SPR's: Today in its blog, BitTorrent announced that it has fixed a vulnerability that allowed the attackers to take down websites by carrying out distributed reflective denial of service attacks (DRDoS).
Recently Florian Adamsky gave a presentation at a USENIX Workshop tell the possibilities of exploiting UDP-based protocols for DRDoS attacks. uTorrent, BitTorrent, and BitTorrent Sync use the Micro Transport Protocol (µTP) implementation in libuTP as the preferred transport backend running on top of UDP. Due to this, the attacker with modest resources could exploit a BitTorrent user unknowingly and drive a large volume of traffic to the victim to make them offline.
However, Christian Averill, Vice President of Communications and Brand for BitTorrent, tells fossBytes that such an attack has not been observed in the wild. He states: “First, it’s important to understand that this is a theoretical scenario and that such an attack has not been observed in the wild. Florian Adamsky and his co-authors conducted an experiment in a controlled environment producing the results presented in the paper.”
In his recent blog post, he outlines the fact that the BitTorrent engineering team has mitigated any distant possibility of such an attack. In another post, Francisco De La Cruz, software engineer on the uTorrent/BitTorrent team, tells how such an attack works and further explains the steps taken by his team.
Christian tells fossBytes that Florian and the co-authors reported their findings to BitTorrent team responsibly few weeks back and they have issued a fix to the torrent client.
He also shares an interesting point about the vulnerability in Sync. “Even before the recent updates to Sync, the severity of the vulnerability was reduced by a few factors. First, the attacker would have to know the Sync user they are trying to exploit to get their “Secret” – or the Sync user would have to have exposed that “Secret” publicly in some way. In addition, Sync, by design, limits the amount of peers in a share making the attack surface much smaller. It would not serve as an effective source to mount large-scale attacks,” he explains.
Having something to add? Share your opinions through comments.