E08-2E1 - Preventing DDoS Attacks with P2P Systems - sun19@ecn.purdue.edu - ENS

Preventing DDoS Attacks with P2P SystemsPreventing DDoS Attacks with P2P SystemsXin Sun, Ruben Torres, Sanjay Rao

Vulnerabilities commonly exist in the membership protocols of many P2P systems;

• KAD, BitTorrent-DHT, Overnet, Gnutella, ESM…DDoS attacks are feasible by exploiting those

vulnerabilities;Such attacks can be launched towards any hosts,

even those do not participate in any P2P systems!

Two different P2P systems are exploited:

• DHT-based KAD•Gossip–based ESM

Traffic seen by the victim is shown in the graphs.

ESM (Broadcasting, Gossip)

5 attackers

KAD (File Distribution, DHT)

The large scale of P2P systems (>1M concurrent users) makes such DDoS attacks huge magnitude (~Gbps), hard to stop and hard to trace back.

200 attackers

10% attackers

Preventing such DDoS attacks through

Validation through Multiple Sources Bounding Logical IDs for a Physical IDPull + Direct Validation

Robust Membership ManagementRobust Membership Management

Nodes will not accept anyinformation until learn from at least K members.

An at tacker could repeatedly redirect an innocent node to a victim, using different logical IDs for the same physical ID, to amplify the attack.

Solution: bind the number of logical IDs for a physical ID a node can talk to.

Pull: Any information conveyed by a member is always in response to a prior solicitation

Direct Validation: Immediately probe any new node learned through a third party before considering it as a neighbor.

Pull + Direct Validation: Neither of the two is enough by itself. Combine them for improved system robustness.

A

B

C

X

M

A-REQ: F

M-RESP: V

1

A-REQ: F

B-RESP: X

A-REQ: F

B-RESP: X

2

3

A contacts X 4

Learn from 2 members

A

B

C

X

M

A-REQ: F

M-RESP: V

1

A-REQ: F

B-RESP: X

A-REQ: F

B-RESP: X

2

3

A contacts X 4

Learn from 2 members

ID1 ID2

ID3 ID4

IP-X, Port-Y

A

A-REQ: F

M-RESP: ID1…ID4M

Fake IDs

Bound rate of messages sent to many logical IDs with same IP/Port

ID1 ID2

ID3 ID4

IP-X, Port-Y

A

A-REQ: F

M-RESP: ID1…ID4M

Fake IDs

Bound rate of messages sent to many logical IDs with same IP/Port

Exploiting KAD search mechanism to generate a redirection DDoS attack towards a host that’s not part of KAD.

A

B

C

I

A-REQ: F

B-RESP: CA-REQ: F

C-RESP: I

A-REQ: F

I-RESP: Sources

Index for F

A

A-REQ: F

M-RESP: Victim

M

VictimNormal Search in KAD Redirection Attack

12

3

A-REQ: FA

B

C

I

A-REQ: F

B-RESP: CA-REQ: F

C-RESP: I

A-REQ: F

I-RESP: Sources

Index for F

A

A-REQ: F

M-RESP: Victim

M

VictimNormal Search in KAD Redirection Attack

12

3

A-REQ: F

DDoS attacks are feasible with P2P Systems

E08_2E1.pdf 1 3/1/2007 4:13:09 PM