p2pfile-sharinginhell ... · 2019. 12. 18. · introduction amplificationvulnerabilities...
TRANSCRIPT
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
P2P File-Sharing in Hell:Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective
DoS Attacks
Florian Adamsky, Syed Ali Khayam, Rudolf Jäger andMuttukrishnan Rajarajan
[email protected]://florian.adamsky.it/
9th USENIX Workshop on Offensive Technologies
1/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Outline
1 IntroductionBackground
2 Amplification VulnerabilitiesBitTorrentDHTBitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
2/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Table of Contents
1 IntroductionBackground
2 Amplification VulnerabilitiesBitTorrentDHTBitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
3/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
2013: DDoS attack record: 300 Gbps
4/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
2014: DDoS attack record: 400 Gbps
5/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
DRDoS Attacks Thread Model
PA
Attacker
PA
PA
PA
Amplifiers
PV
Victim
BA
BA
BA
BV
BV
BV
Bandwidth Amplification Factor (BAF)Christian Rossow introduced the Bandwidth Amplification Factor (BAF):
BAF =|Bv||Ba|
6/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
DRDoS Attacks Thread Model
PA
Attacker
PA
PA
PA
Amplifiers
PV
Victim
BA
BA
BA
BV
BV
BV
Bandwidth Amplification Factor (BAF)Christian Rossow introduced the Bandwidth Amplification Factor (BAF):
BAF =|Bv||Ba|
6/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
DRDoS Attacks Thread Model
PA
Attacker
PA
PA
PA
Amplifiers
PV
Victim
BA
BA
BA
BV
BV
BV
Bandwidth Amplification Factor (BAF)Christian Rossow introduced the Bandwidth Amplification Factor (BAF):
BAF =|Bv||Ba|
6/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
DRDoS Attacks Thread Model
PA
Attacker
PA
PA
PA
Amplifiers
PV
Victim
BA
BA
BA
BV
BV
BV
Bandwidth Amplification Factor (BAF)Christian Rossow introduced the Bandwidth Amplification Factor (BAF):
BAF =|Bv||Ba|
6/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Example: BAF = 5
PA
Attacker
PA
PA
PA
Amplifiers
PV
Victim
BA
BA
BA
BV
BV
BV
BA = 1 Gbps BV = 5 Gbps
7/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Example: BAF = 5
PA
Attacker
PA
PA
PA
Amplifiers
PV
Victim
BA
BA
BA
BV
BV
BV
BA = 1 Gbps
BV = 5 Gbps
7/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Example: BAF = 5
PA
Attacker
PA
PA
PA
Amplifiers
PV
Victim
BA
BA
BA
BV
BV
BV
BA = 1 Gbps BV = 5 Gbps
7/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Advantages of a DRDoS Attack
Attacker hides his own identity
It can be initiated by a single computer, results in a distributed attack
Amplifiers send a larger packet to the victim and therefore increase the impact of the attack
8/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Worldwide Application Usage
Source: Paloalto Networks9/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Worldwide Application Usage
BitTorrent% of total bandwidth: 3.35 %
Source: Paloalto Networks10/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BitTorrent’s protocol overview
Variety of UDP-based protocols are used:Distributed Hash Table (DHT)Micro Transport Protocol (uTP)
11/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Micro Transport Protocol (uTP)
uTP is a reliable transport protocol which makes use of UDPSimilarities to TCP
Window based flow controlSequence numbers and ACK numbers
Differences to TCPSequence numbers and ACKs refer to packets, not bytesNo congestion control (Slow-start, congestion avoidance, …) → LEDBATTwo-way handshake instead of a three-way handshake
12/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
uTP’s two-way handshake
Initiator Receiver
SYN_SENT ST_SYN
CONNECTED
CONNECTED
ST_STATE
connection established
13/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
