How is the torrent protocol used to DDoS you? I never came across torrents being used as a DDoS. I would appreciate more details on what sort of torrent attack it was, and whether you found any ways of partially neglecting damage.
A malicious tracker, or a peer if using DHT, can claim an IP, the victim, is active in the swarm and has valuable bits of the torrent. Then torrent clients will try to connect to the victim.
The attack is pretty clever: being indirect, it is hard to trace, and because BitTorrent allows arbitrary ports you can hit a specific IP & port pair.
The one downside is the victims can be sure it is a BitTorrent DDoS by checking the attacking connection's requests. The attacker's packets will contain BitTorrent's magic connection bits.
Please confirm my understanding: this would be by inserting yourself into the DHT with an address near/equal to a target high-volume torrent, so that you're frequently queried by clients looking for peers?
If so, I guess it could be possible in some cases to identify the peers who initiated the attack. The non-malicious peers attempting to make BitTorrent connections to your server will provide the infohash of the torrent they think you're downloading, which you might be able to use to find the malicious DHT peer who's directing them.
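The two comments above both point at the same defender-side handle: a misdirected peer's first bytes are a BitTorrent peer-wire handshake (the "magic connection bits"), and that handshake carries the infohash of the swarm the peer was pointed at. The following is an added example, not code from anyone in this thread. It parses the handshake layout defined in BEP 3 (`<pstrlen=19><"BitTorrent protocol"><8 reserved bytes><20-byte infohash><20-byte peer_id>`) and groups inbound connections by infohash, so a victim can see which torrent has been poisoned and how many distinct peers are arriving per swarm. The sample connections, the `_fake_handshake` builder, the `-EX0001-` peer-id prefix and the IP addresses are all constructed; the code assumes you already have the first payload bytes of each inbound TCP connection (from a capture or a tap), which is the inspection cost the later comments discuss.

```python
import hashlib
from collections import defaultdict

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # = 68 bytes

def parse_handshake(payload: bytes):
    """Return (infohash_hex, peer_id) if payload opens with a BitTorrent
    peer-wire handshake (BEP 3), else None.  Layout:
      <pstrlen=19><pstr="BitTorrent protocol"><8 reserved><20 infohash><20 peer_id>
    """
    if len(payload) < HANDSHAKE_LEN:
        return None                     # too short to be a complete handshake
    if payload[0] != len(PSTR) or payload[1:1 + len(PSTR)] != PSTR:
        return None                     # not the BitTorrent magic
    infohash = payload[28:48]
    peer_id = payload[48:68]
    return infohash.hex(), peer_id

def classify_connections(connections):
    """connections: iterable of (src_ip, first_payload_bytes).
    Returns (peers_by_infohash, other_count): a dict mapping each infohash
    (hex) to the set of source IPs that presented it, plus the number of
    connections whose first bytes were not a BitTorrent handshake."""
    peers_by_infohash = defaultdict(set)
    other = 0
    for src_ip, payload in connections:
        hs = parse_handshake(payload)
        if hs is None:
            other += 1
            continue
        infohash_hex, _peer_id = hs
        peers_by_infohash[infohash_hex].add(src_ip)
    return dict(peers_by_infohash), other

# --- constructed sample input (assumption: not real captures) ---
def _fake_handshake(infohash: bytes, peer_id: bytes) -> bytes:
    """Build a syntactically valid handshake for the sample data."""
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + infohash + peer_id

SWARM_A = hashlib.sha1(b"constructed torrent A").digest()   # 20-byte infohash
SWARM_B = hashlib.sha1(b"constructed torrent B").digest()

SAMPLE_CONNECTIONS = [
    ("198.51.100.10", _fake_handshake(SWARM_A, b"-EX0001-" + b"a" * 12)),
    ("198.51.100.11", _fake_handshake(SWARM_A, b"-EX0001-" + b"b" * 12)),
    ("198.51.100.12", _fake_handshake(SWARM_A, b"-EX0001-" + b"c" * 12)),
    ("203.0.113.5",   _fake_handshake(SWARM_B, b"-EX0001-" + b"d" * 12)),
    ("192.0.2.77",    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # legitimate web client
    ("192.0.2.78",    b"\x13BitTorrent proto"),                         # truncated, not a handshake
]

if __name__ == "__main__":
    by_hash, other = classify_connections(SAMPLE_CONNECTIONS)
    for h, ips in sorted(by_hash.items(), key=lambda kv: -len(kv[1])):
        print(f"infohash {h}: {len(ips)} distinct peers")
    print(f"non-BitTorrent connections: {other}")
```

The infohash with the largest peer count is the swarm whose tracker or DHT announces have been pointed at you; that value is what you would take to the tracker operator or use to look up the swarm's announcing nodes, and the per-IP grouping also shows why blanket IP-range blocking (mentioned later in the thread) is so blunt: the connecting addresses are ordinary peers, not the party that misdirected them.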
At first I thought you were suggesting that it's possible for malicious peers to insert invalid IP/port pairs into non-malicious DHT nodes, which I don't believe is possible. (The mainline DHT protocol [1] requires that peers provide a "token" value, previously sent to their IP address, to verify themselves when being listed for a torrent.)
It sounds like you have a better understanding of DHT than me and it sounds like DHT isn't vulnerable like a traditional tracker. My knowledge of the attack method is served to what I read in a research paper 2 years back.
Yes. Very much harder. One can be done at line rate on any halfway decent router, and the other requires deep packet inspection which is considerably more expensive.
In theory yes, but it requires deep packet inspection to catch before it hits the server. Such equipment is expensive per GB/s and not something you'd have access to by accident.
Unfortunately I don't have the technical details; we weren't 100% sure, but it seems there's a way to exploit BitTorrent by misdirecting clients to send their traffic toward any host.
We ended up blocking out ranges of IPs, but at a point you end up cutting a lot of legitimate traffic as well (but I really lack the technical expertise to go more into depth on this).