Unknown attackers are sabotaging popular TV and movie torrents by flooding swarms with IPv6 peers. The vulnerability, which affects the popular uTorrent client, makes it nearly impossible for torrent users to download files. It's unclear who's orchestrating the attacks but it could be a guerrilla anti-piracy move.

Generally speaking, BitTorrent is a highly robust file-sharing protocol that’s not easily disrupted. However, in recent weeks there have been systematic efforts to prevent large groups of people from sharing popular pirated TV-shows and movies.

The sabotaging technique tries to make it impossible for downloaders to connect to other people by overwhelming BitTorrent swarms with IPv6 peers.

Because of its focus on IPv6, not all users are affected, but those who are sometimes see their download speeds grind to a halt. As a result it can take days to download a file, if at all.

In short the process works as follows. The attacker joins a popular torrent swarm with hundreds, if not thousands of IPv6 addresses. These fake peers request data from real downloaders, quickly filling up their request queues.

The fake peers never exchange any data but keep the client busy until they are banned, as is shown in the screenshot below.

The attack has been confirmed to affect the popular client uTorrent. After a few minutes uTorrent does ban the malicious peers, but this makes little difference as the attackers use so many different IP-addresses.

Because all the fake peers have filled up the connection slots, real peers can no longer connect. This means that hardly any real data is transferred.

“Got unchoke from µTorrent 3.4.3 (12.345.678.9:9999), can’t request immediately because request queue is full”

TF was tipped off by the operator of one of the largest torrent trackers, who informed us that this type of attack is rampant. Many people are complaining about slow download speeds or torrents that are stuck.

“This new method of peer flooding makes a lot of people think there are issues with torrents. From an anti-piracy point of view it is achieving the purposed effect,” the tracker operator, who prefers to remain anonymous, said.

We were able to replicate the effect, which indeed makes downloading nearly impossible. After testing all of the larger BitTorrent clients it appears that only uTorrent and BitTorrent Mainline are vulnerable to the attack. However, together these two clients are used by the majority of all BitTorrent users.

We informed BitTorrent Inc, who develop the two clients, about the vulnerability. The company informed us that they are currently looking into the issue and may comment later.

Without an immediate fix, the tracker operator is advising affected users to switch to a different client for the time being, or disable IPv6 in Windows (not recommended for Windows 7 and up), if that’s an option.

“People experiencing download slowness – torrents stuck at 0% for more than 10 minutes, in a case where there are seeds available, should immediately switch to a different client or disable IPv6 in Windows,” the tracker operator says.

It is unclear who is behind the attacks, but considering the fact that it targets nearly all new TV and movie torrents, it could very well be a novel anti-piracy strategy. In any case, it’s definitely one of the most effective attempts to disrupt BitTorrent downloads in recent years.

Update: The IPv6 addresses which are used appear to be fictional. They haven’t been allocated yet and are non-routable.