Spying the World from your Laptop -- Identifying and Profiling Content Providers and Big Downloaders in BitTorrent

This paper presents a set of exploits an adversary can use to continuously spy on most BitTorrent users of the Internet from a single machine and for a long period of time. Using these exploits for a period of 103 days, we collected 148 million IPs downloading 2 billion copies of contents. We identify the IP address of the content providers for 70% of the BitTorrent contents we spied on. We show that a few content providers inject most contents into BitTorrent and that those content providers are located in foreign data centers. We also show that an adversary can compromise the privacy of any peer in BitTorrent and identify the big downloaders that we define as the peers who subscribe to a large number of contents. This infringement on users' privacy poses a significant impediment to the legal adoption of BitTorrent

BitTorrent Sync: Network Investigation Methodology

The volume of personal information and data most Internet users find themselves amassing is ever increasing and the fast pace of the modern world results in most requiring instant access to their files. Millions of these users turn to cloud based file synchronisation services, such as Dropbox, Microsoft Skydrive, Apple iCloud and Google Drive, to enable "always-on" access to their most up-to-date data from any computer or mobile device with an Internet connection. The prevalence of recent articles covering various invasion of privacy issues and data protection breaches in the media has caused many to review their online security practices with their personal information. To provide an alternative to cloud based file backup and synchronisation, BitTorrent Inc. released an alternative cloudless file backup and synchronisation service, named BitTorrent Sync to alpha testers in April 2013. BitTorrent Sync's popularity rose dramatically throughout 2013, reaching over two million active users by the end of the year. This paper outlines a number of scenarios where the network investigation of the service may prove invaluable as part of a digital forensic investigation. An investigation methodology is proposed outlining the required steps involved in retrieving digital evidence from the network and the results from a proof of concept investigation are presented.Comment: 9th International Conference on Availability, Reliability and Security (ARES 2014

Compromising Tor Anonymity Exploiting P2P Information Leakage

Privacy of users in P2P networks goes far beyond their current usage and is a fundamental requirement to the adoption of P2P protocols for legal usage. In a climate of cold war between these users and anti-piracy groups, more and more users are moving to anonymizing networks in an attempt to hide their identity. However, when not designed to protect users information, a P2P protocol would leak information that may compromise the identity of its users. In this paper, we first present three attacks targeting BitTorrent users on top of Tor that reveal their real IP addresses. In a second step, we analyze the Tor usage by BitTorrent users and compare it to its usage outside of Tor. Finally, we depict the risks induced by this de-anonymization and show that users' privacy violation goes beyond BitTorrent traffic and contaminates other protocols such as HTTP

Why are they hiding ? Study of an Anonymous File Sharing System

International audienceThis paper characterizes a recently proposed anonymous file sharing system, OneSwarm. This characterisation is based on measurement of several aspects of the OneSwarm system such as the nature of the shared and searched content and the geolocation and number of users. Our findings indicate that, as opposed to common belief, there is no significant difference in downloaded content between this system and the classical BitTorrent ecosystem. We also found that a majority of users appears to be located in countries where anti-piracy laws have been recently adopted and enforced (France, Sweden and U.S). Finally, we evaluate the level of privacy provided by OneSwarm, and show that, although the system has strong overall privacy, a collusion attack could potentially identify content providers

I Know Where You are and What You are Sharing: Exploiting P2P Communications to Invade Users' Privacy

In this paper, we show how to exploit real-time communication applications to determine the IP address of a targeted user. We focus our study on Skype, although other real-time communication applications may have similar privacy issues. We first design a scheme that calls an identified targeted user inconspicuously to find his IP address, which can be done even if he is behind a NAT. By calling the user periodically, we can then observe the mobility of the user. We show how to scale the scheme to observe the mobility patterns of tens of thousands of users. We also consider the linkability threat, in which the identified user is linked to his Internet usage. We illustrate this threat by combining Skype and BitTorrent to show that it is possible to determine the file-sharing usage of identified users. We devise a scheme based on the identification field of the IP datagrams to verify with high accuracy whether the identified user is participating in specific torrents. We conclude that any Internet user can leverage Skype, and potentially other real-time communication systems, to observe the mobility and file-sharing usage of tens of millions of identified users.Comment: This is the authors' version of the ACM/USENIX Internet Measurement Conference (IMC) 2011 pape

