When you use a torrent client, you take your chances. Even if it’s just the ever-so-mild chance of running afoul of some sort of copyright regime, torrent traffic is rarely totally legally kosher. Yet a new study from an international team of security researchers has concluded that some of the world’s most popular torrent clients can open you up to a completely different sort of legal problem: one in which your computer is made part of a criminal attack without your consent.
The vulnerability lets hackers exponentially increase the traffic load on targets, and is thought to affect uTorrent, Vuze, BitTorrent’s own BTSync, and more. At issue are the Micro Transport Protocol (uTP), BTSync, Distributed Hash Table (DHT), Message Stream Encryption (MSE) protocols; according to the report, “with a single BTSync ping message an attacker and amplify the traffic up to 120 times.” BitTorrent has been alerted to the problem, and as of this writing it has released partial patches for some software.
In concept, BitTorrent works by coordinating many connections between many people, allowing distributed swarm downloading that’s both super fast and super reliable, in the aggregate. That word “distributed,” though, pops up in other areas of modern technology — particularly, in the acronym DDoS, or Distributed Denial of Service attack. This is the practice of directing huge masses of data requests at a single server, bringing that server down under the weight of all the unexpected traffic. It’s not a “hack,” since nothing was unlawful accessed, but a well-aimed and timed DDoS attack can be devastating to complex organizations like corporations and governments.
The traditional method of creating all this problem traffic has been to release a virus designed to hijack infected systems and use them for coordinated denial of service attacks — the swarm of unwitting agent computers this creates is called a “botnet.” The BitTorrent vulnerability seems to allow quick and easy access to the exact same functionality, giving attackers a ready-made botnet and turning downloaders into unwilling swarm attackers.
The specific type of attack is actually a distributed reflective denial of service attack, meaning that the hackers don’t actually direct the victim computers to contact the target server directly, but contact the victim computers with a fake communication that seems to be originating from the target server. These innocent systems then respond to this seeming request for contact from the target server, inundating it with traffic. In this case, the reflector computers also act as “amplifiers,” meaning that they send more requests to the target server than they (seemingly) received from it. These reflected, amplified signals can bring even high-end infrastructure to its knees.
The researchers call the attack both efficient and difficult to avoid, since the vulnerability is built right into the concept of the BitTorrent transfer protocols in question. The reflection attacks are difficult to block because BitTorrent users a dynamic port, unlike static options like DNS, so it’s not easily caught by malicious activity filters.
DDoS attacks have been an increasing problem over the past several years, with one attack early last year almost bringing down a large portion of the internet with a whopping 400 Gbps of traffic. This attack reportedly made use of just 4,529 NTP servers running on 1,298 different networks — very achievable numbers of people for an average-sized torrent tracker.
These stories will never cease — vulnerabilities will always be found, working both in favor of criminals and law enforcement. The reason you will always have to patch your software is the same reason hacker thieves can’t rest as easily as they might: complex software is really complex, and a dedicated searcher can almost always find a loophole in its logical framework.
