BitTorrent is slowly gaining ubiquitous status as the go-to protocol for downloads. A thorn in its side has been its reliance on a central tracker, which, if taken down, would leave peers unable to connect to each other. A few years on, the Distributed Hash Table (DHT) system was implemented in the BitTorrent protocol, first by Azureus and later by the BitTorrent standard as a derivative of Kademlia. It allows peers to become nodes, each with its own ID, that store hash keys and use them to find files. It’s a case of using the ‘six degrees of separation’ principle (or 8 in the case of DHT) to find everyone and thus the files. No central server to take down. This is great, until someone starts putting ‘bad nodes’ into the system.
In the tracker-based days of BitTorrent (which is still common), it’s possible to set any IP address as a tracker in the torrent file; whether it is actually a tracker is another matter. Peers trying to download the torrent via trackers would connect to this IP address, nothing would happen, and they would retry again later. Multiply this by a few thousand peers and the IP address starts to be flooded by all these useless requests. Ramp it up to hundreds of thousands of peers and you have a distributed denial of service attack. This creates the equivalent of a dumb botnet, but it can be easily corrected by simply removing the tracker from the torrent. This concept is not new and has been used many times, usually with no real effect.
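The correction described above, removing a bogus tracker from the torrent file, is easy to automate. The following is an added example (not code from the original post) with a minimal bencode decoder and encoder and a `strip_trackers` helper that drops every announce URL whose host is on a deny list, from both the `announce` key and the tiered `announce-list`. The torrent bytes are constructed inline, and the bogus tracker address `203.0.113.9` is a documentation-range placeholder, not a real tracker.

```python
from urllib.parse import urlsplit


def bdecode(data: bytes):
    """Decode a single bencoded value (ints, byte strings, lists, dicts)."""

    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e, keys are byte strings
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():                     # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            n = int(data[i:colon])
            return data[colon + 1:colon + 1 + n], colon + 1 + n
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def bencode(v) -> bytes:
    """Encode ints, byte strings, lists and dicts (keys sorted, as the spec requires)."""
    if isinstance(v, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    if isinstance(v, dict):
        return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"
    raise TypeError(f"cannot bencode {type(v).__name__}")


def strip_trackers(torrent: bytes, bad_hosts: set) -> bytes:
    """Return a copy of the torrent with every tracker on a deny-listed host removed."""
    meta = bdecode(torrent)

    def keep(url: bytes) -> bool:
        return (urlsplit(url.decode("utf-8", "replace")).hostname or "") not in bad_hosts

    # announce-list is a list of tiers, each tier a list of URLs; drop emptied tiers.
    tiers = [[u for u in tier if keep(u)] for tier in meta.get(b"announce-list", [])]
    tiers = [t for t in tiers if t]
    if tiers:
        meta[b"announce-list"] = tiers
    else:
        meta.pop(b"announce-list", None)

    announce = meta.get(b"announce")
    if announce is not None and not keep(announce):
        meta.pop(b"announce")
        if tiers:                           # promote the first surviving tracker
            meta[b"announce"] = tiers[0][0]
    return bencode(meta)


# Constructed sample torrent: the primary tracker points at a host that is not a tracker.
SAMPLE_TORRENT = bencode({
    b"announce": b"http://203.0.113.9:6969/announce",
    b"announce-list": [[b"http://203.0.113.9:6969/announce"],
                       [b"udp://tracker.example.org:1337/announce"]],
    b"info": {b"name": b"example.iso", b"length": 1024,
              b"piece length": 16384, b"pieces": b"\x00" * 20},
})


def cleaned_sample() -> dict:
    """Strip the bogus host from the sample and return the decoded result."""
    return bdecode(strip_trackers(SAMPLE_TORRENT, {"203.0.113.9"}))


if __name__ == "__main__":
    print(cleaned_sample())
```

The `info` dictionary is encoded untouched, so the info-hash of the cleaned torrent is unchanged and peers keep finding the same swarm; only the tracker entries differ.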
As detailed by TorrentFreak’s article, DHT’s natural state is to find more peers. NodeIDs can be generated at random, and it’s possible for a single IP address to have multiple IDs. So a malicious DHT user could inject a whole mass of new NodeIDs into the swarm which all point to the same IP address, resulting in a DDoS attack and none of the current peers would even be aware. What makes this dangerous is the fact that these malicious peers do not need to create a new torrent, they can hijack an existing and popular torrent and use its peers as a giant botnet.
The flaw is in the design of the system: random NodeIDs and a large number of IDs per IP address make such an attack possible. Correcting it is a little difficult. Suggestions include blocking the use of port numbers below 1024 (well-known service ports such as 80 and 21) and limiting the number of IDs per IP, but the protocol would eventually need a redesign. These corrections could lead to another problem, reduced anonymity: tracking becomes a lot easier when an IP address has a non-random ID.
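The two mitigations above, refusing node entries with ports below 1024 and capping the number of IDs a single IP may hold, can be applied on the client side when nodes are admitted to the routing table. The following is an added example, not code from the original post or from any BitTorrent client: an admission filter with the function and parameter names `admit_nodes`, `max_ids_per_ip` and `min_port` chosen here, plus a `concentration_alert` check that flags any IP holding a disproportionate share of the known IDs, which is what the injected mass of NodeIDs pointing at one address looks like from the defender's side. The node list is constructed inline with documentation-range addresses.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    node_id: bytes   # 20-byte Kademlia node ID
    ip: str
    port: int


def admit_nodes(candidates, max_ids_per_ip: int = 2, min_port: int = 1024):
    """Apply the two mitigations; return (accepted, [(node, reason), ...])."""
    accepted, rejected = [], []
    ids_per_ip = defaultdict(set)
    for n in candidates:
        if len(n.node_id) != 20:
            rejected.append((n, "malformed node id"))
            continue
        if not (min_port <= n.port <= 65535):
            rejected.append((n, "port below %d" % min_port))
            continue
        seen = ids_per_ip[n.ip]
        if n.node_id not in seen and len(seen) >= max_ids_per_ip:
            rejected.append((n, "too many ids for ip"))
            continue
        seen.add(n.node_id)
        accepted.append(n)
    return accepted, rejected


def concentration_alert(nodes, threshold: float = 0.2) -> dict:
    """Map IP -> share of all known node IDs, for IPs above `threshold`."""
    ids = defaultdict(set)
    for n in nodes:
        ids[n.ip].add(n.node_id)
    total = sum(len(s) for s in ids.values())
    if total == 0:
        return {}
    return {ip: len(s) / total for ip, s in ids.items() if len(s) / total > threshold}


def fake_id(label: str) -> bytes:
    """Deterministic 20-byte ID for the constructed sample."""
    return hashlib.sha1(label.encode()).digest()


def build_sample():
    """Constructed sample: 3 ordinary nodes plus two clusters of injected IDs."""
    nodes = [Node(fake_id(f"legit{i}"), f"198.51.100.{i}", 6881 + i) for i in range(3)]
    # 30 IDs all resolving to one address on port 80: the web-server flood pattern.
    nodes += [Node(fake_id(f"web{i}"), "192.0.2.80", 80) for i in range(30)]
    # 20 IDs on a normal BitTorrent port but still one address: caught by the per-IP cap.
    nodes += [Node(fake_id(f"bt{i}"), "192.0.2.81", 6881) for i in range(20)]
    return nodes


def run_sample():
    """Filter the sample and report what the unfiltered table would have flagged."""
    nodes = build_sample()
    accepted, rejected = admit_nodes(nodes)
    return {
        "accepted": len(accepted),
        "rejected": len(rejected),
        "flagged_before": sorted(concentration_alert(nodes)),
        "flagged_after": sorted(concentration_alert(accepted, threshold=0.25)),
    }


if __name__ == "__main__":
    print(run_sample())
```

The port rule alone stops the web-server case, but the per-IP cap is what limits an injector who uses ordinary BitTorrent ports, and the concentration check is the detection you would log and alert on regardless of which rule fired.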
It is not known if such an attack has taken place using this DHT exploit, but it’s only a matter of time. I wonder what kind of exploits would arise from this distributed DNS system that’s currently in development/use.
A recent talk at the Chaos Communications Congress revealed how BitTorrent swarms can be exploited to take down large websites with relative ease. A vulnerability in the technology behind so-called trackerless torrents makes it possible for someone to trick downloaders of popular files into sending thousands of requests to a webserver of choice, taking it down as a result. Basically, this turns BitTorrent into a very effective DDoS tool.