Security of Peer-to-Peer Systems

Peer-to-Peer Systems
Security Issues

Kulesh Shanmugasundaram
SYN
 • SYN
 • P2P Basics
 • Attack Classification
 • Attacks and Defenses
 • Further Research
 • FIN
P2P Basics
 • All nodes are created equal, not really!
 • Network classification based on network connectivity
   – Exponential networks: homogeneous network, [average] node
     connectivity is equally distributed
   – Scale-free networks: connectivity follows a power law, that is,
     there are some highly connected nodes and many not too highly
     connected nodes
 • Current P2P systems are scale-free networks
Network Maps
 • Partial map of Gnutella Network
 • Note the hierarchical structure of the network
Network Maps…
 • Gnutella Neighborhood Map
Failure vs. Attack [1]
 • Failure:
   – Random failure of nodes and/or infrastructure elements
 • Attack:
   – Systematic failure of nodes and/or infrastructure elements
 • Scale-free networks are failure-tolerant
 • Exponential networks are attack-tolerant
 • Why?
 • Most P2P systems give priority to failure-tolerance over
   attack-tolerance
Possible Targets
 • Underlying protocol layers
 • P2P routing mechanism
 • Nodes themselves
 • Trust system
 • Homeostasis (of the system)
 • Applications
 • Users
Attack Classification
 • Infrastructure Attacks:
   – Attacks aimed at disabling the p2p system
     e.g.: eliminating nodes, attacks on routing protocols
 • Semantic Attacks:
   – Attacks aimed at the p2p system, not to disable it but to make
     users abandon it
     e.g.: bad content, asymmetric consumption
 • Both kinds of attack are equally effective because p2p is a
   “peoples’ system”
Attacks & Defenses
 • Attack detection & recovery involves…
   – Identifying invariants in the system
   – Monitoring the invariants
   – Detecting/ascertaining attacks
   – Triggering the recovery procedure
 • Infrastructure Attacks
   – Attacks on nodes
   – Attacks on routing mechanism
 • Semantic Attacks
   – Storage & Retrieval Attacks
   – Flooding
   – Face/Off
Attacks on Nodes [2]
 • Goal of the adversary is to fragment the network
 • Since p2p networks follow a power law, an adversary can
   selectively knock down highly connected nodes
 • Interesting questions:
   – How to find highly connected nodes?
      • Queries can provide some intelligence…
   – How would one fragment a network while always being part of the
     largest cluster?
   – Lower bound on malicious nodes?
Attacks on Nodes…
 • Detection Mechanism
   – During an attack a node would lose more 2nd-order nodes than
     1st-order nodes
   – For a fixed window of time, if the number of 2nd-order nodes
     drops below a threshold then flag it as an attack
 • Recovery Mechanism
   – Attack is possible because p2p networks are scale-free networks
   – Maintain an overlay exponential network and switch to it during
     attacks
Attacks on Nodes…
 • So, how would one build an exponential network from a scale-free
   network?
   – Use an RDP (Random Discovery Protocol)
   – Send out an RDP with TTL 20. Why 20?
   – For the first half of the TTL choose nodes with probability scaling
     linearly with the number of neighbors
   – For the second half choose the opposite strategy
 • Collect enough random nodes to create an exponential network
 • During an attack replace each lost node with a node from the
   exponential network
 • Resulting network is resilient to attacks but…
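The three slides above (failure vs. attack tolerance, the 2nd-order-neighbourhood detector, and the RDP walk used to build the exponential overlay) can be simulated on a constructed scale-free topology. The following is an added example, not code from the slides or from reference [2]: it grows a preferential-attachment graph (a constructed stand-in for a Gnutella-like network), compares the largest connected component after random failure and after a targeted attack on the highest-degree nodes, applies the detection rule (flag when a surviving node's 2nd-order neighbourhood shrinks below a threshold fraction, here an assumed 50%), and implements the two-phase RDP walk. The graph model, the 50% threshold and the degree-weighted walk probabilities are assumptions for the example.

```python
import random


def preferential_attachment_graph(n, m, seed=1):
    """Constructed sample topology: a scale-free graph in which each new node
    links to m existing nodes chosen with probability proportional to degree."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(m + 1)}
    for i in range(m + 1):                    # seed clique so every node has degree >= m
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    pool = [v for v in adj for _ in adj[v]]   # one entry per edge endpoint -> degree weighting
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))
        adj[new] = set(chosen)
        for v in chosen:
            adj[v].add(new)
            pool.append(v)
        pool.extend([new] * m)
    return adj


def remove_nodes(adj, victims):
    victims = set(victims)
    return {v: {w for w in nbrs if w not in victims}
            for v, nbrs in adj.items() if v not in victims}


def largest_component(adj):
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            v = stack.pop()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best


def random_failure(adj, k, seed=2):
    """Failure: k nodes disappear at random."""
    return random.Random(seed).sample(sorted(adj), k)


def targeted_attack(adj, k):
    """Attack: the k most highly connected nodes are knocked down."""
    return sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]


def second_order_size(adj, v):
    first = adj[v]
    second = set()
    for w in first:
        second |= adj[w]
    return len(second - first - {v})


def fraction_flagged(before, after, threshold=0.5):
    """Detection rule from the slides: a surviving node flags an attack when its
    2nd-order neighbourhood shrinks below `threshold` (assumed 50%) of its size
    at the start of the observation window."""
    survivors = [v for v in after if second_order_size(before, v) > 0]
    flagged = [v for v in survivors
               if second_order_size(after, v) < threshold * second_order_size(before, v)]
    return len(flagged) / len(survivors)


def rdp_walk(adj, start, ttl=20, seed=0):
    """RDP walk as described on the slides: for the first half of the TTL pick
    neighbours with probability proportional to their degree, for the second
    half with probability inversely proportional to it."""
    rng, v = random.Random(seed), start
    for step in range(ttl):
        nbrs = sorted(adj[v])
        if step < ttl // 2:
            weights = [len(adj[w]) for w in nbrs]
        else:
            weights = [1.0 / len(adj[w]) for w in nbrs]
        v = rng.choices(nbrs, weights=weights)[0]
    return v


def discover_random_nodes(adj, start, count, ttl=20):
    """Collect candidate members for the exponential overlay by repeated walks."""
    return {rdp_walk(adj, start, ttl, seed=i) for i in range(count)}


def compare_failure_and_attack(n=2000, m=2, k=100):
    g = preferential_attachment_graph(n, m)
    failed = remove_nodes(g, random_failure(g, k))
    attacked = remove_nodes(g, targeted_attack(g, k))
    return {
        "lcc_after_random_failure": largest_component(failed),
        "lcc_after_targeted_attack": largest_component(attacked),
        "flagged_after_random_failure": fraction_flagged(g, failed),
        "flagged_after_targeted_attack": fraction_flagged(g, attacked),
    }


if __name__ == "__main__":
    print(compare_failure_and_attack())
```

Removing the same number of nodes at random barely dents the largest component, while removing the hubs fragments it and makes most surviving nodes trip the 2nd-order detector; the overlay candidates gathered by `discover_random_nodes` are what the recovery step would splice in for each lost neighbour.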
Attacks on Routing [3]
 • P2P routing mechanism in general…
   – A key identifier space
   – A node identifier space
   – Rules for associating keys to particular nodes
   – Per-node routing tables that refer to other nodes
   – Rules for updating the tables as nodes join and leave
 • Routing Attacks
   – Incorrect Lookup Routing
   – Incorrect Routing Updates
   – Partitioning
Incorrect Lookup Routing
 • Malicious node forwards lookups to an incorrect or non-existent node
 • Detection Mechanism: at each hop the lookup is supposed to get
   “closer” to the key identifier
 • For the detection to work, the querier must be allowed to observe
   lookup progress
 • Criteria for verifiable lookup
   – Querier should ensure that the destination itself agrees that it
     is the correct termination point
   – Assign keys to nodes in a verifiable way
 • Long-term identities using public keys
Incorrect Routing Update
 • A malicious node could corrupt the routing table with incorrect
   updates to neighbors
 • Systems that have the freedom to choose between multiple routes
   are especially vulnerable
 • Detection Mechanism: verifiable routing updates, e.g. Pastry’s
   update prefix requirements
Partitioning
 • A set of malicious nodes forms a parallel network and traps new
   nodes inside it, rendering the network useless for new nodes
 • Detection Mechanism: incorrect functioning of the network/queries
   etc.
 • Criteria for reliable join:
   – Use history of queries and verify the current network’s results
     with random queries
   – Out-of-band trusted source
   – Use of public keys for trust systems
Semantic Attacks
 • Goal is not to knock down the entire system but to make the system
   look inefficient or faulty to the user and convince them to abandon
   the system (probably what RIAA will do)
   – E.g. for all queries for MP3s return false data but for queries
     for text files return proper results
 • Semantic Attacks
   – Storage and Retrieval Attacks
   – Flooding
   – Face/Off
Storage & Retrieval
 • Storage and Retrieval Attacks
   – Disinformation about storage
   – Deny access to stored data (natural on p2p)
   – Return incorrect data (overpeering inc.)
 • Detection Mechanism: wrong results, denial of service etc.
 • Criteria for Reliable Storage & Retrieval:
   – Maintain replication invariant
   – Avoid single point responsibilities
   – Verification queries from different sources
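The three criteria on this slide can be exercised together in a small replicated store. The following is an added example, not code from the slides: keys are the hash of the content they name (an assumption that makes every answer self-certifying), responsibility for a key is spread over the k best-ranked peers rather than a single node, retrieval queries every candidate holder and checks each answer against the key, and a repair step restores the replication invariant from a verified copy when a holder lies or goes away. The peer model, the rendezvous-style ranking and the replication factor are constructed for the example.

```python
import hashlib


class Replica:
    """Constructed peer that stores key/value pairs.  `lying` models a peer
    that returns incorrect data, `offline` one that denies access."""

    def __init__(self, name):
        self.name = name
        self.lying = False
        self.offline = False
        self.store = {}

    def put(self, key, value):
        if self.offline:
            return False
        self.store[key] = value
        return True

    def get(self, key):
        if self.offline:
            return None
        value = self.store.get(key)
        if value is not None and self.lying:
            return b"tampered:" + value
        return value


def content_key(value: bytes) -> str:
    """Self-certifying key: the key is the hash of the content it names."""
    return hashlib.sha256(value).hexdigest()


def rank_replicas(replicas, key):
    """Rendezvous ranking: the k best-ranked peers hold a key, so no single
    node is the sole point of responsibility for it."""
    return sorted(replicas,
                  key=lambda r: hashlib.sha256(f"{r.name}:{key}".encode()).hexdigest())


def store(replicas, value, k):
    key = content_key(value)
    for r in rank_replicas(replicas, key)[:k]:
        r.put(key, value)
    return key


def verified_get(replicas, key):
    """Verification queries from different sources: ask every candidate holder
    and check each answer against the key.  Returns (value or None, liars)."""
    value, liars = None, []
    for r in rank_replicas(replicas, key):
        answer = r.get(key)
        if answer is None:
            continue
        if content_key(answer) != key:
            liars.append(r.name)
        elif value is None:
            value = answer
    return value, liars


def live_holders(replicas, key):
    """Names of peers currently able to return a correct copy."""
    holders = []
    for r in replicas:
        answer = r.get(key)
        if answer is not None and content_key(answer) == key:
            holders.append(r.name)
    return holders


def replication_invariant_holds(replicas, key, k):
    return len(live_holders(replicas, key)) >= k


def repair(replicas, key, k):
    """Restore the replication invariant from a verified copy, skipping peers
    that were caught lying; returns the names of peers given a fresh copy."""
    value, liars = verified_get(replicas, key)
    if value is None:
        return []
    holders, added = set(live_holders(replicas, key)), []
    for r in rank_replicas(replicas, key):
        if len(holders) >= k:
            break
        if r.name not in holders and r.name not in liars and r.put(key, value):
            holders.add(r.name)
            added.append(r.name)
    return added


if __name__ == "__main__":
    peers = [Replica(f"peer-{i}") for i in range(6)]
    key = store(peers, b"constructed file contents", 3)
    peers[0].lying = True
    print(verified_get(peers, key), repair(peers, key, 3))
```

A single lying holder is detected by every querier without any trust in the holder itself, and the monitored invariant (at least k correct live copies) is what triggers the recovery step.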
Miscellaneous Attacks
 • Face/Off
   – Just like the movie…
   – Show a good face to part of the network and the other face to the
     rest
 • Flooding/DoS
   – As usual
   – Replication may provide a certain level of defense
 • Rapid Joins & Leaves
 • Unsolicited Messages
P2P Design Principles
 • Define verifiable system invariants
 • Verify system invariants during operation
 • Allow the querier to observe lookup progress
 • Assign keys to nodes in a verifiable way
 • Server selection in routing may be abused
 • Cross-check routing tables using random queries
 • Avoid single points of responsibility
References…
1. Error and Attack Tolerance of Complex Networks, Reka Albert,
   Hawoong Jeong et al.
2. Peer Pressure: Distributed Recovery from Attacks in Peer-to-Peer
   Systems, Pedram Keyani, Brian Larson et al.
3. Security Considerations for Peer-to-Peer Distributed Hash Tables,
   Emil Sit, Robert Morris
4. The Sybil Attack, John R. Douceur
FIN
 Questions, comments, concerns?