P2P clients used for DoS attacks

The frequency and magnitude of peer-to-peer (P2P) enabled denial-of-service (DoS) attacks are increasing, and traditional approaches to Web site defense offer organizations little protection against them.

File-sharing P2P networks aren't new. Their use for sharing all types of media over the Internet led to an explosion in the number of workstations enrolled in them, and it was only a matter of time before cybercriminals began taking advantage of these "public" networks: every enrolled workstation is a host that does what the network tells it to.

The attacks reported so far involve Direct Connect networks, whose most widely used client is DC++. Each client in such a network registers with a hub, a server that keeps the list of connected clients and brokers their searches and transfers, and it is this hub software that is at risk. Older versions of the hub software let an attacker instruct the registered clients to disconnect from the hub and connect instead to a system of the attacker's choosing, such as a Web server at the intended target. Because every client obeys at once, the result can be hundreds of thousands of connection attempts arriving at one server within a short period, bringing it to its proverbial knees. According to Fredrik Ullner, a member of the DC++ project, it is "difficult to impossible" to prevent an attack under these circumstances (Robert Lemos, "Peer-to-peer networks co-opted for DOS attacks," SecurityFocus, 28 May 2007).

The obvious fix is to upgrade every hub to a version of the software that no longer permits the redirect. Getting hub administrators to take this step is difficult, and it would not be enough in any case: an attacker can set up a hub of his own running a vulnerable version, wait for clients to register, collect the client list, and launch the attack from there (Lemos). Since the redirect is an instruction that the client carries out, a hub-side fix only protects clients that never talk to a malicious hub; the lasting fix has to be in the client, which should refuse to follow a redirect to anything that is not a hub (to a Web server's port 80, for instance).

Detecting a P2P DoS attack is easy: the traffic is a sudden flood of connection attempts from a very large number of distinct sources that are P2P clients, not Web browsers. Defending against it is difficult. An organization's perimeter devices would be overwhelmed by a large attack. Blocking the sources one address at a time is slow to set up and, on a device that evaluates rules linearly, slows packet processing to a crawl as the list grows; a hash-based address set keeps the matching fast, but the flood still fills the links into the perimeter. The practical solution is to keep the packets from reaching the business network in the first place.
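The "detection is easy" point can be made concrete on a Web server's own access log. The following Python script is an added example for this article; it is not code from the article, from Prolexic, or from the DC++ project. It assumes the server writes the common Apache/nginx "combined" log format, and it relies on a heuristic that is an assumption of the example: a redirected P2P client does not speak HTTP, so the server records an empty or malformed request line, typically with a 400 or 408 status. The script buckets such connection attempts by minute, flags any bucket whose number of distinct source addresses crosses a threshold, and produces the address list you would hand to an upstream filter. The log lines are constructed for the example, not captured from a real attack.

```python
"""Flag a redirect-style P2P flood in a Web server access log.

Added example for the article above; not the article's, Prolexic's or the
DC++ project's code.  Assumes Apache/nginx "combined" log format.  The sample
log lines at the bottom are constructed, not captured.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Leading fields of the "combined" format; referer and user-agent are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, request_line, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TIME_FMT)
    return m["ip"], int(ts.timestamp()), m["req"], int(m["status"])


def looks_like_non_http(req, status):
    """Heuristic (an assumption of this example): a P2P client pointed at a Web
    server does not send an HTTP request, so the server logs an empty request
    line ("-") or one without an HTTP version token, usually as a 400 or 408."""
    return req == "-" or not req.endswith(("HTTP/1.0", "HTTP/1.1")) or status in (400, 408)


def find_floods(lines, bucket_seconds=60, min_sources=20):
    """Bucket non-HTTP connection attempts by time and flag every bucket in which
    the number of DISTINCT source addresses reaches min_sources.  Counting
    distinct sources rather than requests is what separates a P2P flood from one
    misbehaving client.  Returns [(bucket_start_epoch, sorted_source_ips), ...]."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines, do not crash on them
        ip, epoch, req, status = rec
        if looks_like_non_http(req, status):
            sources[epoch - epoch % bucket_seconds].add(ip)
    return [(start, sorted(ips)) for start, ips in sorted(sources.items())
            if len(ips) >= min_sources]


def blocklist(floods):
    """Union of all flagged sources, in address order: the list to hand to an
    upstream filter or load into a hash-based set, not into per-address rules."""
    ips = set()
    for _, flagged in floods:
        ips.update(flagged)
    return sorted(ips, key=ipaddress.ip_address)


# Constructed sample: two legitimate browser hits, then 25 distinct hosts that
# opened a connection and never sent an HTTP request, then one more browser hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2007:10:00:01 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.9 - - [28/May/2007:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5123',
] + [
    f'198.51.100.{i} - - [28/May/2007:10:00:{10 + i % 40:02d} +0000] "-" 408 -'
    for i in range(1, 26)
] + [
    '203.0.113.7 - - [28/May/2007:10:02:30 +0000] "GET /about HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    floods = find_floods(SAMPLE_LOG)
    for start, ips in floods:
        when = datetime.fromtimestamp(start, tz=timezone.utc)
        print(f"{when:%Y-%m-%d %H:%M}Z: {len(ips)} distinct non-HTTP sources")
    print("blocklist:", blocklist(floods))
```

The threshold and bucket size are deliberately parameters: on a busy site a few dozen stray non-HTTP connections a minute is background noise, and the figure worth alerting on is the one well above your own baseline of distinct sources per minute.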

Prolexic, for example, has announced a service for P2P-based attacks: once an attack is detected, the packets that belong to it are filtered upstream, before they reach the customer's perimeter defenses. Upstream filtering of this kind may be the only practical way to deal with this emerging threat.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...