Vuze, Mainline and uTorrent, three of the most popular file-sharing programs online, are vulnerable to a new kind of denial of service attack that would enable a single hacker to knock a popular website offline. The security exploit also hides the identity of the hacker, making it possible for them to take down a target and never get caught.
Millions of people use the BitTorrent protocol, the process of simultaneously downloading a large file from hundreds of users, to share files online. The methodology assumes that each user hosting the file is well-intentioned, and not trying to infect the swarm of downloaders with malicious software or track their IP addresses, as copyright enforcement groups have done in the case of piracy investigations.
But researchers have now discovered a security vulnerability that makes Vuze, Mainline and uTorrent especially vulnerable to a distributed reflected denial-of-service (DRDoS) attack, in which the clients respond to a normal BitTorrent request with data that's 50 to 120 times larger than the original request.
“An attacker which initiates a DRDoS does not send the traffic directly to the victim,” wrote researchers from City University of London, PLUMgrid Inc., and THM Friedberg in a paper presented at the Usenix Security Symposium. “Instead he/she sends it to amplifiers which reflect the traffic to the victim. The attacker does this by exploiting network protocols which are vulnerable to IP spoofing. A DRDoS attack results in a distributed attack which can be initiated by one or multiple attacker nodes.”
Translation: hackers have figured out another way to multiply the number of unwitting computers they use to overwhelm a website with traffic or other requests, knocking it offline.
The researchers recommended that uTorrent, Vuze and the like add new security features to their BitTorrent software that prevent users from falsifying their IP address and that prevent amplification.
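One way a UDP responder can enforce both recommendations, shown as an added example that is not from the paper or from any BitTorrent client: an unvalidated source address receives only a short HMAC cookie, and the full reply goes out only after the sender echoes that cookie, which a spoofer who never sees the reply cannot do. The class name, the 3x cap, the 8-byte cookie and the packet sizes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)  # per-process key for address-validation cookies
MAX_FACTOR = 3           # assumed cap: bytes sent <= 3x bytes received
COOKIE_LEN = 8           # assumed cookie size in bytes


def cookie_for(addr):
    """Stateless cookie bound to the claimed (ip, port) source address."""
    msg = f"{addr[0]}:{addr[1]}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:COOKIE_LEN]


class AntiAmplificationResponder:
    """Decides what may be sent to a source address that could be spoofed.

    Simplification: a production version would also expire cookies and
    bound the size of the per-address tables.
    """

    def __init__(self):
        self.received = {}      # addr -> bytes received while unvalidated
        self.sent = {}          # addr -> bytes sent while unvalidated
        self.validated = set()  # addrs that echoed a correct cookie

    def handle(self, addr, request, cookie, reply):
        """Return the bytes to send to addr in answer to this request."""
        if cookie is not None and hmac.compare_digest(cookie, cookie_for(addr)):
            self.validated.add(addr)
        if addr in self.validated:
            return reply  # sender proved it receives traffic at addr
        self.received[addr] = self.received.get(addr, 0) + len(request)
        budget = MAX_FACTOR * self.received[addr] - self.sent.get(addr, 0)
        challenge = cookie_for(addr)
        if len(challenge) > budget:
            return b""  # even the challenge would exceed the cap: stay silent
        self.sent[addr] = self.sent.get(addr, 0) + len(challenge)
        return challenge


def amplification_factor(request, response):
    """Bytes reflected toward the claimed source per byte received."""
    return len(response) / len(request)
```

With a constructed 20-byte request and 2000-byte reply, a responder without this check reflects 100 bytes per byte received, while a spoofed request here yields 8 bytes, a factor of 0.4.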