Tracing Internet Peer-to-Peer Piracy (HKICC2007)
K.P. Chow, Associate Professor, Department of Computer Science; Associate Director, Center for Information Security and Cryptography, University of Hong Kong
6-7 September 2007
Center for Information Security and Cryptography (CISC)
Background
Dec 98: Establishment of Center for Information Security and Cryptography in HKU Faculty of Engineering
Mission
CISC represents a coordinated effort to promote academic research and industrial collaboration with a mission of becoming a center of excellence, in the University of Hong Kong and in the Asia-Pacific region.
Our website
http://www.cs.hku.hk/cisc/
Center for Information Security and Cryptography (CISC)
Computer Forensics Research
- Forensic tools
- Digital video surveillance
- Basic digital forensics research
Our website:
http://i.cs.hku.hk/~cisc/forensics/
Our discussion today
Tracing P2P piracy on the Internet
- Techniques
- Tools
Can we hide behind TOR?
What are the problems of P2P?
- Illegitimate use of peer-to-peer (P2P) communication technologies for unauthorized sharing of copyrighted files is increasing
- BitTorrent (BT) is the most popular P2P protocol, accounting for 50% of all P2P-related traffic
- BT traffic is difficult to trace using traditional methods
BitTorrent Basics
- A peer-to-peer file distribution protocol
- Allows efficient distribution of large files (e.g. video files)
- Principle: every user's computer contributes
When people are downloading the same file at the same time, they upload pieces of the file to each other.
Working Protocol
- From Peer to Tracker: information about the peer's status (IP, port, etc.)
- From Tracker to Peer: addresses of peers available in the swarm
- Between each pair of connected peers (Peer Wire Protocol): handshakes, requests and responses for pieces of files
- Tracker = a server allowing information (e.g. peers' IP addresses) to be exchanged
- Torrent file = a file containing the address of the tracker and metadata about the files to be shared
- Peer = a computer participating in a download
- Seeder = a peer possessing a complete copy of the file and offering it for download
How to Distribute a file
1. Generate a torrent file using some BT client software (e.g. BitComet)
2. Register the torrent file with one or more trackers
3. Put the torrent file on a website or somewhere else to make it available to other Internet users
How to Download a file
1. Get the torrent file from the Internet and save it to a local drive
2. Open the torrent file with some BT client program (e.g. BitComet), which will
   a. Connect to the tracker and receive information about other peers downloading the file
   b. Initiate and manage the transfer of the file
   c. Report its status to the tracker and obtain information about other peers regularly
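The two data sources these steps depend on, the torrent file and the tracker response, are bencoded. The following is an added example (not code from the slides or the BTM paper): a minimal bencode decoder that extracts the tracker address and file name a client needs, the "created by" and "creation date" metadata the Torrent Analyzer later matches on, and the compact peer list returned by a tracker; the sample torrent and response bytes are constructed.

```python
"""Added example, not code from the slides or the BTM paper: a small bencode
decoder for the torrent-file fields and tracker peer list used above."""
import struct
from datetime import datetime, timezone

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, offset after it)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer  i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list     l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dict     d<key><value>...e
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            result[key], i = bdecode(data, i)
        return result, i + 1
    colon = data.index(b":", i)                     # string   <length>:<bytes>
    start, length = colon + 1, int(data[i:colon])
    return data[start:start + length], start + length

def torrent_attributes(torrent: bytes) -> dict:
    """Torrent-file fields, named as the attributes BTM's torrent rules use."""
    meta, _ = bdecode(torrent)
    created = datetime.fromtimestamp(meta[b"creation date"], timezone.utc)
    return {"Tracker": meta[b"announce"].decode(),
            "Torrent Name": meta[b"info"][b"name"].decode(),
            "Created By": meta[b"created by"].decode(),
            "Creation Date": created.date().isoformat()}

def compact_peers(response: bytes) -> list:
    """Peers from a tracker response in compact form: 4-byte IP + 2-byte port each."""
    blob = bdecode(response)[0][b"peers"]
    return [(".".join(str(b) for b in blob[j:j + 4]), struct.unpack("!H", blob[j + 4:j + 6])[0])
            for j in range(0, len(blob), 6)]

# Constructed sample inputs (not a real torrent or tracker); timestamp is 9 Nov 2006 UTC.
SAMPLE_TORRENT = (b"d8:announce28:http://tracker.test/announce"
                  b"10:created by13:BitComet/0.8513:creation datei1163030400e"
                  b"4:infod6:lengthi734003200e4:name16:sample_video.avi12:piece lengthi262144eee")
SAMPLE_RESPONSE = (b"d8:completei2e10:incompletei5e8:intervali1800e5:peers12:"
                   + bytes([203, 0, 113, 10, 0x1A, 0xE1, 198, 51, 100, 7, 0x6C, 0x2A]) + b"e")
```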
Investigation Tool - BTM
- BitTorrent Monitoring System (also known as Lineament Monitoring System)
- A monitoring tool that searches, analyzes and reports any suspected infringement of IP rights over the Internet using BT technology
- Estimated to be in live operation by a local law enforcement agency in 2007
- Reference: http://i.cs.hku.hk/~cisc/forensics/papers/BTM.pdf
Introduction to BTM
Objective
To automate the monitoring and recording of suspicious BT traffic on the Internet
Technologies used
- Web search
- BT protocol
- Expert System (ES)
Overview of the BTM System
Components:
- Torrent Searcher
- Torrent Analyzer
Torrent Searcher
- BitTorrent is a file-sharing protocol only; it relies on other mechanisms for locating torrent files
- The Torrent Searcher searches over public forums, where BT users communicate with each other and exchange torrent files
Layout of a general public forum
Torrent Searcher
Searches over public forums, where BT users communicate with each other and exchange torrent files. Features:
- Automatic logon: completes the login process without the user's intervention
- Keyword search
- Monitoring: the Torrent Searcher and Analyzer can be scheduled to run periodically
- History-sensitive
Searching Algorithm
Concept of levels
- Level 1: Front page (list of sub-forums)
- Level 2: Sub-forum index (list of topics)
- Level 3: Post's content (links to torrent files)
- Level 4: Torrent links (torrent files downloadable)
Searching Algorithm (cont’d)
Depth First Search (DFS) with finite depth
- The maximum length of the search path can be specified
- This ensures that more torrent files can be located within a predefined stopping time
(In the slide's diagram, the numbered lines show the order of processing.)
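The bounded search described in the last two slides, as an added example that is not the Torrent Searcher's own code: a depth-first search capped at a maximum depth over a forum laid out in the four levels, with keyword filtering on topic titles, a history set shared between runs (the history-sensitive feature), and a page budget standing in for the stopping time. The forum graph, page names and titles are all constructed.

```python
"""Added example, not the Torrent Searcher's own code: depth-first search with a
finite depth over a forum laid out in the four levels from the slides."""

# Constructed forum graph: each page maps to the links it contains.
FORUM = {
    "front": ["sub/movies", "sub/music"],            # Level 1: front page, list of sub-forums
    "sub/movies": ["topic/101", "topic/102"],        # Level 2: sub-forum index, list of topics
    "sub/music": ["topic/201"],
    "topic/101": ["t/a.torrent", "t/b.torrent"],     # Level 3: post content, links to torrents
    "topic/102": ["topic/101", "t/c.torrent"],       #   (also a cross-link to another post)
    "topic/201": ["t/d.torrent"],
    "t/a.torrent": [], "t/b.torrent": [],            # Level 4: downloadable torrent files
    "t/c.torrent": [], "t/d.torrent": [],
}
TITLES = {"topic/101": "New HK movie release", "topic/102": "Re: movie subtitles",
          "topic/201": "Album 2007"}                 # constructed topic titles

def search(forum, titles, start, max_depth, history, keyword=None, budget=50):
    """Bounded DFS from `start`; returns (order of processing, torrent links found).
    `history` persists between runs so posts and torrents already seen are skipped;
    `budget` caps the number of pages processed, standing in for the stopping time."""
    order, torrents = [], []

    def visit(page, depth):
        if depth > max_depth or len(order) >= budget:
            return
        if depth == 3 and keyword and keyword.lower() not in titles.get(page, "").lower():
            return                                   # keyword search on the topic title
        if depth >= 3:                               # history-sensitive below the index levels
            if page in history:
                return
            history.add(page)
        order.append(page)
        if page.endswith(".torrent"):
            torrents.append(page)
            return
        for link in forum.get(page, []):
            visit(link, depth + 1)

    visit(start, 1)
    return order, torrents
```

With max_depth=3 the search processes the index levels and posts but never reaches a torrent link, which is the trade-off the depth bound controls.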
Torrent Analyzer
- Based on Expert System technology
- Performs analysis using the information available from the torrent files, the responses from trackers and the peers' statuses
(Diagram: the Torrent Searcher supplies torrent files to the Torrent Analyzer; trackers supply tracker responses and peers supply peer information; the Rule Engine applies the rules and produces the Report and Action outputs.)
Rule System in BTM
Purpose
For digging out specific information about the torrent or connected peers
Attributes
- Fundamental units for matching
- Peer-attributes and torrent-attributes
For a Peer P, the defined attributes are:

  Attribute     Definition
  BT Client     Name of the BT client used by P
  IP Address    IP address of P
  ISP           Internet Service Provider of P
  Country       Country in which P is located
  Percentage    The percentage of file(s) available at P

Operators supported: 'is', 'isn't', 'contains', 'doesn't contain'; 'is', 'isn't'; '=', '!=', ''
Rule System (cont’d)
For a Torrent File T, the defined attributes are:

  Attribute                        Definition
  Created By                       Client program by which T was created
  Torrent Name                     Name of the files to be distributed by T
  Creation Date                    Date on which T was created
  Seeder Country                   Country in which connected seeders are located
  Non-Seeder Country               Country in which connected non-seeders are located
  Number of Seeders                Number of connected seeders associated with T
  Percentage of non-seeder obtain  Percentage of the file that non-seeders have obtained

Operators supported: is, isn't, contains, doesn't contain; is, isn't, before, after; is, isn't; =, !=
Rule Evaluation Example
Look for:
- A peer located in Hong Kong with a complete copy of the files
- A torrent file created in November 2006 in Hong Kong
Rule #1
  C1: Country is 'HK'
  C2: Percentage is '100'%
Rule #2
  C1: Creation Date after '1-11-2006'
  C2: Creation Date before '30-11-2006'
  C3: Seeder Country is 'HK'
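An added example of how rules in this form can be evaluated (not the BTM rule engine itself): conditions are (attribute, operator, value) triples, every condition of a rule must hold, and the operators are those listed for the peer and torrent attributes above. Record field names follow the slides' attribute names; the peer and torrent records, IP addresses, ISP and file names are constructed, and treating a multi-valued attribute such as Seeder Country as matching when any of its values matches is an assumption.

```python
"""Added example, not the BTM rule engine itself: evaluates BTM-style rules
(attribute, operator, value conditions) against constructed peer and torrent records."""
from datetime import date

def parse_date(text: str) -> date:
    """Dates on the slides are written day-month-year, e.g. '1-11-2006'."""
    d, m, y = (int(part) for part in text.split("-"))
    return date(y, m, d)

OPERATORS = {
    "is":              lambda actual, value: str(actual) == str(value),
    "isn't":           lambda actual, value: str(actual) != str(value),
    "contains":        lambda actual, value: str(value) in str(actual),
    "doesn't contain": lambda actual, value: str(value) not in str(actual),
    "=":               lambda actual, value: float(actual) == float(value),
    "!=":              lambda actual, value: float(actual) != float(value),
    "before":          lambda actual, value: actual < parse_date(value),
    "after":           lambda actual, value: actual > parse_date(value),
}

def holds(condition, record) -> bool:
    """One condition. Multi-valued attributes (e.g. Seeder Country, one entry per
    connected seeder) hold if any value satisfies the operator (assumption)."""
    attribute, operator, value = condition
    actual = record.get(attribute)
    if actual is None:
        return False
    values = actual if isinstance(actual, (list, set, tuple)) else [actual]
    return any(OPERATORS[operator](v, value) for v in values)

def matching(rule, records):
    """Records for which every condition of the rule holds."""
    return [r for r in records if all(holds(c, r) for c in rule)]

# Rule #1 and Rule #2 from the slides
RULE_1 = [("Country", "is", "HK"), ("Percentage", "is", "100")]
RULE_2 = [("Creation Date", "after", "1-11-2006"), ("Creation Date", "before", "30-11-2006"),
          ("Seeder Country", "is", "HK")]

# Constructed records (documentation IP ranges, fictitious ISP, client and file names)
PEERS = [
    {"BT Client": "BitComet 0.85", "IP Address": "203.0.113.10", "ISP": "ExampleNet", "Country": "HK", "Percentage": 100},
    {"BT Client": "Azureus 2.5", "IP Address": "203.0.113.77", "ISP": "ExampleNet", "Country": "HK", "Percentage": 57},
    {"BT Client": "BitComet 0.85", "IP Address": "198.51.100.7", "ISP": "OtherNet", "Country": "US", "Percentage": 100},
]
TORRENTS = [
    {"Torrent Name": "sample_video.avi", "Created By": "BitComet/0.85", "Creation Date": date(2006, 11, 9), "Seeder Country": ["HK", "US"], "Number of Seeders": 2},
    {"Torrent Name": "other_show.mkv", "Created By": "uTorrent/1.6", "Creation Date": date(2006, 12, 2), "Seeder Country": ["HK"], "Number of Seeders": 1},
]
```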
How about using TOR
- The Onion Router (TOR): a network of virtual tunnels that allows people and groups to improve their privacy on the Internet
- Users use TOR to keep websites from tracking them, or to connect to news sites that are blocked by their local Internet providers
- Supported by the Electronic Frontier Foundation (EFF)
Main Features of TOR
- Supports anonymous web surfing: TOR can keep websites from tracking the IP address of an individual user who visits the site
- Protects against traffic analysis: TOR protects Internet users against the Internet surveillance technique called "traffic analysis"
- Traffic analysis can be used to infer who is talking to whom over a public network, even when the communication channel is encrypted
Basic Principles of TOR
- Distributes the connection from you to the server over several places on the Internet, so that no single point can link you to the server
- To connect you to the server, a circuit of encrypted connections through routers in TOR is created, and each hop is encrypted with a different key
- TOR uses the same circuit for connections that happen within the same minute; later requests are given a new circuit
Example: Time 0
(Diagram: You -> TOR routers -> Exit Router -> Server)
Example: Time 1
(Diagram: You -> TOR routers -> Exit Router -> Server)
The exit router is not the actual requester for the server: you are hidden from the server.
BT client using TOR: incoming
1. Your IP, as seen by the tracker: the exit router's IP
2. Peer: downloads information from the tracker
3. Peer attempts to connect to you using the exit router's IP: FAIL

BT client using TOR: outgoing
1. Peer: submits information to the tracker with the Peer's IP
2. You get the Peer's IP
3. You attempt to connect to the Peer's IP through the exit router's IP: SUCCESS

BT seeder using TOR
1. You wait for an incoming connection
2. Your IP, as seen by the tracker: the exit router's IP
3. Peer: downloads information from the tracker
4. Peer attempts to connect to you using the exit router's IP: FAIL to seed
Our Experience
- All traffic going through TOR is very SLOW
- Outgoing connections from a client behind TOR only show the exit router's IP address
- A BT client behind TOR can connect to a public tracker
- A BT client behind TOR was unable to connect to a public peer
Conclusion
- BTM is an automated system for monitoring illegitimate BitTorrent activities
- Preliminary evaluation
  - Torrent Searcher: checked 124 threads and downloaded 114 files in 5 minutes
  - Torrent Analyzer: identified over 3000 peers and 126 seeders in 90 minutes
- Can you hide behind TOR? Yes, BUT
  - It's very slow
  - You can't share your pieces
CISC Website: http://www.cs.hku.hk/cisc/