A Note on the DDoS Attacks

Adam Kelly —  January 29, 2015 — 3 Comments

Recently, several sites have noticed DDoS attacks from torrent clients in China. These attacks are not originating in the torrent ecosystem, but are caused by DNS servers returning incorrect IP addresses for well-known BitTorrent trackers.

While the identity of the perpetrators and the motivation remain unclear, we here at BitTorrent would like to share some of our expertise that may help website operators mitigate these attacks.

Torrent trackers work similarly to a normal HTTP server, but in a more limited fashion: torrent clients contact the server and ask it for information about the torrent and the swarm.

Because of this, the misdirected torrent clients will contact the victim HTTP server, and see what looks like a valid HTTP response (although not a valid “scrape reply”).

If you follow the link to Jamie’s blog, you will notice that he suggests a configuration change for Apache similar to the one below:

[Credit Jamie Zawinski]

In our example above, we’ve changed the response code from 404 to 410. µTorrent, BitTorrent, and torrent clients based on the excellent libtorrent library interpret this HTTP response code as “do not attempt to contact this tracker again”, so the request traffic falls off much faster.
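As an added illustration (not code from the original post or from BitTorrent), here is a minimal Python responder that does what the Apache change does: requests that look like tracker announce or scrape calls get a 410 Gone with a bencoded failure reason, everything else gets a 404. The path pattern, the port and the sample request targets are assumptions for the example.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Paths a misdirected client asks for: /announce, /announce.php, /scrape ...
# (assumed pattern; a bare prefix such as ^/announc would also catch /announcements)
TRACKER_PATH = re.compile(r"^/(announce|scrape)(\.[a-z]+)?/?$")

def bencode(obj):
    """Encode str/bytes, int, list, dict in the bencode format trackers speak."""
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, list):
        return b"l" + b"".join(map(bencode, obj)) + b"e"
    if isinstance(obj, dict):  # keys must be byte strings, emitted in sorted order
        pairs = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in pairs) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")

# A valid "failure reason" reply: clients that parse it see a tracker error.
FAILURE_BODY = bencode({"failure reason": "not a tracker", "retry in": "never"})

def is_tracker_request(target):
    """True for request targets that look like tracker announce/scrape calls."""
    return TRACKER_PATH.match(urlsplit(target).path) is not None

def respond(target):
    """Return (status, body) for a request target; 410 tells clients to give up."""
    if is_tracker_request(target):
        return 410, FAILURE_BODY
    return 404, b"not found\n"

class GoneHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = respond(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # try: curl -i 'http://127.0.0.1:8080/announce?info_hash=x&peer_id=y&port=6881'
    HTTPServer(("127.0.0.1", 8080), GoneHandler).serve_forever()
```

Check the behaviour with curl against your real server afterwards: the status line must read 410, not just the error page text, or clients will keep retrying.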

References:
http://furbo.org/2015/01/28/grass-mud-horse/
http://www.jwz.org/blog/2015/01/chinese-bittorrent-the-gift-that-keeps-on-giving/
http://blog.devops.co.il/post/108740168304/torrent-ddos-attack
http://www.bittorrent.org/beps/bep_0031.html

Adam Kelly

Adam is the lead software engineer on the µTorrent Windows client team. He also has the most experience battling sharks of any engineer in the office.
  • ysth

    This has made a dramatic difference for us.

    Do make sure you actually respond with a 410 with "RewriteRule ^/announc - [G]" or the like; ErrorDocument just by itself has no effect.

  • The code above is incomplete and many sites have it in the wrong order.

    Some mangling going on by the comment system.
    http://pastebin.com/Y4aKWPr7

    This is confirmed working on my website

    ErrorDocument 410 "d14:failure reason13:not a tracker8:retry in5:nevere"

    RewriteEngine On
    RewriteRule ^/announc - [G]

  • There are some interesting characteristics in traffic patterns:

    – the traffic only comes in certain hours to the affected IPs
    – list of affected IP addresses seem to be static
    – the affected IPs are typically hostings (i.e. no ADSL or otherwise home addresses)
    – different IPs get different shares of traffic
    – and many more!

    I’m a security researcher writing an extended article about this.

    I’d be interested to speak with people who are affected by this kind of “bittorrent DDoS”. The magazine I’m writing the article for is willing to cover some of the costs related to this DDoS (your hosting cost, compensate for your time) if you help us track this attack better – please contact me at tchm at virtall dot com for details.