Category: BitTorrent

Aug 27 2015

BitTorrent patched against flaw that allowed crippling DoS attacks

The maintainers of the open BitTorrent protocol for file sharing have fixed a vulnerability that allowed lone attackers with only modest resources to take down large sites using a new form of denial-of-service attack.

The technique was disclosed two weeks ago in a research paper submitted to the 9th Usenix Workshop on Offensive Technologies. By sending vulnerable BitTorrent applications maliciously modified data, attackers could force them to flood a third-party target with data that was 50 to 120 times bigger than the original request. By replacing the attacker's IP address in the malicious user datagram protocol request with the spoofed address of the target, the attacker could cause the data flood to hit the victim's computer.

In a blog post published Thursday, BitTorrent engineers said the vulnerability was the result of a flaw in a reference implementation called libuTP. To fix the weakness, the uTorrent, BitTorrent, and BitTorrent Sync apps will require acknowledgments from connection initiators before providing long responses.

Read 3 remaining paragraphs | Comments

Aug 16 2015

How BitTorrent could let lone DDoS attackers bring down big sites

Some of the most widely used BitTorrent applications, including uTorrent, Mainline, and Vuze are also the most vulnerable to a newly discovered form of denial of service attack that makes it easy for a single person to bring down large sites.

The distributed reflective DoS (DRDoS) attacks exploit weaknesses found in the open BitTorrent protocol, which millions of people rely on to exchange files over the Internet. But it turns out that features found uTorrent, Mainline, and Vuze make them especially suitable for the technique. DRDoS allows a single BitTorrent user with only modest amounts of bandwidth to send malformed requests to other BitTorrent users.

The BitTorrent applications receiving the request, in turn, flood a third-party target with data that's 50 to 120 times bigger than the original request. Key to making the attack possible is BitTorrent's use of the user datagram protocol, which provides no mechanism to prevent the falsifying of IP addresses. By replacing the attacker's IP address in the malicious request with the spoofed address of the target, the attacker causes the data flood to hit victim's computer.

Read 4 remaining paragraphs | Comments

Dec 19 2013

BitTorrent serverless chat replaces usernames with crypto keys

BitTorrent, Inc. is developing a serverless instant messaging system that relies on public key encryption to protect the privacy of communications, identifying users not with traditional usernames but with cryptographic key pairs.

The company, which develops the BitTorrent peer-to-peer protocol as well as the BitTorrent and μTorrent file sharing software, announced the forthcoming chat software in September and revealed some details on how it will work in a blog post today. It reads:

With BitTorrent Chat, there aren’t any “usernames” per se. You don’t login in the classic sense. Instead, your identity is a cryptographic key pair. To everyone on the BitTorrent Chat network at large, you ARE your public key. This means that, if you want, you can use Chat without telling anyone who you are. Two users only need to exchange each other’s public keys to be able to chat.

Using public key encryption provides us with a number of benefits. The most obvious is the ability to encrypt messages to your sender using your private key and their public key. But in public key encryption, if someone gains access to your private key, all of your past (and future) messages could be decrypted and read. In Chat, we are implementing forward secrecy. Every time you begin a conversation with one of your contacts, a temporary encryption key will be generated. Using each of your keypairs, this key will be generated for this one conversation and that conversation only, and then deleted forever.

Underlying this system is a Distributed Hash Table (DHT) which finds IP addresses, removing the need for a central server to route messages, the company explained.

Read 5 remaining paragraphs | Comments

Jan 04 2013

Study Says Yahoo, Google Help Fund Pirate Sites

Study Says Yahoo, Google Help Fund Pirate Sites

Google and Yahoo were among the top advertising networks servicing the most ads on pirate sites, according to a new study unveiled Thursday. The analysis by the Annenberg Innovation Lab at the University of Southern California found that Pasadena, California-based …