BotTorrent: Misusing BitTorrent to Launch DDoS Attacks



  1. BotTorrent: Misusing BitTorrent to Launch DDoS Attacks Karim El Defrawy, Minas Gjoka, Athina Markopoulou UC Irvine

  2. Outline • Introduction • How BitTorrent works • Using BitTorrent to launch DDoS attacks • Experiment details and results • Can we fix BitTorrent to prevent such attacks? • Summary

  3. Introduction • In 2006, 60% of Internet traffic was due to peer-to-peer (P2P) protocols (Cache Logic) • BitTorrent alone accounted for more than 35% by the end of 2006 (Cache Logic) • The Mininova torrent search engine hit 2 billion downloads (Mininova, June 13th 2007)

  4. P2P traffic is rising

  5. BitTorrent is responsible for a significant amount of P2P traffic

  6-7. P2P based DDoS attacks recently observed • Prolexic announced on May 14th 2007 that it was observing an increase in P2P based DDoS attacks • Attack based on the Direct Connect (DC) P2P system • Attack involved over 300,000 IPs • http://www.prolexic.com/news/20070514-alert.php • P2P DDoS is already happening!

  8. Outline • Introduction • How BitTorrent works • Using BitTorrent to launch DDoS attacks • Experiment details and results • Can we fix BitTorrent to prevent such attacks? • Summary

  9-12. How BitTorrent works • The publisher creates the torrent file and sets up a tracker to coordinate the download • 1. Users download the torrent • 2. Users' clients contact the tracker to join the swarm and get a list of peers in the swarm • 3. Clients download different parts of the file from different peers

  13. Outline • Introduction • How BitTorrent works • Using BitTorrent to launch DDoS attacks • Experiment details and results • Can we fix BitTorrent to prevent such attacks? • Summary

  14-15. Different attacks

  16-19. How an attack faking the tracker works • Attacker publishes fake torrents with one or several tracker entries, all pointing at the victim • Attacker sets up a tracker that reports a fake (high) number of seeders and leechers for these torrents, since a well-seeded torrent is what draws users to download it • 1. Users download the torrents whose fake trackers point to the victim • 2. Clients contact the victim in the hope of starting the download • …

  20. Outline • Introduction • How BitTorrent works • Using BitTorrent to launch DDoS attacks • Experiment details and results • Can we fix BitTorrent to prevent such attacks? • Summary

  21. Experiment Setup • Victim machine: Pentium 2, 512 MB RAM, Debian Linux, 100 Mbps Ethernet, running a lightweight HTTP server • Modified tracker reports a fake (high) number of seeders and leechers to the search engines • Publish the fake torrents on the search engines • Wait …

  22. Proof of concept attack results (table; footnote a: figures exclude the initial transient period of 6 hours of the experiment)

  23. Number of TCP connections per second

  24. Attack throughput

  25. Amount of traffic from clients

  26. Distribution of sources in the IP address space

  27. Mapping attack sources to ASes and BGP prefixes • Attack sources lie in 2433 ASes on the Internet • Attack sources lie in 12424 announced BGP prefixes

  28. Attack ports
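Slides 23 to 28 report what the victim saw (TCP connections per second, throughput, source distribution, ports) but not how an operator would recognise that the traffic hitting a web server is BitTorrent tracker traffic. The following script is an added example, not code from the paper or from any BitTorrent project: it scans Apache-style access-log lines for tracker announce and scrape requests, recognised by the /announce and /scrape paths and the info_hash and peer_id query keys that BEP 3 defines, and reports distinct sources, the torrents involved (info_hash values), the client types visible in the peer_id prefixes, and the peak number of tracker requests per second. The log lines, addresses and hashes are constructed for the example.

```python
"""Spot BitTorrent tracker traffic in an HTTP server's access log.

A host whose address was placed in the tracker entries of fake torrents
sees clients arrive with tracker announce requests. This parses
Apache/nginx-style log lines, picks out announce and scrape requests by
their paths and the query keys BEP 3 defines, and summarises sources,
torrents (info_hash), client types (peer_id prefix) and the request rate.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not data from the experiment).
H1 = "%00%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13"
H2 = "%AA" * 20
SAMPLE_LOG = f"""\
203.0.113.5 - - [14/May/2007:10:00:01 +0000] "GET /announce?info_hash={H1}&peer_id=-AZ2500-aaaaaaaaaaaa&port=6881&left=734003200&compact=1&event=started HTTP/1.1" 404 213 "-" "Azureus 2.5.0.0;Linux;Java 1.5.0_06"
198.51.100.7 - - [14/May/2007:10:00:01 +0000] "GET /announce?info_hash={H1}&peer_id=-BC0070-bbbbbbbbbbbb&port=14592&left=734003200 HTTP/1.1" 404 213 "-" "BitComet/0.70"
192.0.2.9 - - [14/May/2007:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [14/May/2007:10:00:02 +0000] "GET /scrape?info_hash={H1} HTTP/1.1" 404 213 "-" "Azureus 2.5.0.0;Linux;Java 1.5.0_06"
198.51.100.22 - - [14/May/2007:10:00:02 +0000] "GET /announce?info_hash={H2}&peer_id=-UT1610-cccccccccccc&port=32459&left=0&compact=1 HTTP/1.1" 404 213 "-" "uTorrent/1610"
203.0.113.77 - - [14/May/2007:10:00:03 +0000] "GET /announce?info_hash={H1}&peer_id=-AZ2500-dddddddddddd&port=6881&left=734003200&compact=1 HTTP/1.1" 404 213 "-" "Azureus 2.5.0.0;Windows XP;Java 1.5.0_11"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(target):
    """Return (kind, info_hash_hex, client_prefix) for one request target.
    An announce (BEP 3) carries info_hash and peer_id on an /announce path;
    a scrape carries info_hash on a /scrape path. Query values are decoded
    as latin-1 so the 20 raw bytes of info_hash survive percent-decoding."""
    parts = urlsplit(target)
    q = parse_qs(parts.query, encoding="latin-1", errors="strict")
    info_hash = q.get("info_hash", [""])[0].encode("latin-1")
    if len(info_hash) != 20:
        return "other", None, None
    if parts.path.endswith("/announce") and "peer_id" in q:
        return "announce", info_hash.hex(), q["peer_id"][0][:8]
    if parts.path.endswith("/scrape"):
        return "scrape", info_hash.hex(), None
    return "other", None, None


def summarize(lines):
    """Aggregate tracker-style requests: who sent them, for which torrents,
    with which clients, and at what peak rate per second."""
    s = {"announce": 0, "scrape": 0, "other": 0, "sources": set(),
         "info_hashes": Counter(), "clients": Counter(), "per_second": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind, info_hash, client = classify(rec["target"])
        s[kind] += 1
        if kind == "other":
            continue
        s["sources"].add(rec["ip"])
        s["info_hashes"][info_hash] += 1
        s["per_second"][rec["ts"]] += 1
        if client:
            s["clients"][client] += 1
    s["peak_per_second"] = max(s["per_second"].values(), default=0)
    return s


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"announce={s['announce']} scrape={s['scrape']} other={s['other']}")
    print(f"sources={len(s['sources'])} torrents={len(s['info_hashes'])}")
    print(f"peak tracker requests/s={s['peak_per_second']} clients={dict(s['clients'])}")
```

Two things in the output are worth acting on: the number of distinct info_hash values tells you how many fake torrents name your host (each hash can then be looked up on the search engines to get them pulled), and the peer_id prefixes identify which client families are doing the announcing, which is who to report the problem to.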

  29. Related Work • Attack using Overnet: must poison around 7000 files to be effective (Naoumov, 2006) • Attack faking a client: must poison the swarms of 1119 torrents to generate several thousand TCP connections (Cheung Sia, 2006) • The attack faking the tracker is more effective because the tracker is a central point in the architecture: every client that downloads one fake torrent is sent to the victim

  30. Outline • Introduction • How BitTorrent works • Using BitTorrent to launch DDoS attacks • Experiment details and results • Can we fix BitTorrent to prevent such attacks? • Summary

  31. Reporting the problem • We contacted: • BitTorrent and Bram Cohen • Search engines: Mininova, Pirate Bay, BitTorrent Monster • Client developers: Azureus, BitComet • Prolexic • Only the Azureus developers responded

  32. Solutions • A handshake between clients and trackers, similar to the one between peers, so that clients stop contacting hosts that do not speak the tracker protocol • Clients exchange their view of trackers, similar to the way they exchange their view of peers • A mechanism to identify and trace the seeders of the fake torrents (based on hashes)
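Two of the pieces above can be made concrete in code: the fake torrent whose tracker entries all point at the victim (slides 16 to 19) and the proposed handshake between clients and trackers (slide 32). The following is an added example, not code from the paper, from Azureus or from any other client. bdecode() and bencode() are minimal BEP 3 codecs written here; inspect_trackers() lists the tracker URLs a BEP 12 client would try and counts them per host and port, which is how a search engine or a client could notice a torrent whose tiers all name one address; check_tracker_response() treats an HTTP body as a tracker reply only if it bdecodes to a dictionary carrying the keys BEP 3 defines, so the HTML error page a web server returns is rejected. Stopping re-announces after such a rejection is an assumption made here, and the torrent, the host names victim.example and tracker.example, and both replies are constructed for the example.

```python
"""Inspect a .torrent's tracker entries (BEP 3/12) and validate tracker replies.

inspect_trackers() counts the tracker URLs a client would try per (host, port);
check_tracker_response() accepts a body as a tracker reply only if it bdecodes
to a dict with the keys BEP 3 defines, so an HTML error page is rejected.
"""
from collections import Counter
from urllib.parse import urlsplit


def bdecode(data: bytes):
    """Decode bencoded bytes into ints, byte strings, lists and dicts."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                           # i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):                   # l...e / d...e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                value, i = parse(i)
                items.append(value)
            if c == b"l":
                return items, i + 1
            if len(items) % 2:
                raise ValueError("dict with an unpaired key")
            return dict(zip(items[0::2], items[1::2])), i + 1
        if c.isdigit():                         # <len>:<bytes>
            colon = data.index(b":", i)
            start, length = colon + 1, int(data[i:colon])
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def bencode(value) -> bytes:
    """Encode ints, str/bytes, lists and dicts (keys sorted, per BEP 3)."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(map(bencode, value)) + b"e"
    if isinstance(value, dict):
        d = {k.encode() if isinstance(k, str) else k: v for k, v in value.items()}
        return b"d" + b"".join(bencode(k) + bencode(d[k]) for k in sorted(d)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def tracker_urls(torrent: dict) -> list:
    """URLs in the order a client tries them: every announce-list tier
    (BEP 12) first; the plain announce key only when there is no list."""
    urls = [u.decode() for tier in torrent.get(b"announce-list", []) for u in tier]
    if not urls and b"announce" in torrent:
        urls.append(torrent[b"announce"].decode())
    return urls


def inspect_trackers(torrent_bytes: bytes) -> Counter:
    """Count tracker entries per (host, port); a missing port takes the
    scheme default, so http://x and http://x:80 land in the same bucket."""
    default_port = {"http": 80, "https": 443, "udp": 6969}
    hosts = Counter()
    for url in tracker_urls(bdecode(torrent_bytes)):
        u = urlsplit(url)
        hosts[(u.hostname, u.port or default_port.get(u.scheme))] += 1
    return hosts


def check_tracker_response(body: bytes):
    """Return the decoded reply if body is a well-formed BEP 3 tracker response
    (a dict with 'failure reason', or 'interval' and 'peers'), else None."""
    try:
        reply = bdecode(body)
    except ValueError:
        return None
    if not isinstance(reply, dict):
        return None
    if b"failure reason" in reply or (b"interval" in reply and b"peers" in reply):
        return reply
    return None


# Constructed sample data (not from the paper): a fake torrent whose tiers
# all name the victim's web server, plus a real-looking and a bogus reply.
FAKE_TORRENT = bencode({
    "announce": "http://victim.example/announce",
    "announce-list": [["http://victim.example/announce"],
                      ["http://victim.example:8080/announce"],
                      ["https://victim.example/announce"],
                      ["udp://victim.example:6969/announce"],
                      ["http://tracker.example:6969/announce"]],
    "info": {"name": "movie.avi", "piece length": 262144,
             "pieces": b"\x00" * 20, "length": 734003200}})
GOOD_REPLY = bencode({"interval": 1800, "peers": b"\xc0\x00\x02\x09\x1a\xe1"})
HTML_REPLY = b"<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for (host, port), n in inspect_trackers(FAKE_TORRENT).most_common():
        print(f"{n} tracker entries -> {host}:{port}")
    print("real reply accepted:", check_tracker_response(GOOD_REPLY) is not None)
    print("HTML page accepted: ", check_tracker_response(HTML_REPLY) is not None)
```

The response check is deliberately strict about shape rather than content: it does not try to tell a malicious tracker from an honest one, only a tracker from something that is not one, which is all that is needed to stop a client hammering a web server that never agreed to be in the torrent. A client that applied it would also need to back off on the URL that failed rather than retrying on every announce interval.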

  33. Outline • Introduction • How BitTorrent works • Using BitTorrent to launch DDoS attacks • Experiment details and results • Can we fix BitTorrent to prevent such attacks? • Summary

  34. Summary • Showed how BitTorrent can be misused to launch DDoS attacks • Implemented a proof-of-concept attack • Analyzed the characteristics of the attack • Proposed fixes to BitTorrent to detect and prevent such attacks • Currently implementing the fixes

  35. Questions?

  36. Thank you! keldefra@uci.edu mgjoka@uci.edu athina@uci.edu

  37. Distribution of IPs on BGP Prefixes

  38. Distribution of IPs on ASes

  39. Unique hosts per second
