TorrentFreak

The place where breaking news, BitTorrent and copyright collide

BotTorrent? Using BitTorrent as a DDoS Tool

A recent talk at the Chaos Communications Congress revealed how BitTorrent swarms can be exploited to take down large websites with relative ease. A vulnerability in the technology behind so-called trackerless torrents makes it possible for someone to trick downloaders of popular files into sending thousands of requests to a webserver of choice, taking it down as a result. Basically, this turns BitTorrent into a very effective DDoS tool.

BitTorrent is one of the most effective technologies to transfer large digital files to many people at once. Unlike a central server, transfers actually tend to go faster as more people share the same files. This characteristic is one of the reasons why it has evolved into the dominant file-sharing platform in recent years.

Every day millions of people are downloading files via BitTorrent, and in some instances more than 100,000 people are sharing the same file at the same time. These large ‘swarms’ of peers are great for sharing, but they also pose a threat as became apparent at the Chaos Communications Congress (CCC) recently.

In a talk titled “Lying To The Neighbours” it was shown that the DHT technology which powers “trackerless torrents” can be abused to let BitTorrent downloaders effectively DDoS a webserver of choice. DHT’s normal function is to find peers who are downloading the same files, but without communicating with a central BitTorrent tracker. This ensures that downloads can continue even when the central tracker goes offline.

According to the presenter, who goes by the name ‘Astro’, Kademlia-based DHT can be exploited by a malicious peer to carry out a DDoS attack. If there are enough peers downloading the same file, this could easily take down medium to large websites. The worrying part is that the downloaders who are participating in the DDoS will not be aware of what’s going on.

“The core problem are the random NodeIDs. The address hashing and verification scheme works for scenarios like the old Internet, but becomes almost useless in the big address space of IPv6,” Astro told TorrentFreak in a comment. As a result, any BitTorrent swarm can be abused to target specific websites and potentially take them down.

This and other DHT vulnerabilities are not entirely new concepts for BitTorrent developers. They have been discussed in various places already, but no agreement on how they should be dealt with has yet been reached.

Over the last months DDoS attacks have been in the news regularly, mostly carried out under the flag of Anonymous’ Operation Payback. Initially anti-piracy targets such as the MPAA and RIAA were taken offline, and last month the focus switched to organizations that acted against Wikileaks, including Mastercard and Paypal.

While these attacks required hundreds of people to actively participate and fire up their LOIC application at the same time, the BitTorrent DDoS could take down the same sites from a single computer, using BitTorrent downloads as a ‘botnet’. But, where there’s a problem there’s a solution, and Astro has some pointers for BitTorrent developers.

“Not connecting to privileged ports (< 1024) where most critical services reside,” is one ad-hoc solution, but Astro says that since it’s a design error, the protocol has to be redefined eventually.
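The port restriction Astro suggests, as an added sketch in Python (not code from the talk or from any BitTorrent client): it decodes the 6-byte compact IPv4 peer entries a DHT lookup returns, refuses any endpoint below port 1024, and goes one step beyond the quoted advice by queueing each endpoint only once and ignoring a DHT source after a few rejected entries. The class name, the threshold of 3 and the sample addresses are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

PRIVILEGED_PORT_LIMIT = 1024  # from the article: "privileged ports (< 1024)"
MAX_REJECTED = 3              # assumed threshold, not from the page


def compact(ip, port):
    """Encode one peer as 4-byte IPv4 address + 2-byte big-endian port."""
    return ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big")


def parse_compact_peers(blob):
    """Decode a concatenation of 6-byte compact peer entries."""
    if len(blob) % 6:
        raise ValueError("compact peer list must be a multiple of 6 bytes")
    return [
        (str(ipaddress.IPv4Address(blob[i:i + 4])),
         int.from_bytes(blob[i + 4:i + 6], "big"))
        for i in range(0, len(blob), 6)
    ]


class PeerFilter:
    """Decides which DHT-supplied peers a client is allowed to dial."""

    def __init__(self, max_rejected=MAX_REJECTED):
        self.max_rejected = max_rejected
        self.rejected = defaultdict(int)  # DHT source -> rejected entries it sent
        self.seen = set()                 # endpoints already queued once

    def is_banned(self, source):
        return self.rejected.get(source, 0) >= self.max_rejected

    def admit(self, source, blob):
        """Return the endpoints from this response that may be dialled."""
        if self.is_banned(source):
            return []
        accepted = []
        for ip, port in parse_compact_peers(blob):
            if port < PRIVILEGED_PORT_LIMIT:
                self.rejected[source] += 1   # never dial service ports
                continue
            if (ip, port) in self.seen:
                continue                     # one attempt per endpoint
            self.seen.add((ip, port))
            accepted.append((ip, port))
        return accepted


# Constructed sample responses (documentation address ranges, not real peers).
RESPONSE_1 = (compact("198.51.100.7", 51413) + compact("203.0.113.10", 443)
              + compact("203.0.113.10", 80))
RESPONSE_2 = compact("203.0.113.10", 25) + compact("198.51.100.7", 51413)
RESPONSE_3 = compact("198.51.100.8", 6881)

if __name__ == "__main__":
    f = PeerFilter()
    for n, resp in enumerate((RESPONSE_1, RESPONSE_2, RESPONSE_3), 1):
        print(n, f.admit("dht-node-a", resp), "banned:", f.is_banned("dht-node-a"))
```

A real client would expire entries in `seen` and `rejected` over time rather than keep them for the whole session.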

The idea of using BitTorrent as a DDoS tool is not entirely new. In fact, researchers have previously shown that adding a webserver’s IP address as a BitTorrent tracker could result in a similar DDoS. The downside of this method is, however, that it requires a torrent file to become popular, while the DHT method can simply exploit existing torrents that are already being downloaded by thousands of people.

It will be interesting to see if BitTorrent developers are going to act upon the DHT vulnerability in the coming months and come up with a solution to prevent this kind of abuse.

  • G

    Interesting…….

  • Anonymous

    I hope they don’t try to use this as a way to call BitTorrent a hacking tool.

    Can’t the developers of the software just change their software to stop it from being allowed to spam people?

  • thepeople

    cant government officials just commit mass suicide already?

  • TerribleTony

    Very interesting problem. It’s so simple, it’s disturbing.

  • 781

    Giving ideas, I see …

  • DrDaxxy

    Couldn’t watch that talk for more than a few minutes. Astro was way too quiet, nervous and unprepared.

  • The Revolution is Coming

    @3 No they’re waiting for the people to rise up and start a revolution, just as our fore-fathers would have. It’s just taking longer because big brother has us so badly suppressed.

  • anon

    @3 would save us a lot of time. Take all of their sheep with them too.

  • Phoenix

    french proverb “la simplicité fait la beauté”
    just the case for this… thing

  • Anonymous

    So … if you add.. lets say… http://www.xxxxxxxx.website.com:80
    as a tracker to a popular torrent with dht.

    all the peers in the swarm will , at sometime , send messages to that address ?

    .
    .
    Is that what the bug is ?

    or
    .

    peer sources supplied by another peer.. with a target address.

    or

    is the target address injected as a peer… and then shared with the swarm ?

  • BG

    TURN DHT OFF > PROBLEM SOLVED > PROFIT?! :)

  • REDDIT

    Interesting…….

  • Dr, Dre404

    Ladies and Gents, we have created a monster!!!!!MUHAHAAHAA!!!

  • Mark A.

    Finally a good excuse that DHT support wasn’t added to BitTornado. :)

  • Anonymous

    in some instances more than 100,000 people are sharing the same file at the same time

    Sounds like a botmasters wetdream

    So we’ve been sitting on the nuclear option all this time, just not many of us knew about it… OMG!!!

  • Ninja

    Well, it was bound to happen at sometime, bugs are a normal thing in evolution. Every good thing can be used for evil purposes given proper goals and (w)illpower. What’s very interesting is that the current popularity of DHT is a direct result of anti-piracy moronic antics.

    And I second this: gentleman, we have created a monster! And it’s a bloody damn hydra!

    I sincerely lol’d now ;)
    Hope they can fix it real soon.

  • An0nYm0uS

    This type of use isn’t “abuse” it’s using it as intended…
    Think about it.

  • Arb

    “The downside of this method is, however, that it requires a torrent file to become popular, while the DHT method can simply exploit existing torrents that are already being downloaded by thousands of people.”

    Um in theory couldn’t they just use a bunch of torrents and do it instead of just 1 that they seem to imply.

  • Anonymous

    @11fku, if you turn off dht, most of the files on bt will die, be smart, don’t be a retard

  • hahaha

    are they throwing a bone for others to execute this during these interesting cyber times?

  • Autonomous

    @19 by Anonymous

    if you turn off dht, most of the files on bt will die, be smart, don’t be a retard

    I’ve never, ever used DHT and have never, ever had a problem, even with older (greater than three years) torrents.

  • Anonymous

    What if I put 0.0.0.0-255.255.255.255 in a torrent address, will I nuke the internet?

  • Anonymous

    @ 18

    Just what I was thinking ;)

  • Fake_Name_here

    Ways to curb this now.

    1. Turn off DHT when/if you can. Private trackers do not use DHT anyway. I only turn on DHT if I am using a public torrent and I can not get enough peers from the tracker.

    2. uTorrent (and I am sure other clients) let you put a list of ports not to connect to.
    uTorrent
    Preferences->Advance
    bt.no_connect_to_services true
    bt.no_connect_to_services_list 25,110,etc

    Adding 80,443,etc would stop that. That might affect webseeds though, not sure.

  • LeftKnuTt

    L@m3rz F@6637z

    This exploit has been know by true runners of the undernet for years. Just cause the Chaos Computer Fag shop says something everybody wet dreams…

    Nerdo fags^ they can suck my grannies drie tit.

  • Fake_Name_here

    Also it seems like no matter how you redesign the protocol some form of this is always going to be there. Your client is relying on other clients to give you a list of peers that they can simply lie about.

    Using UDP, blocking ports 1-1024, banning clients that give you false info more than x times, etc is about all you can do.

  • McGyver

    Count me in. DDOSS the living crap out of the MAFIA using uTorrent would satisfy me very much.

  • Tamera Koots

    Oh wow, never really thought about it like that before. Makes sense.

  • XanderFlanders

    not on topic but what is up with torrentz.com. it has been a week since i have been able to access it. has it been seized.

  • IPv6?

    OK, can someone explain to me why they suddenly bring up IPv6? These guys sound like they’re pretending nobody still uses IPv4. Does this exploit only work over IPv6 or something? If that’s the case, it’s not going to be an issue for some time.

  • gbbt

    @30 it’s torrentz.eu now

  • Thanks

    Thanks for beating that Magnet Links drum so hard, torrentfreak.

  • Quartz

    This is way old and well known about news, I’m unimpressed guys.

  • Anonymous

    fuck the MAFIAA

    fuck IPV6

    keep DDoSing

  • Whatever

    A bit strange that it would DDOS a website as anyone connected in a swarm would get the same traffic and be DDOS-ed ?

    Assuming it works, knowing which torrents becomes popular is not needed. One just gets to be on all (current popular) torrents. If a popular torrent is needed then WOW updates can be used for a weekly attack. Its also possible to attack all desired targets at once. A bittorrent DDOS might be very effective as there is no way to stop it and unknown how long it lasts. An IP address would become useless for a long time.

    Depending on how trackers work an attacker may or may not be easily identified. In case trackers accept addresses from peers then it might be easy to find the attacker by seeing who is peer in all the torrents used for the attack (i know, a lot of “may” and “might”).

    BTW: Wouldn’t it be a problem of ANY P2P network including Freenet.

  • Whatever

    (Another awaiting moderation, how to prevent these ?)

    A disadvantage of attacking using torrents is that all real peers IP addresses in all those swarms will be known to the attacked websites. Applying that to the MAFIAA, the MAFIAA may setup an address for attack to collect IP addresses (would be a good reason for blocklists like peerblock to exist).

  • Frank Merton

    No one seems to ask whether this is a real threat or just an idea; in other words, has this ever actually been successfully done?

    I tend to see this sort of thing as needless worry about something far more difficult to actually do than to imagine.

  • Phillip

    Bittorrent has huge potential as a DDoS tool.

    I am actually surprised it hasn’t become a widespread problem yet.

    Basically several parts of the protocol spec can be abused to direct peers pretty much anywhere, it all depends on how clients and trackers implement those specs.

    This DHT/trackerless based attack is a new one to me though.

    A bittorrent based DDoS from my estimates and a couple of research papers I’ve seen will take roughly 1/2 an hour to ramp up, and about 3 hours to ramp down.
    If done maliciously can literally direct hundreds of thousands, possibly millions of peers at a target indefinitely.

  • DDoSis4gays

    This is an extremely old concept that has been going on for over a year now. It already has been a widespread concept, especially DDoSing trackers and users.

    If you open up your firewall, and observe the active connections for your torrent client (and this is on any tracker, public or private – its worse on public trackers), you will notice a growing abundance of redundant connections to IP’s with 0/0 up/down transfers. They do not release, and they are persistent. Eventually all torrent activity will pretty much cease – uploading anyways.

    I have logged several thousand IP ranges that are being used to DDos trackers and the users specifically.

  • Fellow 3.14rate

    well think about it , It means that if it does come down to cyberwarfare again there is more of us and if its done on all the sheeple who buy all their fuxin myley cirus and whatever other crap they get eminem ,akon etc all the mindless crap . well they’ll be doing the dossing . A beautiful thing if you think about it really .

  • dun dun dun

    um it’s fine when persistent latent non-up-down connexions appear, you can weed those out. but when someone hooks up some automated script to hit every user in a large swarm for vulnerabilities to exploit as part of a botnet, um, that’s another thing. knock knock! who’s there? it’s your router address, spoof!

  • bart

    How exactly does this work? Obviously, reporting a site to be a downloader wouldn’t work, otherwise any torrent would effectively be DDOSsing the entire swarm.

  • foobar

    Just the slide show from the seminar is online, so it’s unclear exactly how this is supposed to work via DHT.

    Perhaps they are talking about exploiting peer exchange, so that their node would answer a request and feed the peer an IP to hit. The problem with that exploit is, you’d have to reply to all 100,000 (or whatever) peers with that IP in order for all them to hit it. I imagine most intelligent bt apps these days won’t propagate a peer IP if they can’t connect to it first. Plus if you wanted a true DDOS, you’d have to tell all 100,000 peers at once (or X timed out over how long you want to DDOS), so they all hit the IP at about the right time

    How would this be any different than you downloading a torrent with 100,000 peers and thus get on the peer exchange list and getting hit? Why aren’t we seeing everyone’s computers suffer DDOS on popular torrents?

    Similar for injecting a false node id (I assume that’s possible).. how do you get one client (even if it has thousands of DHT ports avail) to tell other nodes all at once of an IP to attack? Can you even guarantee those other nodes will try to connect to this new faked node in a timely manner?

    In summary, I call FUD until there’s specifics

  • NoName

    @37:

    This attack has been used in the wild at least once AFAIK on blog.fefe.de directing numerous clients to the site’s SSL port. This caused a major slowdown and even a short downtime for that particular site. As many SSL implementations produce a high load in this case even fast server implementations (as the one used by that guy) can be brought down.

  • Information must be free!

    “Capitalism carries with it the seeds of its own ultimate destruction”
    Karl Marx

    -that process has now started..

  • Anonymous

    @46 At least it’s self-assured that revolution usually brings about better government in the end. All we must do is wait.

  • Anonymous

    again nothing new
    this was designed ten years ago by NON bit torrent technology….YOU’RE just hearing of it now because someone is leaking it out finally.

    anything based on a neural network technology has at least 8 principal applications for bandwidth sharing.

    YOU guess what they are.

  • Anonymous

    also you get a file you open it if it shows a NON torrent site you know the file is hacked
    and why are you getting the files from mpaa.org….the most trusted place after mastercard.

  • Anonymous

    i wonder how the bell canada DPI box that takes and drops the bit torrent packets would appreciate this level of joy

  • Huggybaby

    It’s not a design failure, it’s a feature.

  • CuntyMcFartPants

    dht is for noobs anyway…they are all cabbage!!

  • Frank Merton

    Actually, if you look at history, revolutions rarely produce better governments and tend to always be betrayed into dictatorship sooner or later.

    The Roman Revolution produced Caesar, the French produced Napoleon, the Russian produced Stalin, the Chinese produced Mao, the Cuban produced Castro, etc.

    To get on topic, it looks to me the file sharing revolution is producing more and more autocratic copyright laws. However, calling this a “revolution” is a very thin metaphor at best.

  • Nonsense

    This HAS BEEN DONE before. I’ve tested this before. It is NOT a very effective way to DDoS, even if you eclipse a torrent with a hundred thousand peers.

    At best, even if you can eclipse over 50% of the lookups, you’re not going to generate enough connections to bring down any site bigger than a small single-server dynamically-generated site. Even then it is not a sure thing, this is why others had to attack SSL port 443 instead because there wasn’t enough to take down even the slowest servers on port 80.

    Furthermore, some clients (Tixati and a few other newer ones) are very well designed as far as making connections to unknown peers. If the address is obtained via DHT and it doesn’t work on the first try, it’s not tried again for a long long time, especially if there’s other IPs to try in the queue. So at most you’d see a single connection attempt from a Tixati peer. The other mainstream clients are not as well behaved yet, but if their devs get it together they can easily put in the more intelligent heuristics.

    This is inaccurate sensationalism at best.

  • Frank Merton

    To #54

    Thanks. What you say is what I kinda figured. Things that are really hairy tend to show up in reality real fast: not just get talked about.

  • fact

    did u guys know that u can kill with an orange if used the correct way?

    Why isnt the orange banned?

  • x3style

    2011′s torrent blockbuster will bust some block’s and will therefor be named 2011 Sitebuster.

    Tagline?

    Download the best movie in 2011 and DDoS the current bad guy at the same time -> PROFIT!?!?

    So why download a torrent and fire the LOIC when u can do both with one click?

  • CrackieJackie

    “Smiles” I thought about this a long time ago bout 5 years actually, “What if this could do this kinda thing” And yes i think some people were thinkin the same thing, Scary but extremely Cool in a way….

  • Antagonist

    Maybe it’s something that the torrent program creators should leave in as if when the people have had enough of the oppressive plebes trying to silence us, we will have a tool to poke them with.

    More seriously, if they did get rid of it, just use an old program copy and give it a blast lol trouble is once things get out on the web you can guess there will be a more specific program sourced and be freely available lol

    Kinda makes it the webs version of a taser lmao

  • Anonymous

    If this literally works I wish it was used more often. I feel insecure as long as sites like PayPal, MAFIAA and Amazon are still online and well.

  • hahafunny

    Yep, seen this one coming from a mile away. Hmmm, seed a file that thousands of people start downloading, start bouncing those peoples packets to a site you hate. couldn’t be any easier.
