Concepcion 1

8/14/2019 Concepcion 1

1/19

Concepcion 1

The Evolution and Security of BitTorrent

Justin Fogel-Concepcion12/15/2008

2009-11-15


2/19

Concepcion 2

Table of Contents

BitTorrent ......................................................................................... Error! Bookmark not defined. Table of Contents ........................................................................................................................... 2Abstract ............................................................................................. Error! Bookmark not defined. Outline .............................................................................................. Error! Bookmark not defined. Evolution of P2P ............................................................................... Error! Bookmark not defined. BitTorrents Design ......................................................................................................................... 6Popularity and Consequences ....................................................................................................... 8 Security Risks ................................................................................................................................ 10 Conclusion .................................................................................................................................... 1 4 Acronyms and Abbreviations ......................................................................................................... 3Definitions .................................................................................................................................... 15Reference .......................................................................................... Error! Bookmark not defined.


3/19

Concepcion 3

Abstract

Over the years BitTorrent has grown from a fledging new technology to one of the

largest Peer 2 Peer networks on the internet. Its increase in popularity has brought it under the

scrutiny of the public eye and under the close observation of the internets shadier crowd. This

paper aims to understand what prompted the creation of the BitTorrent protocol and why it

differs from its Peer 2 Peer predecessors. It will also take a close look at possible security

vulnerabilities in the protocol and their respective solutions.

Outline

This paper will begin with an introduction to P2P networks and BitTorrents relationship

to them. This P2P primer will entail the predecessors of BT and why they no longer hold such

prominence over the P2P field. This will lead to the fundamental design shift that will create

BitTorrent. The paper will then explain the basics of BitTorrent and how it actually works. This

section will then lead to a quick discussion about BitTorrents rising popularity and the

unfortunate consequences that popularity has. Following that will be the security implications

of BitTorrent and specific attacks that can be done via the BT protocol and their respective

solutions.


4/19


5/19

Concepcion 5

decentralized it by changing it slightly. Instead of contacting Kazaa you contact a supernode

which is basically an individual with higher bandwidth capabilities [20]. This now focuses all the

pressure towards the users instead of a single server. These are the two differing approaches

to the old style of P2P networking.

So what was the problem with these old styles of networking? First lets do a little

math. As of the time of writing I am on a 20mbs/5mbs fiber optic line. I download

approximately 2.2megs a second and can upload approximately 500kb a second. An average

song is about 4 megabytes. So that would take me eight seconds to upload to someone. Not a

lot of time obviously. Now lets say a DVD rip of a new movie averages about 700 megabytes,

which is 1400 seconds or approximately 23 minutes. That still is not that bad, so obviously the

question you are asking me is why are you mentioning this? My internet connection is in the

upper tier of ISPs available in the world and as such your average user will come nowhere close

to the above numbers. Now imagine someone with of my upload speeds, the same file

would take them 5600 seconds or 93 minutes. Even that is still in the higher tiers of services.

As file sizes begin to grow our potential as an uploader is directly proportional to our

internet capabilities. Fiber optics is still a fledging technology in the states and most people still

dont even have broadband. So how can P2P survive if the people can no longer upload in a

feasible time? The answer lies in the mixture of Napster and Kazaa.


6/19

Concepcion 6

BitTorrents Design

In Figure 1 and Figure 2 there are two distinct themes being displayed, the centralized

and decentralized. However if you look at the two as a whole you will still see that they share

one centralized theme, one singular connection to a peer. So how can the two differing themes

be combined? The answer is that the individual will search torrent websites that will contain a

.torrent file. This file contains information about the tracker and will help point you towards

the tracker. The tracker will send you a list of peers and then you will begin to receive pieces of

the file, better known as blocks. Once you complete one block you are now sharing that one

block and so on [21]. A cascade effect emerges wherein the moment you successfully complete

downloading a block from someone, you now share that block. Of course some individuals will

choose not to share, but if no one shares then there would be no P2P network.

