tl;dr: Bittorrent and extensions can be exploited to cause a reflected DDoS.
The spiciest method exploits Message Steam Encryption(MSE) which combines the dynamic port nature of bittorrent with just-sufficient crypto to make mitigation a nightmare. MSE can get between 4-32.5 times amplification depending on available peers; its robustness makes up for the middling amplification capabilities[1].
Mitigation on the uTP protocol level is as simple(?) as switching to a three way handshake but that would be quite the change for such a widely deployed protocol.
Bittorrent over uTP already effectively uses a three way handshake because the connection initiator is required to send the BT handshake first. The uTP vulnerabilities in the paper were caused by bugs in uTorrent and libtorrent's implementations. Both projects have released fixes for these bugs.
tl;dr: Bittorrent and extensions can be exploited to cause a reflected DDoS.
The spiciest method exploits Message Steam Encryption(MSE) which combines the dynamic port nature of bittorrent with just-sufficient crypto to make mitigation a nightmare. MSE can get between 4-32.5 times amplification depending on available peers; its robustness makes up for the middling amplification capabilities[1].
Mitigation on the uTP protocol level is as simple(?) as switching to a three way handshake but that would be quite the change for such a widely deployed protocol.
[1]https://en.wikipedia.org/wiki/Denial-of-service_attack#Refle...