Eclipse Attacks on Overlay Networks: Threats and Defenses. By Atul Singh, et al. Presented by Samuel Petreski, March 31, 2009.


Outline
 Eclipse Attack Description
 Existing Defenses
 New Defenses
 Effectiveness Evaluation
 Conclusion
 Resources

Eclipse Attack Description
 Overlay network
  › Decentralized graph of nodes on the edge of the network
  › Each node maintains a neighbor set
  › Typically limited control over membership
 Eclipse attack
  › Malicious nodes conspire to hijack and dominate the neighbor sets of correct nodes
  › Eclipse correct nodes from each other
  › Control data traffic through routing

Eclipse Attack Description (cont.)
 Unstructured overlays
  › Few constraints on neighbor selection
  › Easy to bias neighbor discovery
     Random walks
     Learning from other neighbors
 Structured overlays
  › Constrained routing table to bound the number of hops
  › Typically, long-distance hops are less restrictive and more susceptible

Eclipse Attack Description (cont.)
 Eclipse attack
  › Can be performed together with a Sybil attack
  › A Sybil attack is not required for an Eclipse attack
 In Gnutella, malicious nodes can advertise only other malicious nodes during neighbor discovery

Existing Defenses
 Central authority (BitTorrent tracker)
 Constrained Routing Tables (CRT)
  › Certified, random, unique ID for every node
  › Neighbors are chosen as the nodes with IDs closest to a specified point
  › Lacks proximity optimizations
 Proximity constraints
  › Select the node with the lowest delay that still satisfies the constraints
  › Attacker may be able to manipulate this

New Defenses
 Degree bounds
  › Eclipse attackers will have a high in-degree in the overlay
  › Every other node has an average in-degree
 Enforcing degree bounds
  › Use a centralized membership service
  › Distributed auditing of neighboring nodes by checking backpointer lists

New Defenses (cont.)
 Checking backpointer lists
  › Periodically, a node x challenges each of its neighbors for its backpointer list
  › If the list is too large or does not contain x, the audit fails and the node is removed
  › Periodically, node x also checks its own backpointer list to make sure each node on the list has a correct neighbor set / routing table size

New Defenses (cont.)
 Checking backpointer lists (cont.)
  › Node x includes a random nonce in the challenge to ensure replies are fresh and authentic
  › The auditee node sends back the nonce and digitally signs the response
  › Node x checks the signature and the nonce before accepting the reply
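The challenge/response audit described on this slide and the previous one, as an added Python example (not the paper's MSPastry code): auditor x issues a nonce, auditee z returns its backpointer list bound to that nonce, and x applies the slides' checks (signature, nonce freshness, list size against the bound, x's own presence). The node names and backpointer lists are constructed, the in-degree bound of 16 is taken from the evaluation slides, and an HMAC under a per-node key stands in for the digital signature so the example runs with the standard library only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# In-degree bound per row, taken from the evaluation slides (16 entries per row).
IN_DEGREE_BOUND = 16


@dataclass
class Node:
    nid: str
    key: bytes                                        # stands in for the certified signing key (assumption)
    backpointers: set = field(default_factory=set)    # nodes that list this node as a neighbor
    issued_nonces: set = field(default_factory=set)   # nonces for which a reply was already accepted


def sign(key: bytes, payload: bytes) -> str:
    """HMAC-SHA256 stands in for the digital signature on the slide (stdlib-only assumption)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def encode(nonce: str, nid: str, backpointers) -> bytes:
    """Canonical bytes covered by the signature: nonce, responder id, sorted list."""
    return f"{nonce}|{nid}|{','.join(sorted(backpointers))}".encode()


def challenge() -> str:
    """Auditor x generates a fresh random nonce for each challenge."""
    return secrets.token_hex(8)


def respond(z: Node, nonce: str, reported=None) -> dict:
    """Auditee z echoes the nonce and signs its backpointer list. `reported` lets the
    constructed scenario below model a node that reports something other than its true list."""
    entries = set(z.backpointers if reported is None else reported)
    return {"nid": z.nid, "nonce": nonce, "backpointers": sorted(entries),
            "sig": sign(z.key, encode(nonce, z.nid, entries))}


def audit(x: Node, z_key: bytes, nonce: str, reply: dict, bound: int = IN_DEGREE_BOUND) -> str:
    """The checks the slides assign to auditor x: signature, nonce freshness,
    list size against the bound, and x's own presence in the list."""
    expected = sign(z_key, encode(reply["nonce"], reply["nid"], reply["backpointers"]))
    if not hmac.compare_digest(expected, reply["sig"]):
        return "fail:bad-signature"
    if reply["nonce"] != nonce or nonce in x.issued_nonces:
        return "fail:stale-nonce"
    x.issued_nonces.add(nonce)            # each nonce accepts at most one reply
    if len(reply["backpointers"]) > bound:
        return "fail:in-degree-over-bound"
    if x.nid not in reply["backpointers"]:
        return "fail:auditor-missing"
    return "pass"


def run_scenario() -> dict:
    """Constructed scenario: x audits neighbor z under five different replies."""
    x = Node("x", b"key-x")
    z = Node("z", b"key-z", backpointers={"x", "a", "b"})
    results = {}
    n1 = challenge()
    results["honest"] = audit(x, z.key, n1, respond(z, n1))
    n2 = challenge()                                   # list that omits the auditor
    results["omits_x"] = audit(x, z.key, n2, respond(z, n2, reported={"a", "b"}))
    n3 = challenge()                                   # more in-edges than the bound allows
    crowded = {f"n{i}" for i in range(IN_DEGREE_BOUND)} | {"x"}
    results["over_bound"] = audit(x, z.key, n3, respond(z, n3, reported=crowded))
    results["replay"] = audit(x, z.key, n1, respond(z, n1))   # old nonce presented again
    n4 = challenge()                                   # reply not produced with z's key
    forged = respond(Node("z", b"not-z-key", backpointers={"x"}), n4)
    results["forged"] = audit(x, z.key, n4, forged)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:>10}: {outcome}")
```

The order of the checks matters: the signature is verified before anything in the reply is trusted, and the nonce is consumed before the list is inspected, so a captured reply cannot be presented a second time even if its list would pass.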

New Defenses (cont.)
 Anonymous auditing
  › Use an anonymizer node to perform the audit
  › Example: node x picks a random node y, called the anonymizer, to relay the challenge to node z
     Case 1: z is malicious, y is correct
     Case 2: z is malicious, y is malicious
     Case 3: z is correct, y is correct
     Case 4: z is correct, y is malicious

New Defenses (cont.)
 Anonymization analysis
  › Assume node y is malicious with probability f
  › Probability of a correct node being detected as malicious
  › Probability of a malicious node passing the audit

New Defenses (cont.)
 Marking malicious/correct nodes as suspicious
  › More malicious nodes make it harder to detect them
  › Correct nodes may also be marked as suspicious

New Defenses (cont.)
 Discovery of anonymizer nodes
  › a) Randomly
  › b) The node closest to H(x)
  › c) A random node among the L closest to H(x)
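The three discovery rules on this slide, as an added Python example that is not part of the paper or the slides. The ring size, the hash used for H(x), the value of L and the constructed node ids are assumptions. Rules (b) and (c) make the candidate set a function of x's own certified id rather than of whatever x's current neighbors suggest, which is why the Conclusion slide notes that locating the anonymizer set needs secure routing (CRT).

```python
import hashlib
import random

RING_BITS = 32                 # assumed id-space size for the example
RING_SIZE = 1 << RING_BITS


def anon_point(x: str) -> int:
    """H(x): ring point derived from the auditor's id (SHA-1 with a domain
    separator, truncated to the ring size; the hash choice is an assumption)."""
    digest = hashlib.sha1(b"anonymizer:" + x.encode()).digest()
    return int.from_bytes(digest[:4], "big") % RING_SIZE


def ring_distance(a: int, b: int) -> int:
    """Shortest distance between two ids on the circular id space."""
    d = (a - b) % RING_SIZE
    return min(d, RING_SIZE - d)


def closest_to(ring: dict, target: int, l: int, exclude: str) -> list:
    """The l live nodes closest to target, nearest first (ties broken by id)."""
    ranked = sorted((n for n in ring if n != exclude),
                    key=lambda n: (ring_distance(ring[n], target), ring[n]))
    return ranked[:l]


def pick_anonymizer(strategy: str, ring: dict, x: str, l: int = 8, seed=None) -> str:
    """Choose anonymizer y for auditor x under rule (a), (b) or (c) from the slide.
    `ring` maps node id -> position on the id space (certified, random ids)."""
    rng = random.Random(seed)
    if strategy == "a":                      # (a) uniformly random live node
        return rng.choice(sorted(n for n in ring if n != x))
    candidates = closest_to(ring, anon_point(x), l, exclude=x)
    if strategy == "b":                      # (b) the single node closest to H(x)
        return candidates[0]
    if strategy == "c":                      # (c) a random node among the L closest to H(x)
        return rng.choice(candidates)
    raise ValueError(f"unknown strategy {strategy!r}")


def constructed_ring(n: int, seed: int = 7) -> dict:
    """Constructed overlay: n nodes with random ids on the ring."""
    rng = random.Random(seed)
    return {f"n{i}": rng.randrange(RING_SIZE) for i in range(n)}


if __name__ == "__main__":
    ring = constructed_ring(64)
    for rule in "abc":
        print(rule, pick_anonymizer(rule, ring, "n3", seed=1))
```

Rule (b) is deterministic given the membership, so any node can recompute which y x should have used; rule (c) keeps that verifiability for the candidate set while leaving the final pick unpredictable, which is the trade-off the slide's three options span.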

Effectiveness Evaluation
 Effectiveness evaluation questions
  › How serious are Eclipse attacks on structured overlays?
  › How effective is the existing defense based on PNS against Eclipse attacks?
  › Is degree bounding a more effective defense?
  › What is the impact of degree bounding on the performance of PNS?
  › Is distributed auditing effective and efficient at bounding node degrees?

Effectiveness Evaluation
 Experimental setup
  › MSPastry (b = 4 and l = 16)
  › GT-ITM transit-stub topology of 5050 routers
  › Pairwise latency values measured with the King tool
  › Set f = 0.2
 Malicious nodes
  › Misroute join messages to malicious nodes
  › Supply only malicious nodes as references
  › Have only good nodes in their routing tables (16 per row)

Effectiveness Evaluation
 With PNS turned off (GT-ITM)
  › 70% on a 1000-node overlay, 80% on 5000
  › 90% for the top row on 1000, 100% on 5000

Effectiveness Evaluation
 With PNS turned on (King)
  › As overlay size increases, PNS becomes less effective
  › In the real Internet, a large fraction of nodes lie in a small latency band
  › Easier to hijack the top row of the routing table (less restrictive)
  › Also the most dangerous, because it tends to be the first hop when a node sends its own message

Effectiveness Evaluation
 Effectiveness of degree bounding
 Used an oracle to maintain idealized degree bounding
 Effectiveness decreases with larger overlays and looser in-degree bounds
 Increase of 25% in average delay with degree bounding (8% with the bound increased to 32) due to tighter constraints on neighbor selection
 f = 0.2, t = 1: ft/(1-f) = 0.25
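Where the slide's annotation f = 0.2, t = 1: ft/(1-f) = 0.25 comes from, as an added derivation that is not on the original slides. It uses the slide's f (fraction of malicious nodes) and t (the in-degree bound expressed as a multiple of the average in-degree) and adds N for the number of nodes and d for the neighbor-set size; the average in-degree equals d because every node has out-degree d.

$$(1-f)\,N\,d \qquad \text{entries in the neighbor sets of correct nodes}$$

$$f\,N\,(t\,d) \qquad \text{most entries the malicious nodes can absorb when every in-degree is at most } t d$$

$$\frac{f\,N\,t\,d}{(1-f)\,N\,d} = \frac{f\,t}{1-f} \qquad \text{upper bound on the malicious share of correct nodes' entries}$$

$$f = 0.2,\; t = 1: \quad \frac{0.2 \cdot 1}{1 - 0.2} = 0.25$$

Without the bound, the malicious in-degree is limited only by how many correct nodes the attack can steer, which is why the PNS-off slide reports 70% to 100% rather than 25%.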

Effectiveness Evaluation
 Effectiveness of auditing
  › Neighbor nodes randomly audited every 2 minutes
  › It takes 24 challenges to audit a node
  › 2000-node simulation
  › Churn rate: 0%, 5%, 10%, 15% per hour
  › Target environment is low to moderately high churn
  › When malicious nodes reply, they reply with a random subset that satisfies the bounding limits

Effectiveness Evaluation
 In-degree distribution
  › Before auditing has started, malicious nodes are able to obtain high in-degrees
  › After 10 hours of operation (assuming a static overlay), all nodes had in-degree <= 16

Effectiveness Evaluation
 Reducing the fraction of malicious nodes
  › Auditing starts 1.5 hours into the simulation
  › Correct nodes always enforce an in-degree bound of 16 per row
  › Top-row analysis shows that high churn requires more auditing
 [Figures: Entire Routing Table; Top Row]
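The in-degree experiment on this slide and the previous one, reduced to an added Python simulation that is not the paper's MSPastry setup: correct nodes start with neighbor sets the attack has skewed toward malicious nodes, one auditing pass drops every entry whose target exceeds the in-degree bound of 16 and re-points it at a node with spare capacity, and the malicious share of correct nodes' entries is compared with the bound ft/(1-f) from the degree-bounding slide. The overlay size (500 nodes), the initial hijack rate (0.7, in the range the PNS-off slide reports), uniform replacement, and leaving out malicious nodes' own out-edges are assumptions.

```python
import random
from collections import Counter


def build_overlay(n: int, f: float, d: int, hijack: float, rng: random.Random):
    """Constructed pre-audit overlay. Malicious ids are 0 .. f*n-1. Each correct node
    has d neighbor entries; each entry was steered to a malicious node with probability
    `hijack` (the slides' misrouted joins and malicious-only referrals), otherwise it
    points to a random other correct node. Malicious nodes' own entries are not tracked."""
    malicious = set(range(round(f * n)))
    correct = [i for i in range(n) if i not in malicious]
    neighbors = {}
    for x in correct:
        k = sum(1 for _ in range(d) if rng.random() < hijack)
        bad = rng.sample(sorted(malicious), k)
        good = rng.sample([c for c in correct if c != x], d - k)
        neighbors[x] = set(bad + good)
    return neighbors, malicious


def in_degrees(neighbors: dict) -> Counter:
    """In-degree of every node, i.e. the length of its backpointer list."""
    deg = Counter()
    for entries in neighbors.values():
        deg.update(entries)
    return deg


def malicious_fraction(neighbors: dict, malicious: set) -> float:
    """Share of correct nodes' neighbor entries that point at malicious nodes."""
    total = sum(len(s) for s in neighbors.values())
    bad = sum(len(s & malicious) for s in neighbors.values())
    return bad / total


def enforce_degree_bound(neighbors: dict, n: int, bound: int, rng: random.Random) -> dict:
    """One auditing pass: an entry pointing at a node whose in-degree exceeds the bound
    fails the audit, is dropped, and is replaced by a uniformly chosen node with spare
    capacity. Replacements never push a node over the bound, so after the pass every
    in-degree is <= bound."""
    deg = in_degrees(neighbors)
    for x, entries in neighbors.items():
        for z in sorted(entries):
            if deg[z] > bound:
                entries.discard(z)
                deg[z] -= 1
                pool = [c for c in range(n)
                        if c != x and c not in entries and deg[c] < bound]
                y = rng.choice(pool)
                entries.add(y)
                deg[y] += 1
    return neighbors


def run_experiment(n=500, f=0.2, d=16, t=1, hijack=0.7, seed=1) -> dict:
    """Malicious share of correct nodes' entries before and after enforcement, next to
    the analytic bound ft/(1-f) from the slides (bound = t * average in-degree d)."""
    rng = random.Random(seed)
    neighbors, malicious = build_overlay(n, f, d, hijack, rng)
    before = malicious_fraction(neighbors, malicious)
    enforce_degree_bound(neighbors, n, t * d, rng)
    return {
        "before": before,
        "after": malicious_fraction(neighbors, malicious),
        "max_in_degree": max(in_degrees(neighbors).values()),
        "analytic_bound": f * t / (1 - f),
    }


if __name__ == "__main__":
    print(run_experiment())
```

With f = 0.2 and t = 1 the malicious nodes can hold at most 100 x 16 = 1600 of the 400 x 16 = 6400 correct entries, so the post-audit share cannot exceed 0.25 whatever the starting skew; the simulation starts near 0.7 and lands at or below that bound after a single pass, whereas the slides' distributed, churn-exposed version takes hours of periodic audits to converge.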

Effectiveness Evaluation
 Communication overhead of auditing
  › Total overhead (Pastry overlay with PNS, secure routing, and auditing) is 4.2 msg/node/sec
  › Overhead of auditing at a rate of once per 2 minutes is 2 msg/node/sec
  › Spike is due to every node searching for the anonymizer nodes it will use

Conclusion
 Eclipse attacks are a real threat
  › Possible even in structured overlays or PNS-aware networks
  › Do not require a Sybil attack to be effective
 Bounding the degree of nodes in the network is a simple and effective measure
  › Distributed enforcement using anonymous auditing
  › Lightweight and allows PNS optimization
 Limitations
  › Sensitive to high churn rates
  › High overhead for low application traffic
  › Does not work in all cases
  › Requires secure routing (CRT) for locating the anonymizer set

Questions

Resources
 Atul Singh, et al. Eclipse Attacks on Overlay Networks: Threats and Defenses
 /slides/Eclipse.pdf
 1ig/Eclipse.ppt
 Baptiste Pretre. Attacks on Peer-to-Peer Networks.
 John R. Douceur. The Sybil Attack.