"Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders"

ionice
Posts: 7
Joined: Fri Jun 03, 2011 11:58 pm

"Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders"

Post by ionice »

From http://torrentfreak.com/attackers-can-s ... ds-140819/
In an article published in “Computers & Security” Adamsky and his colleagues reveal an exploit which allows attackers to get a higher download rate from seeders than other people.

In technical terms, the exploit misuses BitTorrent’s choking mechanism of clients that use the “Allowed Fast” extension. Attackers can use this to keep a permanent connection with seeders, requesting the same pieces over and over.

The vulnerability was extensively tested in swarms of various sizes and the researchers found that three malicious peers can already slow download times up to 414.99%. When the number of attackers is greater compared to the number of seeders, the worse the effect becomes.

The impact of the attack further depends on the download clients being used by the seeders in the swarm. The mainline BitTorrent clients and uTorrent are not vulnerable for example, while Vuze, Transmission and Libtorrent-based clients are.
Does anyone know if the latest version of Transmission is vulnerable? Or are there any mitigation measures one should be aware of?
cfpp2p
Posts: 290
Joined: Sat Aug 08, 2009 3:14 pm

Re: "Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders

Post by cfpp2p »

Update: The article was updated to clarify that only older versions of Libtorrent were affected. According to the research Transmission currently has the “Allowed Fast” code commented out, but it could become vulnerable when it’s implemented.
http://torrentfreak.com/attackers-can-s ... ds-140819/
cfpp2p
Posts: 290
Joined: Sat Aug 08, 2009 3:14 pm

Re: "Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders

Post by cfpp2p »

BEP 6 is inactive.

It wasn't used but commented out 03/07/11 at changeset 12111
https://trac.transmissionbt.com/changeset/12111/

peer-msgs.c

/*updateFastSet( msgs );*/


I can't tell from the article what or how exactly the tests were performed. The simple inaccuracy of originally stating Transmission was vulnerable (unless they were editing source code to produce the effects) makes me think the credibility of the research article is not as high as it should be.
ionice
Posts: 7
Joined: Fri Jun 03, 2011 11:58 pm

Re: "Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders

Post by ionice »

I see, that's good to hear.
Thanks for the info cfpp2p!
Astara
Posts: 50
Joined: Sun Apr 18, 2010 8:36 pm

Re: "Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders

Post by Astara »

x190 wrote: http://trac.transmissionbt.com/register

ionice, you should open a trac ticket for this issue.
Maybe they don't want to have every message submitted for moderation and wait up to a day to see if their message was even accepted.
Astara
Posts: 50
Joined: Sun Apr 18, 2010 8:36 pm

Re: "Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders

Post by Astara »

x190 wrote: Astara, the issue has been resolved.
But not the issue of why he didn't submit it in the first place or why I don't bother.

IMO, never having seen a bug-tracker that requires approval before being allowed to submit or update a bug, it feels like they are trying to hide something. They may very well NOT be, but operating outside of what is normal still causes people to speculate and wonder why.

I did get that the base issue posted about was temporarily dealt with.

One thing that might stop such a client -- if Transmission kept track of what pieces it had sent to 'who', then it would know if many multiple retries are being done.

If they ask for the same piece "too many times" (? greater than 2?) in a row, maybe they should be 'snubbed' for a while, OR just put at the bottom of the BndWth priority queue.
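
A sketch of the per-peer tracking suggested in the post above, as an added example (not Transmission's code and not written by anyone in this thread). It counts repeated requests for the same block rather than strictly consecutive ones, because a piece is fetched as many separate block requests; the function names, `TRACK_SLOTS` and `SNUB_SECONDS` are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define TRACK_SLOTS  64  /* assumed: recently served blocks remembered per peer */
#define MAX_REPEATS  2   /* threshold floated in the post ("greater than 2?") */
#define SNUB_SECONDS 60  /* assumed penalty length */

struct sent_block { uint32_t piece, offset; unsigned count; };

struct peer_tracker {
    struct sent_block slots[TRACK_SLOTS]; /* fixed ring: bounded memory per peer */
    size_t used, next;
    time_t snubbed_until;
};

void tracker_init(struct peer_tracker *t) { memset(t, 0, sizeof *t); }

bool tracker_is_snubbed(const struct peer_tracker *t, time_t now)
{
    return now < t->snubbed_until;
}

/* Call before serving a block request; returns true if it may be served. */
bool tracker_allow_request(struct peer_tracker *t, uint32_t piece,
                           uint32_t offset, time_t now)
{
    if (tracker_is_snubbed(t, now))
        return false;
    for (size_t i = 0; i < t->used; i++) {
        struct sent_block *b = &t->slots[i];
        if (b->piece == piece && b->offset == offset) {
            if (++b->count > MAX_REPEATS) {   /* same block asked for too often */
                t->snubbed_until = now + SNUB_SECONDS;
                b->count = 0;                 /* fresh allowance after the snub */
                return false;
            }
            return true;
        }
    }
    /* First request for this block: record it, overwriting the oldest slot. */
    struct sent_block *b = &t->slots[t->next];
    b->piece = piece; b->offset = offset; b->count = 1;
    t->next = (t->next + 1) % TRACK_SLOTS;
    if (t->used < TRACK_SLOTS) t->used++;
    return true;
}
```

A client that prefers the "bottom of the priority queue" option could use the same counter to lower the peer's upload priority instead of refusing the request.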
cfpp2p
Posts: 290
Joined: Sat Aug 08, 2009 3:14 pm

Re: "Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders

Post by cfpp2p »

BEP 6 is a relative of super seeding and the opinion varies whether the original super seeding is all that good anyway. It can appear that these kinds of protocols can cause unwanted behaviors and certainly the stealing of bandwidth would qualify as unwanted.

Partial BEP 6 via haveAll and haveNone (originally implemented by https://trac.transmissionbt.com/ticket/1549) has been implemented for a long while. Way back when it was done it seemed a good decision to have BEP 6 commented out, and it still does.

https://trac.transmissionbt.com/search? ... tension%22
https://trac.transmissionbt.com/search?q=%22bep+6%22
https://trac.transmissionbt.com/search?q=%22bep6%22

Transmission doesn't allow the stealing of bandwidth vulnerability as published in “Computers & Security” by Adamsky and his colleagues, let's be clear about that.
Astara
Posts: 50
Joined: Sun Apr 18, 2010 8:36 pm

Re: "Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders

Post by Astara »

Actually I think the topic is a bit ludicrous to begin with.

I mean you have people giving away bandwidth (I seed 24/7), and someone talks about "stealing" the BW that I am giving away for free??... Yeah, I know it's about a potential unfairness in the distribution mechanism, but still, taken in the larger context, it seems a bit silly to be talking about "stealing"...
cfpp2p
Posts: 290
Joined: Sat Aug 08, 2009 3:14 pm

Re: "Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders

Post by cfpp2p »

Astara wrote: Yeah, I know it's about a potential unfairness in the distribution mechanism, but still, taken in the larger context, it seems a bit silly to be talking about "stealing"...
agreed