P2P Networks Supplement Botnets

stuckinarut writes "Peer to peer file sharing network popularity is at an all time high, with hundreds of thousands of computers connected to a single P2P network at a given time. These networks are increasingly being used to trick PCs into attacking other machines, experts say. In fact, some reports indicate that peer-to-peer may actually exceed web traffic. Computer scientists have previously shown how P2P networks can be subverted so that several connected PCs gang up to attack a single machine, flooding it with enough traffic to make it crash. This can work even if the target is not part of the P2P network itself. Now, security experts are warning that P2P networks are increasingly being used to do just this. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack," says Darren Rennick of internet security company Prolexic in an advisory released recently. "We now see them constantly being subverted.""

It would be interesting...

[Tuxedo Jack]

Think about it. Make a false request for a file - and then do TONS of requests for it from hundreds and thousands of other people. It's a classic DDoS attack.

However, this will rule out a lot of corporate machines from being used as bots in this fashion; most decent sysadmins filter P2P traffic.

Re:

[Captain Splendid]

Yeah, I'm not sure how any of this is news. I mean, we're all well versed already:

• 1. Find p2p users, because they're more likely to run unpatched and vulnerable
• 2. Zombify said PC
• 3. Profit!

So what's new about this?

Re:It would be interesting...

[Bill Wong]

From what I understand, this sounds like a new DDoS technique.
Spoof some packets and forward them to a torrent tracker that so-and-so-IP-address is a seed for popular torrents.
Watch as requests for that file flood the target. Repeat as necessary (actually, probably will need to repeat a whole lot).

Re:

[complete loony]

And depending on the P2P protocol, if you point a standard client at a web server, the p2p client handshake could tie up a socket until the HTTP server times it out.

What seems to be needed is for the popular client implementations to refuse to connect to peers that have a standard protocol port number, eg SMTP, HTTP, FTP, HTTPS.

That doesn't sound THAT bad.

[khasim]

From TFA:

"In all file-sharing systems, you need a database to locate where these files are," Ross says. "The trick is to poison the database, to put bogus entries in that say that a very popular file is located at some target address that you want to attack."

Thousands of computers will then start contacting the target computer requesting, for example, the latest Britney Spears song or episodes of The Office.

Actually, that won't happen.

Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.

In order to get "thousands of computers" to attack the target, you'd have to claim that the content was something that "thousands" of people wanted ... RIGHT THEN!

Otherwise your "attack" will be limited to how many people are trying to download the content at any one time that have not timed out.

They created modified versions of BitTorrent files, and their own "tracker" a computer, which stores the databases that peers use to find one another on the network. Then, using 25 bogus files, they were able to trick more than 50,000 computers into cooperating within a few hours.

It's not how many TOTAL computers over a TOTAL time period.

If each of those 50,000 computers timed out and gave up in 60 seconds (a very reasonable time frame), then you're only looking at 278 (rounded up) "attacks" a minute.

Between 4 and 5 "attacks" a second.

It doesn't sound like much when you do the math, does it?

Re:That doesn't sound THAT bad.

[rtb61]

Dang, now why would you go and take apart a good old "P2P is evil and must be banned" story, just think of that wasted RIAA money going down the drain on a failed corporate viral marketing meme ;).

Re:

[pnutjam]

If they are poisoning the database, why would they only poison one entry?

Re:

[SpaceLifeForm]

Just another FUD attack by the darkside so they can attempt to legislate stupid laws to take control of the Internet.

Re:

[DavidSev]

Could it be that this is just another attempt at killing p2p? The using trackers as lists of IP's that probably wont be patched sounds like a much better plan.

Re:

[Simon (S2)]

If each of those 50,000 computers timed out and gave up in 60 seconds (a very reasonable time frame), then you're only looking at 278 (rounded up) "attacks" a minute.

Between 4 and 5 "attacks" a second.

How did you calculate that? If a new episode of office comes out, and say 10000 users want to download it in the first 10 minutes, that would be 10000 / 600 = 16,6 connections/second. that's a fair bit.

