Connect with us

Hi, what are you looking for?



BitTorrent Flaws Can Be Exploited for DRDoS Attacks: Researchers

Malicious actors can exploit vulnerabilities in BitTorrent, the popular peer-to-peer (P2P) file sharing protocol, to launch distributed reflective denial-of-service (DRDoS) attacks, researchers warned at the recent USENIX conference.

Malicious actors can exploit vulnerabilities in BitTorrent, the popular peer-to-peer (P2P) file sharing protocol, to launch distributed reflective denial-of-service (DRDoS) attacks, researchers warned at the recent USENIX conference.

According to researchers, attackers can abuse BitTorrent protocols such as Micro Transport Protocol (uTP), Distributed Hash Table (DHT), and Message Stream Encryption (MSE), and the BitTorrent Sync tool to reflect and amplify traffic.

BitTorrent and BTSync use UDP protocols, which are not designed to prevent the spoofing of source IP addresses. This allows an attacker to send small packets to amplifiers using the victim’s IP, which results in the amplifiers sending larger packets to the victim.

Potential amplifiers can be identified using peer discovery techniques such as DHT, Peer Exchange (PEX) and trackers. These techniques allow attackers to collect millions of amplifiers, experts said.

This type of DRDoS attack has three main advantages: the attacker can hide his identity, a distributed attack can be initiated from a single computer, and the attack’s impact is increased by the amplifiers.

“The impact of a DRDoS attack is proportional to the adoption of the protocol that it is exploiting, as wide adoption makes it easier to find and scale-out the amplifier population,” the researchers wrote in a paper.

Experiments conducted by the researchers revealed that attackers can obtain an amplification factor of up to 50 in the case of BitTorrent clients and an amplification factor of up to 120 in the case of BTSync.

According to experts, the most vulnerable BitTorrent clients are the most popular ones; namely uTorrent, Mainline and Vuze.

Advertisement. Scroll to continue reading.

Attacks that abuse DNS and NTP for reflection can be the easily blocked using a stateful packet inspection (SPI) firewall because DNS and NTP use known ports. However, attacks leveraging BitTorrent protocols can only be mitigated using deep packet inspection (DPI) firewalls that can detect certain strings in the handshake. Attacks that exploit MSE cannot be blocked even with DPI because the handshake is completely random, researchers noted.

“We think a working countermeasure must follow two parallel ways: global ISP coordination to prevent IP spoofing and protocol defense mechanism to avoid protocol exploitation,” experts said in their paper.

DRDoS attacks can be very damaging. In February 2014, content delivery network (CDN) CloudFlare reported that one of its customers was targeted in an NTP-based attack that peaked at 400Gbps.

UPDATE. BitTorrent has provided the following statement:

“First, it’s important to understand that this is a theoretical scenario and that such an attack has not been observed in the wild. Florian Adamsky and his co-authors conducted an experiment in a controlled environment producing the results presented in the paper.

Attacks like this will always be possible due to the way UDP-based protocols work. Abuse of DNS is commonly known. And even as recent as February of 2014, public Network Time Protocol (NTP) servers across the world were leveraged to carry out such an attack. Nonetheless we’ve taken the vulnerability reports seriously and have taken steps to harden our protocols and mitigate some weaknesses outlined in the research paper.

To their credit, Florian and the co-authors reported their findings to us responsibly some weeks back. The team at BitTorrent has already been able to address much of the issue prior to the paper’s publication and will soon have mitigated the matter completely.

An important point regarding Sync: even before the recent updates to Sync, the severity of the vulnerability was reduced by a few factors. First, the attacker would have to know the Sync user they are trying to exploit to get their “Secret” – or the Sync user would have to have exposed that “Secret” publicly in some way. In addition, Sync, by design, limits the amount of peers in a share making the attack surface much smaller. It would not serve as an effective source to mount large scale attacks.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.