{"schema_version":"0.1","map_id":"paper-5-map","publication_id":5,"publication_anchor":"paper-5","slug":"paper-5","canonical_path":"/knowledge/papers/paper-5/","machine_path":"/knowledge/papers/paper-5.json","root_node_id":"paper-5","stage":"mapped_draft","contribution_type_vocabulary_version":"0.1","contribution_types":[],"title":"BotTorrent: Misusing BitTorrent to Launch DDoS Attacks","year":2007,"venue":"USENIX Steps to Reducing Unwanted Traffic on the Internet (SRUTI)","topic":"secure-systems-networks","labels":["Applied"],"authors":["Karim Eldefrawy","Minas Gjoka","Athina Markopoulou"],"keywords":["BitTorrent","DDoS","protocol abuse"],"research_question":"Can an attacker convert ordinary BitTorrent clients into a distributed denial-of-service source against an arbitrary nonparticipant, and how severe is that abuse in a real Internet experiment?","central_answer":"Yes. A malicious torrent can list a victim as one of multiple trackers while a modified tracker advertises an attractive swarm. Because clients repeatedly contact listed trackers without first authenticating a BitTorrent endpoint, legitimate peers send traffic to the victim. Small proof-of-concept experiments observed tens of thousands of source addresses and sustained connection load, while also exposing protocol-level defenses and their availability tradeoffs.","curation":{"drafted_at":"2026-07-11","drafted_by":[{"actor_type":"ai","name":"OpenAI Codex","role":"full-text extraction, evidence linking, and initial assessment"}],"method":"Full-source audit of the checked-in official USENIX paper and conference record.","source_scope":"full_source_audit","approval":{"status":"pending","note":"AI-drafted, source-linked map awaiting author verification before approval."}},"sources":[{"id":"source-paper-5-paper","type":"official_full_text","title":"BotTorrent: Misusing BitTorrent to Launch DDoS Attacks","url":"/pubs/2007/bottorrent-sruti2007.pdf","media_type":"application/pdf","sha256":"37d3de8bcb6bfed3181cd6d95e6306a40192258d82b53b82f2042f2810ab2f01","page_count":6,"provenance_category":"official","version_note":"Official USENIX-hosted workshop paper; local copy checked 2026-07-11."},{"id":"source-paper-5-official","type":"official_publication_record","title":"USENIX paper page","url":"https://www.usenix.org/conference/sruti-07/bottorrent-misusing-bittorrent-launch-ddos-attacks"},{"id":"source-paper-5-citations","type":"citation_search","title":"Dated scholarly-web citation search","url":"https://scholar.google.com/scholar?q=%22BotTorrent%3A+Misusing+BitTorrent+to+Launch+DDoS+Attacks%22","version_note":"Search attempted 2026-07-11; no transparent citation count was retrievable in this environment."}],"source_anchors":[{"id":"anchor-paper-5-problem","source_id":"source-paper-5-paper","label":"Problem, contribution, and scope","locator":"Abstract and Section 1, PDF page 1","url":"/pubs/2007/bottorrent-sruti2007.pdf#page=1"},{"id":"anchor-paper-5-attack","source_id":"source-paper-5-paper","label":"Attack taxonomy and multi-tracker exploit","locator":"Section 3 and Table 1, PDF pages 2-3","url":"/pubs/2007/bottorrent-sruti2007.pdf#page=2"},{"id":"anchor-paper-5-setup","source_id":"source-paper-5-paper","label":"Internet experiment design and safeguards","locator":"Section 4.1, PDF page 3","url":"/pubs/2007/bottorrent-sruti2007.pdf#page=3"},{"id":"anchor-paper-5-results","source_id":"source-paper-5-paper","label":"Attack volume, duration, and source spread","locator":"Section 4.2, Table 2, and Figures 3-7, PDF pages 3-5","url":"/pubs/2007/bottorrent-sruti2007.pdf#page=3"},{"id":"anchor-paper-5-defenses","source_id":"source-paper-5-paper","label":"Proposed fixes and tradeoffs","locator":"Section 5, PDF page 5","url":"/pubs/2007/bottorrent-sruti2007.pdf#page=5"},{"id":"anchor-paper-5-boundaries","source_id":"source-paper-5-paper","label":"Comparison, limitations, and conclusion","locator":"Sections 6-7, PDF page 6","url":"/pubs/2007/bottorrent-sruti2007.pdf#page=6"},{"id":"anchor-paper-5-publication","source_id":"source-paper-5-official","label":"Official publication and full-text provenance","locator":"USENIX SRUTI 2007 paper page","url":"https://www.usenix.org/conference/sruti-07/bottorrent-misusing-bittorrent-launch-ddos-attacks"},{"id":"anchor-paper-5-citation-search","source_id":"source-paper-5-citations","label":"Citation