peer-to-peer systems
Peer-to-Peer Systems
Security Issues
Kulesh Shanmugasundaram

SYN
SYN
P2P Basics
Attack Classification
Attacks and Defenses
Further Research
FIN

P2P Basics
All nodes are created equal, not really!
Network classification based on network connectivity
  – Exponential networks: homogeneous network, [average] node connectivity is equally distributed
  – Scale-free networks: follow a power law for connectivity, that is, there are some highly connected nodes and many not so highly connected nodes
Current P2P systems are scale-free networks

Network Maps
[Figure: partial map of the Gnutella network. Note the hierarchical structure of the network.]

Network Maps…
[Figure: Gnutella neighborhood map]

Failure vs. Attack [1]
Failure:
  – Random failure of nodes and/or infrastructure elements
Attack:
  – Systematic failure of nodes and/or infrastructure elements
Scale-free networks are failure-tolerant
Exponential networks are attack-tolerant
Why?
Most P2P systems give priority to failure-tolerance over attack-tolerance

Possible Targets
Underlying protocol layers
P2P routing mechanism
Nodes themselves
Trust system
Homeostasis (of the system)
Applications
Users

Attack Classification
Infrastructure Attacks:
  – Attacks aimed at disabling the p2p system, e.g. eliminating nodes, attacks on routing protocols
Semantic Attacks:
  – Attacks aimed at the p2p system, not to disable it but to make users abandon it, e.g. bad content, asymmetric consumption
Both attacks are equally effective because p2p is a “peoples’ system”

Attacks & Defenses
Attack detection & recovery involves…
  – Identifying Invariants in the System
  – Monitoring the Invariants
  – Detecting/Ascertaining Attacks
  – Triggering Recovery Procedure
Infrastructure Attacks
  – Attacks on nodes
  – Attacks on routing mechanism
Semantic Attacks
  – Storage & Retrieval Attacks
  – Flooding
  – Face/Off

Attacks on Nodes [2]
Goal of the adversary is to fragment the network
Since p2p networks follow a power law, an adversary can selectively knock down highly connected nodes
Interesting questions?
  – How to find highly connected nodes?
      • Queries can provide some intelligence…
  – How would one fragment a network while always being part of the largest cluster?
  – Lower bound on malicious nodes?

Attacks on Nodes…
Detection Mechanism
  – During an attack a node would lose more 2nd order nodes than 1st order nodes.
  – For a fixed window of time, if the number of 2nd order nodes drops below a threshold then flag it as an attack
Recovery Mechanism
  – Attack is possible because p2p networks are scale-free networks
  – Maintain an overlay exponential network and switch to it during attacks
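
The detection rule on this slide, as an added sketch that is not from the slides or the cited paper. The threshold (half of the window's peak 2nd order count), the window of five observations, and the small topology are assumptions constructed for illustration.

```python
from collections import deque

def neighbor_orders(adj, node):
    """Return (1st-order, 2nd-order) neighbor sets of `node`."""
    first = set(adj.get(node, ())) - {node}
    second = set()
    for peer in first:
        second |= set(adj.get(peer, ()))
    return first, second - first - {node}

def remove_node(adj, victim):
    """Copy of the topology with `victim` and its links gone."""
    return {n: [p for p in peers if p != victim]
            for n, peers in adj.items() if n != victim}

class FragmentationDetector:
    """Flag an attack when, within a fixed window of observations, the
    2nd-order count falls below drop_ratio * its window peak (assumed
    threshold) and that loss exceeds the 1st-order loss."""

    def __init__(self, window=5, drop_ratio=0.5):
        self.history = deque(maxlen=window)
        self.drop_ratio = drop_ratio

    def observe(self, adj, node):
        first, second = neighbor_orders(adj, node)
        self.history.append((len(first), len(second)))
        peak_first = max(f for f, _ in self.history)
        peak_second = max(s for _, s in self.history)
        below = len(second) < self.drop_ratio * peak_second
        lopsided = (peak_second - len(second)) > (peak_first - len(first))
        return below and lopsided

# Constructed topology: "a" peers with hub "h" (six leaves) and with "b".
LEAVES = [f"x{i}" for i in range(6)]
TOPOLOGY = {"a": ["h", "b"], "h": ["a"] + LEAVES, "b": ["a", "y"], "y": ["b"]}
TOPOLOGY.update({leaf: ["h"] for leaf in LEAVES})

def replay(snapshots, node="a"):
    """Feed successive topology snapshots to a fresh detector."""
    detector = FragmentationDetector()
    return [detector.observe(adj, node) for adj in snapshots]

if __name__ == "__main__":
    print(replay([TOPOLOGY, remove_node(TOPOLOGY, "x0")]))  # random leaf failure
    print(replay([TOPOLOGY, remove_node(TOPOLOGY, "h")]))   # hub knocked down
```

Losing one random leaf leaves the detector quiet, while losing the hub costs node "a" one 1st order peer and six 2nd order peers, which trips the flag.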

Attacks on Nodes…
So, how would one build an exponential network from a scale-free network?
  – Use an RDP (Random Discovery Protocol)
  – Send out an RDP with TTL 20. Why 20?
  – For the first half of the TTL choose nodes with probability scaling linearly to number of neighbors
  – For the second half choose the opposite strategy
Collect enough random nodes to create an exponential network
During an attack replace each lost node with a node from the exponential network
Resulting network is resilient to attacks but…
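
The RDP walk and the replacement step, as an added sketch that is not from the slides or the cited paper. Reading "the opposite strategy" as weight 1/degree is an assumption, as are the function names, the seed, and the constructed two-hub topology.

```python
import random

def build(edges):
    """Symmetric adjacency lists from an undirected edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    return adj

def rdp_walk(adj, start, rng, ttl=20):
    """One discovery walk; returns every node visited, start included."""
    path = [start]
    for hop in range(ttl):
        peers = adj[path[-1]]
        degrees = [len(adj[p]) for p in peers]
        if hop < ttl // 2:
            weights = degrees                     # favour well-connected peers
        else:
            weights = [1.0 / d for d in degrees]  # opposite strategy (assumed)
        path.append(rng.choices(peers, weights=weights, k=1)[0])
    return path

def collect_reserve(adj, start, wanted, seed=0, max_walks=1000):
    """Walk endpoints become the node's reserve of random peers."""
    rng = random.Random(seed)
    reserve = []
    for _ in range(max_walks):
        if len(reserve) == wanted:
            break
        end = rdp_walk(adj, start, rng)[-1]
        if end != start and end not in adj[start] and end not in reserve:
            reserve.append(end)
    return reserve

def replace_lost(peers, lost, reserve):
    """During an attack, swap each lost peer for one from the reserve."""
    spare = [n for n in reserve if n not in peers]
    kept = [p for p in peers if p not in lost]
    return kept + spare[:len(peers) - len(kept)]

# Constructed scale-free-like overlay: two hubs, twelve leaves.
EDGES = ([("h0", "h1"), ("a0", "a1"), ("b0", "b1")]
         + [("h0", f"a{i}") for i in range(6)]
         + [("h1", f"b{i}") for i in range(6)])
OVERLAY = build(EDGES)

if __name__ == "__main__":
    reserve = collect_reserve(OVERLAY, "a2", wanted=4)
    print(reserve, replace_lost(OVERLAY["a2"], {"h0"}, reserve))
```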

Attacks on Routing [3]
P2P routing mechanism in general…
  – A key identifier space
  – A node identifier space
  – Rules for associating keys to particular nodes
  – Per-node routing tables that refer to other nodes
  – Rules for updating the tables as nodes join and leave
Routing Attacks
  – Incorrect Lookup Routing
  – Incorrect Routing Updates
  – Partitioning

Incorrect Lookup Routing
Malicious node forwards lookups to an incorrect or non-existent node
Detection Mechanism: at each hop the lookup is supposed to get “closer” to the key identifier
For the detection to work, querier must be allowed to observe lookup progress
Criteria for verifiable lookup
  – Querier should ensure that the destination itself agrees that it is the correct termination point
  – Assign keys to nodes in a verifiable way
Long term identities using public-keys
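
A querier-side audit of an observed lookup, as an added sketch that is not from the slides or the cited paper. The XOR distance metric, the 32-bit identifier width, and deriving a node ID as a truncated SHA-256 of its public key are assumptions; the trace is constructed.

```python
import hashlib

BITS = 32  # assumed identifier width, kept small for readability

def node_id(public_key: bytes) -> int:
    """Assumed assignment rule: ID = truncated SHA-256 of the public key."""
    return int.from_bytes(hashlib.sha256(public_key).digest()[:BITS // 8], "big")

def check_lookup(key, hops):
    """Audit the hop list a querier observed; returns (ok, reason).

    Each hop is {"id", "public_key", "claims_key"}. Distance is XOR
    (Kademlia-style), an assumption; the slides name no metric."""
    if not hops:
        return False, "empty trace"
    previous = None
    for i, hop in enumerate(hops):
        if node_id(hop["public_key"]) != hop["id"]:
            return False, f"hop {i}: id not derived from public key"
        distance = hop["id"] ^ key
        if previous is not None and distance >= previous:
            return False, f"hop {i}: no progress toward key"
        previous = distance
    if not hops[-1]["claims_key"]:
        return False, "destination does not accept the key"
    return True, "ok"

def make_hop(name, claims_key=False):
    """Constructed node; a real one would also prove key possession."""
    public_key = b"constructed-public-key-" + name.encode()
    return {"id": node_id(public_key), "public_key": public_key,
            "claims_key": claims_key}

def honest_trace(key, names=("n0", "n1", "n2", "n3")):
    """Constructed trace: hops ordered so each is closer to the key."""
    hops = sorted((make_hop(n) for n in names),
                  key=lambda h: h["id"] ^ key, reverse=True)
    hops[-1]["claims_key"] = True
    return hops

KEY = 0x1234ABCD  # constructed key identifier

if __name__ == "__main__":
    trace = honest_trace(KEY)
    print(check_lookup(KEY, trace))
    detour = [trace[0], trace[2], trace[1], trace[3]]
    print(check_lookup(KEY, detour))
```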

Incorrect Routing Update
A malicious node could corrupt the routing table with incorrect updates to neighbors
Systems that have the freedom to choose between multiple routes are especially vulnerable
Detection Mechanism: Verifiable routing updates, e.g. Pastry’s update prefix requirements

Partitioning
Set of malicious nodes form a parallel network and trap new nodes inside them, rendering the network useless for new nodes
Detection Mechanism: Incorrect functioning of the network/queries etc.
Criteria for reliable join:
  – Use history of queries and verify the current network’s results with random queries
  – Out-of-band trusted source
  – Use of public-key for trust systems

Semantic Attacks
Goal is not to knock down the entire system but to make the system look inefficient or faulty to the user and convince them to abandon the system (probably what RIAA will do)
  – E.g. for all the queries to MP3 return false data but queries for text files return proper results
Semantic Attacks
  – Storage and Retrieval Attacks
  – Flooding
  – Face/Off

Storage & Retrieval
Storage and Retrieval Attacks
  – Disinformation about storage
  – Deny access to stored data (natural on p2p)
  – Return incorrect data (overpeering inc.)
Detection Mechanism: Wrong results, denial of service etc.
Criteria for Reliable Storage & Retrieval:
  – Maintain replication invariant
  – Avoid single point responsibilities
  – Verification queries from different sources

Miscellaneous Attacks
Face/Off
  – Just like the movie…
  – Show good face to part of the network and the other face to rest
Flooding/DoS
  – As usual
  – Replication may provide certain level of defense
Rapid Joins & Leaves
Unsolicited Messages

P2P Design Principles
Define verifiable system invariants
Verify system invariants during operation
Allow the querier to observe lookup progress
Assign keys to nodes in a verifiable way
Server selection in routing may be abused
Cross-check routing tables using random queries
Avoid single points of responsibilities

References…
1. Error and Attack Tolerance of Complex Networks, Reka Albert, Hawoong Jeong et al.
2. Peer Pressure: Distributed Recovery from Attacks in Peer-to-Peer Systems, Pedram Keyani, Brian Larson et al.
3. Security Considerations for Peer-to-Peer Distributed Hash Tables, Emil Sit, Robert Morris
4. The Sybil Attack, John R. Douceur
FIN
Questions, comments, concerns?