Figure 3 How BitTorrent works [21]

By minimalizing the amount of stress each individual takes and dividing up the tasks, the

speeds at which you can download increase. A 700 megabyte file would be broken down into


7/19

Concepcion 7

approximately 2734 pieces. Each piece would be approximately 256kb, and each piece would

be broken down into sixteen blocks [4].

Figure 4 How Pieces Work [22]

This approach creates a large network of information constantly being accessed by many peers

and seeders; this network is called the swarm [11].

Unfortunately there is one major drawback to the decentralized theme of trackers and

swarms. Being that there are so many trackers such as thepiratebay and mininova you cannot

search an overall listing [1]. There have been services that attempt to do this such as

youtorrent.com, however as I can attest it doesnt always work. The user in the end will make a

tradeoff of overall listings for a more robust and quicker system.


8/19


9/19

Concepcion 9

Besides the legal pressure that is present in the BitTorrent field, there is also the

looming threat of security issues. The following is from a bug found in August of 2008 that has

been fixed now:

Secunia has issued two advisories, SA31441 and SA31445, regarding a highly critical vulnerability

that affects uTorrent versions 1.6, 1.7.x up to 1.8 RC6, as well as the BitTorrent mainline client

6.0 up to 6.0.3. Secunia rated this vulnerability as "Highly Critical" because it can allow an

attacker to perform Denial of Service (DoS) attacks and remotely execute malicious code on the

exploited system. The uTorrent users are urged to upgrade to the new uTorrent 1.8 Stable, but

there is still no solution for people using the BitTorrent mainline client. [9]

BitTorrent has inherent security checks because of a constant hash check that happens at the

successful downloading of a piece [7]. However when the issue stretches out towards actual

attacks towards a user it escalates to a different level. In May of 2007 Opera v9.20 was

vulnerable to an attack that caused the computer to use 100% of its system resources

effectively locking up the computer. The attack was triggered by a malformed .torrent file that

is downloaded through Operas built in torrent functionality [10].

As any product gets popular more people will take notice and try to find flaws. The

flaws that were found were inherent to two specific products related to BitTorrent. However in

the next section I will address three specific attacks that are delegated to BitTorrent as a whole.


10/19

Concepcion 10

Security Risks

BitTorrent swarms are susceptible to a number of different attacks. Two of the ones

that I will discuss are called the Fake-Block attack and the Uncooperative-Peer Attack [4]. The

fundamentals of which are also described in different means in the [7]. The third and final

attack I will discuss is a DDoS vulnerability attack described by [5], and again mentioned in [7].

Fake-Block Attack

As mentioned previously in BitTorrent each file is divided into pieces, where each piece

is usually 256kb (depending on the overall size of the file). Each piece is further divided into

blocks, typically 16 blocks in a piece. When downloading a piece, a client requests different

blocks for the piece from different peers [4].

A non-malicious attack in nature the fake-block attack seeks to prolong your download

times. The attacker joins the swarm sharing the file by registering with the tracker. Then it

begins to advertise it has a number of pieces from the file. The victim receives the message and

requests the attacker to send its blocks. The attacker instead of sending an authentic block will

send a fake one. After the victim finishes downloading the block and the entire piece, a hash

check is performed across the entire piece. The hash check will of course fail because of fake

blocks and the user will then have to re-download the entire piece again. The victim just

wasted 256kb of bandwidth, which in itself is not a lot but it is the bigger picture we must look

at.

The above is referring to only one individual attacker. Lets experiment for a moment

and imagine there are 100 attackers in the swarm, which is just more practical in terms of


11/19

Concepcion 11

seeders. Lets say the victims torrent has 10000 pieces. That is 2560000 kilobytes, 2560

megabytes, or 2.56 gigabytes. The victim is connecting to all the attackers and getting the fake

blocks. Instead of downloading a small percentage of fake blocks, because of the number of

seeders the victim is accumulating a much larger number of fake blocks. For practical sake let

us say that 50% of the file pieces turned out to be fake, that just wasted 1.28 gigabytes, almost

a fourth of some 40 GB monthly limits [12]. As the amount of attackers increase the amount of

time and bandwidth increase.

