Security Experts:

BitTorrent Flaws Can Be Exploited for DRDoS Attacks: Researchers

Malicious actors can exploit vulnerabilities in BitTorrent, the popular peer-to-peer (P2P) file sharing protocol, to launch distributed reflective denial-of-service (DRDoS) attacks, researchers warned at the recent USENIX conference.

According to researchers, attackers can abuse BitTorrent protocols such as Micro Transport Protocol (uTP), Distributed Hash Table (DHT), and Message Stream Encryption (MSE), and the BitTorrent Sync tool to reflect and amplify traffic.

BitTorrent and BTSync use UDP protocols, which are not designed to prevent the spoofing of source IP addresses. This allows an attacker to send small packets to amplifiers using the victim’s IP, which results in the amplifiers sending larger packets to the victim.

Potential amplifiers can be identified using peer discovery techniques such as DHT, Peer Exchange (PEX) and trackers. These techniques allow attackers to collect millions of amplifiers, experts said.

This type of DRDoS attack has three main advantages: the attacker can hide his identity, a distributed attack can be initiated from a single computer, and the attack’s impact is increased by the amplifiers.

“The impact of a DRDoS attack is proportional to the adoption of the protocol that it is exploiting, as wide adoption makes it easier to find and scale-out the amplifier population,” the researchers wrote in a paper.

Experiments conducted by the researchers revealed that attackers can obtain an amplification factor of up to 50 in the case of BitTorrent clients and an amplification factor of up to 120 in the case of BTSync.

According to experts, the most vulnerable BitTorrent clients are the most popular ones; namely uTorrent, Mainline and Vuze.

Attacks that abuse DNS and NTP for reflection can be the easily blocked using a stateful packet inspection (SPI) firewall because DNS and NTP use known ports. However, attacks leveraging BitTorrent protocols can only be mitigated using deep packet inspection (DPI) firewalls that can detect certain strings in the handshake. Attacks that exploit MSE cannot be blocked even with DPI because the handshake is completely random, researchers noted.

“We think a working countermeasure must follow two parallel ways: global ISP coordination to prevent IP spoofing and protocol defense mechanism to avoid protocol exploitation,” experts said in their paper.

DRDoS attacks can be very damaging. In February 2014, content delivery network (CDN) CloudFlare reported that one of its customers was targeted in an NTP-based attack that peaked at 400Gbps.

UPDATE. BitTorrent has provided the following statement:

"First, it’s important to understand that this is a theoretical scenario and that such an attack has not been observed in the wild. Florian Adamsky and his co-authors conducted an experiment in a controlled environment producing the results presented in the paper.


Attacks like this will always be possible due to the way UDP-based protocols work. Abuse of DNS is commonly known. And even as recent as February of 2014, public Network Time Protocol (NTP) servers across the world were leveraged to carry out such an attack. Nonetheless we’ve taken the vulnerability reports seriously and have taken steps to harden our protocols and mitigate some weaknesses outlined in the research paper.


To their credit, Florian and the co-authors reported their findings to us responsibly some weeks back. The team at BitTorrent has already been able to address much of the issue prior to the paper’s publication and will soon have mitigated the matter completely.


An important point regarding Sync: even before the recent updates to Sync, the severity of the vulnerability was reduced by a few factors. First, the attacker would have to know the Sync user they are trying to exploit to get their “Secret” - or the Sync user would have to have exposed that “Secret” publicly in some way. In addition, Sync, by design, limits the amount of peers in a share making the attack surface much smaller. It would not serve as an effective source to mount large scale attacks."

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.