DRDOS (Distributed Reflective Denial of Service). Mr. Florian Adamsky of the University of London has published a research paper that describes in detail the family of protocols used by BitTorrent clients which can be abused to carry out DRDOS attacks.
Most of us have a basic idea of what a DDOS attack is, but the DRDOS attack is a bit different.
Whereas in a DDOS attack a hacker controls a set of zombie computers that generate excessive traffic towards a target until the target is "blocked" and no longer reachable by third parties, in a DRDOS the attacker sends traffic to legitimate network equipment (called a mirror, or reflector), which then relays the traffic to the victim.
The traffic sent to the mirror is forged and carries the victim's IP address as the packet's source, so when the mirror (or reflector, if you prefer) follows the normal rules of the Internet protocols and tries to establish a connection, it does so with the victim's IP rather than the attacker's.
Besides simply sending traffic to a mirror, attackers have devised ways of using the mirror to amplify the traffic.
Protocols widely used in DRDOS attacks are TCP, DNS and NTP. Mr. Adamsky's research study shows how several protocols of the BitTorrent family can also be used in DRDOS attacks, again with the ability to amplify traffic.
According to Mr. Adamsky, the BitTorrent protocols that are affected are: UTP (Micro Transport Protocol), Distributed Hash Table (DHT), and Message Stream Encryption (MSE). These are the protocols used in BitTorrent, uTorrent and Vuze applications.
In addition, the BTSync synchronization protocol used with the BitTorrent Sync file sharing application is also vulnerable.
"Our experiments show that BitTorrent has a bandwidth amplification factor (BAF) 50 times higher, and in the case of BTSync up to 120 times higher," said Mr. Florian Adamsky.
But the bad news does not stop there. Beyond the traffic amplification, DRDOS attacks carried out via BitTorrent are not detectable by regular firewalls because of "the range of dynamic ports and the encryption during the handshake".
Mitigation services for this type of attack would probably require Deep Packet Inspection (DPI), a solution that consumes a lot of resources on most server infrastructures.
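Short of full DPI, a network that hosts BitTorrent peers can still spot the traffic pattern the article describes from plain flow records: a single remote address that appears as the "source" of small requests to many local peers (on varying ports) and receives far more bytes back than it sent. The script below is an added example, not code from the article or from Mr. Adamsky's paper; the flow-record format, the sample lines and the thresholds are constructed for illustration. It computes the bandwidth amplification factor (BAF) per remote address exactly as the article uses the term (bytes returned to the apparent source divided by bytes received from it) and flags addresses that combine a high BAF with many distinct local peers, since a legitimately seeding peer also has a high out/in ratio but usually towards one counterpart at a time.

```python
"""Flow-log heuristic for spotting BitTorrent peers being abused as DRDoS reflectors.

Assumed vantage point: a flow collector at the edge of a network that hosts
BitTorrent peers. Each record is one UDP flow between a remote address and a
local peer, in the constructed format

    <in|out> <remote_ip> <local_ip>:<local_port> <bytes>

where "in" means remote -> local and "out" means local -> remote.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" or "out"
    remote: str      # the (possibly spoofed) remote address
    local: str       # local BitTorrent peer
    local_port: int  # dynamic port used by that peer
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record; raises ValueError on malformed input."""
    direction, remote, local_ep, nbytes = line.split()
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction: {direction!r}")
    local, port = local_ep.rsplit(":", 1)
    return Flow(direction, remote, local, int(port), int(nbytes))


def bandwidth_amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """BAF as used in the article: bytes sent back to the apparent source
    divided by bytes received from it. Infinite if nothing was received."""
    if request_bytes == 0:
        return float("inf")
    return response_bytes / request_bytes


def find_suspected_victims(lines, min_peers: int = 3, min_baf: float = 10.0) -> dict:
    """Return {remote_ip: {"peers": n, "baf": x}} for remote addresses that
    (a) touched at least `min_peers` distinct local peer endpoints and
    (b) received at least `min_baf` times more bytes than they sent.

    With a spoofed source the "in" flows are really the attacker's forged
    packets and the "out" flows are the amplified reflection hitting the victim.
    """
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    peers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f.direction == "in":
            in_bytes[f.remote] += f.nbytes
        else:
            out_bytes[f.remote] += f.nbytes
        # Count (host, port) pairs: the dynamic-port range the article mentions
        # means one local host can show up on many ports.
        peers[f.remote].add((f.local, f.local_port))

    flagged = {}
    for remote, endpoints in peers.items():
        baf = bandwidth_amplification_factor(in_bytes[remote], out_bytes[remote])
        if len(endpoints) >= min_peers and baf >= min_baf:
            flagged[remote] = {"peers": len(endpoints), "baf": round(baf, 1)}
    return flagged


# Constructed sample: 198.51.100.7 is an ordinary peer, 198.51.100.8 is being
# seeded to by one local peer, 203.0.113.9 is a spoofed source hitting four peers.
SAMPLE_FLOWS = [
    "in  198.51.100.7 192.0.2.10:6881 300",
    "out 198.51.100.7 192.0.2.10:6881 400",
    "in  198.51.100.8 192.0.2.11:51413 80",
    "out 198.51.100.8 192.0.2.11:51413 16000",
    "in  203.0.113.9 192.0.2.10:6881 100",
    "out 203.0.113.9 192.0.2.10:6881 5000",
    "in  203.0.113.9 192.0.2.11:51413 100",
    "out 203.0.113.9 192.0.2.11:51413 5000",
    "in  203.0.113.9 192.0.2.12:40123 100",
    "out 203.0.113.9 192.0.2.12:40123 5000",
    "in  203.0.113.9 192.0.2.12:40124 100",
    "out 203.0.113.9 192.0.2.12:40124 5000",
]


def demo() -> dict:
    """Run the heuristic over the constructed sample."""
    return find_suspected_victims(SAMPLE_FLOWS)


if __name__ == "__main__":
    for ip, info in demo().items():
        print(f"{ip}: {info['peers']} local endpoints, BAF {info['baf']}")
```

On the sample, only 203.0.113.9 is reported (four endpoints, BAF 50.0): the seeding case has a BAF of 200 but touches a single endpoint, and the ordinary peer has a BAF near 1. The thresholds are a starting point, not a rule; what the check buys you is a cheap first-pass signal from byte counts alone, so DPI can be reserved for the addresses it flags.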
As TorrentFreak reports, BitTorrent has patched some of these issues in a recent beta release, while Vuze and uTorrent are still vulnerable.