BitTorrent DHT can be used for DDoS
DDoS attacks via DHT were discussed at the 27th Chaos Communication Congress (CCC); see the presentation “Lying To The Neighbors” (PDF).
Using BitTorrent for DDoS was already a known technique: the victim's IP address had to be registered as a tracker, and it then received many requests. The problem is that this method requires a popular torrent.
The new DHT exploit technique makes it possible to use an existing peer network. In short, the algorithm is this: the attacker needs to become a popular peer on the network in order to receive many find_node requests from neighboring peers.
Every day, millions of people download torrents, and in some cases more than 100,000 users download the same file at the same time. Such clusters of users quite naturally attract the attention of attackers who are looking for a way to put the crowd to use.
The DHT protocol allows you to detect new peers downloading the same file without accessing the tracker. This allows you to continue downloading even if the tracker crashes and the original torrent is removed.
In his presentation at CCC, a hacker under the nickname Astro talks about how the Kademlia protocol for DHT works and why it is possible to trick neighboring peers using fake nodes (NodeID). In a comment for TorrentFreak, he explained that “address hashing and a verification scheme is good for the old Internet, but it becomes almost useless in a large IPv6 address space.” As a result, false peers can be slipped into the peer network, and users will participate in the DDoS attack without noticing it.
Of course, practical use of this method can easily be prevented, for example by prohibiting connections to ports below 1024, where most critical services are located.
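The port restriction suggested above, as an added example (not code from the presentation or from any BitTorrent client): a client-side filter that parses the compact node info of a find_node response (26 bytes per contact, as defined in BEP 5) and refuses contacts whose port is below 1024. The function names and the sample response are constructed for illustration.

```python
import ipaddress
import struct

NODE_LEN = 26    # 20-byte node ID + 4-byte IPv4 address + 2-byte port (BEP 5)
MIN_PORT = 1024  # mitigation from the text: never contact ports below 1024


def parse_compact_nodes(blob: bytes):
    """Split a find_node "nodes" string into (node_id, ip, port) tuples."""
    if len(blob) % NODE_LEN:
        raise ValueError("compact node info must be a multiple of 26 bytes")
    for off in range(0, len(blob), NODE_LEN):
        node_id = blob[off:off + 20]
        ip_raw, port = struct.unpack("!4sH", blob[off + 20:off + NODE_LEN])
        yield node_id, ipaddress.IPv4Address(ip_raw), port


def filter_contacts(blob: bytes, min_port: int = MIN_PORT):
    """Return (accepted, rejected); rejected contacts must never be queried."""
    accepted, rejected = [], []
    for node_id, ip, port in parse_compact_nodes(blob):
        if port < min_port:
            rejected.append((node_id, ip, port))
        else:
            accepted.append((node_id, ip, port))
    return accepted, rejected


def make_entry(id_byte: int, ip: str, port: int) -> bytes:
    """Build one constructed 26-byte entry for the sample below."""
    packed_ip = ipaddress.IPv4Address(ip).packed
    return bytes([id_byte]) * 20 + packed_ip + struct.pack("!H", port)


# Constructed sample response: documentation-range addresses, not real peers.
SAMPLE = (
    make_entry(0xAA, "192.0.2.10", 6881)      # ordinary BitTorrent port
    + make_entry(0xBB, "198.51.100.7", 80)    # contact advertised on a service port
    + make_entry(0xCC, "203.0.113.5", 51413)
    + make_entry(0xDD, "198.51.100.7", 53)
)

if __name__ == "__main__":
    ok, dropped = filter_contacts(SAMPLE)
    for _, ip, port in ok:
        print(f"accept {ip}:{port}")
    for _, ip, port in dropped:
        print(f"reject {ip}:{port} (port < {MIN_PORT})")
```

Logging the rejected contacts, rather than discarding them silently, also shows when a neighbor keeps advertising the same address on service ports.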