1. Measurement and Diagnosis of Address Misconfigured P2P traffic Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic Lab for Internet and Security Technology (LIST) Northwestern Univ.

2. 2 What is P2P address misconfiguration?  Thousands of peers send P2P file downloading requests to a “random” target (even not in the P2P system) on the Internet Peers “random” target on the Internet Address-misconfigured P2P traffic

3. 3 Motivations  P2P file sharing accounted for > 60% of traffic in USA and > 80% in Asia  P2P software DC++ has already been exploited by attackers for DoS  direct gigabit “junk” data per second to a victim host from more than 150,000 peers  End user perspective  Involve innocent users in DDoS attacks unconsciously  Anti-P2P arm-race  Downloading performance  ISP perspective  Reduce unwanted traffic for “green” Internet Get contacted by an ISP in Canada  P2P developer perspective  Identify the buggy software among a large number of variances.  Help design more robust P2P software

4. 4 Outline Motivation Passive measurement results P2PScope system design Root cause diagnosis and analysis Conclusion

5. 5 Passive Measurement Honeynet/honeyfarm datasets Events: # of unique sources > 100 in 6 hours LBLNUGQ Sensor5 /2410 /244 /16 Traces901GB916GB49GB Duration47 months 16 months 26 days Scan traffic removal Event time window extraction Target identification

6. 6 Measurement Results Event characteristics: –Usually involve thousands of peers on average –Duration: A few hours to up to a month LBLNU eMule143416 BitTorrent74211 Gnutella43 Soribada60 Xunlei120 VAgaa11

7. 7 Popularity Growing Trend: IP space: observed in three sensors in five different /8 IP prefixes The total numbers of connections that match the P2P signatures. 39%!

8. 8 Further Diagnosis Problems with passive measurement on archived data –Events have gone –Hard to backtrack the propagation –Root cause? Need a real-time backtracking and diagnosis system!

9. 9 Outline Motivation Passive measurement results P2PScope system design Root cause diagnosis and analysis Conclusion

10. 10 Design of P2PScope System Root cause inference Backtracking system P2P-enabled Honeynet P2P payload signature based responder Event identification 10100101011101 infohash; ‘abc.avi’ Protocol parsing for metadata

11. 11 Design of P2P Doctor System Root cause inference Backtracking system P2P-enabled Honeynet Index Server (tracker) Crawling BT: top 100, eMule: 185 Peer Exchange Protocol Crawling DHT Crawling

12. 12 Design of P2P Doctor System Root cause inference Backtracking system P2P-enabled Honeynet Track the information flow for suspicious P2P software Track how honeynet IPs propagated in P2P systems Peer routability checking Anti-P2P analysis Hypothesis formulation and testing Totally ~7000 lines of Python, Perl and Bro

13. 13 Outline Motivation Passive measurement results P2P Doctor system design Root cause diagnosis and analysis Conclusion

14. 14 Diagnosis & Analysis Questions –What is the root cause? –Which peers spread misconfiguration? –How is misconfiguration disseminated? –How badly are individual clients affected? Results –Data plane traffic radiation –Detailed results focus on eMule and BitTorrent

15. 15 Data Plane Traffic Radiation DHT Peer Exchange Index Server Who has avatar.avi? 1.2.3.4 Resource mapping

16. 16 eMule – Root Cause Byte ordering is the problem! 1.2.3.4 4.3.2.1 1.2.3.4

17. 17 eMule – Root Cause Byte ordering is the problem! –61% of the reverse honeynet peers indeed running eMule with the port number reported –For the backtracked peers which is in the unroutable IP space, 69.6% of them having reverse IPs run eMule Locate bugs in source code –At least aMule 2.1.0 (a popular eMule alternative) has the byte order bug

18. 18 eMule – Peers & Dissemination Which peers spread misconfiguration? –99.24% of misconfigured peers are normal peers How is the misconfiguration disseminated? –Index Server? No –Peer exchange? Yes –DHT? No Percentage of bogus peers in eMule network? –[12.7%, 25.0%] w/ a total of 37,079 backtracked peers

19. 19 BitTorrent – Root Cause I Anti-P2P companies deliberately inject bogus peers! –20% of traffic we observed related to anti-P2P peers –Only return bogus peers or anti-P2P peers –Using UTorrent peer exchange protocol to disseminate –Find a particular peer farm One /24 network, each IP run hundreds of peers Run Azureus 2.5.0.0 and IPs also run VMware Return peers even for non-existing file hashes.

20. 20 BitTorrent – Root Cause II KTorrent also has a byte-order bug –Discover using information flow tracking on KTorrent, UTorrent and Azureus –Identify the actual bug, report to KTorrent Developers and get confirmed. Misconfiguration propagation –[fully] KTorrent: all peers exchanged from others –[partial] UTorrent: all peers that respond to TCP handshaking –[almost not] Azureus: all peers that respond to BitTorrent handshaking.

21. 21 Conclusions The first study to measure and diagnose large- scale address misconfigured P2P traffic Find 39% Internet background radiation is caused by address misconfiguration –Popular in various P2P systems, increase 100% each year for four years, and scattered in the IPv4 space For eMule, we found it is caused by network byte order problem For BitTorrent –Anti-P2P companies deliberately inject bogus peers –KTorrent has a byte order bug

22. 22