That was an interesting read!

tl;dr: Bittorrent and extensions can be exploited to cause a reflected DDoS.

The spiciest method exploits Message Steam Encryption(MSE) which combines the dynamic port nature of bittorrent with just-sufficient crypto to make mitigation a nightmare. MSE can get between 4-32.5 times amplification depending on available peers; its robustness makes up for the middling amplification capabilities[1].

Mitigation on the uTP protocol level is as simple(?) as switching to a three way handshake but that would be quite the change for such a widely deployed protocol.

[1]https://en.wikipedia.org/wiki/Denial-of-service_attack#Refle...

For libtorrent, v1.0.6 changelog seems to hint that this has been fixed? https://github.com/arvidn/libtorrent/releases/tag/libtorrent... "* fixed uTP vulnerability"