Analysis of bandwidth attacks in a bittorrent swarm

The beginning of the 21st century saw a widely publicized lawsuit against Napster. This was the first Peer-to-Peer software that allowed its users to search for and share digital music with other users. At the height of its popularity, Napster boasted 80 million registered users. This marked the beginning of a Peer-to-Peer paradigm and the end of older methods of distributing cultural possessions. But Napster was not entirely rooted in a Peer-to-Peer paradigm. Only the download of a file was based on Peer-to-Peer interactions; the search process was still based on a central server. It was thus easy to shutdown Napster. Shortly after the shutdown, Bram Cohen developed a new Peer-to-Peer protocol called BitTorrent. The main principle behind BitTorrent is an incentive mechanism, called a choking algorithm, which rewards peers that share. Currently, BitTorrent is one of the most widely used protocols on the Internet. Therefore, it is important to investigate the security of this protocol. While significant progress has been made in understanding the Bit- Torrent choking mechanism, its security vulnerabilities have not yet been thoroughly investigated. This dissertation provides a security analysis of the Peer-to-Peer protocol BitTorrent on the application and transport layer. The dissertation begins with an experimental analysis of bandwidth attacks against different choking algorithms in the BitTorrent seed state. I reveal a simple exploit that allows malicious peers to receive a considerably higher download rate than contributing leechers, thereby causing a significant loss of efficiency for benign peers. I show the damage caused by the proposed attack in two different environments—a lab testbed comprised of 32 peers and a global testbed called PlanetLab with 300 peers. Our results show that three malicious peers can degrade the download rate by up to 414.99 % for all peers. Combined with a Sybil attack with as many attackers as leechers, it is possible to degrade the download rate by more than 1000 %. I propose a novel choking algorithm which is immune against bandwidth attacks and a countermeasure against the revealed attack. This thesis includes a security analysis of the transport layer. To make BitTorrent more Internet Service Provider friendly, BitTorrent Inc. invented the Micro Transport Protocol. It is based on User Datagram Protocol with a novel congestion control called Low Extra Delay Background Transport. This protocol assumes that the receiver always provides correct feedback, otherwise this deteriorates throughput or yields to corrupted data. I show through experimental evaluation, that a misbehaving Micro Transport Protocol receiver which is not interested in data integrity, can increase the bandwidth of the sender by up to five times. This can cause a congestion collapse and steal a large share of a victim’s bandwidth. I present three attacks, which increase bandwidth usage significantly. I have tested these attacks in real world environments and demonstrate their severity both in terms of the number of packets and total traffic generated. I also present a countermeasure for protecting against these attacks and evaluate the performance of this defensive strategy. In the last section, I demonstrate that the BitTorrent protocol family is vulnerable to Distributed Reflective Denial-of-Service attacks. Specifically, I show that an attacker can exploit BitTorrent protocols (Micro Transport Protocol, Distributed Hash Table, Message Stream Encryption and BitTorrent Sync to reflect and amplify traffic from Bit- Torrent peers to any target on the Internet. I validate the efficiency, robustness, and the difficulty of defence of the exposed BitTorrent vulnerabilities in a Peer-to-Peer lab testbed. I further substantiate lab results by crawling more than 2.1 million IP addresses over Mainline Distributed Hash Table and analyzing more than 10,000 BitTorrent handshakes. The experiments suggest that an attacker is able to exploit BitTorrent peers to amplify traffic by a factor of 50, and in the case of BitTorrent Sync 120. Additionally, I observe that the most popular BitTorrent clients are the most vulnerable ones

Experimental Evaluation of Floating Car Data Collection Protocols in Vehicular Networks

The main objectives of the Intelligent Transportation Systems (ITS) vision is to improve road safety, traffic management, and mobility by enabling cooperative communication among participants. This vision requires the knowledge of the current state of the road traffic, which can be obtained by collecting Floating Car Data (FCD) information using Dedicated Short-Range Communication (DSRC) based on the IEEE 802.11p standard. Most of the existing FCD collection protocols have been evaluated via simulations and mathematical models, while the real-world implications have not been thoroughly investigated. This paper presents an open-source implementation of two state-of-the-art FCD collection algorithms, namely BASELINE and DISCOVER. These algorithms are implemented in an open-source vehicular prototyping platform and validated in a real-world experimental setup

Softwarization of SCADA: Lightweight Statistical SDN-Agents for Anomaly Detection

The increasing connectivity of restricted areas suchas Critical Infrastructures (CIs) raises major security concernsfor Supervisory Control And Data Acquisition (SCADA) systems,which are deployed to monitor their operation. Given the impor-tance of an early anomaly detection, Intrusion Detection Systems(IDSs) are introduced in SCADA systems to detect malicious ac-tivities as early as possible. Agents or probes form the cornerstoneof any IDS by capturing network packets and extracting relevantinformation. However, IDSs are facing unprecedented challengesdue to the escalation in the number, scale and diversity of attacks.Software-Defined Network (SDN) then comes into play and canprovide the required flexibility and scalability. Building on that,we introduce Traffic Agent Controllers (TACs) that monitor SDN-enabled switches via OpenFlow. By using lightweight statisticalmetrics such as Kullback-Leibler Divergence (KLD), we are ableto detect the slightest anomalies, such as stealth port scans, evenin the presence of background traffic. The obtained metrics canalso be used to locate the anomalies with precision over 90%inside a hierarchical network topology

Smartphones in a Microwave: Formal and Experimental Feasibility Study on Fingerprinting the Corona-Warn-App

Contact Tracing Apps (CTAs) have been developed to contain the coronavirus disease 19 (COVID-19) spread. By design, such apps invade their users' privacy by recording data about their health, contacts, and partially location. Many CTAs frequently broadcast pseudorandom numbers via Bluetooth to detect encounters. These numbers are changed regularly to prevent individual smartphones from being trivially trackable. However, the effectiveness of this procedure has been little studied. We measured real smartphones and observed that the German Corona-Warn-App (CWA) exhibits a device-specific latency between two subsequent broadcasts. These timing differences provide a potential attack vector for fingerprinting smartphones by passively recording Bluetooth messages. This could conceivably lead to the tracking of users' trajectories and, ultimately, the re-identification of users.Comment: accepted for publication at TRUSTBU

Locust: Highly Concurrent DHT Experimentation Framework for Security Evaluations

Distributed Hash Table (DHT) protocols, such as Kademlia, provide a decentralized key-value lookup which is nowadays integrated into a wide variety of applications, such as Ethereum, InterPlanetary File System (IPFS), and BitTorrent. However, many security issues in DHT protocols have not been solved yet. DHT networks are typically evaluated using mathematical models or simulations, often abstracting away from artefacts that can be relevant for security and/or performance. Experiments capturing these artefacts are typically run with too few nodes. In this paper, we provide Locust, a novel highly concurrent DHT experimentation framework written in Elixir, which is designed for security evaluations. This framework allows running experiments with a full DHT implementation and around 4,000 nodes on a single machine including an adjustable churn rate; thus yielding a favourable trade-off between the number of analysed nodes and being realistic. We evaluate our framework in terms of memory consumption, processing power, and network traffic