search attempted","locator":"Exact-title search, 2026-07-11; no verified count retrieved","url":"https://scholar.google.com/scholar?q=%22BotTorrent%3A+Misusing+BitTorrent+to+Launch+DDoS+Attacks%22"}],"nodes":[{"id":"paper-5","kind":"paper","parent_id":null,"order":1,"epistemic_status":"published","title":"BotTorrent","summary":"An empirical security study showing that BitTorrent's multi-tracker behavior can redirect legitimate clients into a DDoS attack against an arbitrary host.","source_anchor_ids":["anchor-paper-5-problem","anchor-paper-5-publication"]},{"id":"paper-5-question","kind":"question","parent_id":"paper-5","order":1,"epistemic_status":"research_question","title":"Research question","summary":"Can unauthenticated BitTorrent coordination metadata be weaponized at Internet scale without compromising or infecting the clients?","source_anchor_ids":["anchor-paper-5-problem"]},{"id":"paper-5-answer","kind":"contribution","parent_id":"paper-5","order":2,"epistemic_status":"experimentally_demonstrated","title":"Central answer","summary":"A torrent can pair one responsive modified tracker with victim addresses in its tracker list, causing clients to contact a host that neither joined the swarm nor runs BitTorrent.","source_anchor_ids":["anchor-paper-5-attack","anchor-paper-5-results"]},{"id":"paper-5-mechanism","kind":"mechanism","parent_id":"paper-5","order":3,"epistemic_status":"demonstrated","title":"Multi-tracker redirection","summary":"The attacker publishes attractive torrents whose first tracker returns fabricated swarm statistics and whose remaining tracker entries name the victim; the missing peer-to-tracker handshake prevents clients from recognizing the victim as a non-tracker.","source_anchor_ids":["anchor-paper-5-attack"]},{"id":"paper-5-taxonomy","kind":"taxonomy","parent_id":"paper-5","order":4,"epistemic_status":"specified","title":"Four attack forms","summary":"The paper distinguishes announcing the victim as a peer, listing it as a centralized tracker, spoofing it into the DHT, and combinations; the experiments focus on the more potent tracker-list method.","source_anchor_ids":["anchor-paper-5-attack"]},{"id":"paper-5-evidence","kind":"evidence_group","parent_id":"paper-5","order":5,"epistemic_status":"real_world_proof_of_concept","title":"Internet experiment","summary":"Twenty-five deliberately small torrents targeted an author-controlled UCI host. Traffic was captured with tcpdump while torrent count, open/closed ports, and a combined peer-announcement variant were varied.","source_anchor_ids":["anchor-paper-5-setup","anchor-paper-5-results"]},{"id":"paper-5-result-scale","kind":"result","parent_id":"paper-5-evidence","order":1,"epistemic_status":"measured","title":"Sustained connection and traffic load","summary":"The strongest experiment reports 58,046 unique IP addresses, roughly 1,400 attempted TCP connections per second on average, and 176.69 Kbps average incoming traffic with a 482.81 Kbps maximum over multiple days.","source_anchor_ids":["anchor-paper-5-results"]},{"id":"paper-5-result-spread","kind":"result","parent_id":"paper-5-evidence","order":2,"epistemic_status":"measured","title":"Highly distributed sources","summary":"About 87% of observed source addresses lay in different /24 networks and 12% in different /16 networks, weakening simple victim-gateway source filtering.","source_anchor_ids":["anchor-paper-5-results"]},{"id":"paper-5-defenses","kind":"mitigation","parent_id":"paper-5","order":6,"epistemic_status":"proposed_not_evaluated","title":"Protocol and publication defenses","summary":"Clients can validate tracker responses and back off from non-trackers; torrent sites can test or constrain tracker lists and deter automated uploads. These controls trade openness, redundancy, and load balancing for security.","source_anchor_ids":["anchor-paper-5-defenses"]},{"id":"paper-5-boundaries","kind":"limitation_group","parent_id":"paper-5","order":7,"epistemic_status":"material","title":"Interpretation limits","summary":"The study intentionally limited its own attack volume and evaluated a 2007 centralized multi-tracker ecosystem. Larger-scale damage is an extrapolation, not an experiment, and implementation diversity