The Current Landscape of P2P File Sharing: Challenges and Future Directions

Kevin BauerPh.D. candidate

University of Colorado

2

Talk Outline

• P2P background• Past P2P investigations• Evading investigations with anonymity tools• Alternate techniques to identify file sharers• An emerging threat: “One-click” hosting services• Proposal for a future study

3

Context: The Rise of Peer-to-Peer

2000: Peer-to-peer (P2P) protocols like Gnutella, FastTrack, Napster, &BitTorrent becoming popular for file sharing

1993-2000: Early Internetsaw mostly web traffic

2006-Present:P2P traffic growing

Source: CacheLogic Research January 2006

Web

FTP

Email

Peer-to-Peer

4

Current P2P Landscape

Source: Ipoque Internet Study 2008/2009

P2P still most common protocol class in 2008/2009

BitTorrent dominates P2Paround the world

5

BitTorrent Background

1. Download torrent metadata for the file one wants to obtain2. Contact tracker server to get peer list3. Interact with other peers to share parts of the file

File sharer

Torrent metadata

Peer list

Implicitlyregisterwith tracker

What Kind of Content is Shared?

Source: Ipoque Internet Study 2008/2009

7

Past Copyright Investigations

• Experience has shown that BitTorrent is often used to distribute copyright-protected media files

• Copyright holders hire investigators to identify and even prosecute suspected file sharers

Investigators can query tracker for peer list

Distribute DMCAtake-down letters (US)to each IP address

Ping each peer’s IP address

Copyright investigators

Source: Piatek et al., HotSec 2008

8

Past Copyright Investigations

• Tracker lists can be corrupted with arbitrary IP addresses– Example: Register any IP addresses to the tracker lists

• Tracker lists cannot be trusted to prove file sharing

Source: Piatek et al., HotSec 2008

Copyright investigators

9

Consumer Advocate Reactions

10

Virtual Private Network Anonymizers

• Anonymous VPN services (BTGuard, IPREDator) are now available

Encrypted tunnel mitigates traffic shaping

Hides identity

Limitations of centralized VPN approach:1. Technically feasible to know and disclose both client and destination2. Susceptible to legal pressure

Single-hopVPN service

11

Defeating Peer Identification with Strong Anonymity: Tor

Client (file sharer)

Destination

Entry Guard

Middle Router

Exit Router

Directory ServerCircuit

Router List

Tor provides anonymity for TCP by tunneling traffic through a virtual circuit of three Tor routers using layered encryption

Tracker

First hop knows the client

Last hop knowsthe destination

Tor Network

Copyrightinvestigators

12

Can BitTorrent Users Hide with Tor?

• We characterized how Tor is used in practice and observed significant BitTorrent traffic over a four day observation period

Only 3.33%, but over 400,000 connections

Source: McCoy et al., Privacy Enhancing Technologies Symposium 2008

13

Can BitTorrent Users Hide with Tor?

• BitTorrent is using a disproportionate amount of Tor’s available bandwidth

Over 40% ofall Tor traffic

Source: McCoy et al., Privacy Enhancing Technologies Symposium 2008

14

Alternatives for Peer Identification

Tracker list queries are efficient, but not accurate

Instead, we could download the entire file from every peer

Accuracy

EfficiencyAccurate, but inefficient

We want a technique that is accurate, but still efficient

Worst

WorstBest

Best

15

Identification Through Active Probing• Our method accurately and

efficiently collects concrete forensic evidence of a peer’s participation in file sharing

Obtain list of suspected peers from tracker

Attempt a TCP connection

Attempt handshake exchange

Attempt bitfield exchange

Request a 16 KB data block

Increasingly strong levels of evidence

Peer is alive and listening on correct TCP port

Peer speaks BitTorrent, provides SHA1 hash describing content being shared

Provides list of all piecesthat the peer possesses

Concrete file data can be verified as the expected data

16

Experimental Setup

• We evaluate our approach with 10 real, large BitTorrent file shares– Popular TV shows and movies

Source: Bauer et al., 1st IEEE International Workshop on Information Forensics and Security 2009

17

Fraction of Peers that Respond to Probes

• Repeating the probing increases the fraction that respond• Over ten repetitions:

– TCP connections: 26 – 44%– Handshakes and Bitfields: 18 – 36%– Block requests: 0.6 – 2.4%

Average fraction of peers identified by each probe type

Low because of BitTorrent’sreciprocity mechanisms

18

Tides are Changing from P2P Back to HTTP

Source: CacheLogic Research 2006

P2P

2006: P2P made up 70% of traffic2008/2009: P2P made up 43-70% of trafficSource: Ipoque Internet Study 2008/2009

2009/2010: P2P makes up < 14% of traffic HTTP makes up 57% of trafficSource: Maier et al., ACM Internet

Measurement Conference 2009

19

Beyond P2P: “One-Click” Hosting Services

Example “one-click” hosting services:

Source: Maier et al., ACM Internet Measurement Conference 2009

Distribution of HTTP Content Types Most Popular HTTP Destination Types

20

Beyond P2P: “One-Click” Hosting Services

Step 1. Transfer file to RapidShare

Step 2. Give uploader a URL for file

Step 3. Post URL to indexing site

Upload user

Download user

Indexing site

“One-click” hosting service

Step 4. Search

Step 5. Download

21

RapidShare vs. BitTorrent Throughput

One-Click Hosting vs. BitTorrentContent Availability for RapidShare vs. BitTorrent

Fraction of Content Copyrighted (n=100)

Source: Antoniades et al., ACM Internet Measurement Conference 2009

22

A Proposal for a Future Study

• File sharing trends change quickly

• We want to conduct a study aimed at identifying emerging file sharing trends

• One avenue of future study:

P2P traffic declined from > 43% in 2008 to < 14% in 2009/2010

The Road (2009) Up in the Air (2009)

23

Summary and Conclusion

• P2P is being replaced by file hosting services• New investigative tools need to be developed to

curb this new type of illegal file sharing– Monitor hosting sites for copyright-protected content– Partner with ISPs to identify file uploaders

• Up-to-date information on emerging file sharing trends is essential to proactively implement effective countermeasures

24

Questions?

Kevin Bauer (kevin.bauer@colorado.edu)Department of Computer Science, University of Colorado

http://systems.cs.colorado.edu/~bauerk

25

ReferencesDemetris Antoniades, Evangelos P. Markatos, Constantine Dovrolis. One-click hosting services: a file-sharing

hideout. Proceedings of the 9th ACM SIGCOMM conference on Internet measurement 2009. Kevin Bauer, Dirk Grunwald, Douglas Sicker. The Challenges of Stopping Illegal Peer-to-Peer File Sharing.

National Cable & Telecommunications Association Technical Papers 2009.Kevin Bauer, Dirk Grunwald, Douglas Sicker. The Arms Race in P2P. 37th Research Conference on

Communication, Information, and Internet Policy (TPRC) 2009.Kevin Bauer, Damon McCoy, Dirk Grunwald, Douglas Sicker. BitStalker: Accurately and Efficiently Monitoring

BitTorrent Traffic. 1st IEEE International Workshop on Information Forensics and Security 2009.Gregor Maier, Anja Reldmann, Vern Paxson, Mark Allman. On dominant characteristics of residential

broadband Internet traffic. Proceedings of the 9th ACM SIGCOMM conference on Internet measurement 2009.

Damon McCoy, Kevin Bauer, Dirk Grunwald, Tadayoshi Kohno, Douglas Sicker. Shining Light in Dark Places: Understanding the Tor Network. 8th Privacy Enhancing Technologies Symposium 2008.

Michael Piatek, Tadayoshi Kohno, Arvind Krishnamurthy. Challenges and Directions for Monitoring P2P File Sharing Networks –or– Why My Printer Received a DMCA Takedown Notice. 3rd USENIX Workshop on Hot Topics in Security 2008. http://dmca.cs.washington.edu.

Ipoque Internet Study 2008/2009.http://www.ipoque.com/resources/internet-studies/internet-study-2008_2009

P2P File Sharing-The Evolving Distribution Chain. CacheLogic Research 2006. http://www.dcia.info/activities/p2pmswdc2006/ferguson.pdf