Emerged in recent weeks, but not yet publicly exploited, the flaw that allowed to carry out DDoS attacks particularly serious was resolved by the developers of the BitTorrent protocol.
The group of developers that maintains and operates the open protocol BitTorrent has solved a vulnerability that offered the possibility to a single attacker, even with modest resources of bandwidth, to attack major websites using a new form of denial of service amplified.
We talked about it a few weeks ago: sending a request properly sanitized to other BitTorrent client could cause the flood of a third target data that is 50 to 120 times larger than the original request.
What made possible the attack is the use of UDP protocol by BitTorrent, which offers no mechanism to prevent and avoid falsification of IP addresses, thereby leaving the possibility, in the request artfully packaged, replacing the IP attacker with that of the victim. In the official blog developers, they have announced that the vulnerability is the result of a flaw in the implementation of call reference libuTP. To solve the problem the app uTorrent, BitTorrent, and BitTorrent Sync will now have to request a reply to the one who initiated the connection before giving long answers.
” Any package that falls outside of a window will be limited given up and will not be sent to the victim, ” reads the blog. If we refer to the diagram published in the post, which we reported here above, the packet is dropped 3, and 4, 5 and 6 will never get to the victim. ” Given that this is done at the level of libuTP, all other protocols that can run on libuTP, such as the Message Stream Encryption, are also served by the mitigation. “