
P2P clients used for DoS attacks


The frequency and magnitude of peer-to-peer (P2P) enabled denial-of-service (DoS) attacks are increasing, and there seems to be little organizations can do to protect themselves when using traditional approaches to Web site defense.

File-sharing P2P networks aren't new. Their use for sharing all types of media over the Internet caused an explosion in the number of workstations enrolled in these networks. It was only a matter of time before cybercriminals began taking advantage of these "public" networks.

Most P2P networks are based on the DC++ client. Each client in a DC++-based network is listed in a network hub. It is this hub software that is at risk of compromise. Older versions of the hub software allow attackers to instruct registered clients to disconnect from the P2P network and connect to a system at the intended target's location. This can result in hundreds of thousands of connection attempts sent to a Web server, bringing it to its proverbial knees. According to Fredrik Ullner, a member of the DC++ project, it's "difficult to impossible" to prevent an attack under these circumstances (Robert Lemos, "Peer-to-peer networks co-opted for DOS attacks," SecurityFocus, 28 May 2007).

Of course, the solution is to upgrade all network hubs to a nonvulnerable version of the P2P software. However, getting network administrators to take this step is difficult. Further, attackers could circumvent this step by setting up their own hub servers running a vulnerable version, collecting the list of network clients, and launching an attack (Lemos).

Detecting a P2P DoS attack is easy; defending against it is difficult. An organization's perimeter defense devices would be overwhelmed by a large attack. Blocking the large number of source IP addresses is time-consuming and would still slow packet processing to a crawl. One solution is to prevent the packets from reaching a business network in the first place.
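The detection half of that statement is illustrated below with an added example that is not from the original article. It buckets connection-log lines into fixed time windows and flags a window only when both the attempt count and the number of distinct source addresses are high, which separates a hub-redirected swarm from one misbehaving host; the log format and thresholds are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # naive reference so bucketing ignores local time zones

def parse_line(line):
    """Parse an assumed 'ISO-timestamp source-ip request' line into (seconds since EPOCH, ip)."""
    ts, ip, _request = line.split(" ", 2)
    return (datetime.fromisoformat(ts) - EPOCH).total_seconds(), ip

def detect_flood(lines, window=60, min_attempts=200, min_sources=100):
    """Bucket connection attempts into fixed windows and flag windows where both
    the attempt count and the number of distinct sources exceed the thresholds.
    One noisy host trips only the count threshold; a hub-redirected P2P swarm
    trips both, which is what makes per-address blocking impractical."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        seconds, ip = parse_line(line)
        bucket = int(seconds // window) * window
        attempts[bucket] += 1
        sources[bucket].add(ip)
    flagged = []
    for bucket in sorted(attempts):
        count, distinct = attempts[bucket], len(sources[bucket])
        if count >= min_attempts and distinct >= min_sources:
            start = (EPOCH + timedelta(seconds=bucket)).isoformat()
            flagged.append((start, count, distinct))
    return flagged

def constructed_log():
    """Synthetic connection log (constructed, not real traffic): ten minutes of
    normal load from two hosts, then one minute in which 300 distinct sources
    each connect once, then one minute in which a single host connects 300 times."""
    lines = []
    for minute in range(10):
        for k in range(5):
            lines.append(f"2007-05-28T10:{minute:02d}:{k * 10:02d} "
                         f"198.51.100.{k % 2 + 1} GET /index.html")
    for k in range(300):  # distributed burst: many sources, one attempt each
        lines.append(f"2007-05-28T10:10:{k % 60:02d} 10.0.{k // 256}.{k % 256} GET /")
    for k in range(300):  # single-source burst: same volume, one address
        lines.append(f"2007-05-28T10:11:{k % 60:02d} 198.51.100.9 GET /")
    return lines

if __name__ == "__main__":
    for start, count, distinct in detect_flood(constructed_log()):
        print(f"{start}: {count} attempts from {distinct} distinct sources")
```

Only the distributed minute is reported with the default thresholds; lowering min_sources to 1 also surfaces the single-host burst, which is the case ordinary per-address blocking can still handle.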

Prolexic, for example, has announced a solution for dealing with P2P-based attacks. Once an attack is detected, packets related to the attack are prevented from making it to the perimeter defenses. This type of solution might be the only way to deal with this emerging threat.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

1 comment

TheGooch1

DoS attacks are also (and most have been since at least '99) caused by C++ apps, VBScript apps, .Net apps, Java apps, and application apps. P2P is nothing special, and DC+ accounts (per Nethack statistics) are about 10% of the P2P 'market', with apps like eMule, Limewire, bittorrent, etc. far outnumbering DC+. Btw, P2P by definition is not a client-server model, it is a Peer-to-Peer model, in which there is not a client application. However, it's good to let DC+ users know about the vulnerability mentioned in the article, but the article's title should have been "DC+ App Vulnerability Used in DoS Attacks". "P2P" is just too general.