Date post: 14-May-2018
A Survey of Attacks on the BitTorrent Protocol from Its Operational Viewpoints

Soojin Kim¹, Seungoh Choi², and Byeong-hee Roh¹,²,³

¹ Dept. of Information and Computer Engineering, Ajou University, Suwon, Korea

² Dept. of Computer Engineering, Graduate School, Ajou University, Suwon, Korea

³ Dept. of Software Convergence Technology, Ajou University, Suwon, Korea

{strawvery, uwer1, bhroh}@ajou.ac.kr

Research Notes in Information Science (RNIS), Volume 14, June 2013, doi:10.4156/rnis.vol14.80

Abstract

As BitTorrent has become one of the most popular peer-to-peer file sharing protocols, various security threats have emerged from its vulnerable protocol architecture. In this paper, we analyze the vulnerabilities of the BitTorrent protocol and survey existing attacks on the protocol. We then classify the attacks from the protocol’s operational viewpoints. Basically, the protocol’s operation falls into two categories: tracker-based and trackerless.

Keywords: BitTorrent, Tracker, Peer-to-peer networks, Attack, DDoS

1. Introduction

Recently, peer-to-peer (P2P) file sharing applications have come to consume a large part of the Internet backbone bandwidth. Owing to their distributed nature, P2P protocols provide more efficient file sharing than traditional client-server protocols [1].

BitTorrent [2] has become the most popular protocol among P2P users because its architecture is more scalable and its file distribution faster than those of other P2P protocols. BitTorrent adopts a file-centric design and incentive-based operation. Numerous BitTorrent client programs running on various operating systems have been developed, and they are compatible with each other, so users can choose any client program to access BitTorrent P2P networks.

However, BitTorrent faces various security threats, as do most Internet applications. There have been many studies of attacks on BitTorrent [3][5]-[25][31]-[33]; these include not only attacks similar to those on other P2P protocols, but also attacks applicable only to BitTorrent because of its inherent protocol architecture. In this paper, we analyze the vulnerabilities of the BitTorrent protocol and survey existing attacks on the protocol. We then classify the attacks from the protocol’s operational viewpoints.

The rest of this paper is organized as follows. Section 2 briefly describes the BitTorrent protocol architecture. Section 3 presents the survey of attacks on the BitTorrent protocol. Finally, Section 4 concludes the paper.

2. The BitTorrent Architecture [2]

The BitTorrent architecture is composed of three entities: a tracker, seeders (peers with the entire file), and leechers (non-seeder peers). The tracker is responsible for managing swarms. A swarm is a group of peers holding content with the same file identifier. The file identifier covers the file directory, file pieces, file information, and so on, and is generated by using a hash function. When a seeder wants to share a file, it provides a torrent file containing the metadata to those who want the file, and then announces the shared file to the tracker.

Once the tracker receives the announce message from the seeder, it creates a swarm for the file unless it finds an existing swarm that matches exactly. If a leecher requests the swarm from the tracker by using a torrent file or a magnet link, the tracker provides the swarm to the leecher. In this way, the tracker plays a key role as a centralized coordinator that provides the requested information to leechers. After obtaining the swarm from the tracker, the leecher starts to communicate with the peers in the swarm without the tracker. The leecher then periodically requests pieces of the file from the peers by sending INTEREST messages, and advertises the pieces it has by sending HAVE and BITFIELD messages. By repeating these requests and advertisements, the leecher finally completes the download of the whole desired file.

BitTorrent has internal chunk selection mechanisms such as rarest first, strict priority, and others. In addition, choking mechanisms such as optimistic unchoking and anti-snubbing run on the protocol. With these mechanisms, BitTorrent peers can share files quickly and obtain better-quality connections among peers [26][27].

3. Threats on the BitTorrent Protocol

3.1. Vulnerability of the BitTorrent [3][5][6][11]

As mentioned in Section 2, leechers need to obtain swarm information for a desired file from trackers in order to get the file. The swarm includes the peers that have, or are interested in, the desired content. However, since trackers do not support any security features, seeders and leechers have no way of knowing whether malicious peers are included in the swarm information provided by the trackers. In addition, either seeders or leechers can act as attackers without any constraints and without the trackers knowing.

BitTorrent is driven by two protocols: the Tracker HTTP Protocol (THP) and the Peer Wire Protocol (PWP). The former provides the BitTorrent services between peers and a tracker by using HTTP, and the latter is used between peers to exchange the pieces described in the metadata. Trackers also face threats similar to those faced by ordinary HTTP servers. If an attacker gains control of a tracker by exploiting a vulnerability of THP, it can corrupt the swarm information so that peers are exposed to severe attacks such as denial of service (DoS), worm spread, and so on. In addition, attackers can exploit PWP so that peers are attacked by other peers.

3.2. Classification of Attacks on the BitTorrent

From the protocol’s operational viewpoints, we can classify the attacks on BitTorrent as shown in Figure 1. Traditionally, the BitTorrent protocol operates with a centralized tracker. It also supports a trackerless operation mode based on a distributed hash table (DHT) [4].

Figure 1. Classification of existing attacks in BitTorrent

In the tracker-based operation mode, BitTorrent attacks are divided into two classes according to whether they use THP or PWP. Among attacks utilizing THP, fake report attacks targeting either peers or trackers have been addressed [5]-[7][33]; in these, attackers provide wrong swarm information to disrupt the peer relationships for a file. To target a peer as a victim, attackers include that peer in most swarms by taking over the tracker’s authority. Since each BitTorrent peer connects to the tracker over TCP, TCP SYN flooding attacks [4][24][28], as in traditional Internet network attacks, are possible. Such an attack may cause a denial of service on the tracker due to the large number of requests that it receives. In ISP bottleneck attacks [28][29][30], connections between peers are made across different ISPs. The attack may severely degrade delay performance not only for BitTorrent peers but also for other normal users connected through different ISPs.
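One client-side check against the wrong swarm information described above, as an added example (not from the paper or from any BitTorrent client): it decodes a compact tracker reply and drops peer entries that a public swarm should not contain. The port threshold, the peer cap, the function names and the sample addresses are assumptions of this example.

```python
import ipaddress
import socket
import struct

# Ranges a public swarm should never advertise (loopback, RFC 1918, multicast, ...).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, index just past the value)."""
    tag = data[i:i + 1]
    if tag == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if tag in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        value = items if tag == b"l" else dict(zip(items[0::2], items[1::2]))
        return value, i + 1
    colon = data.index(b":", i)          # byte string: <length>:<bytes>
    length = int(data[i:colon])
    return data[colon + 1:colon + 1 + length], colon + 1 + length

def vet_peers(response, max_peers=50, min_port=1024):
    """Return (accepted, rejected) peers from a compact tracker reply."""
    reply, _ = bdecode(response)
    blob = reply.get(b"peers", b"") if isinstance(reply, dict) else None
    if not isinstance(blob, bytes) or len(blob) % 6:
        raise ValueError("expected a compact peer list, 6 bytes per peer")
    accepted, rejected, seen = [], [], set()
    for off in range(0, len(blob), 6):
        ip = ipaddress.IPv4Address(blob[off:off + 4])
        port = struct.unpack("!H", blob[off + 4:off + 6])[0]
        peer = (str(ip), port)
        if any(ip in net for net in NON_ROUTABLE):
            rejected.append((peer, "non-routable address"))
        elif port < min_port:            # assumed policy: no peers on service ports
            rejected.append((peer, "privileged port"))
        elif peer in seen:
            rejected.append((peer, "duplicate"))
        elif len(accepted) >= max_peers:  # assumed cap on peers taken per reply
            rejected.append((peer, "over peer cap"))
        else:
            seen.add(peer)
            accepted.append(peer)
    return accepted, rejected

def sample_response():
    """Constructed reply; addresses come from documentation ranges."""
    peers = [("203.0.113.10", 6881), ("198.51.100.7", 80), ("10.0.0.5", 6881),
             ("203.0.113.10", 6881), ("192.0.2.44", 51413)]
    blob = b"".join(socket.inet_aton(ip) + struct.pack("!H", p) for ip, p in peers)
    return b"d8:intervali1800e5:peers%d:%se" % (len(blob), blob)
```

The filter only narrows what a forged reply can make a client connect to; it cannot tell a genuine peer from a victim host listening on a high port.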

Various attacks utilize PWP. In the lying piece possession attack [8][9], piece attack [9], fake-block attack [10], and peer exchange attack [11], attackers announce fake information about the file, pieces, blocks, and IP addresses of peers, respectively, to slow down the download or to prevent users from downloading the file. Attacks such as the uncooperative peer attack [10][12][13], bandwidth attack [9][12], and connection attack on seeders or leechers [12][21][23][25] disrupt file sharing between peers by ignoring requests, by flooding peers with requests, or by interrupting TCP connections at an early stage, respectively. BitTorrent worm attacks [31][32] propagate a malicious program that reproduces itself and spreads over the network by utilizing BitTorrent topology information.
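The fake-block case above is what the per-piece SHA-1 hashes in the torrent metadata [2] guard against. The following added example (not from the paper) verifies a reassembled piece and, once a clean copy arrives, identifies which peer supplied the differing block; the class name `PieceChecker`, the peer labels and the 4-byte block size are constructed for illustration.

```python
import hashlib

class PieceChecker:
    """Checks pieces against the metainfo SHA-1 list and pins bad blocks on their sender."""

    def __init__(self, piece_hashes):
        self.piece_hashes = piece_hashes   # 20-byte SHA-1 digests from the "pieces" field
        self.pending = {}                  # piece index -> {offset: (peer, data)}
        self.failed = {}                   # piece index -> [(offset, peer, block digest)]
        self.banned = set()

    def add_block(self, index, offset, data, peer):
        if peer in self.banned:
            return False                   # ignore data from peers already caught
        self.pending.setdefault(index, {})[offset] = (peer, data)
        return True

    def finish_piece(self, index):
        blocks = self.pending.pop(index)
        payload = b"".join(data for _, (_, data) in sorted(blocks.items()))
        if hashlib.sha1(payload).digest() != self.piece_hashes[index]:
            # Mismatch: the piece is discarded, but remember who sent which block.
            self.failed.setdefault(index, []).extend(
                (off, peer, hashlib.sha1(data).digest())
                for off, (peer, data) in blocks.items())
            return False
        # Piece verified: an earlier block that differs from the good copy was forged.
        good = {off: hashlib.sha1(data).digest() for off, (_, data) in blocks.items()}
        for off, peer, digest in self.failed.pop(index, []):
            if good.get(off) != digest:
                self.banned.add(peer)
        return True

def demo():
    """Constructed run: one 16-byte piece split into four 4-byte blocks."""
    piece = b"AAAABBBBCCCCDDDD"
    checker = PieceChecker([hashlib.sha1(piece).digest()])
    senders = ["peer-a", "peer-b", "peer-x", "peer-c"]
    for n, peer in enumerate(senders):
        data = b"XXXX" if peer == "peer-x" else piece[4 * n:4 * n + 4]
        checker.add_block(0, 4 * n, data, peer)
    first = checker.finish_piece(0)        # forged block causes a hash mismatch
    for n in range(4):                     # re-download the piece from a single peer
        checker.add_block(0, 4 * n, piece[4 * n:4 * n + 4], "peer-a")
    second = checker.finish_piece(0)
    return first, second, checker
```

Blaming every contributor of a failed piece would also penalise honest peers; comparing block digests after a verified re-download isolates the sender of the bad block.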

The trackerless BitTorrent protocol is based on a DHT. In the DHT, each peer has its own identifier, randomly generated by using a cryptographic hash function, and there is no mechanism to verify whether the identifier is valid. Accordingly, all attacks possible on DHT-based P2P networks, such as the Sybil attack [14]-[18], eclipse attack [9],[15]-[18], pollution attack [19], and geo-localized isolation attack [20], can be applied to the trackerless BitTorrent protocol. It is especially harmful when normal peers take part in a DDoS attack by simultaneously generating numerous requests to a victim [34][35], without knowing that they are acting as zombies for the attack.

4. Conclusion

Recently, BitTorrent has become one of the most popular P2P file sharing protocols because it offers more scalable and rapid file distribution than other P2P protocols. In this paper, we surveyed known attacks on BitTorrent and classified them from the protocol’s operational viewpoints. The BitTorrent protocol faces security threats similar to those of other P2P protocols, the Kademlia-based P2P protocol [34] being one example. In addition, there are attacks applicable only to BitTorrent because of its protocol architecture.

P2P applications are known to consume the largest amount of bandwidth in the Internet backbone network. As mentioned before, BitTorrent users are becoming the majority in P2P services. Given this, the vulnerable architecture of the BitTorrent protocol may pose a severe threat to Internet services. We are currently studying possible unknown attacks on the BitTorrent protocol and surveying countermeasure schemes against the attacks in order to secure both Internet and P2P application services.

5. Acknowledgment

This research was supported by the MSIP (Ministry of Science, ICT & Future Planning), Korea, under the Seoul Accord Activation support program supervised by the NIPA (National IT Industry Promotion Agency).

6. References

[1] Ipoque, “Internet Study 2008/2009,” Available: http://www.ipoque.com

[2] B. Cohen, “The BitTorrent Protocol Specification,” Available: http://www.bittorrent.org/beps/bep_0003.html

[3] K. C. Sia, “DDoS vulnerability analysis of BitTorrent protocol,” University of California, Los Angeles, USA, 2007.

[4] A. Loewenstern, “DHT Protocol,” Available: http://www.bittorrent.org/beps/bep_0005.html

[5] K. E. Defrawy, M. Gjoka, and A. Markopoulou, “BotTorrent: misusing BitTorrent to launch DDoS attacks,” USENIX’2007, Jun. 2007.

[6] J. Harrington, C. Kuwanoe, and C. C. Zou, “A BitTorrent-driven distributed denial-of-service attack,” SecureComm’2007, Sep. 2007.

[7] X. Sun, R. Torres, and S. Rao, “Preventing DDoS attacks on internet servers exploiting P2P systems,” Computer Networks, Elsevier North-Holland, Oct. 2010.

[8] M. A. Konrath, M. P. Barcellos, and R. B. Mansilha, “Attacking a Swarm with a Band of Liars: evaluating the impact of attacks on BitTorrent,” P2P’2007, Sep. 2007.

[9] A. Hegenberg, “Attacks and exploits targeting BitTorrent and other P2P file sharing networks,” FI’2009, Nov. 2009.

[10] P. Dhungel, D. Wu, B. Schonhorst, and K. W. Ross, “A measurement study of attacks on BitTorrent leechers,” IPTPS’2008, Feb. 2008.

[11] S. Majing, Z. Hongli, F. Bingxing, and D. Xiaojiang, “DDoS vulnerability of BitTorrent Peer Exchange extension: Analysis and defense,” ICC’2012, Jun. 2012.

[12] P. Dhungel, et al., “A Measurement Study of Attacks on BitTorrent Seeds,” ICC’2011, Jun. 2011.

[13] B. S. Sarjaz and M. Abbaspour, “Securing BitTorrent using a new reputation-based trust management system,” Peer-to-Peer Networking and Applications, Springer US, Mar. 2013.

[14] L. Wang and J. Kangasharju, “Real-world sybil attacks in BitTorrent mainline DHT,” GLOBECOM’2012, Dec. 2012.

[15] F. Pontes, F. Brasileiro, and N. Andrade, “BitTorrent Needs Psychiatric Guarantees: Quantifying How Vulnerable BitTorrent Swarms are to Sybil Attacks,” LADC’2009, Sep. 2009.

[16] M. Engle and J. I. Khan, “Vulnerabilities of p2p systems and a critical look at their solutions,” Technical Report, Kent State University, Nov. 2006.

[17] M. Vestola, “Security Issues in Structured P2P Overlay Networks,” TKK Technical Reports in Computer Science and Engineering, Aalto University, 2010.

[18] Y. Yang, et al., “A Survey of Peer-to-Peer Attacks and Counter Attacks,” SAM’2012, Jul. 2012.

[19] P. Dhungel, X. Hei, K. W. Ross, and N. Saxena, “The pollution attack in P2P live video streaming: measurement results and defenses,” Sigcomm’2007, Aug. 2007.

[20] J. P. Timpanaro, T. Cholez, I. Chrisment, and O. Festor, “BitTorrent's Mainline DHT Security Assessment,” NTMS’2011, Feb. 2011.

[21] P. Dhungel, D. Wu, and K. W. Ross, “Measurement and mitigation of BitTorrent leecher attacks,” Computer Communications, Elsevier, Nov. 2009.

[22] M. P. Barcellos, et al., “Protecting BitTorrent: Design and Evaluation of Effective Countermeasures against DoS Attacks,” SRDS’2008, Oct. 2008.

[23] J. K. So, “Defending Against Malicious Behaviors in BitTorrent Systems,” North Carolina State University, 2012.

[24] B. Giovanni, “A Distributed Denial-of-Service (DDoS) Attack using BitTorrent Peer-to-Peer (P2P) Network,” Internet Sicherheit (Seminar), Technische University, 2008.

[25] S. Rouibia, J. Vayn, O. Beauvais, and G. Urvoy-Keller, “Early Stage Denial of Service Attacks in BitTorrent: An Experimental Study,” WETICE’2008, Jun. 2008.

[26] B. Cohen, “Incentives build robustness in BitTorrent,” IPTPS’2003, Feb. 2003.

[27] V. Atlidakis, M. Roussopoulos, and A. Delis, “Changing the Unchoking Policy for an Enhanced Bittorrent,” Parallel Processing, Springer Berlin Heidelberg, 2012.

[28] M. Slot, “Latency-driven BitTorrent,” Master thesis, Vrije University, Aug. 2008.

[29] R. Binbin, X. Wei, C. Hao, and Y. Dejian, “Improving Locality of BitTorrent with ISP Cooperation,” ICECT’2009, Feb. 2009.

[30] V. Pacifici, F. Lehrieder, and G. Dan, “Cache capacity allocation for BitTorrent-like systems to minimize inter-ISP traffic,” INFOCOM’2012, Mar. 2012.

[31] S. Hatahet, A. Bouabdallah, and Y. Challal, “A new worm propagation threat in BitTorrent: Modeling and analysis,” IMCSIT’2008, Oct. 2008.

[32] S. Hatahet, Y. Challal, and A. Bouabdallah, “BitTorrent Worm Sensor Network: P2P Worms Detection and Containment,” PDP’2009, Feb. 2009.

[33] J. Nogiec, et al., “Evaluating the Effectiveness of a BitTorrent-driven DDoS Attack,” Available: http://joanatrindade.wdfiles.com/local--files/projects/CS463_JNogiec_FParedes_JTrindade_paper.pdf, 2009.

[34] H. Koo, Y. Lee, K. Kim, B. Roh, and C. Lee, “A DDoS Attack by Flooding Normal Control Messages in Kad P2P Networks,” ICACT’2012, Feb. 2012.

[35] Y. Lee, K. Kim, and B. Roh, “DDoS Attack by File Request Redirection in Kad P2P Network,” IEEE CyberC’2012, Oct. 2012.