Re:

[DrYak]

Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.
In order to get "thousands of computers" to attack the target, you'd have to claim that the content was something that "thousands" of people wanted ... RIGHT THEN!

This is easy. Just put PR0N or NAKED, or LESBIAN, or HOT ACTION, or a combination of thereof in the title of your fake file, put it on ThePirateBay and the download will be started by millions in the following couple

Re:

[HeroreV]

Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.

If a user has already chosen to download something, their client may try to connect to anybody who has it.

1) find a popular torrent
2) tell tracker a certain IP address has the entire file, lots of upload slots, and huge upload bandwidth
3) tens of thousands of bittorrent clients try to connect to the IP address
4) successful DDoS

Re:

[xouumalperxe]

What the fine article means, however, is that zombifying is an entirely extraneous step. You can just find a p2p server and subvert all its clients to attack a webserver (strategically directing all traffic to port 80).

Re:It would be interesting...

[necro2607]

What's new about it: The victims don't have to be P2P users at all (in fact, their PC could just be sitting there at the log in screen, not even in use).

We're talking about subverting P2P protocols in such a manner that completely legit P2P client software all over the net will be making regular requests to a certain target machine, because as far as the client software knows, that's where the requested file (SHREK_3_SCREENER_DVDRIP.AVI etc.) is supposedly located.

Re:

[shmlco]

So true. Back when I used a PC I'd occassionally run torrent and suddenly see firewall attacks peak like no one's business. Port probes, UDP probes, service attacks. Yuck.

It wouldn't surprise me at all to find many of the largest "information wants to be free" torrent sites being run by black hats in order to gather IP addresses and routing information for attacks.

Re:

[timmarhy]

this does not work very well for the simple reason that once people realise they aren't geting a useful download from the torrent they are connected to, they cancel it and there goes your bandwidth. the net effect of this is you don't get ANY seeds and people avoid your torrent and you don't get much upstream bandwidth.

Re:

[necro2607]

They won't cancel it if it's a totally valid torrent that they are getting 30kb/sec on, because that's what it will look like to all the users. Big deal - they are still downloading just fine, why would they cancel? See, the "target victim" IP will simply be another "seed" in the torrent (or perhaps another peer with, you know, 99% of the torrent or whatever). If it's an insanely popular torrent, it's going to get a TON of requests. Of course, my theoretical situation here might not actually even be tech

Re:

[jamstar7]

OK, so what exactly would this site be sending at 30k/sec? And exactly how do you sucker a target to send this data out when there's no P2P client installed on it? I'm having a seriously hard time believing this.

Re:

[Simon (S2)]

OK, so what exactly would this site be sending at 30k/sec?

Nothing. Another seed/peer is sending data at 30k/sec.

And exactly how do you sucker a target to send this data out when there's no P2P client installed on it?

You don't. You just send the requests to the target.

Re:

[deroby]

I think that what he means is that "in the total picture of your Torrent session" you get ca 30kbps because you are connected let's say 150 peers in total. Of those 150 peers, 149 are 'real' and some of them are uploading data to you. However, number 150 is actually not a real peer but an 'innocent' web server somewhere whose IP address has been 'tricked' into the Tracker list. All your peers will (regularly?) try to connect with that address and the idea is that this will 'overwhelm' the web server.

Now, to

Re:

[necro2607]

Most decent sysadmins filter P2P traffic? Sure, I guess, if these attacks use default ports and so on. However, I can pretty much guarantee that these DDoS methods will just use whatever random port, or in fact only use default ports when you specifically choose as such.

Actually analyzing every packet and trying to recognize the protocol used is excessively CPU intensive (for the firewall), and requires pretty powerful machines if you're expecting to catch every "P2P" protocol on the network.

Re:

[necro2607]

I can't see many, if any, companies running SNORT or similar "intrusion detection" software on every single workstation throughout their company...

Re:

[jamstar7]

I can't see many, if any, companies running SNORT or similar "intrusion detection" software on every single workstation throughout their company...

Shouldn't have to do more than run SNORT and some packet analysis software on the gateway machine. We're assuming of course that all the workstations are properly NATed behind a gateway. Once you find out which machine's taken over, you can do what you need to do on it. No big deal.

