Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks
Florian Adamsky, Syed Ali Khayam, Rudolf Jäger and Muttukrishnan Rajarajan
[email protected] http://florian.adamsky.it/
9th USENIX Workshop on Offensive Technologies
1/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Outline
1 Introduction Background
2 Amplification Vulnerabilities BitTorrent DHT BitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
2/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Table of Contents
1 Introduction Background
2 Amplification Vulnerabilities BitTorrent DHT BitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
3/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures 2013: DDoS attack record: 300 Gbps
4/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures 2014: DDoS attack record: 400 Gbps
5/34 B BA V Bandwidth Amplification Factor (BAF) BV Christian Rossow introducedBA the Bandwidth Amplification Factor (BAF): | | B Bv BV A BAF = |Ba|
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures DRDoS Attacks Thread Model
PA
PA PA PV
PA
Attacker Amplifiers Victim
6/34 B V Bandwidth Amplification Factor (BAF) B Christian Rossow introduced the Bandwidth AmplificationV Factor (BAF):
|B | BAF = v BV |Ba|
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures DRDoS Attacks Thread Model
PA
BA
BA PA PA PV B A
PA
Attacker Amplifiers Victim
6/34 Bandwidth Amplification Factor (BAF) Christian Rossow introduced the Bandwidth Amplification Factor (BAF):
|B | BAF = v |Ba|
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures DRDoS Attacks Thread Model
PA B BA V
BV BA PA PA PV
B V A B
PA
Attacker Amplifiers Victim
6/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures DRDoS Attacks Thread Model
PA B BA V Bandwidth Amplification Factor (BAF) BV Christian Rossow introducedBA the Bandwidth Amplification Factor (BAF): PA PA PV | | B Bv BV A BAF = |Ba|
PA
Attacker Amplifiers Victim
6/34 BA = 1 Gbps BV = 5 Gbps
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Example: BAF = 5
PA B BA V
BV BA PA PA PV
B V A B
PA
Attacker Amplifiers Victim
7/34 BV = 5 Gbps
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Example: BAF = 5
BA = 1 Gbps
PA B BA V
BV BA PA PA PV
B V A B
PA
Attacker Amplifiers Victim
7/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Example: BAF = 5
BA = 1 Gbps BV = 5 Gbps
PA B BA V
BV BA PA PA PV
B V A B
PA
Attacker Amplifiers Victim
7/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Advantages of a DRDoS Attack
Attacker hides his own identity It can be initiated by a single computer, results in a distributed attack Amplifiers send a larger packet to the victim and therefore increase the impact of the attack
8/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Worldwide Application Usage
9/34 Source: Paloalto Networks Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Worldwide Application Usage
BitTorrent % of total bandwidth: 3.35 %
10/34 Source: Paloalto Networks Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent’s protocol overview
Variety of UDP-based protocols are used: Distributed Hash Table (DHT) Micro Transport Protocol (uTP)
11/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Micro Transport Protocol (uTP)
uTP is a reliable transport protocol which makes use of UDP Similarities to TCP Window based flow control Sequence numbers and ACK numbers Differences to TCP Sequence numbers and ACKs refer to packets, not bytes No congestion control (Slow-start, congestion avoidance, …) → LEDBAT Two-way handshake instead of a three-way handshake
12/34 SYN_SENT ST_SYN
CONNECTED ST_STATE
CONNECTED connection established
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures uTP’s two-way handshake
Initiator Receiver
13/34 ST_STATE
CONNECTED connection established
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures uTP’s two-way handshake
Initiator Receiver SYN_SENT ST_SYN
CONNECTED
13/34 connection established
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures uTP’s two-way handshake
Initiator Receiver SYN_SENT ST_SYN
CONNECTED ST_STATE
CONNECTED
13/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures uTP’s two-way handshake
Initiator Receiver SYN_SENT ST_SYN
CONNECTED ST_STATE
CONNECTED connection established
13/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Table of Contents
1 Introduction Background
2 Amplification Vulnerabilities BitTorrent DHT BitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
14/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent Handshake
15/34 a) ST_SYN ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) ST_DATA (Handshake) d) ST_DATA (Handshake)
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake
Attacker Amplifier Victim
16/34 ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) ST_DATA (Handshake) d) ST_DATA (Handshake)
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake
Attacker Amplifier Victim a) ST_SYN
16/34 ST_DATA c) (Handshake) ST_DATA (Handshake)
ST_DATA (Handshake) d) ST_DATA (Handshake)
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake
Attacker Amplifier Victim a) ST_SYN
ST_STATE b)
16/34 ST_DATA (Handshake)
ST_DATA (Handshake) d) ST_DATA (Handshake)
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake
Attacker Amplifier Victim a) ST_SYN ST_DATA (Handshake) c) ST_STATE b)
16/34 ST_DATA (Handshake) ST_DATA (Handshake)
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake
Attacker Amplifier Victim a) ST_SYN ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) d)
16/34 ST_DATA (Handshake)
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake
Attacker Amplifier Victim a) ST_SYN ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) ST_DATA (Handshake) d)
16/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake
Attacker Amplifier Victim a) ST_SYN ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) ST_DATA (Handshake) d) ST_DATA (Handshake)
16/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BV > BA
Definition (Packet Stuffing) Try to cram as much BitTorrent messages into one packet as possible to minimize the connection establishment protocol flow
