
P2P Networks Supplement Botnets

samzenpus posted more than 7 years ago | from the share-you-bot dept.

The Internet 74

stuckinarut writes "Peer to peer file sharing network popularity is at an all time high, with hundreds of thousands of computers connected to a single P2P network at a given time. These networks are increasingly being used to trick PCs into attacking other machines, experts say. In fact, some reports indicate that peer-to-peer may actually exceed web traffic. Computer scientists have previously shown how P2P networks can be subverted so that several connected PCs gang up to attack a single machine, flooding it with enough traffic to make it crash. This can work even if the target is not part of the P2P network itself. Now, security experts are warning that P2P networks are increasingly being used to do just this. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack," says Darren Rennick of internet security company Prolexic in an advisory released recently. "We now see them constantly being subverted.""


74 comments


It would be interesting... (4, Interesting)

Tuxedo Jack (648130) | more than 7 years ago | (#19330925)

Think about it. Make a false request for a file - and then do TONS of requests for it from hundreds and thousands of other people. It's a classic DDoS attack.

However, this will rule out a lot of corporate machines from being used as bots in this fashion; most decent sysadmins filter P2P traffic.

Re:It would be interesting... (1, Offtopic)

Captain Splendid (673276) | more than 7 years ago | (#19330961)

Yeah, I'm not sure how any of this is news. I mean, we're all well versed already:
1. Find p2p users, because they're more likely to run unpatched and vulnerable
2. Zombify said PC
3. Profit!
So what's new about this?

Re:It would be interesting... (4, Insightful)

Bill Wong (583178) | more than 7 years ago | (#19331043)

From what I understand, this sounds like a new DDoS technique.
Spoof some packets and forward them to a torrent tracker saying that so-and-so IP address is a seed for popular torrents.
Watch as requests for that file flood the target. Repeat as necessary (actually, probably will need to repeat a whole lot).

Re:It would be interesting... (1)

complete loony (663508) | more than 7 years ago | (#19331409)

And depending on the P2P protocol, if you point a standard client at a web server, the p2p client handshake could tie up a socket until the HTTP server times it out.

What seems to be needed is for the popular client implementations to refuse to connect to peers that have a standard protocol port number, e.g. SMTP, HTTP, FTP, HTTPS.

That doesn't sound THAT bad. (4, Informative)

khasim (1285) | more than 7 years ago | (#19331515)

From TFA:

"In all file-sharing systems, you need a database to locate where these files are," Ross says. "The trick is to poison the database, to put bogus entries in that say that a very popular file is located at some target address that you want to attack."

Thousands of computers will then start contacting the target computer requesting, for example, the latest Britney Spears song or episodes of The Office.

Actually, that won't happen.

Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.

In order to get "thousands of computers" to attack the target, you'd have to claim that the content was something that "thousands" of people wanted ... RIGHT THEN!

Otherwise your "attack" will be limited to how many people are trying to download the content at any one time that have not timed out.

They created modified versions of BitTorrent files, and their own "tracker" a computer, which stores the databases that peers use to find one another on the network. Then, using 25 bogus files, they were able to trick more than 50,000 computers into cooperating within a few hours.

It's not how many TOTAL computers over a TOTAL time period.

If each of those 50,000 computers timed out and gave up in 60 seconds (a very reasonable time frame), then you're only looking at 278 (rounded up) "attacks" a minute.

Between 4 and 5 "attacks" a second.

It doesn't sound like much when you do the math, does it?

Re:That doesn't sound THAT bad. (5, Funny)

rtb61 (674572) | more than 7 years ago | (#19332005)

Dang, now why would you go and take apart a good old "P2P is evil and must be banned" story, just think of that wasted RIAA money going down the drain on a failed corporate viral marketing meme ;).

Re:That doesn't sound THAT bad. (1)

pnutjam (523990) | more than 6 years ago | (#19342589)

If they are poisoning the database, why would they only poison one entry?

Re:That doesn't sound THAT bad. (1)

SpaceLifeForm (228190) | more than 7 years ago | (#19332477)

Just another FUD attack by the darkside so they can attempt to legislate stupid laws to take control of the Internet.

Re:That doesn't sound THAT bad. (1)

DavidSev (1108917) | more than 7 years ago | (#19333379)

Could it be that this is just another attempt at killing p2p? Using trackers as lists of IPs that probably won't be patched sounds like a much better plan.

Re:That doesn't sound THAT bad. (1)

Simon (S2) (600188) | more than 6 years ago | (#19334383)

If each of those 50,000 computers timed out and gave up in 60 seconds (a very reasonable time frame), then you're only looking at 278 (rounded up) "attacks" a minute.

Between 4 and 5 "attacks" a second.


How did you calculate that? If a new episode of The Office comes out, and say 10000 users want to download it in the first 10 minutes, that would be 10000 / 600 = 16.6 connections/second. That's a fair bit.

Re:That doesn't sound THAT bad. (1)

DrYak (748999) | more than 6 years ago | (#19335037)

Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.
In order to get "thousands of computers" to attack the target, you'd have to claim that the content was something that "thousands" of people wanted ... RIGHT THEN!


This is easy. Just put PR0N or NAKED, or LESBIAN, or HOT ACTION, or a combination thereof in the title of your fake file, put it on ThePirateBay and the download will be started by millions in the following couple of seconds.

On a more serious side note:
The fake torrent technique has a problem: everything is centred around the fake tracker.
Also, the unwilling DDoSers aren't throwing pings or random garbage data at the target, they are sending requests for file downloads.

As said in the article, one solution is to filter traffic by type:
- a web server isn't supposed to receive requests for BitTorrent.

Another more subtle solution is to every now and then not just throw away the packet, but keep it for analysis. Then look inside to see WHICH file/torrent was being requested.
Once you know the file, you may more easily find the fake torrent and the fake tracker.
You can ask ThePirateBay (or whatever site referenced the torrent) to please remove it because of the DDoS attack,
and you can also ask the fake tracker's ISP to cut access to the tracker.
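The "keep a few packets and look at which torrent they ask for" idea above is straightforward to automate on the receiving (web server) side. The following is an added example, not code from the thread or from any P2P project: it classifies the first bytes of each accepted connection as HTTP, a BitTorrent peer handshake, or other, pulls the 20-byte info_hash out of the handshake (standard layout: pstrlen, "BitTorrent protocol", 8 reserved bytes, info_hash, peer_id), and counts how many distinct sources asked for each torrent. The sample connections, addresses and hashes are constructed for the demonstration.

```python
"""Spot BitTorrent handshakes arriving at a web server and group them by
the torrent (info_hash) they request.  Added example; the connection
samples below are constructed, not captured traffic."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

BT_PSTR = b"BitTorrent protocol"
BT_HEADER = bytes([len(BT_PSTR)]) + BT_PSTR      # 0x13 followed by the 19-byte name
BT_HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20           # pstrlen, pstr, reserved, info_hash, peer_id
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def bt_info_hash(data: bytes) -> Optional[bytes]:
    """Return the 20-byte info_hash if `data` starts with a complete
    BitTorrent handshake, otherwise None."""
    if len(data) < BT_HANDSHAKE_LEN or not data.startswith(BT_HEADER):
        return None
    return data[28:48]        # 1 + 19 + 8 = 28 bytes precede the info_hash


def classify(data: bytes) -> str:
    """Coarse protocol label for the first bytes of a connection."""
    if bt_info_hash(data) is not None:
        return "bittorrent"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "other"


def summarize(connections: Iterable[Tuple[str, bytes]]):
    """connections: (source_ip, first_bytes) pairs.  Returns the count per
    protocol class and, per info_hash (hex), the number of distinct sources."""
    by_class: Counter = Counter()
    sources: Dict[str, Set[str]] = {}
    for src, data in connections:
        kind = classify(data)
        by_class[kind] += 1
        if kind == "bittorrent":
            h = bt_info_hash(data).hex()
            sources.setdefault(h, set()).add(src)
    per_hash = Counter({h: len(s) for h, s in sources.items()})
    return by_class, per_hash


def _handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    # Constructed test payload in the standard handshake layout.
    return BT_HEADER + b"\x00" * 8 + info_hash + peer_id


# Constructed sample: one normal HTTP request, three handshakes for one
# torrent (two peers, one of them retrying), one handshake for another
# torrent, and the start of a TLS ClientHello.  Addresses are documentation
# ranges, hashes are made up.
POISONED = bytes.fromhex("aa" * 20)
LEGIT = bytes.fromhex("bb" * 20)
SAMPLE_CONNECTIONS: List[Tuple[str, bytes]] = [
    ("198.51.100.10", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("203.0.113.5", _handshake(POISONED, b"-UT1700-" + b"x" * 12)),
    ("203.0.113.6", _handshake(POISONED, b"-UT1700-" + b"y" * 12)),
    ("203.0.113.6", _handshake(POISONED, b"-UT1700-" + b"y" * 12)),
    ("203.0.113.7", _handshake(LEGIT, b"-AZ2500-" + b"z" * 12)),
    ("192.0.2.9", b"\x16\x03\x01\x00\xa5"),
]


def report(connections=SAMPLE_CONNECTIONS):
    """Return (count per class, peers per info_hash, most-requested torrent)."""
    by_class, per_hash = summarize(connections)
    top = per_hash.most_common(1)[0] if per_hash else None
    return by_class, per_hash, top


if __name__ == "__main__":
    by_class, per_hash, top = report()
    print(dict(by_class))
    for h, n in per_hash.most_common():
        print(f"info_hash {h}: {n} distinct peers")
    if top:
        print("most-requested torrent:", top[0], "from", top[1], "peers")
```

The info_hash is what you would search for on the index site to find the poisoned torrent and its tracker; counting distinct sources rather than raw connections keeps a single retrying client from dominating the ranking.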

Re:That doesn't sound THAT bad. (0)

Anonymous Coward | more than 6 years ago | (#19337605)

Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.
That depends on the network. Bittorrent isn't everything. A lot of badly designed networks/clients would happily (try to) connect to any computer on the internet if a neighboring node instructs them to do so. (or at least used to do so)

Re:That doesn't sound THAT bad. (1)

HeroreV (869368) | more than 6 years ago | (#19338469)

Computers do not AUTOMATICALLY hit the "target computer". A person has to CHOOSE to download whatever the content is supposed to be.
If a user has already chosen to download something, their client may try to connect to anybody who has it.

1) find a popular torrent
2) tell tracker a certain IP address has the entire file, lots of upload slots, and huge upload bandwidth
3) tens of thousands of bittorrent clients try to connect to the IP address
4) successful DDoS

Re:It would be interesting... (1)

xouumalperxe (815707) | more than 7 years ago | (#19331069)

What the fine article means, however, is that zombifying is an entirely extraneous step. You can just find a p2p server and subvert all its clients to attack a webserver (strategically directing all traffic to port 80).

Re:It would be interesting... (3, Insightful)

necro2607 (771790) | more than 7 years ago | (#19331211)

What's new about it: The victims don't have to be P2P users at all (in fact, their PC could just be sitting there at the log in screen, not even in use).

We're talking about subverting P2P protocols in such a manner that completely legit P2P client software all over the net will be making regular requests to a certain target machine, because as far as the client software knows, that's where the requested file (SHREK_3_SCREENER_DVDRIP.AVI etc.) is supposedly located.

Re:It would be interesting... (1)

shmlco (594907) | more than 7 years ago | (#19331285)

So true. Back when I used a PC I'd occasionally run torrent and suddenly see firewall attacks peak like no one's business. Port probes, UDP probes, service attacks. Yuck.

It wouldn't surprise me at all to find many of the largest "information wants to be free" torrent sites being run by black hats in order to gather IP addresses and routing information for attacks.

Re:It would be interesting... (1)

timmarhy (659436) | more than 7 years ago | (#19331055)

This does not work very well for the simple reason that once people realise they aren't getting a useful download from the torrent they are connected to, they cancel it and there goes your bandwidth. The net effect of this is you don't get ANY seeds, people avoid your torrent and you don't get much upstream bandwidth.

Re:It would be interesting... (1)

necro2607 (771790) | more than 7 years ago | (#19331325)

They won't cancel it if it's a totally valid torrent that they are getting 30kb/sec on, because that's what it will look like to all the users. Big deal - they are still downloading just fine, why would they cancel? See, the "target victim" IP will simply be another "seed" in the torrent (or perhaps another peer with, you know, 99% of the torrent or whatever). If it's an insanely popular torrent, it's going to get a TON of requests. Of course, my theoretical situation here might not actually even be technically possible with BitTorrent due to security features inherent in the protocol...

Re:It would be interesting... (1)

jamstar7 (694492) | more than 7 years ago | (#19332749)

OK, so what exactly would this site be sending at 30k/sec? And exactly how do you sucker a target to send this data out when there's no P2P client installed on it? I'm having a seriously hard time believing this.

Re:It would be interesting... (1)

Simon (S2) (600188) | more than 7 years ago | (#19334245)

OK, so what exactly would this site be sending at 30k/sec?

Nothing. Another seed/peer is sending data at 30k/sec.

And exactly how do you sucker a target to send this data out when there's no P2P client installed on it?

You don't. You just send the requests to the target.

Re:It would be interesting... (1)

deroby (568773) | more than 6 years ago | (#19334343)

I think that what he means is that "in the total picture of your Torrent session" you get ca 30kbps because you are connected to, let's say, 150 peers in total. Of those 150 peers, 149 are 'real' and some of them are uploading data to you. However, number 150 is actually not a real peer but an 'innocent' web server somewhere whose IP address has been 'tricked' into the Tracker list. All your peers will (regularly?) try to connect with that address and the idea is that this will 'overwhelm' the web server.

Now, to be honest, unless everybody suddenly starts using 'hacked' clients that try to connect 10 times a second, I don't think the web server will really notice. IMHO it's not the concept of P2P that's "the danger" here, but (as usual) the implementation in the client.

Out of curiosity I did a little test : I'm not really a .torrent user because my router tends to go down when I try to download large files via torrent (eg. ubuntu releases), so I prefer eMule if I need something really large (luckily doesn't happen too often so please forgive my ignorance on the subject). As suggested above I did a Kad search for "Shrek". Surprisingly an entry [shrek.mpg] (70Mb) came up with 15k sources! I've never ever seen this before, in the past!? Everything above 500 I considered 'wide-spread' =) Anyway, when I tried to download it, it went from 250 to 1 source and stayed there. Very strange. Maybe this poisoning stuff is more active than I presumed !?! Sifting through the other search results, the "best" I got was ca 650 sources. Assuming all these clients 'talk' to each other and (using source-exchange) pass around the IP of the 'victim web server', that still only gives me ca 650 probes every 25 minutes (= standard interval eMule uses to re-ask a source IIRC). If anything connected to the web goes down because 'in the worst-case scenario' 650 machines try to connect to it all at once and to that again every 25 minutes, well, it's worth going down imho.

PS: Actually I even wonder if eMule will re-ask when there is no proper reply; in fact, I wouldn't be too surprised if it simply strips the IP from the list.
PS: the file I picked to download didn't take long to get some 'red' comments and what do you know, another incarnation of the Paris Hilton video =) Of all the filenames linked to this hash, hardly 50% indicated that it was Paris Hilton related, all the rest were games / recent movies / software packages / etc ... I always wonder why people do this...

Re:It would be interesting... (1)

necro2607 (771790) | more than 7 years ago | (#19331191)

Most decent sysadmins filter P2P traffic? Sure, I guess, if these attacks use default ports and so on. However, I can pretty much guarantee that these DDoS methods will just use whatever random port, or in fact only use default ports when you specifically choose as such.

Actually analyzing every packet and trying to recognize the protocol used is excessively CPU intensive (for the firewall), and requires pretty powerful machines if you're expecting to catch every "P2P" protocol on the network.

Re:It would be interesting... (0)

Anonymous Coward | more than 7 years ago | (#19331577)

So use an application proxy, with a good IDS. Most, including SNORT, will detect P2P traffic.

Re:It would be interesting... (0)

necro2607 (771790) | more than 7 years ago | (#19332219)

I can't see many, if any, companies running SNORT or similar "intrusion detection" software on every single workstation throughout their company...

Re:It would be interesting... (1)

jamstar7 (694492) | more than 7 years ago | (#19332795)

I can't see many, if any, companies running SNORT or similar "intrusion detection" software on every single workstation throughout their company...

Shouldn't have to do more than run SNORT and some packet analysis software on the gateway machine. We're assuming of course that all the workstations are properly NATed behind a gateway. Once you find out which machine's taken over, you can do what you need to do on it. No big deal.

Re:It would be interesting... (3, Interesting)

Pedrito (94783) | more than 7 years ago | (#19331371)

most decent sysadmins filter P2P traffic.

You should read the advisory. Apparently firewalls aren't generally enough to prevent an attack. I suspect I've actually been the victim of some of these attacks, though I have no idea why and it's possible that it's something else, but I've had "attacks" that appear to be related to the ED2K (eMule/eDonkey) network where I just get flooded with incoming ED2K packets and it quickly hoses my DSL modem, which obviously isn't designed to handle a DDOS attack. My iptables firewall seems to survive longer than the DSL modem. Fortunately, switching off the modem for a few seconds and firing it back up gives me a new address (one of the benefits of dynamic addresses).

I don't know why I'd be attacked. It's possible people are just testing out their botnets or something, but it's happened several times over the past few months. Since it's fairly simple for me to fix the problem (restarting the modem) and it's only happened a few times, I haven't really bothered to dig too deep into it.

Re:It would be interesting... (1)

SuperNinjaMonkey (966376) | more than 7 years ago | (#19353985)

I think the OP meant that most sysadmins block P2P, so those computers (business computers) couldn't be used in the botnet as part of the attacker.

Re: Obligatory Mafiaa reference (0)

WillfulActs (911353) | more than 7 years ago | (#19331375)

Wouldn't surprise me at all to see the Mafiaa somewhere in the background on this one.

It would be interesting...Full Throttle Sysadmin. (0)

Anonymous Coward | more than 7 years ago | (#19331383)

"However, this will rule out a lot of corporate machines from being used as bots in this fashion; most decent sysadmins filter P2P traffic."

Especially those academic machines.

Don't need no P2P (0, Offtopic)

iminplaya (723125) | more than 7 years ago | (#19330929)

My friends and I use good ol' ftp.

Web traffic? (4, Funny)

kihjin (866070) | more than 7 years ago | (#19330957)

Don't you mean P2P over port 80?

well (3, Insightful)

mastershake_phd (1050150) | more than 7 years ago | (#19331017)

I know my connection sees more P2P traffic than web traffic. One 175mb TV show is a lot of web pages.

Re:well (1)

eternalnyte (765741) | more than 7 years ago | (#19331385)

It would seem you've never seen Myspace....

Re:well (1)

Saikik (1018772) | more than 7 years ago | (#19331641)

Apparently you haven't been to myspace lately.

Re:well (1)

jamstar7 (694492) | more than 7 years ago | (#19332819)

Apparently you haven't been to myspace lately.

Like I'm really missing something by not bothering to hit Myspace...

So please tell me about all the garbage pages I don't see cause I don't use Myspace. I can live without bad video, bad music, and teeniebopper angst...

Re:well (1)

Saikik (1018772) | more than 7 years ago | (#19333545)

You're not missing anything there. But you did miss my point... 175 megs doesn't get you as far as you'd think.

Re:well (1)

jamstar7 (694492) | more than 7 years ago | (#19347839)

Meh. it's about half an hour of an episode of Babylon 5 at decent resolution...

Re:well (1)

MadMidnightBomber (894759) | more than 7 years ago | (#19333519)

"One 175mb TV show is a lot of web pages." ... or one myspace page.

Re:well (1)

AlgorithMan (937244) | more than 6 years ago | (#19339487)

175mb TV show
simpsons? :-)

Its Them (0)

Anonymous Coward | more than 7 years ago | (#19331221)

another one of the RIAA's scare tactics?

BitTorrent (2, Informative)

TheSHAD0W (258774) | more than 7 years ago | (#19331291)

The reason P2P lends itself to abuse is because peers typically depend on data from non-authoritative sources (other peers) for information. BitTorrent's classical tracker communication doesn't allow spurious inserted IP addresses to be broadcast to other peers, which prevents BitTorrent networks from being used as DoS amplifiers.

I can't say the same for certain non-standard extensions to BitTorrent, or for the official DHT-based trackerless system, unfortunately; I haven't studied them enough to assert their infallibility.

Re:BitTorrent (1)

Ken_g6 (775014) | more than 7 years ago | (#19331773)

Once I noticed that a computer somewhere had pulled over 1GB of data for a Linux *CD* (700MB), in my uTorrent client. And, yes, I did have DHT on. At the time I figured it was just a rogue client, and blocked it in my firewall. Now I wonder...

Re:BitTorrent (1)

TheSHAD0W (258774) | more than 7 years ago | (#19331801)

That is possible, but more likely the guy was behind a bad router. Some routers can cause consistent data corruption, and the client ends up downloading the same thing over and over. Difficult to fix.

Re:BitTorrent (1)

SpaceLifeForm (228190) | more than 7 years ago | (#19332527)

Routers corrupting packets?
Care to share any names?

Re:BitTorrent (1)

eat here_get gas (907110) | more than 6 years ago | (#19334949)

I am a member of several torrenting sites, I use uTorrent as a client (DHT disabled per site instruction). Your comment about a router corrupting data makes me wonder if that is what I am presently experiencing. I usually obtain 3-7 shows (@300MB to 4GB) a day, have been for years. Lately though I've had problems in my downloads where I have DL'd the entire show and found bad files (files are in flac/shn format, and are verified via Traders Little Helper). The thing is, no-one else in the torrent (or swarm) experiences these problems. I run a Linksys router, ZoneAlarm firewall, Norton AV, PortsLock, SpyBot, SpywareBlaster (ALL on high/paranoid setting), so I'm led to believe I couldn't "catch anything" from the 'Net... How can I find out if my router is destroying data, or if some nefarious site-scheme is underfoot? I've never had "infections" btw....

Re:BitTorrent (1)

TheSHAD0W (258774) | more than 6 years ago | (#19344493)

Most routers only do this when you're running in the DMZ. They assume you're playing a game, and many games send the local IP over TCP and won't work right if you're behind a firewall. The router helpfully replaces instances of the local IP with the remote IP, which usually doesn't cause much trouble in a game, but causes approx. 1 hash fail per gigabyte of data. If you update your router's firmware and forward ports rather than setting DMZ, you ought to be able to solve the problem.

Another reason to better utilize P2P networks (2, Insightful)

Freed (2178) | more than 7 years ago | (#19331315)

P2P has too much potential at stake to just be associated with massive copyright infringements and now botnets.

These associations will only be used as excuses to involve clueless regulators to inflict even more damage than they already do.

P2P also is used to distribute OS images, large collections of data, etc. Companies and organizations--especially involved with free software--need to get on the ball and rely more on P2P. There's more than just bandwidth savings at stake.

Another reason to better misfire. (0)

Anonymous Coward | more than 7 years ago | (#19332155)

"P2P has too much potential at stake to just being associated with massive copyright infringements and now botnets."

Oh, my. Cause and effect? Quick! Someone blame the RIAA and Microsoft before it's too late.

BTW The popularity protocol is overrated.* Once the popularity wears off, it's no better than FTP.

*There are already FTP clients that download different pieces of the same file from different servers. The only thing P2P does well is hide content, and destination.

Re:Another reason to better misfire. (1)

the_womble (580291) | more than 7 years ago | (#19333531)

There are already FTP clients that download different pieces of the same file from different servers. The only thing P2P does well is hide content, and destination.
P2P spreads the load much more widely, and with less effort.

I cannot run an FTP server over my NATed ADSL connection, but when I use bit-torrent I can see uploads happening.

FTP only spreads the load to those who deliberately mirror you. P2P spreads the load over everyone who is downloading.

How do you explain the fact that P2P (bittorrent especially) is used when there is no need to hide anything (Linux distros, Jamendo, etc.)?

Re:Another reason to better misfire. (1)

Abcd1234 (188840) | more than 6 years ago | (#19339073)

Once the popularity wears off, it's no better than FTP.

Show me an FTP server or client whose transfer rate scales superlinearly with popularity, and I'll be very very impressed.

Time? (1)

gmuslera (3436) | more than 7 years ago | (#19331363)

The starting number of people that will try to connect to that site could be high, OK, but as soon as the p2p client realizes it is not talking with a p2p server it all ends there; the attack described by the BitTorrent author in the article could be better. How long could a p2p attack last that way? Or maybe, how many retries / how much time do the usual p2p clients spend to make that worrisome?

What does it look like? (1)

Jah-Wren Ryel (80510) | more than 7 years ago | (#19331413)

So the article mentions two cases:

1) Edonkey/Emule
2) Bittorrent

In the second case, it sounds a lot like the attacker needs to run their own tracker, which means they have convince people to come to their tracker in the first place, making it relatively easy to avoid.

But the first case, with Edonkey, sounds like it might only need a naughty client. But they don't go into details, instead referencing an academic paper which I am too lazy to read and suspect it won't answer my ultimate question anyway, which is:

If you are running emule, are there any tell-tale signs to indicate that your emule client is unwittingly participating in a DDOS attack? Like certain verbose log entries or somesuch?

Re:What does it look like? (0)

Anonymous Coward | more than 7 years ago | (#19331557)

For non-standard BitTorrent clients you might have alternate vectors aside from the tracker. For example, both DHT and Peer Exchange in uTorrent could be used for this (in theory, don't know the implementation details), assuming you wrote a client that mimicked uTorrent and reported bogus peers when queried.

What probably gave the author the idea: (2, Informative)

MLS100 (1073958) | more than 7 years ago | (#19331569)

I remember a while ago I went on vacation and lost the lease on my IP back when I had Comcast. I came home and booted up the router, it leased a new IP, business as usual.

That night I look over at my modem and the send/receive lights are flashing like crazy. I check my firewall logs and see mass connection attempts on some port I wasn't aware was associated with anything. I do some Google searching and come to find out it's that peer-to-peer edonkey crap.

I thought "Whatever, surely the client will stop making connection attempts after it times out for a few days." But no sir, it went on for literally months until I received a new IP lease (with a little intervention on my part). Granted the traffic was not enough to affect my connection all that much but if 'legitimate' usage generates such a high volume of traffic I can see how abuse could become a concern.

Who writes these clients anyway, connection/ping timeout for a month and the IP is not put on some sort of exclude list?
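The two client-side fixes raised in this thread (refusing peers that sit on a standard service port, and putting a peer that never answers on an exclude list instead of re-asking it for months) fit in one small peer-selection policy. The following is an added example, not code from the thread or from any real client; the port list, the three-strikes threshold, the 24-hour exclusion and the re-announce interval are assumptions, and the tracker response it filters is constructed.

```python
"""Peer-selection hygiene for a P2P client: never dial well-known service
ports, and stop dialing a peer that repeatedly fails the handshake.
Added example with constructed inputs; thresholds are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Peer = Tuple[str, int]

# Privileged ports cover SMTP/HTTP/FTP/HTTPS; a few higher-numbered service
# ports are added so a database or RDP host is not dialed either.
SERVICE_PORTS = {1433, 3306, 3389, 5432, 8080, 8443}
MAX_FAILURES = 3              # handshake failures before exclusion (assumed)
EXCLUDE_SECONDS = 24 * 3600   # how long an excluded peer stays out (assumed)


@dataclass
class PeerFilter:
    failures: Dict[Peer, int] = field(default_factory=dict)
    excluded_until: Dict[Peer, float] = field(default_factory=dict)

    def acceptable(self, ip: str, port: int, now: float) -> bool:
        """Should the client even attempt a connection to (ip, port)?"""
        if port < 1024 or port in SERVICE_PORTS:
            return False
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
            return False
        until = self.excluded_until.get((ip, port))
        if until is not None:
            if now < until:
                return False
            # Exclusion expired: give the peer a fresh start.
            del self.excluded_until[(ip, port)]
            self.failures.pop((ip, port), None)
        return True

    def record_result(self, ip: str, port: int, handshake_ok: bool, now: float) -> None:
        """Count consecutive handshake failures; exclude after MAX_FAILURES."""
        key = (ip, port)
        if handshake_ok:
            self.failures.pop(key, None)
            return
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        if n >= MAX_FAILURES:
            self.excluded_until[key] = now + EXCLUDE_SECONDS

    def select(self, candidates: List[Peer], now: float) -> List[Peer]:
        return [(ip, port) for ip, port in candidates if self.acceptable(ip, port, now)]


def simulate(now: float = 0.0) -> Tuple[List[Peer], List[Peer]]:
    """Constructed scenario: a tracker keeps announcing four peers, two of
    which are really a web server (port 80) and a mail server (port 25);
    a third never completes a handshake.  Returns the peers selected on
    the first announce and after several re-announces."""
    pf = PeerFilter()
    announced: List[Peer] = [("203.0.113.5", 51413), ("203.0.113.6", 6881),
                             ("198.51.100.10", 80), ("198.51.100.11", 25)]
    first = pf.select(announced, now)
    for i in range(1, 5):                       # re-announce every 30 minutes (assumed)
        t = now + i * 1800
        for ip, port in pf.select(announced, t):
            pf.record_result(ip, port, handshake_ok=(ip != "203.0.113.6"), now=t)
    later = pf.select(announced, now + 5 * 1800)
    return first, later


if __name__ == "__main__":
    first, later = simulate()
    print("first announce, dialed:", first)
    print("after repeated failures, dialed:", later)
```

The port check alone removes the web and mail servers from the dial list before a single packet is sent; the failure counter handles the remaining case where a poisoned entry uses an unprivileged port, so a victim stops being re-probed after three missed handshakes rather than at every announce until the IP lease changes.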

minus 1, TRol7) (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19331643)

A bit of Older news (5, Informative)

maelfius (592856) | more than 7 years ago | (#19332381)

I'm glad this finally made it to Slashdot. It's a bit of older news to those of us who work in the web hosting industry and have already been subjected to these types of attacks. The DDOS attacks that abuse of these networks produces are on a much larger scale than DDOS-style attacks have been in the past (for the most part).

Thankfully some Peer to Peer network protocols aren't badly implemented (and the client software isn't as bad as others). Netcraft has a decent article about this with examples of the P2P networks that have been shown as exploitable.

http://news.netcraft.com/archives/2007/05/23/p2p_networks_hijacked_for_ddos_attacks.html [netcraft.com]

I can confidently say that these attacks can easily span the 800,000 pkt/sec (per link) and include millions of source addresses for a "cheap cost" compared to the botnets that previously have been almost exclusive to the attacks. Thankfully most P2P clients aren't hijackable in a way to simply pulse connections (all at once) or the more traditional SynFlooding. Connection (fully negotiated) tends to be easier to diagnose than the strictly syn-flooding style attacks can be, on top of it they tend to be more directed (single destination vs. rotating with some kind of intelligence across an entire netblock).

Re:A bit of Older news (1)

shdragon (1797) | more than 6 years ago | (#19336119)

Will you share what clients/p2p protocols are not affected? What clients should people avoid?

Re:A bit of Older news (1)

maelfius (592856) | more than 6 years ago | (#19341453)

DC++ appears to be the most affected from what I've seen. Unfortunately I can only go by what I'm seeing on the destination end (at this time), which makes discovery of the source software a bit difficult at times. I'll say the article I linked details a bit of the exploitable software, usually Hubs and clients that are far from patched (later versions tend to close some of the holes). However, people never update P2P software (as a broad generalization) in comparison to more mission critical applications.

I recommend sticking to BitTorrent and only use trackers you're confident in. BitTorrent's setup is significantly better (in most cases, and not the strange extensions, just the vanilla protocol clients/trackers) than most of the others out there. Again, I'd be hard pressed to point a finger in any specific scenario beyond the obvious. I have long stopped using P2P for personal reasons, partly due to the software and protocols.

Geez. (1, Informative)

Anonymous Coward | more than 7 years ago | (#19332393)

Did anyone ever read the friggin' advisory? They speak of a DC++ attack, not edonkey and not bittorrent. I know jack-shit about edonkey because that's typically only used for downloading "warez" and movies and such. But, yes, bittorrent is designed with certain security features in mind that prevent this. Those that use distributed trackers, I dunno, I don't use them and am not at liberty to discuss them.

I believe most everyone who has posted here must work at Best Buy in their Geek Squad. They use all the buzzwords. They write such a long rant full of geek-speak garbage that it distracts the majority and everyone assumes they know what they are speaking about.

Almost every reply here has been off-topic. Sad.

Re:Geez. (1)

maelfius (592856) | more than 7 years ago | (#19332463)

And sadly I don't have any mod points to spend on this topic where I actually could see use of them.

Reference to the actual studies (1)

slashdotmsiriv (922939) | more than 7 years ago | (#19333095)

The advisory indeed speaks only of using DC++ to launch DDoS http://www.prolexic.com/news/20070514-alert.php [prolexic.com] However, the New Scientist article refers to two academic studies that discuss how eMule and BitTorrent can be misused for the same purpose:

a) N. Naoumov, and K.W. Ross, Exploiting P2P Systems for DDoS Attacks, International Workshop on Peer-to-Peer Information Management, May 2006 http://cis.poly.edu/~ross/papers/p2pddos.pdf [poly.edu]
They show that one can subvert Overnet traffic (applicable to eMule that uses the same DHT as Overnet)

b) Karim El Defrawy, Minas Gjoka, Athina Markopoulou, "BotTorrent: Misusing BitTorrent to Launch DDoS Attacks", USENIX SRUTI, June 2007.
They show that one can subvert BitTorrent traffic by submitting to torrent aggregators fake torrent files that advertise the IP of the victim instead of a legitimate tracker's.

Re:Reference to the actual studies (1)

deroby (568773) | more than 6 years ago | (#19334409)

AFAIK: OverNet and eMule share the same protocol but differ quite a bit in the way they handle stuff. What's true for OverNet might not be true for eMule (and vice versa).

(and isn't OverNet officially dead ?)

Not that new (1)

Kaenneth (82978) | more than 7 years ago | (#19332585)

A couple of years ago, while studying p2p protocols and contemplating writing one myself to release anonymously, I wrote a program that emulated a Kazaa node with the ability to monitor and modify traffic passing through it.

I then added the ability to query and download files, and while experimenting with making it cache queries to others, added a slight bug, in that instead of giving the actual address of the resource, it kept spitting out my address... Shortly after, I realized I had a dandy means for a DOS attack if I wanted to.

Hopefully modern p2p is more secure, but I doubt it.

P2P-ize everything! (2, Insightful)

suv4x4 (956391) | more than 7 years ago | (#19332847)

Well here's what: P2P is just a hack. That's all it is. It's a scheme to avoid central authority, and avoid a central point of load...

While in some cases this is an attempt to avoid legal repercussions of hosting illegal content, in other cases, where content is legal, it's an attempt for the content providers to make their very big bandwidth problem someone else's bandwidth problem.

Because this is all P2P is doing: moving the problem elsewhere, and actually multiplying it. Downloading a 100 MB file via BitTorrent will generate far more traffic and connections on the Internet as a whole than a direct download from a proper server farm. No wonder ISPs are stressed out from this whole P2P deal.

And then there's the security problems. I wonder: where did all those guys shouting at full throat "P2P-ize everything" go? I've read here on Slashdot bold commenters proclaim boldly how lame it is that there are still things that aren't P2P yet. We need P2P search engines! P2P hosting! P2P banking! All of those are actual things I've read.

But back to the beginning, P2P means no central authority. Hence, it means no central trusted entity, no trust, no security.

Re:P2P-ize everything! (1)

Shadow-isoHunt (1014539) | more than 7 years ago | (#19333533)

But I thought we had p2p search engines...

Re:P2P-ize everything! (0)

Anonymous Coward | more than 7 years ago | (#19333621)

"And then there's the security problems."

Yeah people should use the web instead because THATS secure!

"Downloading a 100 MB file via bittorent will generate far more traffic and connection on the Internet as a whole, than a direct download from a proper server farm."

The "proper server farm" way strikes me as more inefficient actually.

Re:P2P-ize everything! (1)

ratboy666 (104074) | more than 6 years ago | (#19335903)

Your assertion that P2P is (just) a hack to avoid central authority and move bandwidth is partly right.

Yes, I use "P2P" (bittorrent) as a hack. But the DIRECT problem I use bittorrent to address is the disparity between my download speed (5ish mbits/second) vs. my upload speed (256ish kbits/second).

I prefer to be in control of my own network resources -- and not rely on "central authority". So, yes, that is the "end reason" for using bittorrent.

But there would be no reason to use a "P2P" solution if my upload and download rates were the same, or if my upload rate were larger. As it is presently, it takes 20 uploads to match a download (for me), making the case for using P2P.

Re:P2P-ize everything! (1)

pehrs (690959) | more than 6 years ago | (#19336717)

Time to feed the troll.

Well, I would suggest you take a basic course in network design. Peer to Peer is not just a hack. It's the fundamental principle of how the Internet is designed.

Internet architecture is built on the principle that all nodes are created equal and should be able to communicate. There are no specific addresses for producers of content and consumers of content... Unlike, for example, TV. All traffic on the Internet should, according to the original design, be peer to peer.

If you look at the capacity for each potential user, the Internet has a huge lot of capacity out in the edges of the network and very little capacity in the core. What you want to do, with all traffic, is to move it out to the edges. Peer to Peer protocols take advantage of this. Yes, you create more traffic on your local link when you download that 100mbit file. But as long as the protocol you are using is reasonably optimized (like, for example, Bittorrent) you will get a majority of the data from nodes that are close to you in the network. Which means that the total distance*data is going to be less than from a major server in a server farm... Unless that server farm happens to be very close to you.

In addition, the global amount of data transferred is only going to be marginally higher (protocol overhead) than the data transferred from a central point, for the same number of downloads.

I have no idea why you are talking about connections. The Internet is to a large degree stateless, so connections don't matter at all.

Security of peer to peer networks is an interesting subject. The fact that they lack a central authority makes it harder. But is a web of trust really worse than a certificate chain? In one case you are trusting a number of other users to verify an identity. In the other case you are trusting a CA, which might have a process involving little more than filling out a form. A central authority is in no way a guarantee of security.

Re:P2P-ize everything! (1)

Abcd1234 (188840) | more than 6 years ago | (#19339113)

P2P is just a hack.

Damn right it's a hack. A hack to get around the fact that ISPs have refused to properly deploy IP multicasting. Until then, I'll take my hack, thanks.

@Dick (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19332943)

People should just use private, encrypted P2P! (0)

Anonymous Coward | more than 6 years ago | (#19335777)

Well shoot, if this is all true, people should just start using private, encrypted file-sharing between friends! There's nothing safer, and no one outside your network of friends can pull any mean stuff. There are several alternatives out there, my favorite being GigaTribe: http://www.gigatribe.com/ [gigatribe.com]

I guess it depends... (0)

Anonymous Coward | more than 6 years ago | (#19336493)

It really depends on which servers they're using the bot-net on...

Competing sites? Bad business.

White supremacist sites? Let em burn!

P2P traffic dominant since 2002 (1)

Alomex (148003) | more than 6 years ago | (#19337235)

In fact, some reports indicate that peer-to-peer may actually exceed web traffic.

This was already the case in most of the measurements we collected in 2002. In fact by 2003, video traffic was the largest by volume, followed by audio, followed by web traffic. Our numbers came from sophisticated measurement devices that could, among other things, tell apart web pages from audio/video traffic on port 80.