Attacking P2P Networks

1
Attacking P2P Networks

• Andre L. Nash
• ECS 235
• Thursday, December 8th, 2005

2
Types Of Attacks

• Poisoning, Spoofing, Spam and Virus Attacks
• Defection Attacks
• Malware Attacks
• Identity Attacks
• Denial Of Service Attacks

3
P2P Networks Examined

• eMule / eDonkey
• Hybrid P2P network
• Decentralized eMule servers
• BitTorrent
• Mixed P2P, decentralized networks.
• Multiple ad-hoc networks (swarms) that distribute
  a single file (or set of files), aggregated via a
  Tracker
• Anonymous P2P Networks (I2P, Tor, etc)
• Network nodes are pseudonymous.
• Obfuscates information flow, because data can be
  requested either for yourself or on behalf of
  another client
• Anonymous P2P add-ins exist for BitTorrent, mixed
  eMule network over Anonymous P2P

4
File Identification

• eMule
• Files are split into fixed 9.28 MB chunks
• Each chunk is hashed using the MD4 algorithm
• Overall file hash generated by MD4 (string
  concatenation of each chunk)
• Clients identify files to download using file
  hash, peers pass around chunk hashes

• BitTorrent
• Variable sized file chunks (32 KB, 64 KB, , 2.0
  MB)
• Each chunk is hashed using SHA1
• Torrent file contains each chunk hash (ie single
  reference point for a given torrent).

5
Malware Attacks

• Some official clients are funded via adware or
  spyware
• eXeem based on BitTorrent, contains
  decentralized servers (like eMule). Supports
  anonymous P2P.
• Many modified clients and helper applications
  contain malware, adware in exchange for
  extended functionality (such as anti-leech,
  anti-nick-theft protection, identity protection
  and peer banning)
• BitTorrent Acceleration Patch, Torrent Search,
  eMule, eMule Speed Booster and P2P Identity
  Secure have appeared on several Spyware lists

6
Poisoning, Spoofing, Spam, and Virus Attacks

• eMule
• Supports broken secure user identification
  handshaking algorithm
• Susceptible to spoofing attacks clients can
  spoof send, receive, cancel, search and preview
  packets
• Client-specific multiple connection per IP
  setting (further enables spoofing attacks)
• Peer-managed chunk and part hashes malicious
  client can send arbitrary hashes to clients.
  Helps enable virus attacks.

• BitTorrent
• No support for secure user identification
• Susceptible to spoofing attacks clients can
  spoof send, receive, and choke packets
• Client-specific multiple connection per IP
  setting enabled by default on several clients
  (further enables spoofing attacks)
• Torrent file contains chunk hashes. Single point
  of reference.

7
Defection Attacks

• eMule
• Peer-managed credit system, where peers are
  placed in a priority queue based on the number of
  credits I owe to you
• Identity stealing (spoofing) mods enable queue
  cutting
• Poisoning attacks can be used to gain credit
• Credit shaping attempting to gain credits by
  selective file sharing

• BitTorrent
• Trackers exist that track peer upload/download
  ratio and allow a client to participate in their
  swarm
• Designed so that every downloading user MUST
  upload (Tit-for-tat file sharing)
• In practice, optimistic unchoke allows a user to
  download a file very slowly
• Defection enabled by impersonating other peers
  and sending choke packet.

8
Conclusions

• BitTorrent protocol provides a base for a secure
  extension
• Simple protocol, choking algorithm - easily
  developed
• Official client should not be used for a release
  version
• Roughly 55 files, 6000 lines of python code
• No comments or documentation in the official
  client
• Requires 14 shared libraries (for a Windows
  build), including GTK 2.4, pygtk 2.4, pycrypto
  2.0 and py2exe
• Security can be gained at the cost of performance
  (multiple connections per IP)
• Nearly all attacks can be solved by a secure
  handshaking protocol among peers

9
Future Work

• Examine Trackerless security
• Modify official BitTorrent tracker and client
• Support incremental hashing (tracker or
  trackerless)
• Support secure peer identification (handshaking
  algorithm).