uTP’s two-way handshake
Initiator ReceiverSYN_SENT ST_SYN
CONNECTED
CONNECTED
ST_STATE
connection established
13/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
uTP’s two-way handshake
Initiator ReceiverSYN_SENT ST_SYN
CONNECTED
CONNECTED
ST_STATE
connection established
13/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
uTP’s two-way handshake
Initiator ReceiverSYN_SENT ST_SYN
CONNECTED
CONNECTED
ST_STATE
connection established
13/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Table of Contents
1 IntroductionBackground
2 Amplification VulnerabilitiesBitTorrentDHTBitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
14/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BitTorrent Handshake
<pstrlen><pstr><extensions><info_hash><peer_id>
pstrlen = 19
pstr = BitTorrent protocol
extensions 8 bytes reserved
info_hash 20 byte
peer_id 20 byte
15/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Exploiting uTP’s two-way handshake
Attacker Amplifier Victim
ST_SYNa)
ST_STATE
b)
ST_DATA (Handshake)c)
ST_DATA (Handshake)d)ST_DATA (Handshake)ST_DATA (Handshake)
16/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Exploiting uTP’s two-way handshake
Attacker Amplifier Victim
ST_SYNa)
ST_STATE
b)
ST_DATA (Handshake)c)
ST_DATA (Handshake)d)ST_DATA (Handshake)ST_DATA (Handshake)
16/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Exploiting uTP’s two-way handshake
Attacker Amplifier Victim
ST_SYNa)
ST_STATE
b)
ST_DATA (Handshake)c)
ST_DATA (Handshake)d)ST_DATA (Handshake)ST_DATA (Handshake)
16/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Exploiting uTP’s two-way handshake
Attacker Amplifier Victim
ST_SYNa)
ST_STATE
b)
ST_DATA (Handshake)c)
ST_DATA (Handshake)d)ST_DATA (Handshake)ST_DATA (Handshake)
16/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Exploiting uTP’s two-way handshake
Attacker Amplifier Victim
ST_SYNa)
ST_STATE
b)
ST_DATA (Handshake)c)
ST_DATA (Handshake)d)
ST_DATA (Handshake)ST_DATA (Handshake)
16/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Exploiting uTP’s two-way handshake
Attacker Amplifier Victim
ST_SYNa)
ST_STATE
b)
ST_DATA (Handshake)c)
ST_DATA (Handshake)d)ST_DATA (Handshake)
ST_DATA (Handshake)
16/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Exploiting uTP’s two-way handshake
Attacker Amplifier Victim
ST_SYNa)
ST_STATE
b)
ST_DATA (Handshake)c)
ST_DATA (Handshake)d)ST_DATA (Handshake)ST_DATA (Handshake)
16/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BV > BA
Definition (Packet Stuffing)Try to cram as much BitTorrent messages into one packet as possible to minimize theconnection establishment protocol flow
17/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (BitTorrent)
Description BAF PAFucat 351.5 6uTorrent w/o extensions 27.6 3.5Mainline w/o extensions 27.8 3.5uTorrent with LTEP 39.6 3Mainline with LTEP 39.6 3Vuze w/o extensions 13.9 2Vuze with LTEP 18.7 2Vuze with AMP 54.3 3.5Transmission w/o extensions 4.0 3.5Transmission with LTEP 4.0 3.5Transmission with AMP 4.0 3.5Libtorrent w/o extensions 5.2 4Libtorrent with LTEP 5.2 4
18/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (BitTorrent)
Description BAF PAFucat 351.5 6uTorrent w/o extensions 27.6 3.5Mainline w/o extensions 27.8 3.5uTorrent with LTEP 39.6 3Mainline with LTEP 39.6 3Vuze w/o extensions 13.9 2Vuze with LTEP 18.7 2Vuze with AMP 54.3 3.5Transmission w/o extensions 4.0 3.5Transmission with LTEP 4.0 3.5Transmission with AMP 4.0 3.5Libtorrent w/o extensions 5.2 4Libtorrent with LTEP 5.2 4
18/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (BitTorrent)
Description BAF PAFucat 351.5 6uTorrent w/o extensions 27.6 3.5Mainline w/o extensions 27.8 3.5uTorrent with LTEP 39.6 3Mainline with LTEP 39.6 3Vuze w/o extensions 13.9 2Vuze with LTEP 18.7 2Vuze with AMP 54.3 3.5Transmission w/o extensions 4.0 3.5Transmission with LTEP 4.0 3.5Transmission with AMP 4.0 3.5Libtorrent w/o extensions 5.2 4Libtorrent with LTEP 5.2 4
