Update Deluge with libuTP patch correct bug allowing DRDoS ?

Valeryan_24
New User
Posts: 2
Joined: Sat Aug 29, 2015 6:38 pm

Post by Valeryan_24 »

Hi, I regularly use Deluge to share torrent files.

I just read an article about an important fix on BitTorrent clients:
http://blog.bittorrent.com/2015/08/27/m ... ecosystem/

It explains that developers made a patch to the libuTP software to stop "possibility of exploiting BitTorrent protocols for Distributed Reflective Denial of Service Attacks (DRDoS)".
https://github.com/bittorrent/libutp/co ... 6cea885760

As libuTP is an essential component for BT apps, I wonder if Deluge also needs to be updated?

Thanks, Xavier
Shryp
Moderator
Posts: 521
Joined: Mon Apr 20, 2015 10:20 pm

Post by Shryp »

This would be something to be fixed in libtorrent as opposed to Deluge. Deluge uses libtorrent for the main torrenting protocol and is just a fancy GUI for the front end.

You could use the LtConfig plugin to disable uTP. That might work to disable the issue.
doadin
Seeder
Posts: 113
Joined: Mon Jun 30, 2014 9:24 am

Post by doadin »

https://github.com/arvidn/libtorrent/co ... 9cc5e0a2e1

I believe this is the fix for us. You can find libtorrent builds for Linux on the Deluge Ubuntu PPA, and I have a build of libtorrent I made for Windows here: http://doadin.github.io/

If anyone is wondering about my builds of libtorrent, they are made with boost 1.59_msvc9_32 and msvc9.
Valeryan_24
New User
Posts: 2
Joined: Sat Aug 29, 2015 6:38 pm

Post by Valeryan_24 »

Hi, thanks for the quick reply - and the excellent work on Deluge!

And for the explanations - I'm not a developer, I don't understand the code.

OK, it seems we have to wait for the libtorrent package update in distributions.

The link you posted regarding the libtorrent patch (back-ported uTP vulnerability fix) is dated 19th July, while the libuTP fix from the article was only 11 days ago, but it seems libtorrent has its own uTP implementation:
http://arstechnica.com/civis/viewtopic.php?p=29648417

And the libtorrent maintainer just confirmed to me that version 1.0.6 has the fix in it.

Nevertheless, even if not correlated to this DRDoS vulnerability, a bug has already been filed on Ubuntu for upgrading to the latest libtorrent version; it should be available soon:
https://bugs.launchpad.net/ubuntu/+sour ... ug/1485365

For Debian it's done: https://bugs.debian.org/cgi-bin/bugrepo ... bug=785676

For those interested, this publication:
http://www.researchgate.net/publication ... oS_Attacks