A Measurement Study of Attacks on BitTorrent Leechers Prithula Dhungel, Di Wu, Brad Schonhorst, Keith W. Ross Polytechnic University, Brooklyn, NY, USA 11201 Email: [email protected], [email protected], [email protected], [email protected] Abstract the globe, all of which are defying legal threats, in- cluding PirateBay, Mininova, Snarf-it, and BiteNova. Anti-P2P companies have begun to launch Internet at- Moreover, torrent tracking can be decentralized us- tacks against BitTorrent swarms. In this paper, we an- ing DHTs, as is currently being done with clients like alyze how successful these attacks are at impeding the Azureus and uTorrent. distribution of targeted files. We present the results of Given that it is currently difficult, if not impossible, both passive and active measurements. For our active to stop BitTorrent by suing companies, and that suing measurements, we developed a crawler that contacts individual users is both painstaking and unpopular, the all the peers in any given swarm, determines whether only remaining way to stop BitTorrent is via Internet the swarm is under attack, and identifies the attack attacks. Not surprisingly, the music and film indus- peers in the swarm. We used the crawler to analyze tries have begun to hire anti-P2P companies to impede 8 top box-office movies. Using passive measurements, specific “assets” from being distributed in BitTorrent we performed a detailed analysis of a recent album swarms [6, 7]. that is under attack. In this paper, using Internet measurement, we ex- plore how successful these anti-P2P companies cur- rently are at impeding the distribution of targeted files 1. Introduction in BitTorrent. We present results for both passive and Over the past several years, the music industry has active measurement. For active measurements, we de- aggressively attempted to impede the distribution of veloped a crawler that contacts all the peers in any copyrighted content over P2P file distribution net- given swarm, determines whether the swarm is un- works. These attempts included numerous law suits der attack, and identifies the attack peers. We used against P2P file sharing companies (against Napster, the crawler to analyze 8 current top box-office movies. Kazaa and many others), tracking and suing users of Using passive measurements, we performed a detailed P2P file sharing systems [1], and most remarkably, analysis of a recent album that is under attack. For launching large-scale Internet attacks against the P2P the passive measurements, we developed a customized systems themselves. These large-scale Internet attacks packet parser, which identifies the peers that are at- were performed by specialized anti-P2P companies, tacking and the type of attack they employ. working on the behalf of the RIAA and specific record labels. Several studies showed that these attacks were successful at severely impeding the distribution of 2. Two BitTorrent Attacks targeted content over several P2P file sharing sys- BitTorrent swarms are susceptible to a number of dif- tems, including FastTrack/Kazaa, Overnet/eDonkey, ferent attack types. In our measurement work, we have and Gnutella [2, 3, 4]. These attacks, along with the observed two attacks that are frequently deployed to- law suits, have contributed to the demise of Kazaa and day, which we refer to as the fake-block attack and eDonkey file-sharing networks. the uncooperative-peer attack. In this section, we de- BitTorrent is one of the most popular P2P file dis- scribe these two attacks. tribution protocols today, particularly for the distri- bution of large files, such as high-definition movies, television series, record albums and open-source soft- 2.1. Fake-Block Attack ware distributions [5]. Unlike Napster and Kazaa, Bit- Recall that in BitTorrent, each file is divided into Torrent is nothing more than a protocol and about a pieces, where each piece is typically 256 KBytes. dozen clients that implement the protocol. BitTorrent Each piece is further divided into blocks, with typi- swarms and clients are not controlled by a small set of cally 16 blocks in a piece. When downloading a piece, companies which can be targeted for a lawsuit. Also a client requests different blocks for the piece from dif- included in the BitTorrent eco-system are torrent lo- ferent peers. cation and tracker services, which can potentially be In the fake-block attack, the goal of the attacker is legally attacked; in fact, in late 2004, Suprnova, the to prolong the download of a file at peers by wasting largest torrent locater at that time, was closed after le- their download bandwidths. In particular, an attacker gal threats. Today, however, there are many BitTorrent joins the swarm sharing the file by registering itself file location and tracking services, scattered around to the