The maintainers of the open BitTorrent protocol for file sharing have fixed a vulnerability that allowed lone attackers with only modest resources to take down large sites using a new form of denial-of-service attack.
The technique was disclosed two weeks ago in a research paper submitted to the 9th Usenix Workshop on Offensive Technologies. By sending vulnerable BitTorrent applications maliciously modified data, attackers could force them to flood a third-party target with data that was 50 to 120 times bigger than the original request. By replacing the attacker's IP address in the malicious user datagram protocol request with the spoofed address of the target, the attacker could cause the data flood to hit the victim's computer.
In a blog post published Thursday, BitTorrent engineers said the vulnerability was the result of a flaw in a reference implementation called libuTP. To fix the weakness, the uTorrent, BitTorrent, and BitTorrent Sync apps will require acknowledgments from connection initiators before providing long responses.
Some of the most widely used BitTorrent applications, including uTorrent, Mainline, and Vuze are also the most vulnerable to a newly discovered form of denial of service attack that makes it easy for a single person to bring down large sites.
The distributed reflective DoS (DRDoS) attacks exploit weaknesses found in the open BitTorrent protocol, which millions of people rely on to exchange files over the Internet. But it turns out that features found uTorrent, Mainline, and Vuze make them especially suitable for the technique. DRDoS allows a single BitTorrent user with only modest amounts of bandwidth to send malformed requests to other BitTorrent users.
The BitTorrent applications receiving the request, in turn, flood a third-party target with data that's 50 to 120 times bigger than the original request. Key to making the attack possible is BitTorrent's use of the user datagram protocol, which provides no mechanism to prevent the falsifying of IP addresses. By replacing the attacker's IP address in the malicious request with the spoofed address of the target, the attacker causes the data flood to hit victim's computer.