[ISN] File-sharing sites are being subverted for web attacks

From: InfoSec News (alerts@private)
Date: Wed May 30 2007 - 22:10:29 PDT


http://www.newscientisttech.com/article.ns?id=dn11949

By Mason Inman 
30 May 2007
NewScientist.com news service

Peer-to-peer (P2P) file-sharing networks, which let users trade movies, 
music and software online, are increasingly being used to trick PCs into 
attacking other machines, experts say.

Computer scientists have previously shown how P2P networks can be 
subverted so that several connected PCs gang up to attack a single 
machine, flooding it with enough traffic to make it crash. This can work 
even if the target is not part of the P2P network itself.

Now, security experts are warning that P2P networks are increasingly 
being used to do just this. "Until January of this year we had never 
seen a peer-to-peer network subverted and used for an attack," says 
Darren Rennick of internet security company Prolexic in an advisory 
released recently. "We now see them constantly being subverted."

A large number of computers can easily overwhelm the servers of even 
large companies with data, in a so-called "distributed denial of 
service" (DDoS) attack. In the past, such attacks have been used by 
criminals to extort money from large firms.

In May 2007, DDoS attacks were used to take down web servers belonging 
to banks, government agencies, and newspapers across Estonia, in 
coordinated, and apparently politically-motivated, strikes.


Database poisoning

However, mounting a DDoS attack normally involves exploiting software 
bugs to break into systems, often using a computer virus, and creating 
an army of remotely controlled machines, or a "botnet".

Early in 2006, Keith Ross and Naoum Naoumov at the Polytechnic 
University, in Brooklyn, New York, demonstrated that P2P networks could 
be used to launch an attack without hijacking any PCs, in a published 
study of the eDonkey P2P network.

"In all file-sharing systems, you need a database to locate where these 
files are," Ross says. "The trick is to poison the database, to put 
bogus entries in that say that a very popular file is located at some 
target address that you want to attack."

Thousands of computers will then start contacting the target computer 
requesting, for example, the latest Britney Spears song or episodes of 
The Office.

A more recent study shows that BitTorrent, one of the most popular 
file-sharing networks, can be misused the same way. BitTorrent splits 
files up for sharing, which dramatically increases download speeds, and 
it also has a more centralised database than networks such as eDonkey. 
But Athina Markopoulou and colleagues at the University of California in 
Irvine, US, show that it can still be used to mount a DDoS attack.


Client hacking

They created modified versions of BitTorrent files, and their own 
"tracker", a computer that stores the databases that peers use to find 
one another on the network. Then, using 25 bogus files, they were able 
to trick more than 50,000 computers into cooperating within a few hours. 
"We needed to do some hacking in the BitTorrent code," says Karim El 
Defrawy, a member of Markopoulou's group. "But anyone with some small 
programming experience could do this."

Bram Cohen, creator of BitTorrent, points out that there are far simpler 
ways to launch similar attacks: "Anyone with a popular website can put 
lots of tags for hidden versions of an image on somebody else's website, 
have some JavaScript get those images to reload once every few seconds, 
and completely denial of service a medium-size or even large website."

However, other experts maintain that the popularity of P2P networks 
makes the issue important. "As P2P networks become more successful, this 
will become more of a problem," says Sanjay Rao of Purdue University, 
US, who has also studied the issue. "I think it's going to have the 
potential to be much worse than the botnet problem."

"One reason for the shift in strategy, is that these attacks are harder 
to defend and track down than traditional botnet-based DDoS," adds 
Richard Miller, of UK internet monitoring firm Netcraft. "They represent 
a new attack vector, and it will take a while before the internet 
security community is widely aware of the new technique, and how best to 
defend against it."