18/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (BitTorrent)
Description BAF PAFucat 351.5 6uTorrent w/o extensions 27.6 3.5Mainline w/o extensions 27.8 3.5uTorrent with LTEP 39.6 3Mainline with LTEP 39.6 3Vuze w/o extensions 13.9 2Vuze with LTEP 18.7 2Vuze with AMP 54.3 3.5Transmission w/o extensions 4.0 3.5Transmission with LTEP 4.0 3.5Transmission with AMP 4.0 3.5Libtorrent w/o extensions 5.2 4Libtorrent with LTEP 5.2 4
18/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (BitTorrent)
Description BAF PAFucat 351.5 6uTorrent w/o extensions 27.6 3.5Mainline w/o extensions 27.8 3.5uTorrent with LTEP 39.6 3Mainline with LTEP 39.6 3Vuze w/o extensions 13.9 2Vuze with LTEP 18.7 2Vuze with AMP 54.3 3.5Transmission w/o extensions 4.0 3.5Transmission with LTEP 4.0 3.5Transmission with AMP 4.0 3.5Libtorrent w/o extensions 5.2 4Libtorrent with LTEP 5.2 4
18/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (BitTorrent)
Description BAF PAFucat 351.5 6uTorrent w/o extensions 27.6 3.5Mainline w/o extensions 27.8 3.5uTorrent with LTEP 39.6 3Mainline with LTEP 39.6 3Vuze w/o extensions 13.9 2Vuze with LTEP 18.7 2Vuze with AMP 54.3 3.5Transmission w/o extensions 4.0 3.5Transmission with LTEP 4.0 3.5Transmission with AMP 4.0 3.5Libtorrent w/o extensions 5.2 4Libtorrent with LTEP 5.2 4
18/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (BitTorrent)
Description BAF PAFucat 351.5 6uTorrent w/o extensions 27.6 3.5Mainline w/o extensions 27.8 3.5uTorrent with LTEP 39.6 3Mainline with LTEP 39.6 3Vuze w/o extensions 13.9 2Vuze with LTEP 18.7 2Vuze with AMP 54.3 3.5Transmission w/o extensions 4.0 3.5Transmission with LTEP 4.0 3.5Transmission with AMP 4.0 3.5Libtorrent w/o extensions 5.2 4Libtorrent with LTEP 5.2 4
18/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (BitTorrent)
Description BAF PAFucat 351.5 6uTorrent w/o extensions 27.6 3.5Mainline w/o extensions 27.8 3.5uTorrent with LTEP 39.6 3Mainline with LTEP 39.6 3Vuze w/o extensions 13.9 2Vuze with LTEP 18.7 2Vuze with AMP 54.3 3.5Transmission w/o extensions 4.0 3.5Transmission with LTEP 4.0 3.5Transmission with AMP 4.0 3.5Libtorrent w/o extensions 5.2 4Libtorrent with LTEP 5.2 4
18/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping
MSE starts a Diffie-Hellman key exchange
After the key exchange BitTorrent packets are RC4 encrypted
Initiator ReceiverPA = ga mod pRA = 0 bytes ≤ RA ≤ 512 bytes PA, RA
PB = ga mod pRB = 0 bytes ≤ RB ≤ 512 bytesPB,RB
Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
19/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping
MSE starts a Diffie-Hellman key exchange
After the key exchange BitTorrent packets are RC4 encrypted
Initiator Receiver
PA = ga mod pRA = 0 bytes ≤ RA ≤ 512 bytes PA, RA
PB = ga mod pRB = 0 bytes ≤ RB ≤ 512 bytesPB,RB
Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
19/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping
MSE starts a Diffie-Hellman key exchange
After the key exchange BitTorrent packets are RC4 encrypted
Initiator ReceiverPA = ga mod pRA = 0 bytes ≤ RA ≤ 512 bytes
PA, RAPB = ga mod pRB = 0 bytes ≤ RB ≤ 512 bytesPB,RB
Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
19/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping
MSE starts a Diffie-Hellman key exchange
After the key exchange BitTorrent packets are RC4 encrypted
Initiator ReceiverPA = ga mod pRA = 0 bytes ≤ RA ≤ 512 bytes PA, RA
PB = ga mod pRB = 0 bytes ≤ RB ≤ 512 bytesPB,RB
Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
19/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping
MSE starts a Diffie-Hellman key exchange
After the key exchange BitTorrent packets are RC4 encrypted
Initiator ReceiverPA = ga mod pRA = 0 bytes ≤ RA ≤ 512 bytes PA, RA