corresponding tracker. It then advertises that 1 it has a large number of pieces of the file. Upon re- [8], to prevent connections to and from the IP ranges ceiving this information, a victim peer sends a request in a specified blacklist. Our IP blacklist is based on to the attack peer for a block. The attacker, instead the ZipTorrent blacklist published on torrentfreak.com of sending the authentic block, sends a fake one. Af- [6]. Note that, since the anti-P2P companies (e.g., Me- ter downloading all the blocks in the piece (from the diaDefender [9]) change the IP range of their attack attack peer and from other benevolent peers), the vic- hosts, this blacklist is not always complete and may tim peer performs a hash check across the entire piece. not always eliminate all the attacker hosts. The hash check then fails due to the fake block from the attacker. This requires the victim peer to download the entire piece (16 blocks) again, delaying the down- 3.2. Passive Measurement Results load of the file. If the peer chooses to download any In this section we present measurement results for a of the blocks again from this or another fake-block at- torrent for the new album titled “Echoes, Silence, Pa- tacker, the download is further delayed. Note that an tience & Grace” from “Foo Fighters”, which we sus- attacker can cause a victim peer to waste 256 KBytes pected to be under attack. This popular album was re- of download bandwidth by only sending it a 16 KByte leased on September 25, 2007, a few weeks before our block (using typical numbers). experiments. At the time of the experiment, it held the number 1 position on the UK album chart and iTunes 2.2. Uncooperative-Peer Attack ranking list. The size of the file is 108MBytes. In our testing, we downloaded the file from this torrent 54 In this class of attacks, the attacker joins the targeted times. swarm and establishes TCP connections with many victim peers. However, it never provides any blocks (authentic or fake) to its victim peers. A common ver- 3.3. Azureus Client sion of this attack is the chatty peer attack. Here, the Because Azureus clients can import IP blacklist, we attack peer speaks the BitTorrent protocol with each use this Azureus feature to perform IP filtering. Within of the victim peers, starting with the handshake mes- one day, we performed downloads for this torrent mul- sage, and then followed by the bitmap message adver- tiple times using Azureus clients, and switched the IP tising that it has a number of pieces available for the filter on or off alternatively. First we present the basic file. When a victim peer requests one or more blocks, average download-time statistics in Table 1. the attack peer doesn’t upload the blocks. Moreover, the nature of the attacker is chatty. After the victim Azureus w/ IP-filtering w/o IP-filtering Delay Ratio peer sends one or more block requests, the attacker re- Ethernet 15.52 mins 20.99 mins 35.2% sends the handshake and bitmap messages. By resend- (6 downloads) (6 downloads) ing these BitTorrent control messages over and over DSL 19.98 mins 25.88 mins 29.5% again, the attacker persists as a neighbor, and the vic- (6 downloads) (6 downloads) tim peer wastes a considerable time dealing with the attack peer, when it could have instead downloaded Table 1: Average downloading time using Azureus blocks from other benevolent peers. The effectiveness clients of this attack is increased if a significant fraction of In Table 1, Delay Ratio is defined as follows to eval- victim’s neighbors are uncooperative. uate the effectiveness of attacks in lengthening BitTor- rent downloading time, 3. Effectiveness of BitTorrent Attacks T w/o IP-filtering ¡ T w/ IP-filtering In this section, we use passive measurements to evalu- Delay Ratio = d d ate the effectiveness of fake-block and uncooperative- Td w/ IP-filtering peer attacks on BitTorrent systems. In the next section, where Td is the average downloading time of Bit- we complement this evaluation with active, crawler- Torrent clients. From the table, we clearly observe that based measurements. the downloading time of the file is prolonged when at- tacked. For both DSL and Ethernet peers, the down- 3.1. Passive Measurement Methodology load time on average increased by about 30%. The While repeatedly downloading a file suspected to be actual increase in download time may be larger, since under attack, we collected multiple packet traces from we may not have blacklisted all the malicious peers. hosts connected to both Ethernet and DSL access net- However, given the download rate of the DSL client, works. For this testing, we used Azureus and uTor- the size of the file, and that the minimum observed rent, as they are the two most widely used BitTorrent download time was 17 minutes, it is unlikely that the clients.