SciTechBits – Interesting Bits of Science & Technoglogy Served For You!

RIAA and anti-p2p companies have constantly engaged in various methods to thwart sharing of albums and movies over BitTorrent. Detailed research on one of the popular methods (leecher attack) has proven that, the time and money spent on this method is just a waste. The researchers also suggest methods to completely nullify these attacks.

With law suits against BitTorrent users being very unpopular and legal action against every tracker being impossible, RIAA and record labels have long been using anti-p2p companies such as Media Defender, Safenet and Macrovision to engage in online attacks on various components of the BitTorrent ecosystem.

Of the many attacks used, a few are popular. Seeder attack focuses on attacking the seeder (uploader), in order to prevent the file reaching other users; however this attack needs to initiated at the very early stages of protecting an album or movie from propagating and seeders are usually experienced p2p users. Tracker attack involves flooding the tracker, however most trackers employ high bandwidth servers and many BitTorrent clients have employed other mechanisms such as distributed hash tables and gossips (letting other peers know about the peers discovered by a client). Uploading fake torrents to trackers is one other method used, however this only just frustrates the users but does not prevent or block the sharing of their valued content. Leecher attack is one of the most popular attack, for that it attempts to attack the majority of the BitTorrent ecosystem, the users actively downloading parts of a movie or album. Researchers have paid special attention to leecher attacks, due to this reason.

Leecher attack is usually carried out by the friends of RIAA in two ways. Connection attack is where; the attackers make TCP connections to the leechers, but not upload anything and thus delaying and/or frustrating the users. Piece attack on the other hand, involves uploading a small but fake piece and thus causing a failed hash test. To analyze the actual spread and effect of leecher attacks, the researchers used both active and passive measurements as opposed to simulations.

In passive measurement, Azureus and uTorrent clients were used to download the same very popular music album multiple times. Downloads were alternated between being attacked (not using IP filtering or PeerGuardian) and being attacked. A packet parser was developed and used to analyze the attacking trends and characteristics. The analysis showed that, connection attack was done by multiple handshaking but not uploading anything and thus wasting the number of available open TCP slots in the client. Piece attack was performed by uploading fake zero sized files and thus causing failed hash tests for the block being downloaded. As the album being downloaded was popular, the attacks were very fierce. When using Azureus client, 60% of the active useful peers were connection attackers (no piece attackers). However, this only caused about 35% increase in download time for a T1 connection and 29% increase in download time for a DSL connection. The main reason for this little effect was, to make all TCP ports busy, the attackers need more connections and thus, more active a torrent is, it is more tough to contain it. In the case of uTorrent, similar prevalence of attacks was found. The effect of piece attacks was highly varying, for T1 connections; the increase in download time was only 2.7%, but 57% in DSL. This was explained by the tit-for-tat algorithm used and thus resulting very slow download speed. A simple mathematical analysis showed that, only if 20% of the peers were attackers, a 70% success rate is possible, however for a very active torrent; this level of penetration is very tough. Both of these attacks could never prevent the download, they could only moderately delay, in case of residential DSL users. It should here be noted that, even after applying different attack techniques for different clients, there is very less effect and even a 100% delay in downloading, would not really frustrate the user, given that most torrent users download overnight or in the background.

For active measurement, the researchers built a crawler which connected to every peer discovered using 8 top movie torrents, to profile if the peer was an attacker or not. The results from the active measurement showed matching results and also showed that some attackers were attacking multiple clients (both Azureus and uTorrent). One movie had as much as 85% attackers. Active measurement showed the same pattern as in passive, ie. Connection attack involved multiple handshakes with no uploads (chit-chatting) and piece attacks involved fake zero pieces.

Even though there are block lists (list of IPs of attackers) found on the internet, the researchers observe that, the IPs change constantly and thus relying on the block list entirely would not be suffice. Based on these analyses, the researchers suggest methods to further mitigate the already miniscule effect of these attacks. In case of connection attack, adding a simple check for peers who handshake but do not upload any content would help identify the attackers and block them dynamically. For piece attacks, maintaining multiple heuristics of every peer connected to the client, which carries estimates of the chances that the given peer uploaded a fake piece is suggested, as just looking for fake pieces of zero size would not work, if the attacker randomized the attack pieces.

Journal Reference: doi:10.1016/j.comcom.2009.07.006