
BitTorrent DHT can be used for DDoS

At the 27th Chaos Communication Congress (CCC), the topic of DDoS attacks via DHT was discussed (“Lying To The Neighbors” presentation, PDF).

It was already known how to use BitTorrent for DDoS: register the victim's IP address as a tracker, and it receives many requests. The problem is that this method needs a popular torrent.

A new method of exploiting DHT makes it possible to use an existing network of peers. In short, the algorithm is as follows: the attacker has to become a popular peer on the network in order to receive many find_node requests from neighboring peers.

Every day, millions of people download torrents, and in some cases more than 100,000 users download the same file. Such clusters of users quite naturally attract the attention of intruders who are looking for a way to turn the crowd to their advantage.

The DHT protocol lets a client discover new peers that are downloading the same file without contacting the tracker. This makes it possible to continue downloading even if the tracker goes down and the original torrent is deleted.

In his presentation at CCC, a hacker under the nickname Astro explains how the Kademlia protocol for DHT works and why it is possible to deceive neighboring peers with fake nodes (NodeID). In a comment for TorrentFreak, he explained that “address hashing and verification schemes are good for the old Internet, but it becomes almost useless in a large IPv6 address space.” As a result, fake “nodes” can be slipped into the peer network, and users will take part in a DDoS attack without noticing it themselves.

Of course, practical use of this method can easily be prevented, for example by prohibiting connections to ports below 1024, where most critical services are located.
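The port restriction described above can be applied on the client side when a find_node response is processed. The following is an added example, not code from the presentation or from any BitTorrent client: it parses the compact node list (26 bytes per entry in BEP 5) and drops contacts on ports below 1024. The cap of one NodeID per ip:port goes beyond the article and is an assumption, as are all names and the constructed sample.

```python
import ipaddress
import struct
from collections import Counter

ENTRY_LEN = 26   # BEP 5 compact node info: 20-byte NodeID + 4-byte IPv4 + 2-byte port
MIN_PORT = 1024  # the article's mitigation: never contact ports below 1024
MAX_IDS_PER_ENDPOINT = 1  # assumption (not from the article): one NodeID per ip:port


def parse_compact_nodes(blob):
    """Split a find_node "nodes" value into (node_id, ip, port) tuples."""
    if len(blob) % ENTRY_LEN:
        raise ValueError("compact node list is not a multiple of 26 bytes")
    return [
        (nid, ipaddress.IPv4Address(ip), port)
        for nid, ip, port in struct.iter_unpack("!20s4sH", blob)
    ]


def filter_nodes(blob):
    """Return (accepted, rejected); rejected entries carry the reason."""
    accepted, rejected, seen = [], [], Counter()
    for nid, ip, port in parse_compact_nodes(blob):
        if port < MIN_PORT:
            rejected.append((ip, port, "privileged port"))
            continue
        seen[(ip, port)] += 1
        if seen[(ip, port)] > MAX_IDS_PER_ENDPOINT:
            rejected.append((ip, port, "endpoint already listed under another NodeID"))
            continue
        accepted.append((nid, ip, port))
    return accepted, rejected


def _entry(id_byte, ip, port):
    """Build one constructed 26-byte entry for the sample below."""
    return bytes([id_byte]) * 20 + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


# Constructed sample (documentation address ranges, not real peers).
SAMPLE = (
    _entry(0x11, "192.0.2.10", 6881)
    + _entry(0x22, "198.51.100.7", 80)     # port below 1024: dropped
    + _entry(0x33, "203.0.113.5", 51413)
    + _entry(0x44, "203.0.113.5", 51413)   # same endpoint, second NodeID: dropped
)

if __name__ == "__main__":
    ok, bad = filter_nodes(SAMPLE)
    for ip, port, why in bad:
        print(f"rejected {ip}:{port} ({why})")
    print("accepted:", [(str(ip), port) for _, ip, port in ok])
```
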

Source: https://habr.com/ru/post/111001/

