A Survey of Attacks on the BitTorrent Protocol from Its Operational
Viewpoints
Soojin Kim (1), Seungoh Choi (2), and Byeong-hee Roh (1,2,3)
(1) Dept. of Information and Computer Engineering, Ajou University, Suwon, Korea
(2) Dept. of Computer Engineering, Graduate School, Ajou University, Suwon, Korea
(3) Dept. of Software Convergence Technology, Ajou University, Suwon, Korea
{strawvery, uwer1, bhroh}@ajou.ac.kr
Abstract
As BitTorrent has become one of the most popular peer-to-peer file sharing protocols, various
security threats have emerged from its vulnerable protocol architecture. In this paper, we analyze
the vulnerabilities of the BitTorrent protocol and survey existing attacks on the protocol. We then
classify the attacks from the protocol’s operational viewpoints. Basically, the protocols are
categorized into two parts: tracker-based and trackerless.
Keywords: BitTorrent, Tracker, Peer-to-peer networks, Attack, DDoS
1. Introduction
Recently, peer-to-peer (P2P) file sharing applications have come to consume a great part of the
Internet backbone bandwidth. Owing to the distributed nature of P2P applications, P2P protocols
provide more efficient file sharing capability than traditional client-server-based protocols [1].
BitTorrent [2] has gained the most popularity among P2P users because its architecture is more
scalable and its file distribution more rapid than those of other P2P protocols. BitTorrent adopts a
file-centric design and incentive-based operation. Numerous BitTorrent client programs running on
various operating systems have been developed, and they are compatible with each other. Users can
therefore choose any client program to access BitTorrent P2P networks.
However, BitTorrent encounters various security threats, as do most Internet applications.
There has been much work on BitTorrent attacks [3][5]-[25][31]-[33]. These attacks include not only
ones similar to those on other P2P protocols, but also ones applicable only to BitTorrent because of
its inherent protocol architecture. In this paper, we analyze vulnerabilities of the BitTorrent
protocol and survey existing attacks on the protocol. Then, we classify the attacks from the
protocol’s operational viewpoints.
The rest of this paper is organized as follows. In Section 2, we briefly describe the BitTorrent
protocol architecture. In Section 3, we present the survey of attacks on the BitTorrent protocol.
Finally, we conclude the paper in Section 4.
2. The BitTorrent Architecture [2]
The BitTorrent architecture is composed of three entities: a tracker, seeders (peers with the entire
file), and leechers (non-seeder peers). The tracker is responsible for managing swarms. A swarm is a
group of peers having the content with the same file identifier. The file identifier includes the file
directory, file pieces, file information, and so on, and is generated by using a hash function. When a
seeder wants to share a file, the seeder provides a torrent file containing the metadata to whomever
it wishes, and then announces the shared file to the tracker.
Once the tracker receives the announce message from the seeder, it generates a swarm for the file
unless it finds an existing swarm that matches exactly. If a leecher requests the swarm from the
tracker by using a torrent file or magnet link, the tracker provides the swarm to the leecher. In this
way, the tracker plays a key role as a centralized coordinator that provides the requested information
to the leechers. After obtaining the swarm from the tracker, the leecher starts to communicate with
peers in the swarm without the tracker. Then, the leecher periodically requests pieces of the file
from the peers by sending INTEREST messages, and advertises the pieces it has by sending HAVE and
BITFIELD messages. By repeating requests and advertisements on the pieces, the leecher finally
completes the download of the whole desired file.
Research Notes in Information Science (RNIS), Volume 14, June 2013, doi:10.4156/rnis.vol14.80
In BitTorrent, there are internal chunk selection mechanisms such as rarest first, strict
priority, and others. In addition, choking mechanisms such as optimistic unchoking and anti-snubbing
run on the protocol. With these mechanisms, BitTorrent peers can share files quickly and obtain
improved quality of inter-connections among peers [26][27].
3. Threats on the BitTorrent Protocol
3.1. Vulnerability of the BitTorrent [3][5][6][11]
As mentioned in Section 2, leechers need to obtain the swarm information on a desired file from
trackers to get the file. The swarm includes the peers that have or are interested in the desired
content. However, since trackers do not support any security features, there is no way for seeders
and leechers to know whether malicious peers are included in the swarm information provided by the
trackers. In addition, either seeders or leechers can act as attackers without any constraints and
without the trackers knowing.
BitTorrent is driven by two protocols: Tracker HTTP Protocol (THP) and Peer Wire Protocol
(PWP). The former provides the BitTorrent services between peers and a tracker by using HTTP, and
the latter is used for the exchange between peers of the pieces described in the metadata. Trackers
also face threats similar to those of ordinary HTTP servers. If an attacker gains control of a
tracker by misusing a vulnerability of THP, it can disrupt the swarm information so that
peers face severe attack situations such as denial of service (DoS), worm spread, and so on.
In addition, peers can be attacked by other peers that exploit PWP.
3.2. Classification of Attacks on the BitTorrent
From the protocol’s operational viewpoints, we can classify the attacks on BitTorrent as
shown in Figure 1. Traditionally, the BitTorrent protocol operates based on a centralized tracker. It
also supports a trackerless operation mode based on a distributed hash table (DHT) [4].
Figure 1. Classification of existing attacks in BitTorrent
In the tracker-based operation mode, BitTorrent attacks are divided into two classes according to
whether they use THP or PWP. Among attacks utilizing THP, fake report attacks targeting either peers
or trackers have been addressed [5]-[7][33]; in these, attackers provide wrong swarm information to
disrupt the peer relationship for a file. To target a peer as a victim, attackers include that peer in
most swarms by intercepting the tracker’s authority. Since each BitTorrent peer connects to the
tracker by using TCP, TCP SYN flooding attacks [4][24][28], as in traditional Internet network
attacks, are possible. Such an attack may cause a denial of service on the tracker due to the large
number of requests that it receives. In ISP bottleneck attacks [28][29][30], connections between
peers are made between different ISPs. The attack may severely degrade delay performance not only
for BitTorrent peers, but also for other normal users connected through different ISPs.
Various attacks utilize PWP. In the lying piece possession attack [8][9], piece attack [9],
fake-block attack [10], and peer exchange attack [11], attackers announce fake information on the
file, pieces, blocks, and IP addresses of peers, respectively, to slow down the download or to
prevent users from downloading the file. Attacks such as the uncooperative peer attack [10][12][13],
bandwidth attack [9][12], and connection attack on seeders or leechers [12][21][23][25] disrupt the
file sharing progress between peers by ignoring requests, by flooding peers with requests, or by
interrupting TCP connections at an early stage, respectively. BitTorrent worm attacks [31][32]
propagate a malicious program that reproduces itself and spreads over the network by utilizing
BitTorrent topology information.
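One defence against the fake-block and piece attacks described above is the per-piece SHA-1 check that the `pieces` field of the metainfo makes possible [2]. The following is an added example, not code from this paper or from any BitTorrent client; the class name, the tiny piece and block sizes, the peer labels, and the policy of re-downloading a failed piece from a single peer (so that a second failure is attributable) are assumptions made for illustration, and every piece is assumed to be full length.

```python
import hashlib
from collections import defaultdict

PIECE_LEN, BLOCK_LEN = 32, 16   # constructed, tiny for the demo

class PieceVerifier:
    """Checks assembled pieces against the 20-byte SHA-1 values in `pieces`."""
    def __init__(self, pieces_field: bytes):
        if len(pieces_field) % 20:
            raise ValueError("`pieces` must be a multiple of 20 bytes")
        self.expected = [pieces_field[i:i + 20] for i in range(0, len(pieces_field), 20)]
        self.blocks = defaultdict(dict)  # piece index -> {offset: (peer, data)}
        self.retry_owner = {}            # failed piece -> only peer allowed to resend it
        self.banned = set()

    def add_block(self, peer, index, offset, data):
        """Return True/False when the piece completes, None while pending or ignored."""
        if peer in self.banned or not 0 <= index < len(self.expected):
            return None
        if offset % BLOCK_LEN or not 0 <= offset < PIECE_LEN or len(data) != BLOCK_LEN:
            return None                  # malformed block
        if index in self.retry_owner:
            if self.retry_owner[index] is None:
                self.retry_owner[index] = peer   # first responder owns the retry
            elif self.retry_owner[index] != peer:
                return None
        self.blocks[index][offset] = (peer, data)
        if len(self.blocks[index]) < PIECE_LEN // BLOCK_LEN:
            return None
        return self._verify(index)

    def _verify(self, index):
        parts = self.blocks.pop(index)
        piece = b"".join(parts[o][1] for o in sorted(parts))
        if hashlib.sha1(piece).digest() == self.expected[index]:
            self.retry_owner.pop(index, None)
            return True
        senders = {peer for peer, _ in parts.values()}
        if len(senders) == 1:
            self.banned |= senders       # whole bad piece came from one peer
        self.retry_owner[index] = None   # next attempt must come from a single peer
        return False

def demo_pieces():
    piece = bytes(range(PIECE_LEN))      # constructed content
    v = PieceVerifier(hashlib.sha1(piece).digest())
    a, b, bad = piece[:16], piece[16:], b"\xff" * 16
    steps = [("honest", 0, a), ("faker", 16, bad), ("faker", 0, bad), ("honest", 16, b),
             ("faker", 16, bad), ("honest", 0, a), ("honest", 16, b)]
    return [v.add_block(p, 0, off, d) for p, off, d in steps], v.banned
```

A deployed client would also need a timeout that releases the retry owner if that peer stalls.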
The trackerless BitTorrent protocol is based on DHT. In the DHT, each peer has its own identifier,
randomly generated by using a cryptographic hash function, and there is no mechanism to verify
whether the identifier is valid. Accordingly, all attacks possible on DHT-based P2P networks,
such as the Sybil attack [14]-[18], eclipse attack [9][15]-[18], pollution attack [19], and
geo-localized isolation attack [20], can be applied to the trackerless BitTorrent protocol. It is
especially harmful when normal peers participate in a DDoS attack by generating numerous requests to
a victim simultaneously [34][35], in which case the normal nodes do not know that they are acting as
zombies for the attack.
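Because node identifiers cannot be verified, a client can at least limit how many identities one address or subnet may place in its routing table. The following added example (not from this paper or from any DHT implementation) shows such an admission policy; the fixed XOR-distance buckets, the per-/24 quota, the IPv4-only addresses, and all names and sample values are assumptions.

```python
import ipaddress
from collections import defaultdict

K = 8                 # bucket capacity, as in Kademlia-style tables
MAX_PER_SUBNET = 2    # hypothetical policy: nodes per /24 allowed in one bucket

class RoutingTable:
    def __init__(self, own_id: bytes):
        self.own = int.from_bytes(own_id, "big")
        self.buckets = defaultdict(dict)   # bucket index -> {node_id: ip}
        self.id_by_ip = {}                 # ip -> node ID first admitted from it

    def _bucket(self, node_id: bytes) -> int:
        # Index is the position of the highest differing bit (XOR distance).
        return (self.own ^ int.from_bytes(node_id, "big")).bit_length()

    def admit(self, node_id: bytes, ip: str) -> str:
        if len(node_id) != 20 or int.from_bytes(node_id, "big") == self.own:
            return "reject:bad-id"
        if self.id_by_ip.get(ip, node_id) != node_id:
            return "reject:ip-has-other-id"     # one address claiming many IDs
        bucket = self.buckets[self._bucket(node_id)]
        if node_id in bucket:                   # known ID must keep its address
            return "ok:known" if bucket[node_id] == ip else "reject:id-from-other-ip"
        subnet = ipaddress.ip_network(f"{ip}/24", strict=False)
        same_net = sum(ipaddress.ip_address(a) in subnet for a in bucket.values())
        if same_net >= MAX_PER_SUBNET:
            return "reject:subnet-quota"        # many IDs from one /24 in a bucket
        if len(bucket) >= K:
            return "reject:bucket-full"
        bucket[node_id] = ip
        self.id_by_ip[ip] = node_id
        return "ok:added"

def demo_admission():
    # Constructed node IDs and documentation-range addresses, all in one bucket.
    table = RoutingTable(bytes(20))
    ids = [bytes([0x80, i]) + bytes(18) for i in range(3)]
    calls = [(0, "203.0.113.5"), (1, "203.0.113.5"), (1, "203.0.113.6"),
             (2, "203.0.113.7"), (2, "198.51.100.9"), (0, "198.51.100.77")]
    return [table.admit(ids[i], ip) for i, ip in calls]
```

Such quotas raise the number of distinct addresses a Sybil or eclipse attempt needs; they do not make identifiers verifiable.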
4. Conclusion
Recently, BitTorrent has become one of the most popular P2P file sharing protocols because it
distributes files in a more scalable and rapid manner than other P2P protocols. In this paper, we
surveyed known attacks on BitTorrent and classified them from the protocol’s operational
viewpoints. The BitTorrent protocol encounters security threats similar to those of other P2P
protocols, the Kademlia-based P2P protocol [34] being one example. In addition, there are attacks
applicable only to BitTorrent because of its protocol architecture.
P2P applications are known to consume the largest amount of bandwidth in the Internet
backbone network. As mentioned before, BitTorrent users are becoming the majority in P2P services.
The vulnerable architecture of the BitTorrent protocol may therefore pose a severe threat to Internet
services. We are currently studying possible unknown attacks on the BitTorrent protocol and
surveying countermeasure schemes against the attacks to secure both the Internet and P2P
application services.
5. Acknowledgment
This research was supported by the MSIP (Ministry of Science, ICT & Future Planning), Korea,
under the Seoul Accord Activation support program supervised by the NIPA (National IT Industry
Promotion Agency).
6. References
[1] Ipoque, “Internet Study 2008/2009,” Available: http://www.ipoque.com
[2] B. Cohen, “The BitTorrent Protocol Specification,” Available: http://www.bittorrent.org/beps/bep_0003.html
[3] K. C. Sia, “DDoS vulnerability analysis of BitTorrent protocol,” University of California, Los
Angeles, USA, 2007.
[4] A. Loewenstern, “DHT Protocol,” Available: http://www.bittorrent.org/beps/bep_0005.html
[5] K. E. Defrawy, M. Gjoka, and A. Markopoulou, “BotTorrent: misusing BitTorrent to launch
DDoS attacks,” USENIX’2007, Jun. 2007.
[6] J. Harrington, C. Kuwanoe, and C. C. Zou, “A BitTorrent-driven distributed denial-of-service
attack,” SecureComm’2007, Sep. 2007.
[7] X. Sun, R. Torres, and S. Rao, “Preventing DDoS attacks on internet servers exploiting P2P
systems,” Computer Networks, Elsevier North-Holland, Oct. 2010.
[8] M. A. Konrath, M. P. Barcellos, and R. B. Mansilha, “Attacking a Swarm with a Band of Liars:
evaluating the impact of attacks on BitTorrent,” P2P’2007, Sep. 2007.
[9] A. Hegenberg, “Attacks and exploits targeting BitTorrent and other P2P file sharing networks,”
FI’2009, Nov. 2009.
[10] P. Dhungel, D. Wu, B. Schonhorst, and K. W. Ross, “A measurement study of attacks on
BitTorrent leechers,” IPTPS’2008, Feb. 2008.
[11] S. Majing, Z. Hongli, F. Bingxing, and D. Xiaojiang, “DDoS vulnerability of BitTorrent Peer
Exchange extension: Analysis and defense,” ICC’2012, Jun. 2012.
[12] P. Dhungel, et al., “A Measurement Study of Attacks on BitTorrent Seeds,” ICC’2011, Jun. 2011.
[13] B. S. Sarjaz and M. Abbaspour, “Securing BitTorrent using a new reputation-based trust
management system,” Peer-to-Peer Networking and Applications, Springer US, Mar. 2013.
[14] L. Wang and J. Kangasharju, “Real-world sybil attacks in BitTorrent mainline DHT,”
GLOBECOM’2012, Dec. 2012.
[15] F. Pontes, F. Brasileiro, and N. Andrade, “BitTorrent Needs Psychiatric Guarantees: Quantifying
How Vulnerable BitTorrent Swarms are to Sybil Attacks,” LADC’2009, Sep. 2009.
[16] M. Engle and J. I. Khan, “Vulnerabilities of p2p systems and a critical look at their solutions,”
Technical Report, Kent State University, Nov. 2006.
[17] M. Vestola, “Security Issues in Structured P2P Overlay Networks,” TKK Technical Reports in
Computer Science and Engineering, Aalto University, 2010.
[18] Y. Yang, et al., “A Survey of Peer-to-Peer Attacks and Counter Attacks,” SAM’2012, Jul. 2012.
[19] P. Dhungel, X. Hei, K. W. Ross, and N. Saxena, “The pollution attack in P2P live video streaming:
measurement results and defenses,” Sigcomm’2007, Aug. 2007.
[20] J. P. Timpanaro, T. Cholez, I. Chrisment, and O. Festor, “BitTorrent's Mainline DHT Security
Assessment,” NTMS’2011, Feb. 2011.
[21] P. Dhungel, D. Wu, and K. W. Ross, “Measurement and mitigation of BitTorrent leecher attacks,”
Computer Communications, Elsevier, Nov. 2009.
[22] M. P. Barcellos, et al., “Protecting BitTorrent: Design and Evaluation of Effective
Countermeasures against DoS Attacks,” SRDS’2008, Oct. 2008.
[23] J. K. So, “Defending Against Malicious Behaviors in BitTorrent Systems,” North Carolina State
University, 2012.
[24] B. Giovanni, “A Distributed Denial-of-Service (DDoS) Attack using BitTorrent Peer-to-Peer
(P2P) Network,” Internet Sicherheit (Seminar), Technische University, 2008.
[25] S. Rouibia, J. Vayn, O. Beauvais, and G. Urvoy-Keller, “Early Stage Denial of Service Attacks in
BitTorrent: An Experimental Study,” WETICE’2008, Jun. 2008.
[26] B. Cohen, “Incentives build robustness in BitTorrent,” IPTPS’2003, Feb. 2003.
[27] V. Atlidakis, M. Roussopoulos, and A. Delis, “Changing the Unchoking Policy for an Enhanced
Bittorrent,” Parallel Processing, Springer Berlin Heidelberg, 2012.
[28] M. Slot, “Latency-driven BitTorrent,” Master thesis, Vrije University, Aug. 2008.
[29] R. Binbin, X. Wei, C. Hao, and Y. Dejian, “Improving Locality of BitTorrent with ISP
Cooperation,” ICECT’2009, Feb. 2009.
[30] V. Pacifici, F. Lehrieder, and G. Dan, “Cache capacity allocation for BitTorrent-like systems to
minimize inter-ISP traffic,” INFOCOM’2012, Mar. 2012.
[31] S. Hatahet, A. Bouabdallah, and Y. Challal, “A new worm propagation threat in BitTorrent:
Modeling and analysis,” IMCSIT’2008, Oct. 2008.
[32] S. Hatahet, Y. Challal, and A. Bouabdallah, “BitTorrent Worm Sensor Network: P2P Worms
Detection and Containment,” PDP’2009, Feb. 2009.
[33] J. Nogiec, et al., “Evaluating the Effectiveness of a BitTorrent-driven DDoS Attack,” Available:
http://joanatrindade.wdfiles.com/local--files/projects/CS463_JNogiec_FParedes_JTrindade_paper.pdf, 2009.
[34] H. Koo, Y. Lee, K. Kim, B. Roh, and C. Lee, “A DDoS Attack by Flooding Normal Control
Messages in Kad P2P Networks,” ICACT’2012, Feb. 2012.
[35] Y. Lee, K. Kim, and B. Roh, “DDoS Attack by File Request Redirection in Kad P2P Network,”
IEEE CyberC’2012, Oct. 2012.