No one ever said using torrent services was safe. Downloaders may run afoul of law enforcement, spyware or malware and in many cases don’t end up with the file they wanted in the first place. And at the recent USENIX Workshop on Offensive Technologies, a team of researchers rolled out a new risk: multiple BitTorrent-based distributed reflective denial-of-service (DRDoS) attacks, some of which can’t be defeated using standard defenses.

Amplified Aggravation

Most users are familiar with DDoS attacks. Malicious actors flood network connections with traffic in hopes of overwhelming bandwidth allowances and causing websites to crash. But companies are getting better at defending against these attacks since they often come with familiar precursors that allow IT admins to take proactive action.

DRDoS, meanwhile, is a subtler animal. It works like this: Attackers spoof source IP addresses and then send small packets of data to known amplifiers. These amplifiers expand received packets and send them back; large enough volumes can overwhelm even high-performance systems. As noted by SecurityWeek, reflective attacks have been clocked at 400 gigabytes per second.

Using amplifiers lets attackers do less work for a greater payoff, do it all from a single machine and lower the chance they’ll be caught in the act since most of the heavy lifting is done by the amplifier itself. What’s more, these amplifiers aren’t hard to find; as more cybercriminals use them, they become easier to access online.

Torrent Troubles and DRDoS

So how does this tie in with BitTorrent streaming? Most torrent systems use UDP protocols, which aren’t designed to prevent IP spoofing. And with so many connections providing data simultaneously to user devices, the attack surface is huge — multiple reflective attacks could overwhelm even the most resilient systems. According to ExtremeTech, torrent clients such as BitTorrent Sync (BYSync) and µTorrent are vulnerable, along with popular services Vuse and Mainline. Amplification factors of up to 50 have been observed in BitTorrent official clients and 120 for BTSync.

The research team identified three risky protocols: Micro Transport Protocol (µTP), Distributed Hash Table (DHT) and Message Stream Encryption (MSE). DHT attacks that leverage DNS spoofing or network time protocol (NTP) for reflection are the easiest to defeat using a stateful packet inspection (SPI) firewall since these attack vectors leverage known ports.

As noted by Threatpost, however, handling µTP DRDoS attacks is more difficult because “TP establishes a connection with a two-way handshake. This allows an attacker to establish a connection with an amplifier using a spoofed IP address, as the receiver does not check whether the initiator has received the acknowledgment.” Normal firewalls won’t detect this kind of attack, meaning users will need to implement deep packet inspection (DPI). And when it comes to MSE, things get even more difficult since the protocol relies on a random handshake. Right now, there’s no working countermeasure to MSE-based DRDoS attacks.

The simple answer here? Don’t torrent. But the aggregate model has merit when it comes to download speed and reliability. Users need to decide if the risk of amplified attacks is worth the benefit of BitTorrent.

More from

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…