Surprise! You’re Not Anonymous on BitTorrent
May 4, 2010
Thomas Mennecke
The latest shell shocker to come out of the BitTorrent world comes from two white papers from Inria France. The research papers examine the anonymity, or in this case its absence, when using the BitTorrent protocol. One paper examines the typical user interaction with BitTorrent, and the other focuses on users trying to mask their identity with Tor. The findings of the papers were identical – no matter how you try to hide your traffic online, those determined enough will always sniff you out.

Anonymity and encryption services are a lot like putting “The Club” or any of those other steering locks on your car. Sure, the device may deter a perpetrator, but ultimately it can be defeated. The same goes for encryption mentality – you’re never completely anonymous online despite your best efforts. There are many ways to “hide” your IP address: VPN services, proxies, and of course Tor. Tor is a decentralized network that is intended to protect free speech by providing an anonymous avenue for writers in politically hostile environments. When it comes to using this type of concealment, these services work well in hiding the individual’s identity when browsing the web or sending emails. But using these services in an effort to hide while using BitTorrent? No way.

The first paper examines the supposed anonymity that BitTorrent users feel when using Tor. The researchers set up their own Tor exit node, and waited as the BitTorrent traffic flowed through. When a BitTorrent client talks to a tracker, it greets the server with a handshake – and that handshake has the IP address of the originating, supposedly anonymous client. The paper also discusses how “man in the middle” attacks can more accurately identify those using BitTorrent on Tor.

“Hijacking the tracker responses allows an attacker to de-anonymize a user who only connects to the tracker using Tor. In addition to the code to instrument and monitor the exit node, this attack requires approximately 200 lines of code to rewrite the list of endpoints, which makes it relatively easy to launch. As we will see in Section 4, more than 70% of BitTorrent users use Tor only to connect to the tracker, making hijacking quite efficient to de-anonymize users.”
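
To check your own client for the tracker leak described above, here is an added example (not from the article or the Inria papers) that audits a captured announce URL for self-reported addresses. It assumes the address travels in the standard announce query parameters (`ip` from BEP 3, `ipv4`/`ipv6` from BEP 7); the tracker name, sample URL and addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Announce parameters in which a client can report its own address
# (ip: BEP 3; ipv4/ipv6: BEP 7).
ADDRESS_PARAMS = ("ip", "ipv4", "ipv6")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def host_part(value):
    """Strip an optional port: '[v6]:port', 'v4:port' or a bare host."""
    value = value.strip()
    if value.startswith("["):
        return value[1:].partition("]")[0]
    if value.count(":") == 1:
        return value.split(":")[0]
    return value


def audit_announce(url, exit_ip):
    """List (param, host, kind) for every self-reported address in one
    announce URL that differs from exit_ip, the address the tracker sees
    as the connection source (Tor exit or VPN endpoint)."""
    seen_by_tracker = ipaddress.ip_address(exit_ip)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    for name in ADDRESS_PARAMS:
        for raw in query.get(name, []):
            host = host_part(raw)
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                findings.append((name, host, "hostname"))
                continue
            if addr == seen_by_tracker:
                continue  # same as the proxy address: nothing extra revealed
            # Anything outside the LAN ranges is treated as public here.
            kind = "lan" if any(addr in net for net in LAN_NETS) else "public"
            findings.append((name, str(addr), kind))
    return findings


# Constructed sample: an announce sent through a proxy that still carries
# the client's own addresses in the query string.
SAMPLE = ("http://tracker.example/announce?info_hash=%00%01"
          "&peer_id=-XX0001-abcdefghijkl&port=6881&uploaded=0&downloaded=0"
          "&left=0&ip=203.0.113.7&ipv6=%5B2001%3Adb8%3A%3A1%5D%3A6881")

if __name__ == "__main__":
    for finding in audit_announce(SAMPLE, "198.51.100.20"):
        print(finding)
```

An empty result means the announce reveals no address beyond the proxy's own; it says nothing about the DHT, which uses a separate channel.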

Using three different ways to identify users, the researchers found that each layer of the BitTorrent environment had a cascading effect on the ability to identify users. In other words, the more layers the end user employed, such as DHT, the easier and more verifiable the data became.

“The exploitation of the DHT allows to de-anonymize a user, even if she uses Tor to connect to other peers. Tor does not support UDP communications that are used by the DHT. As a BitTorrent client will fail to connect to the DHT using its Tor interface, it connects to the DHT using the public network interface and publishes its public IP and listening port into the DHT. Therefore, even though Alice connects to Bob through Tor, Bob can lookup Alice’s public IP address in the DHT. We have validated this behavior with μTorrent, the most popular BitTorrent client…”

The second paper takes a more generalized approach. Instead of looking at users who employ Tor, this research discovered the vulnerabilities inherent in BitTorrent trackers. Again, the methods were relatively simple. The researchers merely connected to a tracker and waited for a torrent upload – the IP address belonging to the uploader would be the origin point, or seeder.

“An adversary can exploit the newly injected contents to contact the tracker at the very beginning of the content distribution and if he is alone with a peer, conclude that this peer is the content provider.”

The research identifies several other exploits where identifying users is possible. Perhaps most sobering is their conclusion that very few users are providing a majority of the content – a fact of life in the file-sharing ecosystem.

“… we were able to identify the IP address of the content providers for 70% of the new contents injected into BitTorrent and to profile them. In particular, we have shown that a few content providers inject most of the contents into BitTorrent making us wonder why anti-piracy groups targeted random users instead.”
