P2P Networks Hijacked for DDoS Attacks

Peer-to-peer networks are being hijacked to launch an increasing number of distributed denial of service (DDoS) attacks on web sites, according to security researchers and network service providers. In these attacks, large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.
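The signature of the attack described above, from the target's point of view, is one file being requested by a very large number of distinct client addresses in a short period, which ordinary browsing does not produce. The following detector is an added example, not code from the article, Prolexic, or the DC++ project; the Apache-style log format, the 60-second window, the threshold and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag paths fetched by unusually many distinct clients within a short window.

Added illustration for the P2P-driven DDoS pattern: a swarm of peers tricked into
fetching one file from a web site shows up in the server log as the same path
requested by many different source addresses at once. Log format, window size,
threshold and sample data below are assumptions, not values from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format as written by Apache/nginx (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'path'} for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
    }


def find_floods(lines, window=timedelta(seconds=60), min_distinct_ips=5):
    """Return {path: peak_distinct_ips} for every path that was requested by at
    least min_distinct_ips different client addresses inside any single window."""
    by_path = defaultdict(list)  # path -> [(timestamp, ip), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_path[rec["path"]].append((rec["ts"], rec["ip"]))

    floods = {}
    for path, events in by_path.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)  # ip -> number of its requests inside the window
        peak = 0
        for ts, ip in events:
            in_window[ip] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old_ip = events[start][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_ips:
            floods[path] = peak
    return floods


def sample_log():
    """Constructed sample log: three normal page views from three clients, plus a
    swarm of 40 different addresses all fetching /files/big.iso within 40 seconds."""
    base = datetime(2007, 5, 14, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, page in enumerate(["/", "/news", "/about"]):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.{i + 1} - - [{ts}] "GET {page} HTTP/1.1" 200 512')
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'192.0.2.{i + 1} - - [{ts}] "GET /files/big.iso HTTP/1.1" 200 4096')
    return lines


if __name__ == "__main__":
    for path, count in find_floods(sample_log()).items():
        print(f"possible flood: {path} requested by {count} distinct clients in one window")
```

The detector counts distinct source addresses rather than raw request volume, because a swarm of tricked peers is spread across many hosts while a single aggressive crawler is not; on a real site the threshold should be set well above the number of distinct clients a popular download normally attracts in a minute.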

This type of attack had been discussed in papers by security researchers last year, but began appearing on the Internet in early 2007 and has accelerated in recent weeks, according to Prolexic Technologies, which specializes in DDoS defense. In a May 14 advisory, Prolexic reported an increase in the number and frequency of attacks. "The rash of large P2P attacks we have seen in the last month is a perfect example of how the DDoS problem constantly evolves," said Darren Rennick, CEO of Prolexic. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack. We now see them constantly being subverted."

The company said as many as 100,000 machines had been used in some of the attacks. The peer-to-peer DDoSes may be attractive to attackers, as they don't require the use of an existing "botnet" of compromised computers.

Prolexic said many of the recent attacks exploited DC++, an open source peer-to-peer client for Windows machines that uses the Direct Connect file-sharing protocol. On its blog, the DC++ development team acknowledges that the software is being used in DDoS attacks, and notes that recent updates have addressed the security holes.

"Unfortunately, we need to come to a grip that no matter how much protection we add to new hubs and clients, there will always be those who are using old versions of their client or hub of choice, which is exactly how people exploit DC," wrote Fredrik Ullner. "They are taking advantage of people’s resistance of upgrading."

Last year researchers detailed weaknesses in several widely used P2P infrastructures. A team from Brooklyn Polytechnic University found that the OverNet P2P protocol could allow networks to be manipulated to launch DDoS attacks. OverNet was used in the eDonkey peer-to-peer software, which has fallen off in usage since the eDonkey web site was taken over by the Recording Industry Association of America (RIAA) as part of a legal settlement. Reports of DDoS weaknesses in the Gnutella network emerged as early as 2002. Last year the team of Elias Athanasopoulos, Kostas G. Anagnostakis and Evangelos P. Markatos confirmed those findings in more recent versions of the software and offered defense strategies.