Re:It would be interesting...

[Pedrito]

most decent sysadmins filter P2P traffic.

You should read the advisory. Apparently firewalls aren't generally enough to prevent an attack. I suspect I've actually been the victim of some of these attacks, though I have no idea why and it's possible that it's something else, but I've had "attacks" that appear to be related to the ED2K (eMule/eDonkey) network where I just get flooded with incoming ED2K packets and it quickly hoses my DSL modem, which obviously isn't designed to handle a DDOS attack. My iptables firewall seems to survive longer than the DSL modem. Fortunately, switching off the modem for a few seconds and firing it back up gives me a new address (one of the benefits of dynamic addresses).

I don't know why I'd be attacked. It's possible people are just testing out their botnets or something, but it's happened several times over the past few months. Since it's fairly simple for me to fix the problem (restarting the modem) and it's only happened a few times, I haven't really bothered to dig too deep into it.

Re:

[SuperNinjaMonkey]

I think the OP meant that most sysadmins block P2P, so those computers (business computers) couldn't be used in the botnet as part of the attacker.

Web traffic?

[kihjin]

Don't you mean P2P over port 80?

well

[mastershake_phd]

I know my connection sees more P2P traffic than web traffic. One 175mb TV show is a lot of web pages.

Re:

[eternalnyte]

It would seem you've never seen Myspace....

Re:

[Saikik]

Apparently you haven't been to myspace lately.

Re:

[jamstar7]

Apparently you haven't been to myspace lately.

Like I'm really missing something by not bothering to hit Myspace...

So please tell me about all the garbage pages I don't see cause I don't use Myspace. I can live without bad video, bad music, and teeniebopper angst...

Re:

[Saikik]

You're not missing anything there. But you did miss my point... 175 megs doesn't get you as far as you'd think.

Re:

[jamstar7]

Meh. it's about half an hour of an episode of Babylon 5 at decent resolution...

Re:

[MadMidnightBomber]

"One 175mb TV show is a lot of web pages." ... or one myspace page.

Re:

[AlgorithMan]

175mb TV show

simpsons? :-)

BitTorrent

[TheSHAD0W]

The reason P2P lends itself to abuse is because peers typically depend on data from non-authoritative sources (other peers) for information. BitTorrent's classical tracker communication doesn't allow spurious inserted IP addresses to be broadcast to other peers, which prevents BitTorrent networks from being used as DoS amplifiers.

I can't say the same for certain non-standard extensions to BitTorrent, or for official's DHT-based trackerless system, unfortunately; I haven't studied them enough to assert their infallibility.

Re:

[Ken_g6]

Once I noticed that a computer somewhere had pulled over 1GB of data for a Linux *CD* (700MB), in my uTorrent client. And, yes, I did have DHT on. At the time I figured it was just a rogue client, and blocked it in my firewall. Now I wonder...

Re:

[TheSHAD0W]

That is possible, but more likely the guy was behind a bad router. Some routers can cause consistent data corruption, and the client ends up downloading the same thing over and over. Difficult to fix.

Re:

[SpaceLifeForm]

Routers corrupting packets?
Care to share any names?

Re:

[Spand]

Its mentioned here so I guess theres some truth to it:
http://utorrent.com/faq.php#I_get_tons_of_hashfail s_on_my_torrents_and_the_torrent_never_finishes [utorrent.com]

Re:

[TheSHAD0W]

Most routers only do this when you're running in the DMZ. They assume you're playing a game, and many games send the local IP over TCP and won't work right if you're behind a firewall. The router helpfully replaces instances of the local IP with the remote IP, which usually doesn't cause much trouble in a game, but causes approx. 1 hash fail per gigabyte of data. If you update your router's firmware and forward ports rather than setting DMZ, you ought to be able to solve the problem.

Another reason to better utilize P2P networks

[Freed]

P2P has too much potential at stake to just being associated with massive copyright infringements and now botnets.

These associations will only be used as excuses to involve clueless regulators to inflict even more damage than they already do.