PB = ga mod pRB = 0 bytes ≤ RB ≤ 512 bytes
PB,RB
Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
19/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping
MSE starts a Diffie-Hellman key exchange
After the key exchange BitTorrent packets are RC4 encrypted
Initiator ReceiverPA = ga mod pRA = 0 bytes ≤ RA ≤ 512 bytes PA, RA
PB = ga mod pRB = 0 bytes ≤ RB ≤ 512 bytesPB,RB
Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
19/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Message Stream Encryption (MSE)
Aim of MSE is to obfuscate BitTorrent traffic to avoid shaping
MSE starts a Diffie-Hellman key exchange
After the key exchange BitTorrent packets are RC4 encrypted
Initiator ReceiverPA = ga mod pRA = 0 bytes ≤ RA ≤ 512 bytes PA, RA
PB = ga mod pRB = 0 bytes ≤ RB ≤ 512 bytesPB,RB
Amplification Factor (MSE)
4 ≤ BAFMSE ≤ 32.5
19/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Distributed Hash Table
DHT implementation in BitTorrent is divided into two protocols:Mainline DHT (MLDHT)Vuze DHT (VDHT)
MLDHT is by far the biggest overlay network (around 15–27 million users per day)
Both protocols are not compatible with each other
20/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (DHT)
Implementation Description BAFMLDHT ping 0.8
find_node with K = 8 3.1get_peers with 100 peers (IPv4) 11.9get_peers with 100 peers (IPv6) 24.5get_peers with scrapes 13.4
VDHT ping 0.8ping with Vivaldi coordinates 14.9
21/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (DHT)
Implementation Description BAFMLDHT ping 0.8
find_node with K = 8 3.1get_peers with 100 peers (IPv4) 11.9get_peers with 100 peers (IPv6) 24.5get_peers with scrapes 13.4
VDHT ping 0.8ping with Vivaldi coordinates 14.9
21/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (DHT)
Implementation Description BAFMLDHT ping 0.8
find_node with K = 8 3.1get_peers with 100 peers (IPv4) 11.9get_peers with 100 peers (IPv6) 24.5get_peers with scrapes 13.4
VDHT ping 0.8ping with Vivaldi coordinates 14.9
21/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Factors (DHT)
Implementation Description BAFMLDHT ping 0.8
find_node with K = 8 3.1get_peers with 100 peers (IPv4) 11.9get_peers with 100 peers (IPv6) 24.5get_peers with scrapes 13.4
VDHT ping 0.8ping with Vivaldi coordinates 14.9
21/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BitTorrent Sync
Proprietary protocol to synchronize files in a P2P way
BTSync reached the 1 million users mark in 2013
BTSync also uses uTP as its transport protocol
22/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Vulnerabilities (BTSync)
Message BAFBTSync handshake 10.8ping 120
23/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Vulnerabilities (BTSync)
Message BAFBTSync handshake 10.8ping 120
23/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Amplification Vulnerabilities (BTSync)
Message BAFBTSync handshake 10.8ping 120
23/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BTSync: ping flood
24/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Evadability
DNS’13
NTP
’14
BTH
MLD
HT
VDHT
BTSy
nc
MSE
SPI firwall X XDPI firewall X X X X
25/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Table of Contents
1 IntroductionBackground
2 Amplification VulnerabilitiesBitTorrentDHTBitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
26/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Experimental Evaluation
0 100 200 300 400 500 600
0
0.5
1
1.5
2·104
Time in seconds (s)
Payloa
dsize
inby
tes
BV = Traffic to the victimBA = Traffic to the amplifiers
Figure: Amplification attack with 1 attacker, 31 amplifiers and 1 victim.27/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BitTorrent Crawler
We wrote a BitTorrent Crawler in Elixir
Used PirateBay magnet link database fromFeb 2012We collected overall 9.6 million peers viaMLDHT
Beginning from 1st January 2015 until 1stFebruary 2015.