A possible solution to the Fake-Block attack is giving the user an option in their BT client

to ban certain seeders. If the client fails a hash check, the client searches for the IPs related to

the blocks that failed the test and eliminates them from the individuals swarm. Of course the

downside is sometimes there are legitimate reasons you may fail a hash check or get a bad

piece. Temporary internet failure or inconsistent downloading can cause a corruption of a

block and that would cause the whole piece to fail its hash check. However the removal from

seeder list is the only solution to the fake-block attack.

Uncooperative-Peer Attack

In an uncooperative-peer attack, the attacker joins the swarm and establishes TCP

connections with victim peers. After the connection is made it never provides any blocks to the

peers. A common version of this attack is called the chatty peer attack [4]. The attacker

engages in a handshake message, which is the first connection that is established between two

peers. Afterwards the attacker advertises it has a number of pieces available from the file.

When the victim queries the attacker for a block they do not receive anything. The attacker


12/19


13/19

Concepcion 13

It is possible altering the information you send back to the tracker it is possible to

redirect huge amounts of traffic to a victim peer. The following steps were taken by [5] to

enact the DDoS experiment:

1.We download 1191 recently uploaded torrent files from http://www.mininova.org, which is a

Website dedicated to share torrent files among users. A summary of the torrents and trackers

used are listed in Table 1.

2. The original python BT client program is modified to parse the torrent files and send

forged announcement message to the corresponding trackers indicated in each torrent file.

3. Upon the trackers receive requests for a list of participating peers from other clients, it will

send them the victims IP address and port number.

4. Other peers in the BT network will then attempt to connect to the victim machine and

request for pieces of files.

The victim machine that was used was an Apache web server configured to serve 400 clients

simultaneously. When they performed a large scale attack the victim maintained an average of

500 concurrent users over the eight hour attack period.

Figure 5 Sias Results for the large scale attack


14/19

Concepcion 14

At the time of the attack the web server began to give heavy delays and timeout on the

connections.

To put the scale of the attack in perspective, there were 30,513 distinct IPs that

attempted to connect to the victim [5]. It was observed that most clients tried approximately

three times before they gave up. However two IPs in question (one from Singapore and the

other from the United States) tried to connect over 8000 times.

The solution to such an attack is a difficult one. One possible solution is a more robust

implementation of tracker protocol that forces an authentication between the user and the

source address. In [5], Sia discusses a more in depth solution that involves packet filtering and

full TCP connections. The full TCP connection is what can cripple a server. He discusses a

method to limit the connection and safeguard against flooding.

Conclusion

Throughout the course of this paper it became evident that BitTorrent is the successor

of P2P programs of the past, it still has flaws of its own. We looked at critical flaws in the

uTorrent BitTorrent client and in the BT functionality in the Opera web browser. We examined

three attacks against BT users: the fake-block attack, the uncooperative-peer attack, and a

DDoS attack. Fortunately there were actual and possible solutions present to the

vulnerabilities that we discussed, whether it be old versions of software, traffic filtering, or

robust tracker authentication. The possibilities are there to help address security flaws in the

BitTorrent protocol.


15/19

Concepcion 15

Reference for Paper

Acronyms

- ISP: Internet Service Provider

- TCP/IP: Transmission Control Protocol and Internet Protocol

- P2P: Peer 2 Peer

- MB: Megabyte

- KB:Kilobyte

- BT: BitTorrent

- MPAA: Motion Picture Association of America

- WoW: World of Warcraft

- DDoS: Distributed Denial of Service

Definitions

Availability: The number of existing full copies of the file available to the client fordownloading. The higher this number is, the potentially easier and quicker it can be todownload the complete file (not accounting for other factors). If this number is less than one(for example, 0.65) then there is not a full copy of the file available to download.

Block: A block is a piece of a file. When a file is distributed via BitTorrent, it is broken intosmaller pieces, or blocks. Typically the block is 250kb in size, but it can vary with the size of thefile being distributed. Breaking the file into pieces allows it to be distributed as efficiently aspossible. Users get their files faster using less bandwidth.

Client: the BitTorrent software used to download and upload files. The BitTorrent client can bedownloaded here.

