Reflective technique would let attacker amplify traffic and flood targets.
BitTorrent has fixed a flaw in its technology that quietly turns file-sharing networks into weapons capable of blasting websites and other internet servers offline.
The San Francisco company said Thursday the patch for its libuTP software will stop miscreants from abusing the peer-to-peer protocol to launch distributed reflective denial-of-service (DRDoS) attacks.
LibuTP is an essential building block for BitTorrent apps, such as Vuze, uTorrent, Transmission and BitTorrent’s own client software. These applications must be updated to include the fix, and the updates installed by netizens, to fully kill off the DRDoS vulnerability. uTorrent version 3.4.4 40911, BitTorrent version 7.9.5 40912, and BitTorrent Sync version 2.1.3 were all patched up earlier this month.
First uncovered by researcher Florian Adamsky, the vulnerability allows a single attacker to amplify a small string of data into a much larger flood of garbage network traffic that is directed toward a single target.
“Thankfully, no such attack has yet been observed in the wild, and Florian responsibly contacted us to share his findings,” BitTorrent spokesman Christian Averill wrote in a blog post.
“This gave our engineering team the opportunity to mitigate the possibility of such an attack.”
By utilizing a flaw in the BitTorrent protocols, an attacker can send a small amount of data across the internet to force unsuspecting BitTorrent nodes to simultaneously transmit a much larger wad of network packets to a machine of the attacker’s choosing – effectively amplifying the attacker’s input and outputting it all to a victim’s computer.
This, if repeated enough times with enough nodes, allows the attacker to potentially bombard a targeted IP address with huge amounts of data, thus washing away any legit traffic. Effectively, the attacked server would appear to be offline.
“By spoofing the source address in a UDP packet, an attacker can trick an intermediate node into sending data to a third party,” BitTorrent bod Francisco de la Cruz explained in a blog post.
“If an attacker can find a UDP protocol that sends responses larger than initial requests, it can amplify the traffic directed at a victim.”
BitTorrent has tweaked its library code to address the design flaw in its protocol. Before, an attacker could start a connection with a BitTorrent node while faking its IP address to be that of the victim. The node would acknowledge the connection to the victim, rather than the attacker. The attacker would then send a handshake message to the node, and the node would repeatedly send its reply to that handshake to the hapless victim, rather than the attacker.
Now a node will generate a random acknowledgment value and send that to the victim, rather than the attacker, when the connection is initiated. The attacker can only guess what this value is, and without it, its handshake message to the node will be ignored. The node will refuse to reply to the handshake unless the sender knows the acknowledgment value to prove it initiated the connection.
This, in turn, will make reflecting large volumes of traffic far more difficult for an attacker, and will prevent the execution of DRDoS attacks.
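To make the mechanism concrete, here is an added simulation (not BitTorrent’s libuTP code) of a node before and after the fix: the node answers whatever source address a packet claims, so the only thing standing between a spoofed initiation and a flood of replies is the random acknowledgment value that the handshake must echo back. The packet sizes, retry count and the attacker’s spend are constructed figures, and the `Node`, `reflected_bytes` and `legit_peer_accepted` names are this example’s own.

```python
import secrets

# Constructed figures for the simulation, not libuTP's real packet sizes.
ACK_BYTES = 20        # small acknowledgment sent when a connection is initiated
REPLY_BYTES = 400     # larger reply to a handshake message
RETRIES = 5           # old behaviour: the node kept re-sending that reply
ATTACKER_BYTES = 60   # attacker's spend: one initiation plus one handshake packet

class Node:
    """Simulated uTP-style node; patched=True models the random-ack fix."""

    def __init__(self, patched, rand=secrets.randbits):
        self.patched = patched
        self.rand = rand           # injectable so tests can be deterministic
        self.pending = {}          # claimed source address -> expected ack value
        self.sent = []             # (destination, nbytes) for every packet emitted

    def on_initiate(self, src):
        # The node answers whatever source the packet claims, so a spoofed
        # source means this acknowledgment goes to the victim, not the sender.
        ack = self.rand(16) if self.patched else 0
        self.pending[src] = ack
        self.sent.append((src, ACK_BYTES))
        return ack  # only the real owner of src ever sees this value

    def on_handshake(self, src, ack):
        if src not in self.pending:
            return False
        if self.patched and ack != self.pending[src]:
            return False  # sender cannot prove it received the acknowledgment
        for _ in range(RETRIES):
            self.sent.append((src, REPLY_BYTES))
        return True

def bytes_sent_to(node, dst):
    return sum(n for d, n in node.sent if d == dst)

def reflected_bytes(node, victim="victim", attacker_guess=0):
    # The attacker spoofs the victim's address and never sees the ack value,
    # so its handshake can only carry a guess.
    node.on_initiate(victim)
    node.on_handshake(victim, attacker_guess)
    return bytes_sent_to(node, victim)

def amplification(node):
    return reflected_bytes(node) / ATTACKER_BYTES

def legit_peer_accepted(node, peer="peer"):
    # A genuine initiator receives the ack value and can echo it back.
    return node.on_handshake(peer, node.on_initiate(peer))
```

With these figures the unpatched node reflects roughly 34 bytes to the victim for every byte the attacker sends, while the patched node reflects only the single small acknowledgment, and a peer that really did initiate the connection is still accepted.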
BitTorrent noted that even before the vulnerability was disclosed, products such as its Sync tool were in large part safe against the attacks.
“Sync, by design, limits the amount of peers in a share, making the attack surface much smaller,” added Averill. “It would not serve as an effective source to mount large-scale attacks.”