affects both attack and defense.","source_anchor_ids":["anchor-paper-5-setup","anchor-paper-5-boundaries"]},{"id":"paper-5-artifacts","kind":"artifact","parent_id":"paper-5","order":8,"epistemic_status":"paper_available_no_dataset","title":"Artifacts","summary":"The official full text is fixed locally. The modified tracker, torrent corpus, packet logs, and analysis scripts were not located as public artifacts.","source_anchor_ids":["anchor-paper-5-setup","anchor-paper-5-publication"]},{"id":"paper-5-scrutiny","kind":"scrutiny","parent_id":"paper-5","order":9,"epistemic_status":"peer_reviewed","title":"Scrutiny and lineage","summary":"The study appeared at USENIX SRUTI 2007, compares its method with an earlier peer-announcement attack, and documents ethical scale restraint; no independent reproduction was located.","source_anchor_ids":["anchor-paper-5-boundaries","anchor-paper-5-publication"]}],"relations":[{"id":"paper-5-relation-mechanism-realizes-answer","type":"realizes","from_id":"paper-5-mechanism","to_id":"paper-5-answer"},{"id":"paper-5-relation-taxonomy-context","type":"contextualizes","from_id":"paper-5-taxonomy","to_id":"paper-5-mechanism"},{"id":"paper-5-relation-evidence-supports-answer","type":"supports","from_id":"paper-5-evidence","to_id":"paper-5-answer"},{"id":"paper-5-relation-scale-supports-answer","type":"supports","from_id":"paper-5-result-scale","to_id":"paper-5-answer"},{"id":"paper-5-relation-spread-supports-answer","type":"supports","from_id":"paper-5-result-spread","to_id":"paper-5-answer"},{"id":"paper-5-relation-defenses-mitigate","type":"mitigates","from_id":"paper-5-defenses","to_id":"paper-5-mechanism"},{"id":"paper-5-relation-boundaries-qualify","type":"qualifies","from_id":"paper-5-boundaries","to_id":"paper-5-answer"}],"assessment":{"id":"paper-5-assessment-2026-07-11","rubric_version":"0.2","assessed_at":"2026-07-11","status":"ai_draft_author_review_pending","note":"These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.","axes":[{"id":"epistemic_evidence","level":"high","rationale":"The attack is specified and demonstrated on the public Internet with a controlled victim, four experiments, packet measurements, and concrete quantitative results; scale extrapolations remain separate from measurements.","basis_source_anchor_ids":["anchor-paper-5-attack","anchor-paper-5-setup","anchor-paper-5-results","anchor-paper-5-boundaries"]},{"id":"auditability","level":"high","rationale":"The official full text is checked in with page count and hash, making methods, measurements, and caveats inspectable, though raw traces and code are unavailable.","basis_source_anchor_ids":["anchor-paper-5-results","anchor-paper-5-publication"]},{"id":"production_provenance","level":"medium","rationale":"Named authorship, official provenance, experimental host, instrumentation, and support are documented; author roles, revision history, and raw-data lineage are not.","basis_source_anchor_ids":["anchor-paper-5-setup","anchor-paper-5-publication"]},{"id":"external_scrutiny","level":"medium","rationale":"The work has an official USENIX workshop publication record; public reviews and an independent reproduction were not located.","basis_source_anchor_ids":["anchor-paper-5-publication"]},{"id":"reception","level":"low","rationale":"No citations were verifiably located in the constrained dated search. Under the author's 0-8 rule this is low, but it is not a claim that the paper has no citations.","basis_source_anchor_ids":["anchor-paper-5-citation-search"]},{"id":"contribution_significance","level":"high","rationale":"The paper demonstrates a protocol-abuse path that redirects uncompromised clients, quantifies its distribution and persistence, and derives concrete defenses with explicit tradeoffs.","basis_source_anchor_ids":["anchor-paper-5-problem","anchor-paper-5-results","anchor-paper-5-defenses"]}]},"reception_snapshot":{"as_of":"2026-07-11","method":"Exact-title scholarly-web search; transparent index count unavailable","source":"Google Scholar query route plus general scholarly-web search","citation_count":0,"signals":[],"limitation":"Zero means no citations were verifiably located during this constrained search, not a total bibliometric count; author should replace it with a confirmed index snapshot."}}
