BitTorrent patches flaw that could amplify distributed denial-of-service attacks

BitTorrent fixed a vulnerability that would have allowed attackers to hijack BitTorrent applications used by hundreds of millions of users in order to amplify distributed denial-of-service (DDoS) attacks.

The vulnerability was located in libuTP, a reference implementation of the Micro Transport Protocol (uTP) that’s used by many popular BitTorrent clients including uTorrent, Vuze, Transmission and the BitTorrent mainline client.

The flaw was disclosed earlier this month in a paper presented at the 9th USENIX Workshop on Offensive Technologies by four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid.

DDoS amplification is an increasingly popular technique among attackers and can generate very large traffic volumes. It involves sending rogue requests to a large number of servers that appear to originate from the IP (Internet Protocol) address of a target chosen by attackers. This tricks those servers into sending their responses to the spoofed IP address instead of the original sender, flooding the victim with data packets.

The technique has the effect of hiding the source of the original traffic, which is known as reflection, but can also significantly amplify it if the generated responses are larger in size than the requests that triggered them.

This type of attack typically affects protocols that rely on the User Datagram Protocol (UDP) for data transmission, because UDP does not perform source address validation. In their paper, the four researchers showed that uTP is one such protocol.

They showed that an attacker could send a connection request with a spoofed address to a BitTorrent client forcing it to send an acknowledgement (ACK) packet to the victim. The attacker could then send a second request with the same spoofed address and a random ACK number to initiate a BitTorrent handshake.

The BitTorrent client would accept this second request as well and would send a handshake response to the victim. However, since the victim would not expect the packet, it wouldn’t respond back, forcing the BitTorrent client to resend the data up to 4 times, amplifying the traffic that the attackers can generate.

In order to fix the issue, BitTorrent, the company that maintains libuTP, modified the library so that it properly verifies the ACK number accompanying the second request. If it doesn’t match the one sent to the victim in the first packet, it will drop the connection.

The change does not prevent DDoS reflection but kills the amplification effect.

It would be fairly difficult for an attacker to guess the acknowledgement number for a sufficiently large number of reflectors, a BitTorrent engineer said in a blog post Thursday that explains the fix in detail.

The latest versions of uTorrent, BitTorrent mainline and BitTorrent Sync, which are developed by the company, have included the fix since Aug. 4.

The change does not affect backwards compatibility with older versions of those applications nor with third-party BitTorrent clients that use libuTP, a BitTorrent engineer said via email. “Nonetheless, we encourage other developers to ensure their implementations properly enforce acknowledgment number sequencing.”

Other protocols designed by the company that rely on libuTP, like the Message Stream Encryption (MSE), are also protected.