Concepcion 1

2009-11-15

The Evolution and Security of BitTorrent

Justin Fogel-Concepcion
12/15/2008

Table of Contents

BitTorrent
Table of Contents
Abstract
Outline
Evolution of P2P
BitTorrent’s Design
Popularity and Consequences
Security Risks
Conclusion
Acronyms and Abbreviations
Definitions
Reference

Abstract

Over the years BitTorrent has grown from a fledgling new technology to one of the

largest Peer 2 Peer networks on the internet. Its increase in popularity has brought it under the

scrutiny of the public eye and under the close observation of the internet’s shadier crowd. This

paper aims to understand what prompted the creation of the BitTorrent protocol and why it

differs from its Peer 2 Peer predecessors. It will also take a close look at possible security

vulnerabilities in the protocol and their respective solutions.

Outline

This paper will begin with an introduction to P2P networks and BitTorrent’s relationship

to them. This P2P primer will entail the predecessors of BT and why they no longer hold such

prominence over the P2P field. This will lead to the fundamental design shift that will create

BitTorrent. The paper will then explain the basics of BitTorrent and how it actually works. This

section will then lead to a quick discussion about BitTorrent’s rising popularity and the

unfortunate consequences that popularity has. Following that will be the security implications

of BitTorrent and specific attacks that can be done via the BT protocol and their respective

solutions.

Evolution of P2P

To truly understand BitTorrent we have to start at the beginning, and establish that BT is in fact

a Peer 2 Peer network. Granted it is an evolved P2P network but it is still a P2P network. Peer

2 Peer networking was brought into prominence with the release of Napster in 1999

[1]. At its core, P2P is the connection of two users who wish to transfer data. That data tends

to be music, movies, software, and games. How does the transfer of files really work?

Figure 1 – How Napster Works [20]

Figure 2 – How Kazaa Works [20]
At the basis of Kazaa, WinMX, and Napster there lies a clearly defined order of operations.

Napster, being the first of its kind to gain prominence, used an archaic order of operations for

getting your files. In Napster you, the client, search for an mp3 titled debaser. A request is sent

to a central server that then asks the other computers if they have the file. A message is sent

back to you and a connection is established between you and the person who has it. The reason this is

archaic is due to its centralized nature. All the information is flowing to one focal point and,

besides being inefficient, it also brought legal ramifications for Napster.

Kazaa on the other hand took what Napster did and evolved it further. The differences

between the two are clear in Figures 1 and 2. However a short description is simply that Kazaa

decentralized it by changing it slightly. Instead of contacting Kazaa you contact a supernode

which is basically an individual with higher bandwidth capabilities [20]. This now focuses all the

pressure towards the users instead of a single server. These are the two differing approaches

to the old style of P2P networking.

So what was the problem with these old styles of networking? First let’s do a little

math. As of the time of writing I am on a 20mbs/5mbs fiber optic line. I download

approximately 2.2megs a second and can upload approximately 500kb a second. An average

song is about 4 megabytes. So that would take me eight seconds to upload to someone. Not a

lot of time obviously. Now let’s say a DVD rip of a new movie averages about 700 megabytes,

which is 1400 seconds or approximately 23 minutes. That still is not that bad, so obviously the

question you are asking me is why are you mentioning this? My internet connection is in the

upper tier of ISPs available in the world and as such your average user will come nowhere close

to the above numbers. Now imagine someone with ¼ of my upload speeds, the same file

would take them 5600 seconds or 93 minutes. Even that is still in the higher tiers of services.

As file sizes begin to grow our potential as an uploader is directly proportional to our

internet capabilities. Fiber optics is still a fledgling technology in the States and most people still

don’t even have broadband. So how can P2P survive if the people can no longer upload in a

feasible time? The answer lies in the mixture of Napster and Kazaa.

BitTorrent’s Design

In Figure 1 and Figure 2 there are two distinct themes being displayed, the centralized

and decentralized. However if you look at the two as a whole you will still see that they share

one centralized theme, one singular connection to a peer. So how can the two differing themes

be combined? The answer is that the individual will search torrent websites that will contain a

.torrent file. This file contains information about the tracker and will help point you towards

the tracker. The tracker will send you a list of peers and then you will begin to receive pieces of

the file, better known as blocks. Once you complete one block you are now sharing that one

block and so on [21]. A cascade effect emerges wherein the moment you successfully complete

downloading a block from someone, you now share that block. Of course some individuals will

choose not to share, but if no one shares then there would be no P2P network.

Figure 3 – How BitTorrent works [21]

By minimizing the amount of stress each individual takes and dividing up the tasks, the

speeds at which you can download increase. A 700 megabyte file would be broken down into

approximately 2734 pieces. Each piece would be approximately 256kb, and each piece would

be broken down into sixteen blocks [4].

Figure 4 – How Pieces Work [22]

This approach creates a large network of information constantly being accessed by many peers

and seeders; this network is called the swarm [11].

Unfortunately there is one major drawback to the decentralized theme of trackers and

swarms. Because there are so many trackers, such as thepiratebay and mininova, you cannot

search an overall listing [1]. There have been services that attempt to do this such as

youtorrent.com, however as I can attest it doesn’t always work. The user in the end will make a

tradeoff of overall listings for a more robust and quicker system.



Popularity and Consequences

The public definitely came to use and love the BitTorrent protocol. There are differing

estimates as to the percentage BT traffic encompasses in the grand scheme of things. In [12]

the estimate is that around a third of internet traffic is BT related, and [6] says the percentage is

higher, at about sixty. So we can agree that it is likely somewhere in the middle. Adhering to

that logical conclusion, BT takes up a large portion of internet traffic.

What happens when anything gets popular? People tend to take notice. On the good

side of things one of the world’s most popular trackers, The Pirate Bay, recently hit 25 million

peers. To put that number in perspective, The Pirate Bay tracks more peers than the combined

populations of Sweden, Norway, Finland, Iceland, and Denmark [12]. Of course on

the bad side of things the most commonly downloaded files tend to be music, movies, video

games, and software. The downloading of copyrighted materials is obviously illegal and the

industry is not happy about that. In November of 2008 seven Hollywood studios, including

Paramount, Sony, Twentieth Century Fox, Universal, Warner Bros, and Disney, teamed up

to sue iiNet, Australia’s third largest ISP [14]. In February of 2008 a Danish court ordered the

ISP Tele2 to block its customers from accessing The Pirate Bay [15].

Why can’t they sue or go after BitTorrent? It is merely a program that can share

information, it does not promote downloading illegal files, and in fact they often explicitly state

not to. Going after the individual who broke the law tends to be cumbersome and difficult.

The MPAA has been known to upload fake torrents that will collect the user information so they

can attempt to pursue legal actions [19].



Besides the legal pressure that is present in the BitTorrent field, there is also the

looming threat of security issues. The following is from a bug found in August of 2008 that has

been fixed now:

Secunia has issued two advisories, SA31441 and SA31445, regarding a highly critical vulnerability

that affects uTorrent versions 1.6, 1.7.x up to 1.8 RC6, as well as the BitTorrent mainline client

6.0 up to 6.0.3. Secunia rated this vulnerability as "Highly Critical" because it can allow an

attacker to perform Denial of Service (DoS) attacks and remotely execute malicious code on the

exploited system. The uTorrent users are urged to upgrade to the new uTorrent 1.8 Stable, but

there is still no solution for people using the BitTorrent mainline client. [9]

BitTorrent has inherent security checks because of a constant hash check that happens at the

successful downloading of a piece [7]. However when the issue stretches out towards actual

attacks towards a user it escalates to a different level. In May of 2007 Opera v9.20 was

vulnerable to an attack that caused the computer to use 100% of its system resources

effectively locking up the computer. The attack was triggered by a malformed .torrent file that

is downloaded through Opera’s built in torrent functionality [10].

As any product gets popular more people will take notice and try to find flaws. The

flaws that were found were inherent to two specific products related to BitTorrent. However in

the next section I will address three specific attacks that apply to BitTorrent as a whole.

Security Risks

BitTorrent swarms are susceptible to a number of different attacks. Two of the ones

that I will discuss are called the Fake-Block attack and the Uncooperative-Peer Attack [4]. The

fundamentals of both are also described, in different terms, in [7]. The third and final

attack I will discuss is a DDoS vulnerability attack described by [5], and again mentioned in [7].

Fake-Block Attack

As mentioned previously in BitTorrent each file is divided into pieces, where each piece

is usually 256kb (depending on the overall size of the file). Each piece is further divided into

blocks, typically 16 blocks in a piece. When downloading a piece, a client requests different

blocks for the piece from different peers [4].

Non-malicious in nature, the fake-block attack seeks to prolong your download

times. The attacker joins the swarm sharing the file by registering with the tracker. Then it

begins to advertise it has a number of pieces from the file. The victim receives the message and

requests the attacker to send its blocks. The attacker instead of sending an authentic block will

send a fake one. After the victim finishes downloading the block and the entire piece, a hash

check is performed across the entire piece. The hash check will of course fail because of fake

blocks and the user will then have to re-download the entire piece again. The victim just

wasted 256kb of bandwidth, which in itself is not a lot but it is the bigger picture we must look

at.

The above is referring to only one individual attacker. Let’s experiment for a moment

and imagine there are 100 attackers in the swarm, which is just more practical in terms of

seeders. Let’s say the victim’s torrent has 10000 pieces. That is 2560000 kilobytes, 2560

megabytes, or 2.56 gigabytes. The victim is connecting to all the attackers and getting the fake

blocks. Instead of downloading a small percentage of fake blocks, because of the number of

seeders the victim is accumulating a much larger number of fake blocks. For practical sake let

us say that 50% of the file pieces turned out to be fake, that just wasted 1.28 gigabytes, almost

a fourth of some 40 GB monthly limits [12]. As the number of attackers increases, the amount of

wasted time and bandwidth increases.

A possible solution to the Fake-Block attack is giving the user an option in their BT client

to ban certain seeders. If the client fails a hash check, the client searches for the IPs related to

the blocks that failed the test and eliminates them from the individual’s swarm. Of course the

downside is sometimes there are legitimate reasons you may fail a hash check or get a bad

piece. Temporary internet failure or inconsistent downloading can cause a corruption of a

block and that would cause the whole piece to fail its hash check. However the removal from

the seeder list is the only solution to the fake-block attack.
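
As an added illustration (not code from the paper or from any BitTorrent client), the sketch below implements the ban-on-failed-hash idea and goes one step beyond it: instead of banning every IP that touched a failed piece, it keeps a digest of each block and, once a good copy of the piece arrives, strikes only the peers whose blocks differed. The class name, the strike limit of 2 and the 192.0.2.x addresses are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

BLOCKS_PER_PIECE = 16        # from the text: a 256 KB piece is split into 16 blocks
BLOCK_SIZE = 16 * 1024
STRIKE_LIMIT = 2             # assumption: failed pieces tolerated per peer before a ban


class FakeBlockGuard:
    """Hypothetical client-side helper: piece hash check plus per-peer blame."""

    def __init__(self, piece_hashes, strike_limit=STRIKE_LIMIT):
        self.piece_hashes = piece_hashes   # one SHA-1 digest per piece, from the .torrent
        self.strike_limit = strike_limit
        self.strikes = defaultdict(int)
        self.banned = set()
        self.suspects = {}                 # piece index -> list of failed attempts
        self.wasted = 0                    # bytes discarded after failed hash checks

    def accept_piece(self, index, blocks):
        """blocks: [(peer, data), ...] in block order. True if the piece verifies."""
        data = b"".join(d for _, d in blocks)
        if hashlib.sha1(data).digest() != self.piece_hashes[index]:
            # Only the whole piece has a published hash, so the culprit is not yet
            # known. Record who sent which block and wait for a good copy.
            attempt = [(p, hashlib.sha1(d).digest()) for p, d in blocks]
            self.suspects.setdefault(index, []).append(attempt)
            self.wasted += len(data)
            return False
        good = [hashlib.sha1(d).digest() for _, d in blocks]
        for attempt in self.suspects.pop(index, []):
            # One strike per failed attempt for each peer whose block was wrong.
            bad = {p for (p, digest), ok in zip(attempt, good) if digest != ok}
            for peer in bad:
                self.strikes[peer] += 1
                if self.strikes[peer] >= self.strike_limit:
                    self.banned.add(peer)
        return True

    def usable(self, peers):
        return [p for p in peers if p not in self.banned]


def split(piece):
    return [piece[i:i + BLOCK_SIZE] for i in range(0, len(piece), BLOCK_SIZE)]


def demo():
    """Constructed swarm: two honest peers, one of them glitchy, and one attacker."""
    peer_a, peer_b, evil = "192.0.2.10", "192.0.2.11", "192.0.2.66"
    pieces = [bytes([n + 1]) * (BLOCK_SIZE * BLOCKS_PER_PIECE) for n in range(2)]
    guard = FakeBlockGuard([hashlib.sha1(p).digest() for p in pieces])
    for index, piece in enumerate(pieces):
        mixed = []
        for k, block in enumerate(split(piece)):
            peer = (peer_a, peer_b, evil)[k % 3]
            if peer == evil:
                block = b"\x00" * BLOCK_SIZE       # fake block
            elif peer == peer_b and index == 1 and k == 1:
                block = b"\xff" + block[1:]        # one-off transfer corruption
            mixed.append((peer, block))
        assert not guard.accept_piece(index, mixed)              # hash check fails
        assert guard.accept_piece(index, [(peer_a, blk) for blk in split(piece)])
    return guard


if __name__ == "__main__":
    g = demo()
    print("banned:", g.banned, "strikes:", dict(g.strikes), "wasted:", g.wasted)
```

The peer that corrupted a single block by accident ends with one strike and stays in the swarm; the peer that sent fake blocks in both pieces reaches the limit and is banned.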

Uncooperative-Peer Attack

In an uncooperative-peer attack, the attacker joins the swarm and establishes TCP

connections with victim peers. After the connection is made it never provides any blocks to the

peers. A common version of this attack is called the chatty peer attack [4]. The attacker

engages in a handshake message, which is the first connection that is established between two

peers. Afterwards the attacker advertises it has a number of pieces available from the file.

When the victim queries the attacker for a block they do not receive anything. The attacker

then resends its handshake message and the process repeats itself. The victim never receives

any blocks and wastes time dealing with the attacker, when it could have connected to a

legitimate peer. Of course as with the fake-block attack the effectiveness of this attack is

increased dramatically if a large number of attackers are present in the swarm.

The solution to the uncooperative-peer attack is similar in nature to the fake-block

attack. The client program sets an auto-retry limit with a respective peer. An uncooperative

peer can happen by accident if there is a disturbance in the connection between the two.

However if it repeats itself a predetermined number of times, the individual is taken off the

victim’s peer list. If it happens even more often, the client could send a message to the

tracker informing it of the peer’s uncooperativeness, so that the peer can be manually removed from the

swarm. This can also apply to the fake-block solution.
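
The auto-retry limit described above, as an added sketch (not code from the paper or from any client) that replays a constructed event log through a per-peer counter. The class name, the event names, the limit of 3 and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict

RETRY_LIMIT = 3   # assumption: the "predetermined number of times" from the text


class PeerMonitor:
    """Hypothetical per-peer bookkeeping for the auto-retry limit."""

    def __init__(self, retry_limit=RETRY_LIMIT):
        self.retry_limit = retry_limit
        self.misses = defaultdict(int)      # consecutive unanswered requests
        self.handshakes = defaultdict(int)  # handshakes since the last delivered block
        self.delivered = defaultdict(int)   # blocks actually received
        self.dropped = {}                   # peer -> reason it was removed

    def feed(self, peer, event):
        if peer in self.dropped:
            return "ignored"                # no more time is spent on this peer
        if event == "handshake":
            self.handshakes[peer] += 1
            # One handshake opens a connection; repeating it without ever sending
            # data is the chatty-peer pattern.
            if self.handshakes[peer] > self.retry_limit:
                return self._drop(peer, "repeated handshake, no data")
        elif event == "timeout":
            self.misses[peer] += 1
            if self.misses[peer] >= self.retry_limit:
                return self._drop(peer, "requests unanswered")
        elif event == "block":
            # A delivered block clears the counters, so a brief disturbance on an
            # honest peer's connection never adds up to a removal.
            self.delivered[peer] += 1
            self.misses[peer] = 0
            self.handshakes[peer] = 0
        return "ok"

    def _drop(self, peer, reason):
        self.dropped[peer] = reason
        return "dropped"


# Constructed event log (peer, event); addresses are from the documentation range.
CHATTY, RESETTER, FLAKY = "192.0.2.66", "192.0.2.67", "192.0.2.20"
LOG = (
    [(CHATTY, e) for e in ("handshake", "have", "request", "timeout")] * 4
    + [(RESETTER, e) for e in ("handshake", "have")] * 4
    + [(FLAKY, e) for e in ("handshake", "have", "request", "timeout", "request",
                            "timeout", "request", "block", "request", "timeout",
                            "request", "block")]
)


def replay(log):
    """Feed every event to a fresh monitor; return it with the per-event outcomes."""
    monitor = PeerMonitor()
    outcomes = [monitor.feed(peer, event) for peer, event in log]
    return monitor, outcomes


if __name__ == "__main__":
    m, _ = replay(LOG)
    print(m.dropped)
```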

DDoS Attack

The following attack was executed by Ka Cheung Sia of UCLA and all credit goes to Sia.

With that out of the way, many BT users know that traffic surges are possible when a popular seed

is used. TV shows, a popular kind of file found on BT sites, tend to have users who upload the torrent

file consistently after an episode airs. This individual is now the primary seed to anyone who

wishes to download it. This effect lessens as more peers become seeders. However that

immediate flood of handshake messages to the seeder can cause traffic surges similar to a

DDoS attack. In certain scenarios, it has been recorded that more than 1000 clients are trying

to connect to a seeder simultaneously [5]. The nature of a DDoS attack is that it will strangle

the host, keeping it from sending or receiving any data.



By altering the information you send back to the tracker, it is possible to

redirect huge amounts of traffic to a victim peer. The following steps were taken by [5] to

enact the DDoS experiment:

1. We download 1191 recently uploaded torrent files from http://www.mininova.org, which is a

Website dedicated to share torrent files among users. A summary of the torrents and trackers

used are listed in Table 1.

2. The original python BT client program is modified to parse the torrent files and send

forged announcement message to the corresponding trackers indicated in each torrent file.

3. Upon the trackers receive requests for a list of participating peers from other clients, it will

send them the victim’s IP address and port number.

4. Other peers in the BT network will then attempt to connect to the victim machine and

request for pieces of files.

The victim machine that was used was an Apache web server configured to serve 400 clients

simultaneously. When they performed a large scale attack the victim maintained an average of

500 concurrent users over the eight hour attack period.

Figure 5 – Sia’s Results for the large scale attack



At the time of the attack the web server began to show heavy delays and timeouts on the

connections.

To put the scale of the attack in perspective, there were 30,513 distinct IPs that

attempted to connect to the victim [5]. It was observed that most clients tried approximately

three times before they gave up. However two IPs in question (one from Singapore and the

other from the United States) tried to connect over 8000 times.

The solution to such an attack is a difficult one. One possible solution is a more robust

implementation of tracker protocol that forces an authentication between the user and the

source address. In [5], Sia discusses a more in depth solution that involves packet filtering and

full TCP connections. The full TCP connection is what can cripple a server. He discusses a

method to limit the connection and safeguard against flooding.
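
One way a tracker could tie a peer entry to the address the announce actually came from, as an added sketch (not code from Sia's paper or from any tracker implementation): the peer is recorded under the connection's source address, and an announce whose optional `ip` parameter names a different host is refused and counted. The `Tracker` class, its return strings and the sample addresses are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from urllib.parse import parse_qs


def canon(text):
    """Parse an IP address, unwrapping IPv4-mapped IPv6. None if not an address."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return getattr(addr, "ipv4_mapped", None) or addr


class Tracker:
    """Hypothetical announce handler that trusts only the connection's source."""

    def __init__(self):
        self.swarms = {}           # info_hash -> set of (ip, port)
        self.refused = Counter()   # source address -> refused announces

    def announce(self, source_ip, query):
        q = {k: v[0] for k, v in parse_qs(query).items()}
        src = canon(source_ip)
        try:
            info_hash, port = q["info_hash"], int(q["port"])
        except (KeyError, ValueError):
            return "failure: malformed announce"
        if src is None or not 0 < port < 65536:
            return "failure: malformed announce"
        claimed = q.get("ip")
        if claimed is not None and canon(claimed) != src:
            # The claimed address (or hostname) is not where the request came from.
            self.refused[source_ip] += 1
            return "failure: ip does not match source address"
        self.swarms.setdefault(info_hash, set()).add((str(src), port))
        return "ok"


def demo():
    """Run four constructed announces: two consistent, two naming another host."""
    t = Tracker()
    ih = "info_hash=" + "a" * 20          # constructed, not a real torrent
    results = [
        t.announce("198.51.100.7", ih + "&port=6881"),
        t.announce("::ffff:198.51.100.7", ih + "&port=6881&ip=198.51.100.7"),
        t.announce("198.51.100.9", ih + "&port=80&ip=203.0.113.5"),
        t.announce("198.51.100.9", ih + "&port=80&ip=www.example.org"),
    ]
    return t, results


if __name__ == "__main__":
    tracker, results = demo()
    print(results, dict(tracker.refused))
```

Peers that announce from behind a proxy rely on the `ip` parameter, so a tracker adopting this check gives up that use case in exchange for not handing out addresses the announcer does not control.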

Conclusion

Throughout the course of this paper it became evident that although BitTorrent is the successor

of P2P programs of the past, it still has flaws of its own. We looked at critical flaws in the

uTorrent BitTorrent client and in the BT functionality in the Opera web browser. We examined

three attacks against BT users: the fake-block attack, the uncooperative-peer attack, and a

DDoS attack. Fortunately there were actual and possible solutions present to the

vulnerabilities that we discussed, whether it be upgrading old versions of software, traffic filtering, or

robust tracker authentication. The possibilities are there to help address security flaws in the

BitTorrent protocol.

Reference for Paper

Acronyms

- ISP: Internet Service Provider
- TCP/IP: Transmission Control Protocol and Internet Protocol
- P2P: Peer 2 Peer
- MB: Megabyte
- KB: Kilobyte
- BT: BitTorrent
- MPAA: Motion Picture Association of America
- WoW: World of Warcraft
- DDoS: Distributed Denial of Service

Definitions

Availability: The number of existing full copies of the file available to the client for
downloading. The higher this number is, the potentially easier and quicker it can be to
download the complete file (not accounting for other factors). If this number is less than one
(for example, 0.65) then there is not a full copy of the file available to download.

Block: A block is a piece of a file. When a file is distributed via BitTorrent, it is broken into
smaller pieces, or blocks. Typically the block is 250kb in size, but it can vary with the size of the
file being distributed. Breaking the file into pieces allows it to be distributed as efficiently as
possible. Users get their files faster using less bandwidth.

Client: the BitTorrent software used to download and upload files. The BitTorrent client can be
downloaded here.

Handshake: the first connection between two peers

Leech or leecher: usually refers to a peer that is downloading while uploading very little, or
nothing at all. Sometimes this is unintentional and due to firewall issues. The term leech is also
sometimes used to simply refer to a peer that is not seeding yet.

Peer: one of a group of clients downloading the same file.



Re-seed: Re-seeding is the act of putting up a new complete copy of a file after no more seeds
are available to download from. This is done to allow clients with only partial downloads to
complete the download process and increases availability.

Scrape: This is when a client sends a request to the tracker for information about the statistics
of the torrent, like who to share the file with and how well those other users are sharing.

Seed: a complete copy of the file being made available for download.

Supernode: a powerful computer with a fast network connection, high bandwidth and quick
processing capabilities.

Swarm: a group of seeds and peers sharing the same torrent.

Torrent: generally, the instance of a file or group of files being distributed via BitTorrent.

Torrent file: a file which describes what file or files are being distributed, where to find parts,
and other info needed for the distribution of the file.

Tracker: a server that keeps track of the peers and seeds in a swarm. A tracker does not have a
copy of the file itself, but it helps manage the file transfer process.

Works Cited

[1] P. Gilman and B. Reed. “Analysis of Internet File Sharing Programs” Oregon State University. 07 June 2006. <http://islab.oregonstate.edu/koc/ece478/04Report/Gilman-Reed.doc>

[2] C. Valli and A. Woodward. “Network Security” Proc. 5th Australian Info. Security Management, Dec. 2007, pp.92, <http://scissec.scis.ecu.edu.au/conference_proceedings/2007/aism/AISM_proceedings.pdf>

[3] M. Engle and J. Khan. “Vulnerabilities of P2P Systems and a Critical Look at their Solutions” Kent State University. 01 Nov. 2006 <http://www.medianet.kent.edu/techreports/TR2006-11-01-p2pvuln-EK.pdf>

[4] P. Dhungel, D. Wu, B. Schonhorst, and K. Ross. “A Measurement Study of Attacks on BitTorrent Leechers” Polytechnic University. <http://cis.poly.edu/~ross/papers/BTattacksIPTPS.pdf>

[5] K. Sia. “DDoS Vulnerability Analysis of Bittorrent Protocol” University of California, Los Angeles. <http://oak.cs.ucla.edu/~sia/cs239spring06.pdf> Site Down, the PDF was saved and is attached at website

[6] K. Defraway, M. Gjoka, A. Markopoulou. “BotTorrent: Misusing BitTorrent to Launch DDoS Attacks” Usenix. <http://www.usenix.org/event/sruti07/tech/full_papers/eldefrawy/eldefrawy.pdf>

[7] N. Liogkas, R. Nelson, E. Kohler and L. Zhang. “Exploiting BitTorrent For Fun (But Not Profit)” University of California, Los Angeles. <http://www.iptps.org/papers-2006/Liogkas-BitTorrent06.pdf>

[8] P. Dhungel, X. Hei, D. Wu and K. Ross. “The Seed Attack: Can BitTorrent be Nipped in the Bud?” Polytechnic University. <http://cis.poly.edu/~ross/papers/SeedAttack.pdf>

[9] M. Engle and J. Khan. “Highly Critical Bug in uTorrent and BitTorrent Clients Discovered” Softpedia. 13 Aug. 2008 <http://news.softpedia.com/news/Highly-Critical-Bug-in-uTorrent-and-BitTorrent-Clients-Discovered-91818.shtml>

[10] Unknown. “BitTorrent Exploit Vulnerability Discovered in Latest Opera” TorrentFreak. 03 May. 2007 <http://torrentfreak.com/bittorrent-exploit-vulnerability-discovered-in-latest-opera/>

[11] Unknown. “FAQ – BitTorrent Concepts” BitTorrent. <http://www.bittorrent.com/btusers/help/faq/bittorrent-concepts#4n9>

[12] S. Kelly. “BitTorrent battles over bandwidth” BBC NEWS. 13 Apr. 2006 <http://news.bbc.co.uk/2/hi/programmes/click_online/4905660.stm>

[13] B. Jones. “Will uTorrent Really Kill the Internet?” TorrentFreak. 02 Dec. 2008 <http://torrentfreak.com/will-utorrent-really-kill-the-internet-081201/>

[14] Ernesto. “The Pirate Bay Sees Traffic and Peers Surge” TorrentFreak. 15 Nov. 2008 <http://torrentfreak.com/the-pirate-bay-sees-traffic-and-peers-surge-081115/>

[15] Unknown. “Movie Studios Sue ISP Over BitTorrent Piracy” TorrentFreak. 20 Nov. 2008 <http://torrentfreak.com/movie-studios-join-forces-to-sue-isp-over-bittorrent-081120/>

[16] Unknown. “ISP Must Continue to Block The Pirate Bay” TorrentFreak. 26 Nov. 2008 <http://torrentfreak.com/the-pirate-bay-sees-traffic-and-peers-surge-081115/>

[17] Unknown. “Port Forwarding” Galway Computer Society. <http://alumni.ox.compsoc.net/~steve/portforwarding.html>

[18] Ernesto. “How to Find Fake Torrents Uploaded by the MPAA and RIAA” TorrentFreak. 28 Jan. 2007 <http://torrentfreak.com/how-to-find-fake-torrents-uploaded-by-the-mpaa-and-riaa/comment-page-2/>

[19] Ernesto. “MPAA Caught Uploading Fake Torrents” TorrentFreak. 11 Jan. 2007 <http://torrentfreak.com/mpaa-caught-uploading-fake-torrents/>

[20] S. Watson. “How Kazaa Works.” HowStuffWorks. <http://computer.howstuffworks.com/kazaa3.htm>

[21] “BitTorrent Working.” <http://alexmohr.com/bittorrent/btworking.html>

[22] <http://azureus.sourceforge.net/img/sc/2.2.0.0/torrent_-_pieces.png>