17/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent)
Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4
18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent)
Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4
18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent)
Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4
18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent)
Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4
18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent)
Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4
18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent)
Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4
18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent)
Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4
18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent)
Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4
18/34 Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
Initiator Receiver a PA = g mod p P , = 0 ≤ ≤ 512 A RA RA bytes RA bytes a PB = g mod p B ≤ ≤ PB, R RB = 0 bytes RB 512 bytes
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping MSE starts a Diffie-Hellman key exchange After the key exchange BitTorrent packets are RC4 encrypted
19/34 Amplification Factor (MSE)
a PA = g mod p P , = 0 ≤ ≤ 512 4 ≤ BAFA RA≤ 32.5 RA bytes RA bytes MSE a PB = g mod p B ≤ ≤ PB, R RB = 0 bytes RB 512 bytes
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping MSE starts a Diffie-Hellman key exchange After the key exchange BitTorrent packets are RC4 encrypted
Initiator Receiver
19/34 Amplification Factor (MSE)
P , 4 ≤ BAFA RA≤ 32.5 MSE a PB = g mod p B ≤ ≤ PB, R RB = 0 bytes RB 512 bytes
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping MSE starts a Diffie-Hellman key exchange After the key exchange BitTorrent packets are RC4 encrypted
Initiator Receiver a PA = g mod p RA = 0 bytes ≤ RA ≤ 512 bytes
19/34 Amplification Factor (MSE)
4 ≤ BAF ≤ 32.5 MSE a PB = g mod p B ≤ ≤ PB, R RB = 0 bytes RB 512 bytes
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping MSE starts a Diffie-Hellman key exchange After the key exchange BitTorrent packets are RC4 encrypted
Initiator Receiver a PA = g mod p PA, R RA = 0 bytes ≤ RA ≤ 512 bytes A
19/34 Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
B PB, R
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping MSE starts a Diffie-Hellman key exchange After the key exchange BitTorrent packets are RC4 encrypted
Initiator Receiver a PA = g mod p P , = 0 ≤ ≤ 512 A RA RA bytes RA bytes a PB = g mod p RB = 0 bytes ≤ RB ≤ 512 bytes
19/34 Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping MSE starts a Diffie-Hellman key exchange After the key exchange BitTorrent packets are RC4 encrypted
Initiator Receiver a PA = g mod p P , = 0 ≤ ≤ 512 A RA RA bytes RA bytes a PB = g mod p B ≤ ≤ PB, R RB = 0 bytes RB 512 bytes
19/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping MSE starts a Diffie-Hellman key exchange After the key exchange BitTorrent packets are RC4 encrypted Amplification Factor (MSE) Initiator Receiver a PA = g mod p P , = 0 ≤ ≤ 512 4 ≤ BAFA RA≤ 32.5 RA bytes RA bytes MSE a PB = g mod p B ≤ ≤ PB, R RB = 0 bytes RB 512 bytes
19/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Distributed Hash Table
DHT implementation in BitTorrent is divided into two protocols: Mainline DHT (MLDHT) Vuze DHT (VDHT) MLDHT is by far the biggest overlay network (around 15–27 million users per day) Both protocols are not compatible with each other
20/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (DHT)
Implementation Description BAF MLDHT ping 0.8 find_node with K = 8 3.1 get_peers with 100 peers (IPv4) 11.9 get_peers with 100 peers (IPv6) 24.5 get_peers with scrapes 13.4 VDHT ping 0.8 ping with Vivaldi coordinates 14.9
21/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (DHT)
Implementation Description BAF MLDHT ping 0.8 find_node with K = 8 3.1 get_peers with 100 peers (IPv4) 11.9 get_peers with 100 peers (IPv6) 24.5 get_peers with scrapes 13.4 VDHT ping 0.8 ping with Vivaldi coordinates 14.9
21/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (DHT)
Implementation Description BAF MLDHT ping 0.8 find_node with K = 8 3.1 get_peers with 100 peers (IPv4) 11.9 get_peers with 100 peers (IPv6) 24.5 get_peers with scrapes 13.4 VDHT ping 0.8 ping with Vivaldi coordinates 14.9
21/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (DHT)
Implementation Description BAF MLDHT ping 0.8 find_node with K = 8 3.1 get_peers with 100 peers (IPv4) 11.9 get_peers with 100 peers (IPv6) 24.5 get_peers with scrapes 13.4 VDHT ping 0.8 ping with Vivaldi coordinates 14.9
21/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent Sync
Proprietary protocol to synchronize files in a P2P way BTSync reached the 1 million users mark in 2013 BTSync also uses uTP as its transport protocol
22/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Vulnerabilities (BTSync)
Message BAF BTSync handshake 10.8 ping 120
23/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Vulnerabilities (BTSync)
Message BAF BTSync handshake 10.8 ping 120
23/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Vulnerabilities (BTSync)
Message BAF BTSync handshake 10.8 ping 120
23/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BTSync: ping flood
24/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Evadability
DNS’13 NTP’14 BTH MLDHT VDHT BTSync MSE SPI firwall X X DPI firewall XXXX
25/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Table of Contents
1 Introduction Background
2 Amplification Vulnerabilities BitTorrent DHT BitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
26/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Experimental Evaluation
·104 2 BV = Traffic to the victim
BA = Traffic to the amplifiers 1.5
1
0.5 Payload size in bytes 0 0 100 200 300 400 500 600 Time in seconds (s)
Figure: Amplification attack with 1 attacker, 31 amplifiers and 1victim.
