Exploiting BitTorrent For Fun But Not Profit - PowerPoint PPT Presentation


1
Exploiting BitTorrent For Fun (But Not Profit)
  • Nikitas Liogkas, Robert Nelson, Eddie Kohler,
    Lixia Zhang
  • Readable Software Systems group
  • University of California, Los Angeles

2
Motivation
  • Robustness: system always provides useful
    service to all connected peers
  • depends on peers' willingness to contribute
  • but uploading not in peers' direct self-interest
  • Fairness: those who do not contribute should not
    be able to receive good service
  • Can fairness violations reduce robustness?

3
Selfishness
  • BitTorrent's fairness model
  • sets rules for data exchange between peers
  • tit-for-tat for upload decisions
  • Selfish peers: those who violate fairness while
    evading detection
  • by abusing existing protocol mechanisms
  • does selfish behavior lead to fairness
    violations?
  • what is the impact on honest peers?

4
Contributions
  • Designed and evaluated three selfish exploits
  • used as tools for measuring impact on robustness
  • Despite selfishness, BitTorrent quite robust
  • at most 29% higher rates for the selfish peer
  • but no considerable degradation of service
  • How is this robustness achieved?
  • identify worst-case scenarios
  • pinpoint responsible protocol mechanisms
  • propose five guiding design principles

5
Presentation outline
  • BitTorrent operation
  • Experimental methodology
  • Design and evaluation of exploits
  • Proposed design principles
  • Conclusions
  • Ongoing and future work

6
Joining a torrent
[Diagram labels: metadata file, join, peer list, data request]
  • Peers divided into:
  • seeds: have the entire file
  • leechers: still downloading

1. obtain the metadata file (out of band)
2. contact the tracker
3. obtain a peer list (contains seeds and leechers)
4. contact peers from that list for data

7
Exchanging data
[Diagram label: "I have!"]
  • verify pieces using hashes
  • download sub-pieces in parallel
  • advertise received pieces to the entire peer
    list
  • download the rarest pieces first

8
Peer selection - unchoking
  • periodically (typically every 10 seconds)
    calculate data-receiving rates from other
    leechers
  • upload to (unchoke) the fastest
  • constant number of unchoking slots
  • based on the tit-for-tat policy

9
Optimistic unchoking
  • periodically select a peer at random and upload
    to it
  • typically every 3 unchoke periods (30 seconds)
  • multi-purpose mechanism
  • allow bootstrapping of new clients
  • continuously look for the fastest partners
  • keep the network connected: every peer has a
    non-zero chance of interacting with any other
    peer
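
The unchoke cycle from the last two slides, as an added example (not code from the presentation or from CTorrent). It shows why the optimistic slot is what lets a new client bootstrap: with static rates, a newcomer that has uploaded nothing is never picked by tit-for-tat alone. The slot count of 4, the peer names and the rates are assumptions.

```python
import random

UNCHOKE_SLOTS = 4      # assumed; the slides only say the number is constant
OPTIMISTIC_EVERY = 3   # re-pick the optimistic peer every 3 periods (30 s)

def choose_unchoked(rates, period, optimistic, rng, use_optimistic=True):
    """One unchoke period of a leecher.

    rates: {peer: bytes/s received from that peer during the last period}.
    Returns (regular, optimistic): tit-for-tat slots plus the random slot.
    """
    regular_slots = UNCHOKE_SLOTS - 1 if use_optimistic else UNCHOKE_SLOTS
    # Tit-for-tat: reward the peers that uploaded to us fastest.
    regular = sorted(rates, key=lambda p: (-rates[p], p))[:regular_slots]
    if not use_optimistic:
        return regular, None
    # Optimistic unchoke: random pick among the rest, held for 3 periods.
    if period % OPTIMISTIC_EVERY == 0 or optimistic is None or optimistic in regular:
        rest = [p for p in sorted(rates) if p not in regular]
        optimistic = rng.choice(rest) if rest else None
    return regular, optimistic

def periods_served(newcomer, rates, periods, use_optimistic, seed=1):
    """Count periods in which `newcomer` holds any unchoke slot (rates kept static)."""
    rng, optimistic, served = random.Random(seed), None, 0
    for period in range(periods):
        regular, optimistic = choose_unchoked(rates, period, optimistic, rng, use_optimistic)
        served += newcomer in regular or newcomer == optimistic
    return served

# Constructed sample: seven established peers and one newcomer with nothing to offer yet.
RATES = {f"peer{i}": 10_000 * i for i in range(1, 8)}
RATES["newcomer"] = 0

if __name__ == "__main__":
    print("tit-for-tat only:", periods_served("newcomer", RATES, 300, False))
    print("with optimistic :", periods_served("newcomer", RATES, 300, True))
```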

10
Implementation
  • Implemented exploits in the CTorrent client
  • Instrumented the client to collect statistics
  • Exploits clearly do not exhaust the
    complete space of selfish behavior
  • but can be used as valuable tools for evaluating
    the impact of fairness violations on robustness

11
Experimental methodology
  • Private torrents
  • eight leechers and one seed on PlanetLab
  • most torrents are small [Guo et al., IMC'05]
  • impose download and upload limits
  • purpose: measure benefit to selfish (fairness),
    impact on honest (robustness)
  • Public torrents
  • selfish and honest join the same torrent together
  • purpose: reveal impact in real settings

12
Presentation outline
  • BitTorrent operation
  • Experimental methodology
  • Design and evaluation of exploits
  • Proposed design principles
  • Conclusions
  • Ongoing and future work

13
Exploit 1: Downloading only from seeds
[Diagram labels: new list request, peer list]
  • Download only from seeds: no need to upload
  • Repeatedly query the tracker for peer lists
  • Distinguish the seeds, and receive data from
    them
  • Violates fairness model; also harmful to honest
    peers

14
Evaluation: Exploit 1 in private torrents
[Figure: download rates for all peers]
  • Limit bandwidth of leechers 1 to 6. No limit on
    seed.
  • Modest fairness violation (22% better rate) when
    selfish peer is fast
  • Robustness does not suffer: most honest slower by
15
Evaluation: Exploit 1 with modified seed
[Figure: download rates for all peers]
  • Seed only unchokes one leecher at a time
  • Considerable fairness violation: selfish peer
    faster by 155%
  • Reduces robustness: honest peers slower by at
    least 32%

16
Evaluation: Exploit 1 in public torrents
  • Tested with small ( 150
    peers) torrents
  • Selfish leecher gets consistently higher
    download rates (7-20%)
  • Does particularly well in torrents with many
    seeds
  • wider choice for the selfish peer
  • greater incentive to cheat in popular torrents

17
Exploit 2: Downloading only from the fastest peers
[Diagram label: "I have!"]
  • Download only from fast leechers, do not
    waste time and resources on slow ones
  • Do not perform optimistic unchokes
  • Observe frequency of piece advertisements
    to infer bandwidth of peers
  • Especially harmful at the start of a peer's
    lifetime

18
Evaluation: Exploit 2 in private torrents
[Figure: download rates for all peers]
  • Selfish peer interacts only with the two fastest
    leechers in its peer list
  • Modest fairness violation: selfish peer faster by
    29%
  • Robustness does not suffer: impact on honest
    peers small

19
Evaluation: Exploit 2 in public torrents
  • Exploit fails in public torrents
  • consistently lower download rates (1-30%)
  • Observations
  • optimistic unchoking critical in discovering the
    best partners
  • BitTorrent's short-term calculations beat our
    advertisement-based estimations
  • Mechanism for continuous adaptation is
    indispensable

20
Exploit 3: Advertising false pieces
[Diagram labels: piece numbers 1-4, "I have!", garbage]
  • Lie about the pieces you have
  • Gradually advertise the rarest pieces
  • Send garbage when you do not have a piece
  • pollution is not primary objective

21
Evaluation: Exploit 3 in private torrents
[Figure: download rates for all peers]
  • Modest fairness violation: selfish peer faster by
    22%
  • Robustness does not suffer: some of the honest
    peers even increase their download rates!

22
Evaluation: Exploit 3 in public torrents
  • Exploit fails in public torrents
  • modern implementations keep state about the
    origin of pieces
  • lying leechers easily detected and blacklisted
  • Remembering past interactions enables defending
    against false piece advertisements
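
One way a client can keep state about the origin of pieces, as an added sketch (not code from the presentation or from any particular client). Each sub-piece is recorded with the peer that sent it, the assembled piece is checked against its SHA-1 hash, and a failure is charged to the contributing peers. The ban threshold, peer names and piece contents are assumptions.

```python
import hashlib
from collections import defaultdict

BAN_AFTER = 2  # assumed threshold: failed pieces a peer may be implicated in

class PieceTracker:
    """Remembers which peer supplied each sub-piece so hash failures can be blamed."""

    def __init__(self, piece_hashes):
        self.piece_hashes = piece_hashes   # piece index -> SHA-1 digest from the metadata file
        self.blocks = defaultdict(dict)    # piece index -> {offset: (peer, data)}
        self.suspicion = defaultdict(int)  # peer -> failed pieces it contributed to
        self.banned = set()

    def add_block(self, index, offset, peer, data):
        if peer in self.banned:
            return False                   # ignore anything a blacklisted peer sends
        self.blocks[index][offset] = (peer, data)
        return True

    def finish_piece(self, index):
        """Verify an assembled piece; on failure, charge every contributing peer."""
        parts = self.blocks.pop(index)
        data = b"".join(parts[off][1] for off in sorted(parts))
        if hashlib.sha1(data).digest() == self.piece_hashes[index]:
            return True
        sources = {peer for peer, _ in parts.values()}
        for peer in sources:
            # A sole source is certainly at fault; co-sources are only suspects.
            self.suspicion[peer] += BAN_AFTER if len(sources) == 1 else 1
            if self.suspicion[peer] >= BAN_AFTER:
                self.banned.add(peer)
        return False

def demo():
    # Constructed sample: two 8-byte pieces, each fetched as two 4-byte sub-pieces.
    pieces = [b"AAAABBBB", b"CCCCDDDD"]
    t = PieceTracker([hashlib.sha1(p).digest() for p in pieces])
    results = []
    for index, honest in ((0, "honest-A"), (1, "honest-B")):
        t.add_block(index, 0, honest, pieces[index][:4])
        t.add_block(index, 4, "liar", b"\x00\x00\x00\x00")  # garbage for an advertised piece
        results.append(t.finish_piece(index))
    accepted = t.add_block(0, 4, "liar", b"BBBB")           # refused: already blacklisted
    t.add_block(0, 0, "honest-A", pieces[0][:4])
    t.add_block(0, 4, "honest-A", pieces[0][4:])
    results.append(t.finish_piece(0))
    return results, accepted, sorted(t.banned), dict(t.suspicion)
```

The peer implicated in both failed pieces crosses the threshold, while each honest co-source is implicated only once and stays usable.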

23
Presentation outline
  • BitTorrent operation
  • Experimental methodology
  • Design and evaluation of exploits
  • Proposed design principles
  • Conclusions
  • Ongoing and future work

24
Design principles
  • Parallel downloading
  • Memory of past interactions
  • Problem partitioning
  • Export minimal information
  • Keep the network connected

25
Principles 1 and 2
  • Maintain parallel interactions with multiple
    peers
  • the download-only-from-seeds exploit has limited
    impact due to multiple unchoke slots
  • Keep memory of past interactions
  • prevents the false-advertisements exploit
  • trade-off between performance and robustness

26
Principle 3
  • Enforce problem partitioning [Shneidman et al.,
    PODC'04]
  • No peer should be able to influence another
    peer's decision-making by declaring false
    information.
  • some BitTorrent clients do not enforce that
  • should decouple data needs (missing pieces) from
    the provided service (unchoking)
  • could harm performance

27
Principles 4 and 5
  • Export minimal information necessary
  • example: hide that you are a seed
  • super seeding policy does just that
  • Keep the network connected
  • optimistic unchoking includes random choice that
    aids robustness
  • limits the impact of the
    download-from-the-fastest-peers exploit in
    public torrents

28
Conclusions
  • Presented three selfish-peer exploits
  • BitTorrent quite robust, despite fairness
    violations
  • Identified protocol characteristics that enable
    robustness
  • Proposed five guiding design principles

29
Ongoing work
  • What other exploits might be possible?
  • Key observations
  • peer selection is critical to performance
  • seeds may be more vulnerable, as they have no way
    of determining peers' data contributions
  • Currently investigating Sybil attacks on seeds

30
Sybil attack
  • seed unchoking algorithm
  • unchoke the fastest leechers
  • problem: fast malicious peers may monopolize seeds
  • contact the tracker, get peer lists, distinguish
    seeds
  • open multiple connections to each seed,
    pretending to be a different leecher each time
  • try to take up all unchoking slots at the seeds

31
Potential defenses
  • Key insight: seeds do not need data, thus they
    can employ a more fair mechanism to spread their
    bandwidth uniformly among peers who need service
  • Solutions
  • unchoke leechers round-robin, e.g. based on the
    last unchoke time
  • listen for advertisements of pieces you send out,
    maybe with the help of the tracker
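
The two seed policies compared on a constructed sample, as an added example (not code from the presentation): fastest-first unchoking against round-robin by last unchoke time. The slot count, connection names, rates and the "host" field (ground truth that a real seed cannot observe) are assumptions.

```python
SLOTS = 4  # assumed number of unchoke slots at the seed

def fastest_first(conns):
    """Seed policy from the slides: unchoke the fastest leechers."""
    return sorted(conns, key=lambda c: (-c["rate"], c["id"]))[:SLOTS]

def round_robin(conns):
    """Proposed defense: unchoke whoever was unchoked least recently."""
    return sorted(conns, key=lambda c: (c["last_unchoke"], c["id"]))[:SLOTS]

def slots_per_connection(policy, conns, rounds):
    """Run `rounds` unchoke periods and count how often each connection is served."""
    conns = [dict(c, last_unchoke=-1, served=0) for c in conns]
    for rnd in range(rounds):
        for c in policy(conns):
            c["last_unchoke"] = rnd
            c["served"] += 1
    return {c["id"]: c["served"] for c in conns}

def share_by_host(served, conns):
    """Aggregate the fraction of seed service received by each real host."""
    total = sum(served.values())
    shares = {}
    for c in conns:
        shares[c["host"]] = shares.get(c["host"], 0) + served[c["id"]] / total
    return shares

# Constructed sample: one fast host holding four connections under different
# peer identities, plus four honest leechers with ordinary download rates.
CONNS = [{"id": f"sybil-{i}", "host": "fast-host", "rate": 900} for i in range(4)]
CONNS += [{"id": f"leecher-{i}", "host": f"leecher-{i}", "rate": 100 + 50 * i}
          for i in range(4)]

if __name__ == "__main__":
    for policy in (fastest_first, round_robin):
        served = slots_per_connection(policy, CONNS, 40)
        print(policy.__name__, share_by_host(served, CONNS))
```

Round-robin equalises service per connection, not per host: the fast host's share drops from 100% to 50% in this sample but still grows with the number of identities it presents.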

32
(not so far in the) future work
  • Our exploits clearly do not exhaust the complete
    space of selfish behavior
  • develop an attack model (what exploits are
    possible)
  • how to methodically defend against all exploits
  • End goal: come up with the principles that
    facilitate reasoning about and designing defenses
    against all potential exploits in a
    BitTorrent-like system

33
Resources 1
  • Basic BitTorrent mechanisms: [Cohen, P2PECON'03]
  • BitTorrent specification:
    http://wiki.theory.org/BitTorrentSpecification
  • Measurement studies: [Izal et al., PAM'04],
    [Pouwelse et al., Delft TR 2004 and IPTPS'05],
    [Guo et al., IMC'05], and [Legout et al.,
    INRIA-TR-2006]

34
Resources 2
  • Theoretical analysis and modeling: [Qiu et al.,
    SIGCOMM'04], and [Tian et al., Infocom'06]
  • Simulations: [Bharambe et al., MSR-TR-2005]
  • Sharing incentives and exploiting them:
    [Shneidman et al., PINS'04], [Jun et al.,
    P2PECON'05], and [Liogkas et al., IPTPS'06]

35
Exploiting BitTorrent For Fun (But Not Profit)
  • Nikitas Liogkas, Robert Nelson, Eddie Kohler,
    Lixia Zhang
  • Readable Software Systems group
  • University of California, Los Angeles
  • Questions?

36
Bonus slide: Exploit 1, all-selfish scenario
[Figure: download rates for all peers]
  • Appears as if everyone benefits when everyone is
    being selfish
  • Artifact of the imposed bandwidth limits: seed
    serving similar clients
  • Degenerates into a client-server model