SuperVisor
SuperVisor SuperVisorDB Worker
DHTHarvester
PeerRequesterDB
Internet
1:1
1:1 1:1
1:1
1:n
1:n
28/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Payload size from the DHT responses
0 500 1,000 1,500 2,000 2,500 3,000
0
2
4
·104
1.0
3.1
5.37.4 9.5 11.6
Payload size in bytes
Num
berof
rece
ived
pack
ets
Figure: Histogram of the payload size from the DHT responses which are caused by get_peers requests.The numbers on top of the bars are the average BAF values.
29/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BitTorrent handshake size from the uTP responses
300 400 500 600 700 800 900 1,000 1,100 1,200 1,300 1,400 1,500
0
100
200
300
BitTorrent Handshake size in bytes
Num
berof
rece
ived
pack
ets
Figure: Histogram of the BitTorrent handshake size from the uTP responses.30/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BitTorrent handshake size from the uTP responses
300 400 500 600 700 800 900 1,000 1,100 1,200 1,300 1,400 1,500
0
100
200
300
31.2 (15.7 %)
BitTorrent Handshake size in bytes
Num
berof
rece
ived
pack
ets
Figure: Histogram of the BitTorrent handshake size from the uTP responses.30/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BitTorrent handshake size from the uTP responses
300 400 500 600 700 800 900 1,000 1,100 1,200 1,300 1,400 1,500
0
100
200
300
31.2 (15.7 %)
46.7 (2.2 %)
BitTorrent Handshake size in bytes
Num
berof
rece
ived
pack
ets
Figure: Histogram of the BitTorrent handshake size from the uTP responses.30/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
BitTorrent handshake size from the uTP responses
300 400 500 600 700 800 900 1,000 1,100 1,200 1,300 1,400 1,500
0
100
200
300
31.2 (15.7 %)
46.7 (2.2 %)
66.9 (3.9 %)
BitTorrent Handshake size in bytes
Num
berof
rece
ived
pack
ets
Figure: Histogram of the BitTorrent handshake size from the uTP responses.30/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Table of Contents
1 IntroductionBackground
2 Amplification VulnerabilitiesBitTorrentDHTBitTorrent Sync
3 Experimental Evaluation
4 Countermeasures
31/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Coutermeasures
ISP sideBCP 38 (ingress filtering)
2015: more than 70 % of the publicnetworks deployed BCP 38
Protocol sideuTP
Three-way handshakeVerify the second acknowledgment
DHTToken scheme (similar to announce_peer)
32/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Coutermeasures
ISP sideBCP 38 (ingress filtering)
2015: more than 70 % of the publicnetworks deployed BCP 38
Protocol sideuTP
Three-way handshakeVerify the second acknowledgment
DHTToken scheme (similar to announce_peer)
32/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Conclusion
BitTorrent and BitTorrent Sync are vulnerable to DRDoS attacks
Attacker is able to amplify traffic up to 50 times and with BTSync up to 120 times
With Trackers, DHT and PEX, an attacker can collect millions of amplifiersHard to circumvent, as the found vulnerabilities can only be defended with a DPI firewall
in case of MSE it is even harder
Responsible DisclosureuTorrent 3.4.4 49854 (beta) is released today!
33/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Conclusion
BitTorrent and BitTorrent Sync are vulnerable to DRDoS attacks
Attacker is able to amplify traffic up to 50 times and with BTSync up to 120 times
With Trackers, DHT and PEX, an attacker can collect millions of amplifiersHard to circumvent, as the found vulnerabilities can only be defended with a DPI firewall
in case of MSE it is even harder
Responsible DisclosureuTorrent 3.4.4 49854 (beta) is released today!
33/34
Introduction Amplification Vulnerabilities Experimental Evaluation Countermeasures
Thank You
http://florian.adamsky.it/
Institutions:
34/34