The recent research revealed that BitTorrent swarms are relatively harmless, but still there’s potential for abuse. Various experiments confirmed that the flaw affects the uTP, DHT, Message Stream Encryption and BitTorrent Sync protocols. It was pointed out that the attacks were most effective via the BitTorrent Sync app, where the original bandwidth can be increased 120 times. As for the most popular torrent apps – uTorrent and Vuze, the effect is also noticeable, boosting attacks by 39 and 54 times respectively.
The researchers say that it’s quite easy to launch a distributed reflective DoS attack via BitTorrent, as the hacker just needs a valid info-hash, or the “secret” in case of BitTorrent Sync. Such attack is easy to run, because the hacker is able to collect millions of possible amplifiers by using trackers, DHT or PEX with a single BitTorrent Sync ping message.
The researchers informed BitTorrent Inc. about the flaw, and the company patched some of vulnerabilities in a recent beta release. However, thus far, uTorrent is still vulnerable to a DHT attack. As for Vuze, the company was also contacted but has yet to release a patch.
Users of BitTorrent-based clients should have no security concern other than the fact that they can be participating in a distributed denial of service attack without their knowledge. The bugs mostly lead to wasted bandwidth.