by
KH on 2015/08/19 09:28:28 AM
Thanks for posting that research paper, it was an interesting read.
No, Tixati is not an effective bandwidth-amplifier that can be used for these types of UDP reflective attacks.
When I originally wrote the DHT and UPC implementations I was very mindful of avoiding bandwidth amplification as much as possible.
The technical details of potential UPC/uTP problems are outlined in section 3.2 of the paper. These do not affect Tixati, as it does not send bitfield/HAVEs/extension in the second half of the first round-trip, just the bare handshake. Also I should point out that unlike every other client out there, Tixati has it's own hardened UPC/uTP implementation, and does not use the "official" reference implementation, which has more problems than just this.
The Tixati DHT is also designed for the lowest-possible bandwidth amplification factor, does not support DHT-scrape extension (for this very reason), and has extensive query/response rate-limiting at various prefix-group levels. The bandwidth multiplication factor in a real-world scenario certainly isn't high enough to be of practical use to an attacker.
