Warnings from ISP About DHTs and Flooding

turningfish
Posts: 1
Joined: Thu May 14, 2009 3:34 am

Warnings from ISP About DHTs and Flooding

Post by turningfish »

Hi there
My ISP (Telus) is generally pretty quiet about p2p use, as the laws here in Canada, as they apply to telcos, are still a little in flux. I've been running a fair number of torrents, both downloading and seeding, in the past couple months, and was finally contacted by their abuse department with a warning. The warning, however, was that my machine was being used to flood some location via an exploit in the p2p software. Here's how they described it:
Essentially, vulnerabilities in your file sharing software are being used by an outside party to cause network disruptions.

DHT stands for Distributed Hash Table. DHT is typically used in certain file sharing/peer to peer software (BitTorrent, Gnutella, etc) as a means of locating files (movies, television shows, music, documents) on the internet. Issues occur when DHT entries are forged and used direct network traffic against a specific target; this is called 'Flooding' as the target is flooded with unsolicited traffic. Having DHT active on your file sharing/peer to peer software allows your connection to become a participant in this flooding of the specified target. It was this unsolicited traffic that was the source of the complaint.

In order to correct these problems please follow one of these suggestions:

* Uninstall the file sharing/peer to peer software from your system.

* Ensure your file sharing/peer to peer software is the latest version (many newer versions have the DHT capability removed).

* Disable DHT capability in the existing file sharing/peer to peer software. For information on disabling the DHT for your specific software, please refer information available online.

I've changed some stuff in my Transmission setup, namely only accepting encrypted peers, lowering the number of global connections, and starting to use the blocklist feature set for weekly updates.

My question is whether these steps will tighten up my Transmission use against misuses of DHT, assuming that's the actual problem?
Thanks very much
guilherme
Posts: 51
Joined: Thu Jan 22, 2009 6:04 pm

Re: Warnings from ISP About DHTs and Flooding

Post by guilherme »

Well, this is actually very weird, as Transmission does not support DHT (at least for now).
Are you sure no other torrent client has been used on your local network (same IP address)?
Jordan
Transmission Developer
Posts: 2312
Joined: Sat May 26, 2007 3:39 pm
Location: Titania's Room

Re: Warnings from ISP About DHTs and Flooding

Post by Jordan »

They're full of crap. Transmission doesn't even support DHT yet.
jch
Posts: 175
Joined: Wed May 13, 2009 12:08 am

Re: Warnings from ISP About DHTs and Flooding

Post by jch »

Turningfish,

Please copy the following text (including the initial and final BEGIN PGP MESSAGE and END PGP SIGNATURE) and forward it to your ISP.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Sir, Madam,

It is not very useful to contact your customers about this issue;
contacting the developer community would be more productive.

> issues occur when DHT entries are forged and used direct network traffic
> against a specific target

The user that you contacted uses a program known as ``transmission''; this
program does not currently implement a DHT in any form.

> Ensure your file sharing/peer to peer software is the latest version
> (many newer versions have the DHT capability removed).

I am not aware that this is a case for any peer-to-peer software.  Quite
the opposite, the use of DHT is on the increase.

In the particular case of Bittorrent, as you might or might not be aware,
there are two implementations of DHT, known as the ``mainline'' and the
``Azureus/Vuze'' (AZ) variants.

The AZ variant is undocumented, and only used by the Azureus/Vuze client.
It might or might not have vulnerabilities, it is difficult to tell.

The mainline variant, on the other hand, is documented and implemented in
a large number of clients.  As far as I know, it doesn't have any
significant vulnerabilities if implemented correctly; if you see
significant flaws in the mainline DHT, we need to track down the incorrect
client and fix it.

Even when implemented correctly, however, the mainline variant is
susceptible to amplification attacks.  This vulnerability, however, is no
worse than the similar vulnerability in DNS:

1. The maximum amplification factor is on the order of 10.  This is similar
   to what can be achieved using plain DNS, and much better than what can
   be achieved with DNSsec.

2. The amplification only applies to the payload; the number of packets
   is not amplified.

3. Just like with DNS, it can be avoided by proper implementation of
   BCP-38.  (I am aware that implementing BCP-38 in a large network is
   not trivial.)

If you still believe that the amplification factor is a significant issue,
I am quite willing to implement a rate limiting feature in my software, and
share it with other Bittorrent developers.  In order to do that, I will
need information about the traffic flows you're monitoring, in particular
the approximate number of traffic sources, the size of the packets you are
seeing (they should come in a small number of discrete sizes), and hopefully
full packet traces.

With respectful regards,

                                        Juliusz Chroboczek
                                        Université de Paris 7
                                        <jch@pps.jussieu.fr>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoMAK4ACgkQOyf6h3f/XztKkACeLkuo/1r2hWrt+PHoK8kR4UqN
Vp4AoJ3hYoQKidLHXMSyLHORKzsksIig
=mNRi
-----END PGP SIGNATURE-----
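
An added sketch of the rate-limiting idea offered in the letter above (not code from Transmission or from any poster in this thread): it measures the payload ratio of one constructed find_node query/reply pair in the BEP 5 mainline layout, then caps reply bytes per source address with a token bucket, since the letter notes that only the payload is amplified. The class name, the rate and burst values, and the sample messages are assumptions made for illustration.

```python
import time

def bencode(x):
    """Minimal bencoder for the int/bytes/list/dict values KRPC messages use."""
    if isinstance(x, int):
        return b"i%de" % x
    if isinstance(x, bytes):
        return b"%d:%s" % (len(x), x)
    if isinstance(x, list):
        return b"l" + b"".join(bencode(i) for i in x) + b"e"
    if isinstance(x, dict):
        items = sorted(x.items())  # bencoded dict keys must be sorted
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(type(x))

# Constructed sample messages (all-zero IDs), laid out as in BEP 5.
NODE_ID = bytes(20)
QUERY = bencode({b"t": b"aa", b"y": b"q", b"q": b"find_node",
                 b"a": {b"id": NODE_ID, b"target": NODE_ID}})
# A find_node reply carries up to 8 compact node entries of 26 bytes each.
REPLY = bencode({b"t": b"aa", b"y": b"r",
                 b"r": {b"id": NODE_ID, b"nodes": bytes(26 * 8)}})

def amplification(query, reply):
    """Payload amplification: reply bytes sent per query byte received."""
    return len(reply) / len(query)

class ReplyBudget:
    """Hypothetical per-source token bucket, counted in reply bytes.

    With a forged source address the replies land on the forged address,
    so capping bytes per claimed source bounds what any one target receives.
    """
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}  # source IP -> (tokens left, time of last refill)

    def allow(self, src_ip, reply_len):
        now = self.clock()
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = reply_len <= tokens
        self.buckets[src_ip] = (tokens - reply_len if ok else tokens, now)
        return ok  # False: drop the reply instead of sending it
```

A long-running node would also need to expire idle entries from `buckets`, because a flood of distinct forged source addresses otherwise grows the table without bound.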