P2P File-Sharing in Hell: Exploiting Bittorrent Vulnerabilities to Launch Distributed Reflective Dos Attacks
Total Page:16
File Type:pdf, Size:1020Kb
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks Florian Adamsky, Syed Ali Khayam, Rudolf Jäger and Muttukrishnan Rajarajan [email protected] http://florian.adamsky.it/ 9th USENIX Workshop on Offensive Technologies 1/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Outline 1 Introduction Background 2 Amplification Vulnerabilities BitTorrent DHT BitTorrent Sync 3 Experimental Evaluation 4 Countermeasures 2/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Table of Contents 1 Introduction Background 2 Amplification Vulnerabilities BitTorrent DHT BitTorrent Sync 3 Experimental Evaluation 4 Countermeasures 3/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures 2013: DDoS attack record: 300 Gbps 4/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures 2014: DDoS attack record: 400 Gbps 5/34 B BA V Bandwidth Amplification Factor (BAF) BV Christian Rossow introducedBA the Bandwidth Amplification Factor (BAF): j j B Bv BV A BAF = jBaj Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures DRDoS Attacks Thread Model PA PA PA PV PA Attacker Amplifiers Victim 6/34 B V Bandwidth Amplification Factor (BAF) B Christian Rossow introduced the Bandwidth AmplificationV Factor (BAF): jB j BAF = v BV jBaj Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures DRDoS Attacks Thread Model PA BA BA PA PA PV B A PA Attacker Amplifiers Victim 6/34 Bandwidth Amplification Factor (BAF) Christian Rossow introduced the Bandwidth Amplification Factor (BAF): jB j BAF = v jBaj Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures DRDoS Attacks Thread Model PA B BA V BV BA PA PA PV B V A B PA Attacker Amplifiers Victim 6/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures DRDoS Attacks Thread Model PA B BA V Bandwidth Amplification Factor (BAF) BV Christian Rossow introducedBA the Bandwidth Amplification Factor (BAF): PA PA PV j j B Bv BV A BAF = jBaj PA Attacker Amplifiers Victim 6/34 BA = 1 Gbps BV = 5 Gbps Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Example: BAF = 5 PA B BA V BV BA PA PA PV B V A B PA Attacker Amplifiers Victim 7/34 BV = 5 Gbps Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Example: BAF = 5 BA = 1 Gbps PA B BA V BV BA PA PA PV B V A B PA Attacker Amplifiers Victim 7/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Example: BAF = 5 BA = 1 Gbps BV = 5 Gbps PA B BA V BV BA PA PA PV B V A B PA Attacker Amplifiers Victim 7/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Advantages of a DRDoS Attack Attacker hides his own identity It can be initiated by a single computer, results in a distributed attack Amplifiers send a larger packet to the victim and therefore increase the impact of the attack 8/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Worldwide Application Usage 9/34 Source: Paloalto Networks Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Worldwide Application Usage BitTorrent % of total bandwidth: 3.35 % 10/34 Source: Paloalto Networks Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent’s protocol overview Variety of UDP-based protocols are used: Distributed Hash Table (DHT) Micro Transport Protocol (uTP) 11/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Micro Transport Protocol (uTP) uTP is a reliable transport protocol which makes use of UDP Similarities to TCP Window based flow control Sequence numbers and ACK numbers Differences to TCP Sequence numbers and ACKs refer to packets, not bytes No congestion control (Slow-start, congestion avoidance, …) ! LEDBAT Two-way handshake instead of a three-way handshake 12/34 SYN_SENT ST_SYN CONNECTED ST_STATE CONNECTED connection established Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures uTP’s two-way handshake Initiator Receiver 13/34 ST_STATE CONNECTED connection established Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures uTP’s two-way handshake Initiator Receiver SYN_SENT ST_SYN CONNECTED 13/34 connection established Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures uTP’s two-way handshake Initiator Receiver SYN_SENT ST_SYN CONNECTED ST_STATE CONNECTED 13/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures uTP’s two-way handshake Initiator Receiver SYN_SENT ST_SYN CONNECTED ST_STATE CONNECTED connection established 13/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Table of Contents 1 Introduction Background 2 Amplification Vulnerabilities BitTorrent DHT BitTorrent Sync 3 Experimental Evaluation 4 Countermeasures 14/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BitTorrent Handshake <pstrlen><pstr><extensions><info_hash><peer_id> pstrlen = 19 pstr = BitTorrent protocol extensions 8 bytes reserved info_hash 20 byte peer_id 20 byte 15/34 a) ST_SYN ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) ST_DATA (Handshake) d) ST_DATA (Handshake) Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake Attacker Amplifier Victim 16/34 ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) ST_DATA (Handshake) d) ST_DATA (Handshake) Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake Attacker Amplifier Victim a) ST_SYN 16/34 ST_DATA c) (Handshake) ST_DATA (Handshake) ST_DATA (Handshake) d) ST_DATA (Handshake) Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake Attacker Amplifier Victim a) ST_SYN ST_STATE b) 16/34 ST_DATA (Handshake) ST_DATA (Handshake) d) ST_DATA (Handshake) Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake Attacker Amplifier Victim a) ST_SYN ST_DATA (Handshake) c) ST_STATE b) 16/34 ST_DATA (Handshake) ST_DATA (Handshake) Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake Attacker Amplifier Victim a) ST_SYN ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) d) 16/34 ST_DATA (Handshake) Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake Attacker Amplifier Victim a) ST_SYN ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) ST_DATA (Handshake) d) 16/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Exploiting uTP’s two-way handshake Attacker Amplifier Victim a) ST_SYN ST_DATA (Handshake) c) ST_STATE ST_DATA (Handshake) b) ST_DATA (Handshake) d) ST_DATA (Handshake) 16/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures BV > BA Definition (Packet Stuffing) Try to cram as much BitTorrent messages into one packet as possible to minimize the connection establishment protocol flow 17/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent) Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4 18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent) Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4 18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent) Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4 18/34 Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures Amplification Factors (BitTorrent) Description BAF PAF ucat 351.5 6 uTorrent w/o extensions 27.6 3.5 Mainline w/o extensions 27.8 3.5 uTorrent with LTEP 39.6 3 Mainline with LTEP 39.6 3 Vuze w/o extensions 13.9 2 Vuze with LTEP 18.7 2 Vuze with AMP 54.3 3.5 Transmission w/o extensions 4.0 3.5 Transmission with LTEP 4.0 3.5 Transmission with AMP 4.0 3.5 Libtorrent w/o extensions 5.2 4 Libtorrent with LTEP 5.2 4 18/34 Introduction Amplification Vulnerabilities Experimental