The Current Landscape of P2P File Sharing: Challenges and Future Directions Kevin Bauer Ph.D. candidate University of Colorado

Talk Outline P2P background Past P2P investigations Evading investigations with anonymity tools Alternate techniques to identify file sharers An emerging threat: “One-click” hosting services Proposal for a future study 1

Context: The Rise of Peer-to-Peer 2000: Peer-to-peer (P2P) protocols like Gnutella, FastTrack, Napster, & BitTorrent becoming popular for file sharing : Early Internet saw mostly web traffic 2006-Present: P2P traffic growing Source: CacheLogic Research January Web FTP Peer-to-Peer

Current P2P Landscape Source: Ipoque Internet Study 2008/2009 P2P still most common protocol class in 2008/2009 BitTorrent dominates P2P around the world 3

BitTorrent Background 1.Download torrent metadata for the file one wants to obtain 2.Contact tracker server to get peer list 3.Interact with other peers to share parts of the file File sharer Torrent metadata Peer list Implicitly register with tracker 4

What Kind of Content is Shared? Source: Ipoque Internet Study 2008/2009

Past Copyright Investigations Experience has shown that BitTorrent is often used to distribute copyright-protected media files Copyright holders hire investigators to identify and even prosecute suspected file sharers Investigators can query tracker for peer list Distribute DMCA take-down letters (US) to each IP address 6 Ping each peer’s IP address Copyright investigators Source: Piatek et al., HotSec 2008

Past Copyright Investigations Tracker lists can be corrupted with arbitrary IP addresses – Example: Register any IP addresses to the tracker lists Tracker lists cannot be trusted to prove file sharing 7 Source: Piatek et al., HotSec 2008 Copyright investigators

Consumer Advocate Reactions 8

Virtual Private Network Anonymizers Anonymous VPN services (BTGuard, IPREDator) are now available 9 Encrypted tunnel mitigates traffic shaping Hides identity Limitations of centralized VPN approach: 1.Technically feasible to know and disclose both client and destination 2.Susceptible to legal pressure Single-hop VPN service

Defeating Peer Identification with Strong Anonymity: Tor Client (file sharer) Destination Entry Guard Middle Router Exit Router Directory Server Circuit Router List Tor provides anonymity for TCP by tunneling traffic through a virtual circuit of three Tor routers using layered encryption 10 Tracker First hop knows the client Last hop knows the destination Tor Network Copyright investigators

Can BitTorrent Users Hide with Tor? We characterized how Tor is used in practice and observed significant BitTorrent traffic over a four day observation period Only 3.33%, but over 400,000 connections 11 Source: McCoy et al., Privacy Enhancing Technologies Symposium 2008

Can BitTorrent Users Hide with Tor? BitTorrent is using a disproportionate amount of Tor’s available bandwidth Over 40% of all Tor traffic 12 Source: McCoy et al., Privacy Enhancing Technologies Symposium 2008

Alternatives for Peer Identification 13 Tracker list queries are efficient, but not accurate Instead, we could download the entire file from every peer Accuracy Efficiency Accurate, but inefficient We want a technique that is accurate, but still efficient Worst Best

Identification Through Active Probing Our method accurately and efficiently collects concrete forensic evidence of a peer’s participation in file sharing 14 Obtain list of suspected peers from tracker Attempt a TCP connection Attempt handshake exchangeAttempt bitfield exchangeRequest a 16 KB data block Increasingly strong levels of evidence Peer is alive and listening on correct TCP port Peer speaks BitTorrent, provides SHA1 hash describing content being shared Provides list of all pieces that the peer possesses Concrete file data can be verified as the expected data

Experimental Setup We evaluate our approach with 10 real, large BitTorrent file shares – Popular TV shows and movies 15 Source: Bauer et al., 1 st IEEE International Workshop on Information Forensics and Security 2009

Fraction of Peers that Respond to Probes Repeating the probing increases the fraction that respond Over ten repetitions: – TCP connections: 26 – 44% – Handshakes and Bitfields: 18 – 36% – Block requests: 0.6 – 2.4% 16 Average fraction of peers identified by each probe type Low because of BitTorrent’s reciprocity mechanisms

Tides are Changing from P2P Back to HTTP 17 Source: CacheLogic Research 2006 P2P 2006: P2P made up 70% of traffic 2008/2009: P2P made up 43-70% of traffic Source: Ipoque Internet Study 2008/ /2010: P2P makes up < 14% of traffic HTTP makes up 57% of traffic Source: Maier et al., ACM Internet Measurement Conference 2009

Beyond P2P: “One-Click” Hosting Services 18 Example “one-click” hosting services: Source: Maier et al., ACM Internet Measurement Conference 2009 Distribution of HTTP Content Types Most Popular HTTP Destination Types

Beyond P2P: “One-Click” Hosting Services 19 Step 1. Transfer file to RapidShare Step 2. Give uploader a URL for file Step 3. Post URL to indexing site Upload user Download user Indexing site “One-click” hosting service Step 4. Search Step 5. Download

RapidShare vs. BitTorrent Throughput One-Click Hosting vs. BitTorrent 20 Content Availability for RapidShare vs. BitTorrent Fraction of Content Copyrighted (n=100) Source: Antoniades et al., ACM Internet Measurement Conference 2009

A Proposal for a Future Study File sharing trends change quickly We want to conduct a study aimed at identifying emerging file sharing trends One avenue of future study: 21 P2P traffic declined from > 43% in 2008 to < 14% in 2009/2010 The Road (2009) Up in the Air (2009)

Summary and Conclusion P2P is being replaced by file hosting services New investigative tools need to be developed to curb this new type of illegal file sharing – Monitor hosting sites for copyright-protected content – Partner with ISPs to identify file uploaders Up-to-date information on emerging file sharing trends is essential to proactively implement effective countermeasures 22

Questions? Kevin Bauer Department of Computer Science, University of Colorado 23

References Demetris Antoniades, Evangelos P. Markatos, Constantine Dovrolis. One-click hosting services: a file-sharing hideout. Proceedings of the 9 th ACM SIGCOMM conference on Internet measurement Kevin Bauer, Dirk Grunwald, Douglas Sicker. The Challenges of Stopping Illegal Peer-to-Peer File Sharing. National Cable & Telecommunications Association Technical Papers Kevin Bauer, Dirk Grunwald, Douglas Sicker. The Arms Race in P2P. 37 th Research Conference on Communication, Information, and Internet Policy (TPRC) Kevin Bauer, Damon McCoy, Dirk Grunwald, Douglas Sicker. BitStalker: Accurately and Efficiently Monitoring BitTorrent Traffic. 1 st IEEE International Workshop on Information Forensics and Security Gregor Maier, Anja Reldmann, Vern Paxson, Mark Allman. On dominant characteristics of residential broadband Internet traffic. Proceedings of the 9 th ACM SIGCOMM conference on Internet measurement Damon McCoy, Kevin Bauer, Dirk Grunwald, Tadayoshi Kohno, Douglas Sicker. Shining Light in Dark Places: Understanding the Tor Network. 8 th Privacy Enhancing Technologies Symposium Michael Piatek, Tadayoshi Kohno, Arvind Krishnamurthy. Challenges and Directions for Monitoring P2P File Sharing Networks –or– Why My Printer Received a DMCA Takedown Notice. 3 rd USENIX Workshop on Hot Topics in Security Ipoque Internet Study 2008/ _ _2009 P2P File Sharing-The Evolving Distribution Chain. CacheLogic Research