27/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent Crawler
Internet
We wrote a BitTorrent Crawler in Elixir
Used PirateBay magnet link database from DHT Peer DB Feb 2012 Harvester Requester We collected overall 9.6 million peers via 1:1 MLDHT 1:n 1:n
Beginning from 1st January 2015 until 1st DB Worker SuperVisor SuperVisor February 2015. 1:1 1:1 1:1
SuperVisor
28/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Payload size from the DHT responses
·104 3.1
4
2
1.0 5.3 7.4 9.5 11.6 0 Number of received packets 0 500 1,000 1,500 2,000 2,500 3,000 Payload size in bytes
Figure: Histogram of the payload size from the DHT responses which are caused by get_peers requests.
29/34The numbers on top of the bars are the average BAF values. Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent handshake size from the uTP responses
300
200
100
0 Number of received packets 300 400 500 600 700 800 900 1,000 1,100 1,200 1,300 1,400 1,500 BitTorrent Handshake size in bytes
Figure: Histogram of the BitTorrent handshake size from the uTP responses. 30/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent handshake size from the uTP responses
31.2 (15.7 %)
300
200
100
0 Number of received packets 300 400 500 600 700 800 900 1,000 1,100 1,200 1,300 1,400 1,500 BitTorrent Handshake size in bytes
Figure: Histogram of the BitTorrent handshake size from the uTP responses. 30/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent handshake size from the uTP responses
31.2 (15.7 %)
300
200 46.7 (2.2 %) 100
0 Number of received packets 300 400 500 600 700 800 900 1,000 1,100 1,200 1,300 1,400 1,500 BitTorrent Handshake size in bytes
Figure: Histogram of the BitTorrent handshake size from the uTP responses. 30/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent handshake size from the uTP responses
31.2 (15.7 %)
300 66.9 (3.9 %)
200 46.7 (2.2 %) 100
0 Number of received packets 300 400 500 600 700 800 900 1,000 1,100 1,200 1,300 1,400 1,500 BitTorrent Handshake size in bytes
Figure: Histogram of the BitTorrent handshake size from the uTP responses. 30/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Table of Contents
1 Introduction Background
2 Amplification Vulnerabilities BitTorrent DHT BitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
31/34 Protocol side uTP Three-way handshake Verify the second acknowledgment DHT Token scheme (similar to announce_peer)
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Coutermeasures
ISP side BCP 38 (ingress filtering) 2015: more than 70 % of the public networks deployed BCP 38
32/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Coutermeasures
ISP side Protocol side BCP 38 (ingress filtering) uTP 2015: more than 70 % of the public Three-way handshake networks deployed BCP 38 Verify the second acknowledgment DHT Token scheme (similar to announce_peer)
32/34 Responsible Disclosure uTorrent 3.4.4 49854 (beta) is released today!
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Conclusion
BitTorrent and BitTorrent Sync are vulnerable to DRDoS attacks Attacker is able to amplify traffic up to 50 times and with BTSync upto120times With Trackers, DHT and PEX, an attacker can collect millions of amplifiers Hard to circumvent, as the found vulnerabilities can only be defended with a DPI firewall in case of MSE it is even harder
33/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Conclusion
BitTorrent and BitTorrent Sync are vulnerable to DRDoS attacks Attacker is able to amplify traffic up to 50 times and with BTSync upto120times With Trackers, DHT and PEX, an attacker can collect millions of amplifiers Hard to circumvent, as the found vulnerabilities can only be defended with a DPI firewall in case of MSE it is even harder
Responsible Disclosure uTorrent 3.4.4 49854 (beta) is released today!
33/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Thank You
Questions?
[email protected] http://florian.adamsky.it/
Institutions:
34/34