Change History (2)

comment:1 Changed 6 years ago by mike.dld

  • Priority changed from High to Normal
  • Resolution set to duplicate
  • Severity changed from Critical to Normal
  • Status changed from new to closed

Duplicate of #5888.

comment:2 in reply to: ↑ description Changed 6 years ago by cfpp2p

Results of actual testing of transmission are below.

Replying to funkstar:

http://www.computerworld.com/article/2976590/security/bittorrent-patches-flaw-that-could-amplify-distributed-denial-of-service-attacks.html

In order to fix the issue, BitTorrent, the company that maintains libuTP,
modified the library so that it properly verifies the ACK number
accompanying the second request. If it doesn't match the one sent
to the victim in the first packet, it will drop the connection.

The change does not prevent DDoS reflection
but kills the amplification effect. 

https://github.com/bittorrent/libutp/commit/13d33254262d46b638d35c4bc1a2f76cea885760

From the original official Florian Adamsky report https://www.usenix.org/system/files/conference/woot15/woot15-paper-adamsky.pdf

2.1 Distributed Reflective Denial-of-Service (DRDoS) Attacks
An attacker which initiates a DRDoS does not send the
traffic directly to the victim; instead he/she sends it to
amplifiers which reflect the traffic to the victim. The
attacker does this by exploiting network protocols which
are vulnerable to IP spoofing...

...

The ratio of the smaller and larger packet is known as BAF

BAF = Bv/Ba
 
where the payload to the victim is denoted as Bv and the
amplified payload from the victim as Ba. For instance,
a BAF of 5 times means, that an attacker with 1 Gbps
upload capacity can send 5 Gbps of traffic to the victim.
Similar to BAF, a Packet Amplification Factor (PAF) is
defined as the ratio of the number of packets sent from
the amplifier to the victim and the number of packets sent
from the attacker to the amplifier.

2.2 BitTorrent Protocol Family

...

3.2.3 Transmission

3.2.3 Transmission and LibTorrent
We tested with Transmission 2.84 (built 14307) on
Ubuntu 14.04.1. Transmission supports both LTEP
and AMP. However, Transmission does not add any
other BitTorrent message in the first uTP data packet
than the handshake. It does not matter which extension
is activated, Transmission only sends 88 bytes in a
BitTorrent handshake and resends a lost packet three
times. According to this, an attacker can only achieve a
BAF of 4.0 if the amplifier uses the Transmission client.

...

Table 2: Amplification Factors of the different BitTorrent
clients with a BitTorrent handshake with uTP.
Description                 BAF    PAF
ucat                        351.5  6
uTorrent w/o extensions     27.6   3.5
Mainline w/o extensions     27.8   3.5
uTorrent with LTEP          39.6   3
Mainline with LTEP          39.6   3
Vuze w/o extensions         13.9   2
Vuze with LTEP              18.7   2
Vuze with AMP               54.3   3.5
Transmission w/o extensions 4.0    3.5
Transmission with LTEP      4.0    3.5
Transmission with AMP       4.0    3.5
Libtorrent w/o extensions   5.2    4
Libtorrent with LTEP        5.2    4

4 Experimental Evaluation
In this section, we show that the attacks presented in this
paper are efficient, robust and difficult to circumvent.

refs. https://www.us-cert.gov/ncas/alerts/TA14-017A

http://engineering.bittorrent.com/2015/08/27/drdos-udp-based-protocols-and-bittorrent/

http://www.christian-rossow.de/articles/Amplification_DDoS.php

Last edited 6 years ago by cfpp2p
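
The ACK check and the Transmission figures quoted in comment:2, as an added example that is not part of the ticket, libuTP or Transmission: a toy uTP responder that either skips or enforces the check, measured with the payload-byte ratio. The header layout follows BEP 29; `Responder`, `packet` and `baf` are hypothetical names, the sequence handling is simplified, and the reply is always resent as if it were never acknowledged.

```python
import secrets
import struct

# uTP v1 header (BEP 29), 20 bytes big-endian: type/ver, extension, conn_id,
# timestamp, timestamp_diff, wnd_size, seq_nr, ack_nr.
HDR = struct.Struct(">BBHIIIHH")
ST_DATA, ST_STATE, ST_SYN = 0, 2, 4
HANDSHAKE = bytes(88)  # constructed stand-in for the 88-byte handshake
RESENDS = 3            # resends of a lost packet, per the quoted paper


def packet(ptype, conn_id, seq_nr, ack_nr, payload=b""):
    return HDR.pack(ptype << 4 | 1, 0, conn_id, 0, 0, 0, seq_nr, ack_nr) + payload


class Responder:
    """Toy accepting side of a uTP connection (hypothetical, not libutp)."""

    def __init__(self, verify_ack):
        self.verify_ack = verify_ack
        self.pending = {}  # peer's send conn_id -> seq_nr of our ST_STATE

    def receive(self, data):
        """Return the packets emitted in reaction to one datagram."""
        if len(data) < HDR.size:
            return []
        tv, _, conn_id, _, _, _, seq_nr, ack_nr = HDR.unpack_from(data)
        if tv >> 4 == ST_SYN:
            ours = secrets.randbelow(1 << 16)
            self.pending[(conn_id + 1) & 0xFFFF] = ours
            return [packet(ST_STATE, conn_id, ours, seq_nr)]
        if tv >> 4 == ST_DATA and conn_id in self.pending:
            ours = self.pending.pop(conn_id)
            if self.verify_ack and ack_nr != ours:
                return []  # sender never saw our ST_STATE: drop the connection
            reply = packet(ST_DATA, (conn_id - 1) & 0xFFFF,
                           (ours + 1) & 0xFFFF, seq_nr, HANDSHAKE)
            return [reply] * (1 + RESENDS)  # modelled as never acknowledged
        return []


def baf(verify_ack, sender_sees_state):
    """Payload bytes emitted after the data packet / payload bytes received."""
    r = Responder(verify_ack)
    state = r.receive(packet(ST_SYN, 7, 1, 0))[0]
    seen = HDR.unpack_from(state)[6]
    # A sender that cannot see the ST_STATE has to guess; model a wrong guess.
    ack = seen if sender_sees_state else (seen + 1) & 0xFFFF
    out = r.receive(packet(ST_DATA, 8, 2, ack, HANDSHAKE))
    return sum(len(p) - HDR.size for p in out) / len(HANDSHAKE)
```

With the check enabled, the 20-byte ST_STATE still goes to the address in the SYN, which matches the quoted statement that the change kills amplification but not reflection.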