Vulnérabilités de la DHT de BitTorrent & Identification des comportements malveillants dans KAD

Le présent délivrable présente les résultats des travaux menés durant les six premiers mois (T0+6) du projet GIS 3SGS ACDAP2P dont l'objectif est de proposer une architecture collaborative pour la détection d'attaques dans les réseaux pair à pair. Nous détaillons dans ce rapport nos travaux concernant l'identification des comportements malveillants affectant le réseaux KAD (tâche T2) ainsi que l'identification des vulnérabilités affectant la DHT du réseau BitTorrent (tâche T3) qui sont au coeur du projet ACDAP2P. Pour introduire nos travaux, nous présentons tout d'abord leur contexte ainsi qu'une taxonomie des différentes attaques pouvant affecter les DHT.. Notre première contribution montre à travers plusieurs expériences que des failles de sécurité permettent la réalisation d'attaques efficaces pouvant altérer le bon fonctionnement de la DHT de BitTorrent. En prenant pour cas d'étude le réseau P2P KAD, nous recensons ensuite les pairs suspects en utilisant deux approches de détection et montrons ainsi que des milliers de contenus du réseau sont attaqués durant nos mesures. Finalement, nous constatons l'éphémérité de certains attaquants dans le réseau

BitTorrent 시스템에서 컨텐트 번들링 및 배포

학위논문 (박사)-- 서울대학교 대학원 : 전기·컴퓨터공학부, 2013. 2. 최양희.BitTorrent는 컨텐트 공유에 사용되는 가장 인기있는 인터넷 소프트웨어이다. BitTorrent가 널리 사용됨에 따라, 연구자들은 BitTorrent의 처리량, 공정성, 인센티브와 같은 이슈에 대해 연구해 왔고, 이러한 연구들은 BitTorrent 성능과 관련된 가치있는 결과들을 보여주었다. 하지만 대부분의 연구에서는, BitTorrent에서의 컨텐트 번들링 및 배포 전략과 관련해서 (1) BitTorrent 배포자가 파일을 어떤 목적으로 어떻게 번들 하는지와 (2) BitTorrent의 배포자들이 그들의 목적을 성취하기 위해 어떠한 전략들을 사용하는지 등에 대해 다루고 있지 않다. 본 학위 논문에서는, 앞서 언급한 문제들을 측정된 데이터를 바탕으로 조사하기 위해서, BitTorrent 포탈중 가장 큰 규모인 The Pirate Bay (TPB)에 대한 종합적인 측정 연구를 수행하였다. 측정된 데이터셋은 12만개의 토런트와 1600만명의 사용자로 구성되었고, 컨텐트 배포자를 (i) 가짜 배포자, (ii) 이윤추구 배포자, (iii) 이타적 배포자 세가지 종류로 분류하여 연구를 진행하였다. 또한 영화, TV, 성인물, 음악, 응용프로그램, 게임, 전자책과 같은 컨텐트 카테고리에 따라 번들링과 컨테트 배포 현황이 어떻게 되는지 조사하였다. 첫번째로, 토런트의 구조적 패턴과 스왐 참여자의 행동 패턴을 파악하기 위해 컨텐트 번들링과 관련된 현황을 조사하였다. 특별히, (1) 얼마나 컨텐트 번들링이 널리 사용되는가, (2) 어떤 파일들이 어떻게 토런트로 번들되는가, (3) 왜 배포자들이 파일을 번들해서 사용하는가, (4) 사용자들이 번들된 파일들을 어떻게 다운로드 받는가에 초점을 맞추어 연구를 수행하였다. 측정결과 72% 이상의 토런트들이 여러개의 파일로 구성되어 있는 것을 알 수 있었고, 이것은 번들이 BitTorrent의 파일 공유를 위해 널리 사용되고 있음을 보여준다. 그리고 경제적인 이득을 위해 웹사이트를 광고하는 이윤추구 배포자들이 번들을 선호하여 사용하는 경향이 있음을 알 수 있었다. 또한 번들된 토런트의 대부분의 파일(94%)이 사용자들에 의해 선택되고, 번들된 토런트가 번들이 아닌 토런트보다 평균적으로 더 인기가 좋음을 알 수 있었다. 전체적으로, 토런트의 구조적 패턴과 스왐 참여자의 특징은 컨텐트의 카테고리 종류에 따라서, 그리고 번들된 토런트인지 번들되지 않은 토런트인지에 따라서 주목할만한 차이점이 있음을 발견할 수 있었다. 다음으로, 사회경제적 관점에서 BitTorrent의 컨텐트 배포 패턴을 (1) 배포자에 의해서 파일이 어떻게 배포되는가, (2) 각 배포자들은 어떤 전략들을 사용하는가, (3) 배포 전략들이 얼마나 효과가 있는가의 측면에서 조사하였다. 측정결과 상당한 양의 트래픽(61%)이 가짜 토런트를 다운받을 때 발생하고 있는 것을 알 수 있었고, 이는 많은 양의 인터넷 트래픽이 불필요하게 낭비되고 있음을 보여 주는 것이다. 따라서 본 측정 결과로부터 알 수 있는 가짜 배포자들의 배포 패턴을 고려해서 TPB의 가짜 배포자를 걸러낼 수 있는 방법을 제안하였고, 제안된 방법이 전체 다운로드 트래픽의 45% 가량을 줄일 수 있음을 보여 주었다. 또한 이윤추구 배포자들은 그들의 수익모델(예를 들어, 개인 트래커 사이트에 새로운 사용자를 영입하는 것이나 사람들이 사진과 연결된 URL 링크를 클릭하도록 하는 것)에 따라 다른 배포 전략을 이용하고 있음을 알 수 있었다.BitTorrent is one of the most popular applications for sharing contents over the Internet. The huge success of BitTorrent has attracted the research community to investigate BitTorrent's behavior in terms of throughput, fairness, and incentive issues, revealing valuable insights into the performance aspects of BitTorrent. However, most of these studies paid little attention to understand content bundling and publishing strategies in BitTorrent from the following perspectives: (1) how, and for what purposes, are constituent files bundled by BitTorrent publishers? and (2) what strategies are adopted by BitTorrent publishers to achieve their goals? To answer these questions with data from a large-scale BitTorrent system, we conduct