Presentation on theme: "New Threat Based Chinese P2P Network"— Presentation transcript:
1New Threat Based Chinese P2P Network LabsCanSecWest 2012
2Agenda Who am I Background Thunder Network Architecture Security Issue ExploitDemoQuestions
3Who am I Security researcher @McAfee IDT team Network Intrusion Prevention System signature developmentFocus on vulnerability researchP2P application protocol analysisBotnets detectionMalware researchReverse engineeringMobile system security research
4Background Background in China 420 million internet users in china (From CNNIC 2010)Popular ApplicationOnline video, game, B2C, B2B,etc.P2P business marketXunlei (A.K.A Thunder network)QQDownloadFlashgetPPTVPPSetc.
6Thunder Network Architecture What is it?A downloading software like (Bittorent , emule , etc)downloading and uploading data through multi-protocolsP2SPP2PIntegrated Bittorent, emule networkClouding service
8Thunder Network Architecture How is it work?Server sideHash information query serviceMulti-downloading link query serviceMulti-Peer nodes query serviceHigh speed download channel query service (For VIP users)Clouding service & offline downloading (For VIP users)Client sidedownloading dataAssembling dataCalculate HashUploading data for sharingUpdate file information to server and peers status
9Thunder Network Architecture Server sideServerHash db serverResource link serverP2P serverPeer nodes server
10Thunder Network Architecture Server sideHash db serverEvery single file have a unique file SHA1 hash(not hash all of data),and depends on it’s file data length, split to multi-pieces datasegment, every piece of data length 0x40000/0x80000/0x100000/0x200000bytes.keyword: Unique HASH = every single file’s SHA1 hashFile segment HASH= every single file segment SHA1 hashHash ‘s Hash =All of File segment HASH’s SHA1 hashDEMO show
11Thunder Network Architecture Server sideResource link db serverThis table maintained for every single file with multi-links mappingrelationship [1=>N].Peer nodes db serverThis table maintained for every single file with multi-nodes mappingP2P serversThese servers help peer node communication with other nodes, like(join Thunder P2P network, leave P2P network, P2P punch NAT hole, etc.
13Thunder Network Architecture Client sideEvery single Thunder Client have a Unique ID---CID(16 bytes string)“00E04C042121XTH4”, first 12 bytes indicated Client MAC address“00:E0:4C:04:21”, “XTH” random bytes, the last byte is a special flag.“Q” indicate normal users, “I” indicated VIP users, etc.downloading datadownloading data from HTTP/FTP servers or thunder peers, emuleor BiTtorrent peer nodes.Assembling dataClient get hash block list from Hash DB server, then verify thedownloaded data, check that correct or not.Uploading data for sharingUpdate client current state
14Thunder Network Architecture Client sidehow to let Thunderresource server knowwhat you want todownload?Unique file hashconstruct
17Security Issue Client side File integrity check every data block length is 0x40000/0x80000/0x100000/0x200000if last data block length less than 0x40000/0x80000/0x100000/data of length (0<length<block_len-0x5000) haven’t hashedMalware code injection?(hard to exploit)
18Security IssueServer side Index Poison Passive DDOS (verified, and easy to do.)haven’t check client submit download informationdownload link(HTTP/FTP)download link’s rank(speed)so in the client side, we can fake these information.Attack website what you want1. Web server rich content file attack(CC attack, pictures, big file request)fake many link redirecting one file.like
19Security Issue Customer Privacy Information leak multi-feature make the client trapped the critical issue.user’s downloaded history should be leak (Verification weak)DEMO
20Exploit Launch passive DDOS attack Thunder Client feature Thunder server haven’t check client submitted informationSOwe can submit fake HTTP/FTP linklike we can fake actually inthis site haven’t foo.exewe can submit fake HTTP/FTP link ranklike we can fake download speed of foo.exe from
21Exploit Launch passive DDOS attack How to fake resource link?(HTTP/FTP link)Attacker can commit many file information with http link relationship.Others users query resource server find victim server can download file what they wanted.Finally many Thunder users request victim server for downloading
22Exploit Launch passive DDOS attack Real-world testing 2011 May 21 http request log, haven’t launch http flood from Thunder network
23Exploit Launch passive DDOS attack Real-world testing Fake file information with victim server relationship
25Exploit Compare with BitTorrent P2P attack BitTorrent Thunder Fake resource infofake .torrent file and publish in online channelFake file info commit in resource server directlyFlexibilityDifficult to launch an attackeasyEffectivenessNeed much more timeAbout one or two hoursAttack limitationJust attack single IP, if using CDN ,attack power should down.
26Exploit Attack Thunder Client Mechanism client share file feature client will share it’s history of downloaded fileevery single client have a unique IDyou need know target CID, and fake downloaded file info with CIDrelationship.
27Demo Thunder Client query demo Insert fake resource information to resource serverJoin Thunder P2P demo
28Future work Expect next year can finish About P2P emulator The New Generation of Botnets Based on Thunder P2P