P2P Networks Supplement Botnets

stuckinarut writes "Peer to peer file sharing network popularity is at an all time high, with hundreds of thousands of computers connected to a single P2P network at a given time. These networks are increasingly being used to trick PCs into attacking other machines, experts say. In fact, some reports indicate that peer-to-peer may actually exceed web traffic. Computer scientists have previously shown how P2P networks can be subverted so that several connected PCs gang up to attack a single machine, flooding it with enough traffic to make it crash. This can work even if the target is not part of the P2P network itself. Now, security experts are warning that P2P networks are increasingly being used to do just this. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack," says Darren Rennick of internet security company Prolexic in an advisory released recently. "We now see them constantly being subverted.""
  • BitTorrent (Score:3, Informative)

    by TheSHAD0W ( 258774 ) on Wednesday May 30, 2007 @09:56PM (#19331291) Homepage
    The reason P2P lends itself to abuse is because peers typically depend on data from non-authoritative sources (other peers) for information. BitTorrent's classical tracker communication doesn't allow spurious inserted IP addresses to be broadcast to other peers, which prevents BitTorrent networks from being used as DoS amplifiers.

    I can't say the same for certain non-standard extensions to BitTorrent, or for the official DHT-based trackerless system, unfortunately; I haven't studied them enough to assert their infallibility.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday May 30, 2007 @10:22PM (#19331515)
    From TFA:

    "In all file-sharing systems, you need a database to locate where these files are," Ross says. "The trick is to poison the database, to put bogus entries in that say that a very popular file is located at some target address that you want to attack."

    Thousands of computers will then start contacting the target computer requesting, for example, the latest Britney Spears song or episodes of The Office.

    Actually, that won't happen.

    Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.

    In order to get "thousands of computers" to attack the target, you'd have to claim that the content was something that "thousands" of people wanted ... RIGHT THEN!

    Otherwise your "attack" will be limited to how many people are trying to download the content at any one time that have not timed out.

    They created modified versions of BitTorrent files, and their own "tracker", a computer which stores the databases that peers use to find one another on the network. Then, using 25 bogus files, they were able to trick more than 50,000 computers into cooperating within a few hours.

    It's not how many TOTAL computers over a TOTAL time period.

    If each of those 50,000 computers timed out and gave up in 60 seconds (a very reasonable time frame), then you're only looking at 278 (rounded up) "attacks" a minute.

    Between 4 and 5 "attacks" a second.

    It doesn't sound like much when you do the math, does it?
  • by MLS100 ( 1073958 ) on Wednesday May 30, 2007 @10:27PM (#19331569)
    I remember a while ago I went on vacation and lost the lease on my IP back when I had Comcast. I came home and booted up the router, it leased a new IP, business as usual.

    That night I look over at my modem and the send/receive lights are flashing like crazy. I check my firewall logs and see mass connection attempts on some port I wasn't aware was associated with anything. I do some Google searching and come to find out it's that peer-to-peer edonkey crap.

    I thought "Whatever, surely the client will stop making connection attempts after it times out for a few days." But no sir, it went on for literally months until I received a new IP lease (with a little intervention on my part). Granted the traffic was not enough to affect my connection all that much but if 'legitimate' usage generates such a high volume of traffic I can see how abuse could become a concern.

    Who writes these clients anyway, connection/ping timeout for a month and the IP is not put on some sort of exclude list?
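An added example, not from the page or any of its posters, that works through khasim's "do the math" model and turns MLS100's firewall-log observation into a check: a poisoned P2P index shows up as many distinct source IPs hitting one destination port at a high rate, which is what a defender should alert on. The log format and the "3 hours" for khasim's "a few hours" are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from the page); 4662 is eDonkey's default TCP port.
SAMPLE_LOG = """\
2007-05-30 21:00:01 DROP src=10.0.0.5 dst=192.0.2.10 dport=4662
2007-05-30 21:00:02 DROP src=10.0.1.7 dst=192.0.2.10 dport=4662
2007-05-30 21:00:02 DROP src=10.0.2.9 dst=192.0.2.10 dport=4662
2007-05-30 21:00:03 DROP src=10.0.3.1 dst=192.0.2.10 dport=4662
2007-05-30 21:00:04 DROP src=10.0.0.5 dst=192.0.2.10 dport=4662
2007-05-30 21:00:05 DROP src=10.0.4.2 dst=192.0.2.10 dport=4662
2007-05-30 21:00:06 DROP src=10.0.5.3 dst=192.0.2.10 dport=4662
2007-05-30 21:00:06 DROP src=10.0.9.9 dst=192.0.2.10 dport=22
"""

LINE_RE = re.compile(r"^(\S+ \S+) DROP src=(\S+) dst=\S+ dport=(\d+)$")

def parse_log(text):
    """Yield (timestamp, src, dport) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), int(m.group(3))

def per_port_stats(text):
    """Group attempts by destination port: distinct source IPs and attempt timestamps."""
    stats = defaultdict(lambda: {"sources": set(), "times": []})
    for ts, src, dport in parse_log(text):
        stats[dport]["sources"].add(src)
        stats[dport]["times"].append(ts)
    return stats

def flag_ports(text, min_sources=5, min_rate_per_min=30.0):
    """Flag ports hit by many distinct sources at a high rate: the signature of a poisoned index
    (many unrelated peers, each trying once or twice), unlike a scan from a single source."""
    flagged = {}
    for dport, s in per_port_stats(text).items():
        span_s = max((max(s["times"]) - min(s["times"])).total_seconds(), 1.0)
        rate = len(s["times"]) * 60.0 / span_s
        if len(s["sources"]) >= min_sources and rate >= min_rate_per_min:
            flagged[dport] = {"sources": len(s["sources"]), "attempts_per_min": round(rate, 1)}
    return flagged

def steady_state_load(total_peers, hours, timeout_s):
    """khasim's model: peers spread over `hours` give an arrival rate per minute; each peer
    gives up after `timeout_s`, so concurrent in-flight attempts = rate/sec * timeout."""
    per_min = total_peers / (hours * 60.0)
    return round(per_min), round(per_min * timeout_s / 60.0)
```

With khasim's figures (50,000 peers over an assumed 3 hours, 60 s timeout) the model gives 278 arrivals a minute and about 278 connections in flight at any moment; a shorter client timeout lowers the second number but not the first, which is why the distinct-source rate, not the concurrent count, is the better detection signal.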
  • A bit of Older news (Score:5, Informative)

    by maelfius ( 592856 ) on Wednesday May 30, 2007 @11:57PM (#19332381) Homepage
    I'm glad this finally made it to Slashdot. It's a bit of older news to those of us who work in the web hosting industry and have already been subjected to these types of attacks. The abuse of these networks makes the resulting DDoS attacks much larger in scale than DDoS-style attacks have been in the past (for the most part).

    Thankfully some Peer to Peer network protocols aren't badly implemented (and the client software isn't as bad as others). Netcraft has a decent article about this with examples of the P2P networks that have been shown as exploitable.

    http://news.netcraft.com/archives/2007/05/23/p2p_networks_hijacked_for_ddos_attacks.html

    I can confidently say that these attacks can easily span the 800,000 pkt/sec (per link) and include millions of source addresses for a "cheap cost" compared to the botnets that previously have been almost exclusive to the attacks. Thankfully most P2P clients aren't hijackable in a way to simply pulse connections (all at once) or the more traditional SYN flooding. Connection (fully negotiated) attacks tend to be easier to diagnose than the strictly SYN-flooding style attacks can be; on top of that, they tend to be more directed (single destination vs. rotating with some kind of intelligence across an entire netblock).
  • Geez. (Score:1, Informative)

    by Anonymous Coward on Wednesday May 30, 2007 @11:58PM (#19332393)
    Did anyone ever read the friggin' advisory? They speak of a DC++ attack, not edonkey and not bittorrent. I know jack-shit about edonkey because that's typically only used for downloading "warez" and movies and such. But, yes, bittorrent is designed with certain security features in mind that prevent this. Those that use distributed trackers, I dunno, I don't use them and am not at liberty to discuss them.

    I believe most everyone who has posted here must work at Best Buy in their Geek Squad. They use all the buzzwords. They write such a long rant full of geek-speak garbage that it distracts the majority and everyone assumes they know what they are speaking about.

    Almost every reply here has been off-topic. Sad.
