by Danieru
4473 days ago
A malicious tracker, or a peer if using DHT, can claim an IP, the victim, is active in the swarm and has valuable bits of the torrent. Then torrent clients will try to connect to the victim. The attack is pretty clever: being indirect, it is hard to trace, and because BitTorrent allows arbitrary ports you can hit a specific IP & port pair. The one downside is the victims can be sure it is a BitTorrent DDoS by checking the attacking connection's requests. The attacker's packets will contain BitTorrent's magic connection bits.

Please confirm my understanding: this would be by inserting yourself into the DHT with an address near/equal to a target high-volume torrent, so that you're frequently queried by clients looking for peers?
If so, I guess it could be possible in some cases to identify the peers who initiated the attack. The non-malicious peers attempting to make BitTorrent connections to your server will provide the infohash of the torrent they think you're downloading, which you might be able to use to find the malicious DHT peer who's directing them.
At first I thought you were suggesting that it's possible for malicious peers to insert invalid IP/port pairs into non-malicious DHT nodes, which I don't believe is possible. (The mainline DHT protocol [1] requires that peers provide a "token" value, previously sent to their IP address, to verify themselves when being listed for a torrent.)
[1]: http://www.bittorrent.org/beps/bep_0005.html
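
A victim-side check for the two points made in this thread (the "magic connection bits" and the infohash each connecting client sends), written as an added example that is not part of either comment. It assumes the first payload bytes of each inbound TCP connection have already been captured; the function names, addresses and hashes are constructed for illustration.

```python
from collections import Counter

PSTR = b"BitTorrent protocol"
PREFIX = bytes([len(PSTR)]) + PSTR   # the "magic": 0x13 followed by the protocol string
HASH_OFFSET = len(PREFIX) + 8        # 8 reserved bytes precede the 20-byte info_hash


def parse_handshake(first_bytes):
    """Return the info_hash (hex) if the payload opens with a BitTorrent
    peer-wire handshake that is long enough to contain one, else None."""
    if not first_bytes.startswith(PREFIX):
        return None
    if len(first_bytes) < HASH_OFFSET + 20:
        return None                  # truncated before the info_hash ended
    return first_bytes[HASH_OFFSET:HASH_OFFSET + 20].hex()


def summarize(connections):
    """connections: iterable of (src_ip, first_bytes).
    Returns (hits per info_hash, source IPs per info_hash, unparsed count)."""
    per_hash, sources, unparsed = Counter(), {}, 0
    for src, data in connections:
        info_hash = parse_handshake(data)
        if info_hash is None:
            unparsed += 1
            continue
        per_hash[info_hash] += 1
        sources.setdefault(info_hash, set()).add(src)
    return per_hash, sources, unparsed


# Constructed sample input (documentation-range IPs, made-up hashes).
HASH_A, HASH_B = bytes.fromhex("aa" * 20), bytes.fromhex("bb" * 20)


def _hs(info_hash, peer_id=b"-XX0000-constructed0"):
    return PREFIX + bytes(8) + info_hash + peer_id


SAMPLE = [
    ("192.0.2.10", _hs(HASH_A)),
    ("192.0.2.11", _hs(HASH_A)),
    ("198.51.100.7", _hs(HASH_B)),
    ("203.0.113.5", b"GET / HTTP/1.1\r\n"),   # not BitTorrent
    ("192.0.2.10", _hs(HASH_A)[:30]),         # handshake cut short
]

if __name__ == "__main__":
    counts, srcs, unparsed = summarize(SAMPLE)
    for h, n in counts.most_common():
        print(h, n, "connections from", len(srcs[h]), "sources")
    print("unparsed:", unparsed)
```

The info_hash values that dominate the tally are the swarms in which the server's address is being advertised, which is the starting point the reply describes for looking up who is listing it.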