14 DAY TRIAL // Florian Adamsky from the City University London has published a research paper which details how the family of protocols used with BitTorrent clients can be abused to carry out DRDoS (Distributed Reflective Denial of Service) attacks.
While most of us have a basic notion of what a DDoS attack is, a DRDoS is a little bit different.
While in a DDoS attack a hacker controls a set of zombie PCs that send traffic to a target, in a DRDoS, the attacker sends traffic to a legitimate network equipment (called a reflector), which then relays it to the victim.
The traffic sent to the reflector is spoofed to contain the victim's IP address as the packet's origin, and when the reflector follows the general rules of all Internet protocols and tries to establish a connection, it does so with the victim instead of the attacker.
Since this implies sending mass amounts of traffic to a reflector, attackers have devised ways of using the reflector to amplify traffic.
Protocols widely used in DRDoS attacks are TCP, DNS, and NTP. Mr. Adamsky's research paper shows how multiple protocols from the BitTorrent family can be used in DRDoS attacks, even with the possibility of amplifying traffic.
uTP, MSE, DHT, and BTSync protocols can be used in DRDoS attacks
According to Mr. Adamsky, the affected BitTorrent protocols are uTP (Micro Transport Protocol), DHT (Distributed Hash Table), and MSE (Message Stream Encryption). These protocols are used with the native BitTorrent client, uTorrent, and Vuze.
Additionally, the synchronization protocol BTSync used with the BitTorrent Sync file sharing application is vulnerable as well.
"Our experiments demonstrate that BitTorrent has a bandwidth amplification factor (BAF) of 50 times and in case of BTSync up to 120 times," said Florian Adamsky.
DRDoS attacks via BitTorrent protocols are undetectable to normal firewalls
But the bad news don't stop here. Besides amplifying traffic many times over, DRDoS attacks carried out via BitTorrent are undetectable to normal firewalls because of their "dynamic port ranges and encryption during handshake."
Mitigation services for this kind of attacks would require Deep Packet Inspection (DPI), a very resource-taxing solution for most server infrastructures.
As TorrentFreak reports, BitTorrent has patched some of the issues in a recent beta release, while Vuze and uTorrent are still working on the issue.
UPDATE: The BitTorrent team has contacted Softpedia and informed us of their recent updates to mitigate this issue.
"As of August 4th, 2015 uTorrent, BitTorrent and BitTorrent Sync clients using libµTP will now only transition into a connection state if they receive valid acknowledgments from the connection initiators. This means that any packets falling outside of an allowed window will be dropped by a reflector and will never make it to a victim. [...] Since the mitigation occurs at the libµTP level, other company protocols that can run over libµTP like Message Stream Encryption (MSE) are also serviced by the mitigation."
You can read more details on BitTorrent's blog and engineering team's blog.