P2P also is used to distribute OS images, large collections of data, etc. Companies and organizations--especially involved with free software--need to get on the ball and rely more on P2P. There's more than just bandwidth savings at stake.

Re:

[the_womble]

There are alrady FTP clients that download different pieces of the same file from different servers. The only thing P2P does well is hide content, and destination.

P2P spreads the load much more widely, and with less effort.

I cannot run an FTP server over my NATed ADSL connection, but when I use bit-torrent I can see uploads happening.

FTP only spreads the load to those who deliberately mirror you. P2P spreads the load over everyone who is downloading.

How do you explain the fact that P2P (bittorrent es

Re:

[Abcd1234]

Once the popularity wears off, it's no better than FTP.

Show me an FTP server or client whose transfer rate scales superlinearly with popularity, and I'll be very very impressed.

Time?

[gmuslera]

That starting amount of people will try to connect to that site could be high, ok, but as soon the p2p client realizes that is not talking with a p2p server all ends there, the attack said by Bittorrent author in the article could be better. How long could be a p2p attack that way? Or maybe, how much retries/time do usual the p2p clients to make that worrysome?

What does it look like?

[Jah-Wren Ryel]

So the article mentions two cases:

1) Edonkey/Emule
2) Bittorrent

In the second case, it sounds a lot like the attacker needs to run their own tracker, which means they have convince people to come to their tracker in the first place, making it relatively easy to avoid.

But the first case, with Edonkey, sounds like it might only need a naughty client. But they don't go into details, instead referencing an academic paper which I am too lazy to read and suspect it won't answer my ultimate question anyway, which

What probably gave the author the idea:

[MLS100]

I remember a while ago I went on vacation and lost the lease on my IP back when I had Comcast. I came home and booted up the router, it leased a new IP, business as usual.

That night I look over at my modem and the send/receive lights are flashing like crazy. I check my firewall logs and see mass connection attempts on some port I wasn't aware was associated with anything. I do some Google searching and come to find out it's that peer-to-peer edonkey crap.

I thought "Whatever, surely the client will sto

A bit of Older news

[maelfius]

I'm glad this finally made it to Slashdot. It's a bit of older news to those of us who work in the web hosting industry and have already been subjected to these types of attacks. The scale that the abuse of these networks causes the DDOS attacks to be is on a much larger scale than DDOS style attacks have been in the past (for the most part).

Thankfully some Peer to Peer network protocols aren't badly implemented (and the client software isn't as bad as others). Netcraft has a decent article about this with examples of the P2P networks that have been shown as exploitable.

http://news.netcraft.com/archives/2007/05/23/p2p_n etworks_hijacked_for_ddos_attacks.html [netcraft.com]

I can confidently say that these attacks can easily span the 800,000 pkt/sec (per link) and include millions of source addresses for a "cheap cost" compared to the botnets that previously have been almost exclusive to the attacks. Thankfully most P2P clients aren't hijackable in a way to simply pulse connections (all at once) or the more traditional SynFlooding. Connection (fully negotiated) tends to be easier to diagnose than the strictly syn-flooding style attacks can be, on top of it they tend to be more directed (single destination vs. rotating with some kind of intelligence across an entire netblock).

Re:

[shdragon]

Will you share what clients/p2p protocols are not affected? What clients should people avoid?

Re:

[maelfius]

DC++ appears to be the most affected from what I've seen. Unfortunately I can only go by what I'm seeing on the destination end (at this time), which makes discovery of the source software a bit difficult at times. I'll say the article I linked details a bit of the exploitable software, usually Hubs and clients that are far from patched (later versions tend to close some of the holes). However, people never update P2P software (as a broad generalization) in comparison to more mission critical application

Geez.

[Anonymous Coward]

Did anyone ever read the friggin' advisory? They speak of a DC++ attack, not edonkey and not bittorrent. I know jack-shit about edonkey because thats typically only used for downloading "warez" and movies and such. But, yes, bittorrent is designed with certain security features in mind that prevent this. Those that use distributed trackers, I dunno, I dont use them and am not a liberty to discuss them.

