Press coverage regarding DC being used as a DDoS tool
January 17, 2008
There was some press coverage regarding my Denying distributed attacks post. Actually, I was interviewed by Robert Lemos. The following is the mail correspondence we had:
1) From your data, it looks like there are at least 650,000 people using the latest version of DC++. Is that correct? How many users do you think you have? What do people typically use DC++ for?
2) Prolexic, an anti-DDoS firm, has used DC++ as an example of a new style of attack (link: http://www.prolexic.com/news/20070514-alert.php) that uses the directory servers of P2P software to direct the clients to DoS a particular IP address or network. Are these attacks common? Can you name an instance in particular where you observed such an attack and give me some concrete details on what happened?
3) How do attackers get control of the DC++ network or directory server to direct such attacks? Are there countermeasures that can be implemented in the software to determine when such an attack is happening?
1) No, I don’t think there are 650,000 people. We currently have no real way of knowing how many people are using DC++, or even the latest version. We can calculate how many people are starting their clients, but that would require us to look at the logs on how many people connect to the DC++ website. SourceForge, which is hosting the website, does not provide us with those logs, so we can’t say for sure how many are using DC++.
At one point in time, we were able to see how many were using DC++, and it was somewhere around 300,000. But that figure may be misleading, as it’s incremented when someone opens a particular window in DC++ as well as on startup. If people are then also using multiple instances of DC++, the number will also increase, as there’s no lookup on individual IPs.
The vast majority of DC++ users (and generally Direct Connect users) use the network to trade files with each other. The major difference between Direct Connect and other P2P networks is the community: the ability to communicate with whoever you’re trading your files with (and of course other people). I personally mostly use Direct Connect for the community aspect. I believe one might compare Direct Connect with good old Napster, with a built-in instant messenger.
2) These attacks are unfortunately getting more common. I think this phenomenon can be traced back to late 2005, early 2006. (Although not on such a scale as Prolexic has experienced.)
The most public attack was against http://www.hublist.org, which was the largest hub list in DC (and the most influential: DC++ had Hublist.org’s hub list as the single default list, until about a year back). I say was because the site has been down and up since the attacks started.
Basically, the administrators of the hub list and a group of rogue Direct Connect users had a dispute that escalated beyond common sense, and has ended up as a massive DDoS. The latter had created tools to ‘destroy’ hubs (e.g., a tool to cause a flood in a hub, a different type of DoS) or cripple them. The administrators of Hublist.org responded by removing the hubs that the rogue group commanded from the hub list Hublist.org provided. In return, the rogue group responded by attacking Hublist.org to show their dismay. Reportedly, the site had experienced a constant 10-90% bandwidth usage (on a 100 Mbit/s line) during about a year’s worth of time.
I mentioned that Hublist.org had been the only default hub list in DC++ until about a year back. By that I mean that other hub lists were added at that time. The reason was that the rogue group (that had attacked previously) had launched a massive attack at Hublist.org, rendering the site useless and unresponsive. The site had been able to keep working despite the heavy usage before. However, after the massive attack, the site was down for about six months before it was able to get back up.
Meanwhile, dcpp.net (an address that Todd Pederzani had bought) and the server it was on were also getting hit, which is the reason the site was moved back to SourceForge, and other parts have been removed. DirectConnect.se, which is a Swedish-oriented DC community site, was also taken down with dcpp.net as they were on the same server. YnHub.org, which serves the most popular hub for Windows, was also hit in the storm of attacks (though I don’t know if it was on the same computer as the other two sites).
You should contact the administrators of hublist.org concerning their DDoS. They have reportedly been in contact with Finnish police (their site is .fi-based), Scotland Yard, FBI, UK authorities and Romanian authorities. (There may be more; I don’t remember more currently.)
Disclaimer: I have no idea if this is the same group as have been reported by Prolexic.
3) The attackers are able to take control over servers in two ways: by exploiting the victim’s operating system, gaining access to the hub and making the hub part of a botnet; and by exploiting the victim’s hub software.
The former can of course be avoided by good firewall protection, but that’s quite difficult for anyone involved in DC to enforce.
The latter can be avoided by upgrading hub software that is known to have exploits. I don’t think there is any public hub software today that has these flaws; as I’ve written, the attackers take advantage of people’s reluctance to upgrade. (Out of laziness or whatever.)
The attackers also have the possibility, as anyone else, to register a new hub on a hub list, which they are in complete control over. It’s difficult to impossible to restrict this. I think the majority of DDoS-initiating hubs are in this category.
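Since the attacker-controlled hub is the part the rest of the network cannot prevent, the practical countermeasure asked about in question 3 has to sit in the client. In the NMDC protocol a hub tells a client to open a connection with `$ConnectToMe <nick> <ip>:<port>|`, and a rogue hub can send that line to every connected client with the victim's address in it. The following is an added example, not DC++ code and not from the original correspondence: a per-hub sliding-window guard that refuses to dial the same target more than a few times per minute, so a hub herding its users at one address gets cut off after the first few attempts. The thresholds (`window`, `per_target_limit`, `total_limit`), the class and function names, and the sample traffic are all assumptions made for illustration.

```python
"""Client-side guard against a hub steering clients at one target.

Added example, not DC++ code. The NMDC command format is real; the
thresholds and sample traffic below are assumptions for illustration.
"""
import re
from collections import deque

# Hub -> client connect request: "$ConnectToMe <ourNick> <ip>:<port>|"
# The line does not identify who asked, so the client can only judge
# by how often, and where, the hub is telling it to connect.
CTM_RE = re.compile(r"^\$ConnectToMe (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


class ConnectGuard:
    """Sliding-window limiter on hub-requested outbound connections.

    Keep one instance per hub connection. Thresholds are assumptions,
    not DC++ defaults.
    """

    def __init__(self, window=60.0, per_target_limit=3, total_limit=20):
        self.window = window                  # seconds of history kept
        self.per_target_limit = per_target_limit  # max dials per IP in window
        self.total_limit = total_limit        # max dials overall in window
        self.events = deque()                 # (timestamp, target_ip)

    def _expire(self, now):
        while self.events and now - self.events[0][0] > self.window:
            self.events.popleft()

    def decide(self, now, line):
        """Return ("connect", "ip:port"), ("drop", reason) or ("ignore", None)."""
        m = CTM_RE.match(line.rstrip("|"))
        if not m:
            return ("ignore", None)
        _nick, ip, port = m.groups()
        if not 0 < int(port) < 65536:
            return ("drop", "bad port %s" % port)
        self._expire(now)
        same_target = sum(1 for _, t in self.events if t == ip)
        if same_target >= self.per_target_limit:
            return ("drop", "%s already dialled %d times in %.0fs"
                    % (ip, same_target, self.window))
        if len(self.events) >= self.total_limit:
            return ("drop", "hub requested %d connects in %.0fs"
                    % (len(self.events), self.window))
        self.events.append((now, ip))
        return ("connect", "%s:%s" % (ip, port))


def replay(events, guard=None):
    """Feed (timestamp, line) pairs through one guard; return decisions."""
    guard = guard or ConnectGuard()
    return [(line,) + guard.decide(ts, line) for ts, line in events]


def likely_victims(results, min_drops=3):
    """IPs the hub kept pushing after the per-target limit: DDoS targets."""
    drops = {}
    for line, verdict, _ in results:
        m = CTM_RE.match(line.rstrip("|"))
        if verdict == "drop" and m:
            drops[m.group(2)] = drops.get(m.group(2), 0) + 1
    return {ip for ip, n in drops.items() if n >= min_drops}


# Constructed sample traffic (not captured): a few normal requests from
# users on 192.0.2.0/24, then a hub burst aiming everyone at 203.0.113.5:80.
SAMPLE = [
    (0.0, "$ConnectToMe me 192.0.2.10:412|"),
    (5.0, "$ConnectToMe me 192.0.2.11:412|"),
    (6.0, "$Hello bob|"),
    (7.0, "$ConnectToMe me 192.0.2.10:412|"),
] + [(10.0 + i * 0.1, "$ConnectToMe me 203.0.113.5:80|") for i in range(10)]

if __name__ == "__main__":
    for line, verdict, detail in replay(SAMPLE):
        print("%-8s %-40s %s" % (verdict, line, detail or ""))
    print("likely victims:", likely_victims(replay(SAMPLE)))
```

Run stand-alone, the guard dials the first three requests for 203.0.113.5 and drops the remaining seven, and `likely_victims` names that address. A client that also logged the drop reason per hub would give hub-list operators exactly the evidence they need to delist a rogue hub.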
Lemos published his article on SecurityFocus. There are other sites he published on, too, but as far as I can tell, it’s all the identical article.