Peer-to-Peer Systems
Security Issues
Kulesh Shanmugasundaram
SYN
• SYN
• P2P Basics
• Attack Classification
• Attacks and Defenses
• Further Research
• FIN
P2P Basics
• All nodes are created equal, not really!
• Network classification based on network connectivity
– Exponential networks: homogeneous network, [average] node connectivity is equally distributed
– Scale-free networks: follow a power law for connectivity, that is, there are a few highly connected nodes and many nodes that are not highly connected
• Current P2P systems are scale-free networks
Network Maps
• Partial map of Gnutella Network
• Note the hierarchical structure of the network
Network Maps…
• Gnutella Neighborhood Map
Failure vs. Attack [1]
• Failure:
– Random failure of nodes and/or infrastructure elements
• Attack:
– Systematic failure of nodes and/or infrastructure elements
• Scale-free networks are failure-tolerant
• Exponential networks are attack-tolerant
• Why?
• Most P2P systems give priority to failure-tolerance over attack-tolerance
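The failure-versus-attack contrast can be reproduced on generated graphs. The following is an added example, not part of the slides or of reference [1]: it builds a scale-free graph by preferential attachment and an exponential (random) graph with the same number of edges, then measures the giant connected component after removing a fraction of nodes at random (failure) and after removing the highest-degree nodes first (attack). Graph size, seed and the 10% removal fraction are constructed choices.

```python
"""Added example (not part of the slides): measure the giant component of a
scale-free and of an exponential (random) network after random node failure
and after a targeted attack on the highest-degree nodes, following the
experiment of Albert, Jeong & Barabasi [1]. Graph sizes, seed and the removal
fraction are constructed choices for this illustration."""
import random
from collections import deque


def scale_free_graph(n, m, rng):
    """Preferential-attachment graph: each new node links to m distinct
    existing nodes chosen with probability proportional to their degree, so a
    few hubs end up far better connected than the rest."""
    adj = {i: set() for i in range(n)}
    for i in range(m):                      # small fully connected seed
        for j in range(i + 1, m):
            adj[i].add(j); adj[j].add(i)
    # one pool entry per edge endpoint => uniform choice is degree-proportional
    pool = [v for v in range(m) for _ in range(max(1, len(adj[v])))]
    for v in range(m, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))
        for u in chosen:
            adj[v].add(u); adj[u].add(v)
            pool.extend((u, v))
    return adj


def random_graph(n, n_edges, rng):
    """Exponential (Erdos-Renyi style) graph with the same edge budget, so node
    degrees are homogeneous around 2 * n_edges / n."""
    adj = {i: set() for i in range(n)}
    edges = 0
    while edges < n_edges:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]:
            adj[u].add(v); adj[v].add(u)
            edges += 1
    return adj


def edge_count(adj):
    return sum(len(nb) for nb in adj.values()) // 2


def giant_component(adj, removed=frozenset()):
    """Size of the largest connected component once `removed` nodes are gone."""
    seen, best = set(removed), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            x = queue.popleft()
            size += 1
            for y in adj[x]:
                if y not in seen:
                    seen.add(y)
                    queue.append(y)
        best = max(best, size)
    return best


def random_failure(adj, frac, rng):
    """Failure: a random fraction of the nodes disappears."""
    return set(rng.sample(sorted(adj), int(frac * len(adj))))


def targeted_attack(adj, frac):
    """Attack: the most highly connected nodes are removed first."""
    ranked = sorted(adj, key=lambda v: (-len(adj[v]), v))
    return set(ranked[:int(frac * len(adj))])


def compare(n=500, m=2, frac=0.10, seed=7):
    """Giant-component fraction {topology: (after_failure, after_attack)}."""
    rng = random.Random(seed)
    sf = scale_free_graph(n, m, rng)
    ex = random_graph(n, edge_count(sf), rng)   # same number of edges
    result = {}
    for name, g in (("scale-free", sf), ("exponential", ex)):
        after_failure = giant_component(g, random_failure(g, frac, rng)) / n
        after_attack = giant_component(g, targeted_attack(g, frac)) / n
        result[name] = (round(after_failure, 3), round(after_attack, 3))
    return result


if __name__ == "__main__":
    for topo, (f, a) in compare().items():
        print(f"{topo:12s} giant component: failure={f:.3f} attack={a:.3f}")
```

Running `compare()` shows the asymmetry the slide states: the scale-free graph keeps most of its giant component under random failure but loses far more of it when its hubs are the ones removed, while the exponential graph degrades about the same way under both.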
Possible Targets
• Underlying protocol layers
• P2P routing mechanism
• Nodes themselves
• Trust system
• Homeostasis (of the system)
• Applications
• Users
Attack Classification
• Infrastructure Attacks:
– Attacks aimed at disabling the p2p system
e.g.: eliminating nodes, attacks on routing protocols
• Semantic Attacks:
– Attacks aimed at the p2p system, not to disable it but to make users abandon it
e.g.: bad content, asymmetric consumption
• Both kinds of attack are equally effective because p2p is a “peoples’ system”
Attacks & Defenses
• Attack detection & recovery involves…
– Identifying invariants in the system
– Monitoring the invariants
– Detecting/ascertaining attacks
– Triggering the recovery procedure
• Infrastructure Attacks
– Attacks on nodes
– Attacks on routing mechanism
• Semantic Attacks
– Storage & Retrieval Attacks
– Flooding
– Face/Off
Attacks on Nodes [2]
• Goal of the adversary is to fragment the network
• Since p2p networks follow a power law, an adversary can selectively knock down the highly connected nodes
• Interesting questions?
– How to find highly connected nodes?
• Queries can provide some intelligence…
– How would one fragment a network while always being part of the largest cluster?
– Lower bound on malicious nodes?
Attacks on Nodes…
• Detection Mechanism
– During an attack a node would lose many more 2nd-order nodes than 1st-order nodes
– For a fixed window of time, if the number of 2nd-order nodes drops below a threshold then flag it as an attack
• Recovery Mechanism
– Attack is possible because p2p networks are scale-free networks
– Maintain an overlay exponential network and switch to it during attacks
Attacks on Nodes…
• So, how would one build an exponential network from a scale-free network?
– Use an RDP (Random Discovery Protocol)
– Send out an RDP with TTL 20. Why 20?
– For the first half of the TTL choose nodes with probability scaling linearly with the number of neighbors
– For the second half choose the opposite strategy
• Collect enough random nodes to create an exponential network
• During an attack replace each lost node with a node from the exponential network
• Resulting network is resilient to attacks but…
Attacks on Routing [3]
• P2P routing mechanism in general…
– A key identifier space
– A node identifier space
– Rules for associating keys to particular nodes
– Per-node routing tables that refer to other nodes
– Rules for updating the tables as nodes join and leave
• Routing Attacks
– Incorrect Lookup Routing
– Incorrect Routing Updates
– Partitioning
Incorrect Lookup Routing
• Malicious node forwards lookups to an incorrect or non-existent node
• Detection Mechanism: At each hop the lookup is supposed to get “closer” to the key identifier
• For the detection to work, the querier must be allowed to observe lookup progress
• Criteria for verifiable lookup
– Querier should ensure that the destination itself agrees that it is the correct termination point
– Assign keys to nodes in a verifiable way
• Long-term identities using public keys
Incorrect Routing Update
• A malicious node could corrupt the routing table with incorrect updates to neighbors
• Systems that have the freedom to choose between multiple routes are especially vulnerable
• Detection Mechanism: Verifiable routing updates, e.g. Pastry’s update prefix requirements
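The two routing checks above (lookup progress with a verifiable termination point, and Pastry-style prefix requirements on routing updates) are concrete enough to code. The following is an added example, not code from the slides or from Sit & Morris [3]: it uses a Chord-style 8-bit identifier ring, a querier that watches every hop and cross-checks the destination's claim with the predecessor it names, and a Pastry-style check on routing-table entries written as base-4 digits. Ring size, node ids, the digit base and the constructed successor table are assumptions.

```python
"""Added example (not from the slides nor from Sit & Morris [3]): two
verifiability checks on a Chord-style identifier ring. (1) A querier that
observes lookup progress verifies that every forwarding hop gets strictly
closer to the key and that the destination's own claim of responsibility
("the key lies between my predecessor and me") is consistent with the path and
with the predecessor it names. (2) A Pastry-style check that a routing-table
update for row r, column c shares exactly r leading digits with our own id and
has digit c next. Ring size, node ids and the digit base are constructed."""

RING_BITS = 8
RING = 1 << RING_BITS


def ring_distance(frm, to):
    """Clockwise distance on the identifier ring."""
    return (to - frm) % RING


def in_range(key, predecessor, node):
    """Chord responsibility rule: key in (predecessor, node] clockwise."""
    if predecessor == node:                       # single-node ring
        return True
    return 0 < ring_distance(predecessor, key) <= ring_distance(predecessor, node)


def verify_lookup(path, key, claimed_predecessor, successor_table):
    """path: node ids visited in order; the last one is the claimed destination.
    successor_table: {node: successor} as answered directly by each node
    (constructed stand-in for asking them). Returns (ok, reason)."""
    hops, dest = path[:-1], path[-1]
    for prev, nxt in zip(hops, hops[1:]):
        if ring_distance(nxt, key) >= ring_distance(prev, key):
            return False, f"hop {prev}->{nxt} did not get closer to key {key}"
    if hops and not in_range(key, hops[-1], dest):
        return False, f"final hop {hops[-1]}->{dest} does not bracket key {key}"
    if not in_range(key, claimed_predecessor, dest):
        return False, f"{dest} does not cover key {key} by its own claim"
    # Cross-check the claim with the node it names as predecessor: if that node
    # knows a different successor, the destination lied about terminating here.
    if successor_table.get(claimed_predecessor) != dest:
        return False, f"{claimed_predecessor} names a different successor than {dest}"
    return True, "lookup verified"


DIGIT_BASE = 4                 # Pastry with b = 2 bits per digit
ID_DIGITS = RING_BITS // 2     # 8-bit ids written as 4 base-4 digits


def to_digits(node_id):
    digits = []
    for _ in range(ID_DIGITS):
        digits.append(node_id % DIGIT_BASE)
        node_id //= DIGIT_BASE
    return digits[::-1]


def valid_routing_update(my_id, row, col, candidate):
    """Pastry invariant for routing-table row r, column c: the candidate shares
    exactly the first r digits with our id and its digit r equals c. A candidate
    whose digit r equals our own digit belongs in a deeper row, so it is refused."""
    if not (0 <= row < ID_DIGITS and 0 <= col < DIGIT_BASE):
        return False
    me, cand = to_digits(my_id), to_digits(candidate)
    return cand[:row] == me[:row] and cand[row] == col and cand[row] != me[row]


if __name__ == "__main__":
    nodes = [10, 40, 90, 150, 200, 240]                    # constructed ring
    succ = {n: nodes[(i + 1) % len(nodes)] for i, n in enumerate(nodes)}
    print(verify_lookup([10, 40, 90, 150], 100, 90, succ))   # honest lookup
    print(verify_lookup([10, 40, 240, 150], 100, 90, succ))  # bad forwarding
    print(verify_lookup([10, 40, 90, 200], 100, 90, succ))   # false termination
    print(valid_routing_update(156, 1, 3, 177), valid_routing_update(156, 1, 1, 144))
```

The third lookup shows why the destination's own agreement is not enough on its own: node 200 claims key 100 with a plausible predecessor, and only the cross-check with node 90 (whose real successor is 150) exposes it. With long-term public-key identities the querier can also verify that the nodes it is talking to own the ids they present.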
Partitioning
• A set of malicious nodes forms a parallel network and traps new nodes inside it, rendering the network useless for new nodes
• Detection Mechanism: Incorrect functioning of the network/queries etc.
• Criteria for reliable join:
– Use history of queries and verify the current network’s results with random queries
– Out-of-band trusted source
– Use of public keys for trust systems
Semantic Attacks
• Goal is not to knock down the entire system but to make the system look inefficient or faulty to the user and convince them to abandon the system (probably what RIAA will do)
– E.g. for all queries for MP3s return false data, but for queries for text files return proper results
• Semantic Attacks
– Storage and Retrieval Attacks
– Flooding
– Face/Off
Storage & Retrieval
• Storage and Retrieval Attacks
– Disinformation about storage
– Deny access to stored data (natural on p2p)
– Return incorrect data (overpeering inc.)
• Detection Mechanism: Wrong results, denial of service etc.
• Criteria for Reliable Storage & Retrieval:
– Maintain replication invariant
– Avoid single points of responsibility
– Verification queries from different sources
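The three criteria on this slide map directly onto checks a node or querier can run. The following is an added example, not code from the slides: on a constructed Chord-style ring it verifies the replication invariant (each key held by its responsible node and the next k-1 successors), fetches a key from every replica rather than a single responsible node, and accepts the result either because its SHA-256 digest matches a self-certifying key or because a strict majority of independent replicas agree. Ring size, node ids, the replication factor and the stored data are assumptions.

```python
"""Added example (not from the slides): checks for the storage and retrieval
criteria above on a Chord-style ring: (1) the replication invariant, that each
key is held by its responsible node and the next k-1 successors, and (2)
retrieval verification that asks every replica (different sources) and either
checks a self-certifying SHA-256 digest or requires a strict majority of
replicas to agree. Ring size, node ids, stores and data are constructed."""
import hashlib
from collections import Counter

RING = 256
REPLICAS = 3


def digest_of(data):
    return hashlib.sha256(data).hexdigest()


def replica_set(nodes, key, k=REPLICAS):
    """Responsible node (first node at or clockwise after key) plus the next
    k-1 successors on the ring."""
    ring = sorted(nodes)
    first = next((i for i, n in enumerate(ring) if n >= key % RING), 0)
    return [ring[(first + i) % len(ring)] for i in range(min(k, len(ring)))]


def replication_violations(stores, key, k=REPLICAS):
    """stores: {node: {key: data}}. Nodes that should hold `key` but do not."""
    return [n for n in replica_set(stores, key, k) if key not in stores[n]]


def fetch_from_replicas(stores, key, k=REPLICAS):
    """Ask every replica for the key; None models denial or absence."""
    return {n: stores[n].get(key) for n in replica_set(stores, key, k)}


def verify_retrieval(responses, expected_digest=None):
    """responses: {node: data or None}. Returns (ok, data, suspect_nodes).
    With a self-certifying key the first reply whose SHA-256 matches is
    accepted; otherwise a strict majority of replicas must return identical
    bytes. Suspects are replicas that answered wrongly or not at all."""
    answered = {n: d for n, d in responses.items() if d is not None}
    if expected_digest is not None:
        good = {n: d for n, d in answered.items() if digest_of(d) == expected_digest}
        data = next(iter(good.values()), None)
        return data is not None, data, sorted(set(responses) - set(good))
    if not answered:
        return False, None, sorted(responses)
    data, votes = Counter(answered.values()).most_common(1)[0]
    if votes * 2 <= len(responses):
        return False, None, sorted(responses)        # no majority: inconclusive
    return True, data, sorted(n for n, d in responses.items() if d != data)


# Constructed stores: key 30 is missing its middle replica (node 90); key 100
# has one replica (node 240) returning tampered bytes.
STORES = {
    10: {}, 40: {30: b"index v1"}, 90: {},
    150: {30: b"index v1", 100: b"report v1"},
    200: {100: b"report v1"}, 240: {100: b"report v1 (tampered)"},
}

if __name__ == "__main__":
    print(replication_violations(STORES, 30))
    print(verify_retrieval(fetch_from_replicas(STORES, 100)))
    print(verify_retrieval(fetch_from_replicas(STORES, 100), digest_of(b"report v1")))
```

Asking several sources turns the "return incorrect data" attack into a detectable disagreement: a single tampering replica is outvoted and reported as a suspect, and with a self-certifying key it is rejected outright without any voting.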
Miscellaneous Attacks
• Face/Off
– Just like the movie…
– Show a good face to part of the network and the other face to the rest
• Flooding/DoS
– As usual
– Replication may provide a certain level of defense
• Rapid Joins & Leaves
• Unsolicited Messages
P2P Design Principles
• Define verifiable system invariants
• Verify system invariants during operation
• Allow the querier to observe lookup progress
• Assign keys to nodes in a verifiable way
• Server selection in routing may be abused
• Cross-check routing tables using random queries
• Avoid single points of responsibility
References…
1. Error and Attack Tolerance of Complex Networks, Reka Albert, Hawoong Jeong et al.
2. Peer Pressure: Distributed Recovery from Attacks in Peer-to-Peer Systems, Pedram Keyani, Brian Larson et al.
3. Security Considerations for Peer-to-Peer Distributed Hash Tables, Emil Sit, Robert Morris
4. The Sybil Attack, John R. Douceur
FIN
Questions, comments, concerns?