comprehensive measurements on one of the largest BitTorrent portals: the Pirate Bay (TPB). From the datasets of the 120 K torrents and 16 M peers, we classify BitTorrent publishers into three types: (i) fake publishers, (ii) profit-driven publishers, and (iii) altruistic publishers. Throughout this dissertation, we investigate the current practice of bundling and publishing across different content categories: Movie, TV, Porn, Music, Application, Game, and E-book. We first investigate the current practice of content bundling to understand the structural patterns of torrents and the participant behaviors of swarms. In particular, we focus on: (1) how prevalent content bundling is, (2) how and what files are bundled into torrents, (3) what motivates publishers to bundle files, and (4) how peers access the bundled files. We find that over 72% of BitTorrent torrents contain multiple files, which indicates that bundling is widely used for file sharing. We reveal that profit-driven BitTorrent publishers who promote their own web sites for financial gains like advertising tend to prefer to use the bundling. We also observe that most files (94%) in a bundle torrent are selected by users and the bundle torrents are more popular than the single (or non-bundle) ones on average. Overall, there are notable differences in the structural patterns of torrents and swarm characteristics (i) across different content categories and (ii) between single and bundle torrents. We next investigate the current practice of content publishing in BitTorrent from a socio-economic point of view, by unraveling (1) how files are published by publishers, (2) what strategies are adopted by publishers, and (3) how effective those strategies are. We show that a significant amount of traffic (61%) of BitTorrent has been generated (i.e., unnecessarily wasted) to download fake torrents. Therefore, we suggest a method to filter out fake publishers on TPB by considering their distinct publishing patterns learned from our measurement study, and show that the proposed method can reduce around 45% of the total download traffic. We also reveal that profit-driven publishers adopt different publishing strategies according to their revenue models (e.g., advertising private tracker sites to attract potential new members, or exposing image URLs to make people click the URL links).Abstract i I. Introduction 1 II. Related Work 5 2.1 Multi-torrent Systems 5 2.2 Bundling in BitTorrent 6 2.3 Bundling in Economics 7 2.4 Content publishing in BitTorrent 7 III. Methodology 9 3.1 Measurement Methodology 9 3.2 Publisher Classification 11 IV. Bundling Practice in BitTorrent: What, How, and Why 14 4.1 Introduction 14 4.2 Datasets 16 4.2.1 Torrent Datasets 17 4.2.2 Swarm Datasets 17 4.3 Single vs. Bundle 18 4.3.1 Bundling is widespread 18 4.3.2 How files are bundled 20 4.4 Main File Analysis in Bundling 27 4.4.1 Identifying Main Files 28 4.4.2 Constituents of Bundle-k 29 4.5 Publisher Analysis 32 4.5.1 Contribution of Top-20 Publishers 33 4.5.2 Cross-category Publishing of Top-20 Publishers 39 4.6 User Access Pattern Analysis 40 4.6.1 Popularity Analysis 40 4.6.2 Availability Analysis 43 4.6.3 The Number of Files Requested by Users in a Bundle Torrent 44 4.6.4 Swarm Behaviors versus Bundle-k 47 4.7 Discussions 50 V. Content Publishing Practice in BitTorrent 52 5.1 Introduction 52 5.2 The Number of Published Torrents 54 5.3 Publishers Strategies 58 5.3.1 Lifetime of Publishers and their Publishing Rates 59 5.3.2 Content Categories 60 5.3.3 Advertising Strategies of Profit-driven Publishers 63 5.4 Downloaders Behavior 64 5.5 Implications on Publishers Strategies 69 5.5.1 Fake Publishers 69 5.5.2 Profit-driven Publishers 71 VI. Summary & Future Work 73 Bibliography 75 Korean Abstract 80Docto

