A Sybil-Proof Distributed Hash Table

Chris Lesniewski-Laas, M. Frans Kaashoek
MIT
28 April 2010, NSDI
http://pdos.csail.mit.edu/whanau/slides.pptx

Post on 23-Feb-2016





Distributed Hash Table
- Interface: PUT(key, value), GET(key) → value
- Route to peer responsible for key
- GET( sip://[email protected] )
- PUT( sip://[email protected], )

The Sybil attack on open DHTs
- Create many pseudonyms (Sybils), join DHT
- Sybils join the DHT as usual, disrupt routing
- Brute-force attack
- Clustering attack

Sybil state of the art
- P2P mania! Chord, Pastry, Tapestry, CAN
- The Sybil Attack [Douceur], Security Considerations [Sit, Morris]
- Restricted tables [Castro et al]
- BFT [Rodrigues, Liskov]
- SPROUT, Turtle, Bootstrap graphs
- Puzzles [Borisov]
- CAPTCHA [Rowaihy et al]
- SybilLimit [Yu et al]
- SybilInfer, SumUp, DSybil
- (This work)

- P2P mania!
- Sybil attack: recognized soon after DHTs invented
- Much activity since (this is a sample)

Contribution
- Whānau: an efficient Sybil-proof DHT protocol
- Get cost: O(1) messages, one RTT latency
- Cost to build routing tables: O(N log N) storage/bandwidth per node (for N keys)
- Oblivious to number of Sybils!

- Proof of correctness
- PlanetLab implementation
- Large-scale simulations vs. powerful attack

Whanau is a Maori word meaning family.

Division of labor
- Application provides integrity
- Whānau provides availability
- E.g., application signs values using private key

Proc Get(key):
    Until valid value found:
        Try value = Lookup(key)
        Repeat

Possible to use Whānau for other DHT apps, but only makes sense for open systems. (Key churn?)

Approach
- Use a social network to limit Sybils
  - Addresses brute-force attack
- New technique: layered identifiers
  - Addresses clustering attacks

Two main phases
- Setup: periodically build tables using social links
- Lookup: use tables to route efficiently
[Diagram labels: Setup, Lookup, Social Network, Routing Tables, key/value, Put(key, value), Put Queue]
- Social links come from outside the system

Social links created

Social links maintained over Internet

Social network
[Diagram labels: Sybil region, Honest region, Attack edges]
- Cellphone address book, physical rendezvous

Random walks
- c.f. SybilLimit [Yu et al 2008]

Building tables using random walks
- c.f. SybilLimit [Yu et al 2008]
- What have we accomplished?
  - Small fraction (e.g. < 50%) of bad nodes in routing tables
  - Bad fraction is independent of number of Sybil nodes

[Diagram labels: Setup, Lookup, Social Network, Routing Tables, key/value, Put(key, value), Put Queue]
- Social links come from outside the system

Routing table structure
- O(n) fingers and O(n) keys stored per node
- Fingers have random IDs, cover all keys WHP
- Lookup: query closest finger to target key
- Finger tables: (ID, address)
- Key tables: (key, value)
[Diagram labels: Keynes, Aardvark, Zyzzyva, Kelvin]
- We chose these fingers using random walks
- Each slice starts at a random key (ID)
- Ignoring evil nodes for now
- Lookup: repeat with next closest if failed
- If structure is correct, expect O(1) tries.

From social network to routing tables
- Finger table: randomly sample O(n) nodes
- Most samples are honest
[Diagram labels: ID, IP address]

Honest nodes pick IDs uniformly
- Plenty of fingers near key

Sybil ID clustering attack
- [Hypothetical scenario: 50% Sybil IDs, 50% honest IDs]
- Many bad fingers near key
- If the attacker has a limited number of Sybil IDs, what can he do? Attack a single key.

Honest layered IDs mimic Sybil IDs
[Diagram labels: Layer 0, Layer 1]

Every range is balanced in some layer
[Diagram labels: Layer 0, Layer 1]

Two layers is not quite enough
[Diagram labels: Layer 0, Layer 1]
- Ratio = 1 honest : 10 Sybils
- Ratio = 10 honest : 100 Sybils

Log n parallel layers is enough
- log n layered IDs for each node
- Lookup steps:
  1. Pick a random layer
  2. Pick a finger to query
  3. GOTO 1 until success or timeout
[Diagram labels: Layer 0, Layer 1, Layer 2, Layer L]

Main theorem: secure DHT routing
If we run Whānau's Setup using:
- A social network with walk length = O(log n) and number of attack edges = O(n/log n)
- Routing tables of size (N log N) per node

Then, for any input key and all but n nodes:

- Each lookup attempt (i.e., coin flip) succeeds with probability (1)
- Thus Get(key) uses O(1) messages (expected)
- The constant is ~20
- With high probability depends on coin flips and routing table size

Evaluation: Hypotheses
- Random walk technique yields good samples
- Lookups succeed under clustering attacks
- Layered identifiers are necessary for security
- Performance scales the same as a one-hop DHT
- Whānau handles network failures and churn

Method
- Efficient message-based simulator
- Social network data spidered from Flickr, Youtube, DBLP, and LiveJournal (n=5.2M)
- Clustering attack, varying number of attack edges
- PlanetLab implementation

Escape probability
[Flickr social network: n 1.6M, average degree 9.5]

Walk length tradeoff
[Flickr social network: n 1.6M, average degree 9.5]

Whānau delivers high availability
[Flickr social network: n 1.6M, 3n 4000]

Everything rests on the model

Here's what we don't claim

Contributions
- Whānau: an efficient Sybil-proof DHT
- Use a social network to filter good nodes
- Resist up to O(n/log n) attack edges
- Table size per node: O(N log N)
- Messages to route: O(1)
- Introduced layers to combat clustering attacks
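
The "Division of labor" Get loop and the layered "Lookup steps" from the slides, as an added toy model (not code from the talk or from the Whānau implementation). Assumptions: HMAC stands in for the application's private-key signature, each layer is reduced to the fingers near one key, and the finger counts, key and address are constructed.

```python
import hashlib
import hmac
import random

APP_KEY = b"constructed-demo-key"  # assumption: stands in for the app's signing key

def sign(key, value):
    # HMAC is a stand-in for the private-key signature the slides mention.
    return hmac.new(APP_KEY, f"{key}\x00{value}".encode(), hashlib.sha256).hexdigest()

def is_valid(key, record):
    # Integrity is the application's job: accept only records that verify.
    return record is not None and hmac.compare_digest(record[1], sign(key, record[0]))

def make_layer(n_honest, n_sybil, store):
    # A finger is modelled as a callable that answers a query for `key`.
    honest = lambda key: store.get(key)
    sybil = lambda key: ("forged-value", "0" * 64)  # never verifies
    return [honest] * n_honest + [sybil] * n_sybil

def lookup(layers, key, rng):
    layer = rng.choice(layers)   # 1. pick a random layer
    finger = rng.choice(layer)   # 2. pick a finger to query (near the key)
    return finger(key)

def get(layers, key, rng, max_tries=500):
    # Proc Get(key): repeat Lookup until a valid value is found or we time out.
    for tries in range(1, max_tries + 1):
        record = lookup(layers, key, rng)
        if is_valid(key, record):
            return record[0], tries
    return None, max_tries

def mean_tries(layers, key, seed, runs=2000):
    # Average number of Lookup attempts per successful Get.
    rng = random.Random(seed)
    return sum(get(layers, key, rng)[1] for _ in range(runs)) / runs

KEY = "sip:alice.example"  # constructed key
STORE = {KEY: ("198.51.100.7", sign(KEY, "198.51.100.7"))}
# Constructed numbers: Sybil IDs are clustered near KEY in one layer (18 of 20
# fingers); the other four layers stay mostly honest there (2 of 20 Sybil).
CLUSTERED = make_layer(2, 18, STORE)
LAYERS = [CLUSTERED] + [make_layer(18, 2, STORE) for _ in range(4)]

if __name__ == "__main__":
    print("clustered layer only:", mean_tries([CLUSTERED], KEY, seed=1))
    print("five layers         :", mean_tries(LAYERS, KEY, seed=1))
```

Forged answers cost a retry but are never returned, so the clustered layer hurts availability only; choosing a layer at random on every attempt keeps the expected number of tries small.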