up their LOIC application at the same time, the BitTorrent DDoS could take down the same sites from a single computer, using BitTorrent downloads as a ‘botnet’. But, where there’s a problem there’s a solution, and Astro has some pointers for BitTorrent developers.
“Not connecting to privileged ports (< 1024) where most critical services reside," is one ad-hoc solution, but Astro says that since it's a design error, the protocol has to be redefined eventually. The idea of using BitTorrent as a DDoS tool is not entirely new. In fact, researchers have previously shown that adding a webserver’s IP address as a BitTorrent tracker could result in a similar DDoS. The downside of this method is, however, that it requires a torrent file to become popular, while the DHT method can simply exploit existing torrents that are already being downloaded by thousands of people.
It will be interesting to see if BitTorrent developers are going to act upon the DHT vulnerability in the coming months and come up with a solution to prevent this kind of abuse.