Improving Security and Performance in Low Latency Anonymous Networks

Conventional wisdom dictates that the level of anonymity offered by low latency anonymity networks increases as the user base grows. However, the most significant obstacle to increased adoption of such systems is that their security and performance properties are perceived to be weak. In an effort to help foster adoption, this dissertation aims to better understand and improve security, anonymity, and performance in low latency anonymous communication systems. To better understand the security and performance properties of a popular low latency anonymity network, we characterize Tor, focusing on its application protocol distribution, geopolitical client and router distributions, and performance. For instance, we observe that peer-to-peer file sharing protocols use an unfair portion of the network’s scarce bandwidth. To reduce the congestion produced by bulk downloaders in networks such as Tor, we design, implement, and analyze an anonymizing network tailored specifically for the BitTorrent peer-to-peer file sharing protocol. We next analyze Tor’s security and anonymity properties and empirically show that Tor is vulnerable to practical end-to-end traffic correlation attacks launched by relatively weak adversaries that inflate their bandwidth claims to attract traffic and thereby compromise key positions on clients’ paths. We also explore the security and performance trade-offs that revolve around path length design decisions and we show that shorter paths offer performance benefits and provide increased resilience to certain attacks. Finally, we discover a source of performance degradation in Tor that results from poor congestion and flow control. To improve Tor’s performance and grow its user base, we offer a fresh approach to congestion and flow control inspired by techniques from IP and ATM networks