Handshake: the first connection between two peers

Leech or leecher: usually refers to a peer that is downloading while uploading very little, ornothing at all. Sometimes this is unintentional and due to firewall issues. The term leech is alsosometimes used to simply refer to a peer that is not seeding yet.

Peer: one of a group of clients downloading the same file.


16/19

Concepcion 16

Re-seed: Re-seeding is the act of putting up a new complete copy of a file after no more seedsare available to download from. This is done to allow clients with only partial downloads tocomplete the download process and increases availability.

Scrape: This is when a client sends a request to the tracker for information about the statisticsof the torrent, like who to share the file with and how well those other users are sharing.

Seed: a complete copy of the file being made available for download.

Supernode: are powerful computers with fast network connections, high bandwidth and quickprocessing capabilities.

Swarm: a group of seeds and peers sharing the same torrent.

Torrent: generally, the instance of a file or group of files being distributed via BitTorrent.

Torrent file: a file which describes what file or files are being distributed, where to find parts,and other info needed for the distribution of the file.

Tracker: a server that keeps track of the peers and seeds in a swarm. A tracker does not have acopy of the file itself, but it helps manage the file transfer process.


17/19

Concepcion 17

Works Cited

[1] P. Gilman and B. Reed. "Analysis of Internet File Sharing Programs Oregon State University.

07 June 2006. .

[2] C. Valli and A. Woodward. Network Security Proc. 5 th Australian Info. Security

Management, Dec. 2007, pp.92,

.

[3] M. Engle and J. Khan. Vulnerabilities of P2P Systems and a Critical Look at

their Solutions Kent State University. 01 Nov. 2006

< http://www.medianet.kent.edu/techreports/TR2006-11-01-p2pvuln-EK.pdf >

[4] P. Dhungel, D. Wu, B. Schonhorst, and K. Ross. A Measurement Study of Attacks on

BitTorrent Leechers Polytechnic University.

[5] K. Sia. DDoS Vulnerability Analysis of Bittorrent Protocol University of California, Los

Angeles. Site Down, the PDF was

saved and is attached at website

[6] K. Defraway, M. Gjoka, A. Markopoulou. BotTorrent: Misusing BitTorrent to Launch DDoS

Attacks Usenix.

< http://www.usenix.org/event/sruti07/tech/full_papers/eldefrawy/eldefrawy.pdf>


18/19

Concepcion 18

[7] N. Liogkas, R. Nelson, E. Kohler and L. Zhang. Exploiting BitTorrent For Fun (But Not Profit)

University of California, Los Angeles. < http://www.iptps.org/papers-2006/Liogkas-

BitTorrent06.pdf>

[8] P. Dhungal, X. Hei, D. Wu and K. Ross The Seed Attack: Can BitTorrent be Nipped in the

Bud? Polytechnic University

[9] M. Engle and J. Khan. Highly Critical Bug in uTorrent and BitTorrent Clients Discovered

Softpedia. 13 Aug. 2008

< http://news.softpedia.com/news/Highly-Critical-Bug-in-uTorrent-and-BitTorrent-

Clients-Discovered-91818.shtml>

[10] Unknown BitTorrent Exploit Vulnerability Discovered in Latest Opera TorrentFreak

03 May. 2007

< http://torrentfreak.com/bittorrent-exploit-vulnerability-discovered-in-latest-opera/>

[11] Unknown FAQ BitTorrent Concepts BitTorrent

< http://www.bittorrent.com/btusers/help/faq/bittorrent-concepts#4n9 >

[12] S. Kelly BitTorrent battles over bandwith BBC NEWS. 13 Apr. 2006

< http://news.bbc.co.uk/2/hi/programmes/click_online/4905660.stm >

[13] B. Jones Will uTorrent Really Kill the Internet? TorrentFreak. 02 Dec. 2008

< http://torrentfreak.com/will-utorrent-really-kill-the-internet-081201/ >

[14] Ernesto. The Pirate Bay Sees Traffic and Peers Surge TorrentFreak. 15 Nov. 2008

< http://torrentfreak.com/the-pirate-bay-sees-traffic-and-peers-surge-081115/>


19/19

Documents

Concepcion 1