Detecting malware hidden in P2P traffic

Question

Consider a network situation involving (only) Peer to Peer traffic in medium sized network.

For the sake of convenience, a simple P2P application like DC++ may be assumed, although I am aiming at a broader set involving torrents etc. too.

Peer A does a search for file qwerty.mp3, and then starts pulling the file, in pieces, from different Peers- B, C, D and E.

Now say Mr. C is the one who has shared this file amongst Peers, and he is a malicious peer and the file contains a malware/trojan etc.

Since the file is being downloaded in pieces from different Peers, it is unlikely that a standard Intrusion Detection system will be able to detect it since most of them involve signature-based detection techniques.
And most likely when the pieces are re-assembled at the system of Mr. A, his anti-virus will flag off a warning about the malicious content.

So, my question:
At the network level, what approach an admin may take so that innocent peers like A are protected from such situations?

Kindly do not suggest actions or measures relating to the end user. Whatever has to be done, must be done at the network level.

Please note that I am looking at this more from a research point of view and it is perfectly alright to not to point me towards existing techniques used in production environments but share links for research papers and give answers which tell of an open-ended techniques.

What protocol are you using for your peer-to-peer transfer? Is it inhouse or off-the-shelf? Also, have you considered a related case - a user simply shares malicious content with the filename of 'real' content? — randomdude, Jul 25 '12 at 14:23
@randomdude I must consider all possible cases- for protocols, for inhouse transfer and off the shelf (I am not very sure of what is "off the shelf"), etc. Yes, a user may simply share malicious content. I think i covered this when i wrote "...and the file at his end contains a malware/ virus/ trojan etc.". — pnp, Jul 25 '12 at 14:38
Until you run qwerty.mp3 then it is harmless. What exactly is your question? The solution is to block Peer 2 Peer traffic as a network admin. The few useful uses can be approved by you on a case by case situation ( or simply worked around ) as those same cases have direct download solutions. — Ramhound, Jul 25 '12 at 16:07
@Ramhound "block P2P traffic" !! NO!!!! I _have_ to deal with P2P traffic, and only P2P traffic, and all kinds of varieties of it. I am _not_ looking for work arounds. In my estimate I need a (so as to say) P2P aware IDS- firewall (both or either)- and that is exactly what I asked... — pnp, Jul 25 '12 at 16:14
@pnp - Your estimate is wrong. You need security software, that is not a workaround, despite the fact you claim it is. As I already indicated until the file is ran, its harmless, use P2P software that doesn't auto-execute files and your safe. — Ramhound, Jul 26 '12 at 11:14
With a lot of p2p software(such as freenet) a network admin can't see what data is transmitted). So trying to block malware at the network level is doomed. — CodesInChaos, Jul 26 '12 at 11:28
BitTorrent also has an encryption feature which prevents throttling by ISPs (because its harder to tell that it's bittorrent traffic). So I think the only way to do this is at the application layer - as suggested by Tom Newton. — sourcejedi, Oct 14 '12 at 10:00
I dont understand how a malicious file has (IN case of A) is matching with that of B & C. ? — Novice User, Jan 16 '13 at 16:32
@sourcejedi : Bittorrent encrption ( Assuming you are talking about Encryption options in clients) are not fully proof. For instance in Iran it doesnt help. — Novice User, Jan 16 '13 at 16:36

score 4 · Answer 1 · answered Jul 25 '12 at 14:47

4

Many P2P software will create hashes of each piece to prevent a malicious entity from modifying the pieces in-flight. When your P2P client gets a piece, it verifies it's hash. This will prevent one malicious entity modifying a piece of a valid file, but it won't help you if the file itself (qwerty.mp3) is malicious.

If the file itself is malicious, a simple solution is to just run an anti-virus scan against the final file, and see if there are any problems. This will satisfy your signature/anomaly based detection (depending on what the Anti-virus does)

answered Jul 25 '12 at 14:47

Oleksi

4,809
2
19
26

Run an anti-virus?!?! I _can't_ just suggest that as a solution to a project work!! Whatever I need to do, I must do as a network admin/designer -say use Open source firewall or use Snort and configure them for this specific scenario... – pnp Jul 25 '12 at 15:04
So you want an overly complicate solution? You can always set up scans to run automatically when the P2P client finishes the download. – Oleksi Jul 25 '12 at 15:19
1

@pnp - Unless you compare the signature of the file to a known database of malicious files you can't know for sure its not malicious. Running an anti-virus is a perfectly valid solution. – Ramhound Jul 25 '12 at 16:08

score 2 · Answer 2 · answered Oct 14 '12 at 09:46

Perhaps you could run the p2p programs on a proxy, download the whole file (this is the first time you're going to see it and be able to fully virus scan it... the p2p transmission is irrelevant), then scan it and serve it to the user.

Easy way: web UI for people to search, request & download. Hard way: intercept from p2p clients and pretend to be the only peer whilst in fact downloading from loads of other peers, not letting much file hit the downloader until you've scanned it

Ali Ahmad · Accepted Answer · 2013-01-17T10:43:30.333

1

P2P traffic has in fact have directly impacted the performance of most of the IDS/IPS and there is a significant increase in the false positive. The issues lies with the behavior of P2P traffic which is lot alike malicious traffic.

For the second part of your question the most idealistic approach that can be adopted at network level is DPI (Deep packet inspection). The idea is to segregate P2P traffic from the normal traffic as much as possible, though DPI is not applicable on encrypted P2P traffic. In the next phase signatures are applied on this segregated P2P traffic for separating malicious for benign P2P traffic.

Source: What Is the Impact of P2P Traffic on Anomaly Detection

edited Jan 17 '13 at 10:43

answered Jan 17 '13 at 04:37

Ali Ahmad

4,784
8
35
61

1

Thanks for your input. I have read that and have been following that work. Rather I got this question only after reading this and some other related papers. Although I must say that your suggestions for DPI will not be welcomed by those who advocate privacy ! – pnp Jan 17 '13 at 07:04
Agreed DPI will always have privacy concerns. You will find some interesting research articles on P2P botnet detection using P2P as C&C channels. – Ali Ahmad Jan 17 '13 at 13:48

score -1 · Answer 4 · edited Jun 16 '20 at 09:49

-1

This is similar to IP fragmentation attack. By fragmenting IP datagram into smaller pieces, one kind of DOS attack is done, as far as I know. You can google it. This is the 4th result in google but OffensiveSecurity is generally one of the best in security issues.

Hope this helps

edited Jun 16 '20 at 09:49

Community

1

answered Jan 16 '13 at 16:10

smttsp

366
2
12

why -1? This is definitely helpful, I think the one giving -1 never do research in his/her life!!! – smttsp Jan 17 '13 at 20:02

Detecting malware hidden in P2P traffic

4 Answers4