I believe most everyone who has posted here must work at Best Buy in their Geek Squad. They use all the

Re:

[maelfius]

And sadly I don't have any mod points to spend on this topic where I actually could see use of them.

Reference to the actual studies

[slashdotmsiriv]

The advisory indeed speaks only of using DC++ to launch DDoS http://www.prolexic.com/news/20070514-alert.php [prolexic.com] However, the New Scientist article refers to two academic studies that discuss how eMule and BitTorrent can be misused for the same purpose:

a) N. Naoumov, and K.W. Ross, Exploiting P2P Systems for DDoS Attacks, International Workshop on Peer-to-Peer Information Management, May 2006 http://cis.poly.edu/~ross/papers/p2pddos.pdf [poly.edu]
They show that one can subvert Overnet traffic (applicable to eMule th

Re:

[deroby]

AFAIK : OverNet and eMule share the same protocol but differ quite a bit in the way they handle stuff. What's true for OverNet might not be true for eMule. (and vice versa)

(and isn't OverNet officially dead ?)

Not that new

[Kaenneth]

A couple years ago while studying p2p protocols, and contemplating writing one myself to release anonymously. I wrote a program that emulated a Kazaa node with the ability to monitor and modify traffic passing through it.

I then added the ability to query and download files, and while experimenting with making it cache queries to others, added a slight bug, in that instead of giving the actual address of the resource, it kept spitting out my address... Shortly after, I realized I had a dandy means for a DOS

P2P-ize everything!

[suv4x4]

Well here's what: P2P is just a hack. That's all it is. It's a scheme to avoid central authority, and avoid a central point of load...

While in some cases this is an attempt to avoid legal repercussions of hosting illegal content, on other cases, where content is legal, it's an attempt for the content providers to make their very big bandwidth problem, someone else's bandwidth problem.

Because this is all P2P is doing, moving the problem elsewhere, and actually multiplying it. Downloading a 100 MB file via bittorent will generate far more traffic and connection on the Internet as a whole, than a direct download from a proper server farm. No wonder ISP-s are stressed out from this whole P2P deal.

And then there's the security problems. I wonder: where did all those guys shouting with full throat "P2P-ize everything" do? I've read here on Slashdot, bold commenters proclaim boldly how lame it is that there are still things that aren't P2P yet. We need P2P search engines! P2P hosting! P2P banking! All of those are actual things I've read.

But back to the beginning, P2P means no central authority. Hence, it means no central trusted entity, no trust, no security.

Re:

[Shadow-isoHunt]

But I thought we had p2p search engines...

Re:

[ratboy666]

Your assertion that P2P is (just) a hack to avoid central authority and move bandwidth is partly right.

Yers, I use "P2P" (bittorrent) as a hack. But the DIRECT problem I use bittorrent to address is the disparity between my download speed (5ish mbits/second) vs. my upload speed (256ish kbits/second).

I prefer to be in control of my own network resources -- and not rely on "central authority". So, yes, that is the "end reason" for using bittorrent.

But there would be no reason to use a "P2P" solution if my upl

Re:

[pehrs]

Time to feed the troll.

Well, I would suggest you take a basic course in network design. Peer to Peer is not just a hack. It's the fundamental principle of how Internet is designed.

Internet architecture is built on the principle that all nodes are created equal and should be able to communicate. There are no specific addresses for producers of content and consumer of content... Unlike for example TV. All traffic on the Internet should, according to the original design, be peer to peer.

If you look at the capa

Re:

[Abcd1234]

P2P is just a hack.

Damn right it's a hack. A hack to get around the fact that ISPs have refused to properly deploy IP multicasting. Until then, I'll take my hack, thanks.

P2P traffic dominant since 2002

[Alomex]

In fact, some reports indicate that peer-to-peer may actually exceed web traffic.

This was already the case in most of the measurements we collected in 2002. In fact by 2003, video traffic was the largest by volume, followed by audio, followed by web traffic. Our numbers came from sophisticated measurement devices that could, among other things, tell apart web pages from audio/video traffic on port 80.