Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reliable Client Accounting for P2P-Infrastructure Hybrids Paarijaat Aditya †, Ming-Chen Zhao ‡, Yin Lin *, Andreas Haeberlen ‡, Peter Druschel †, Bruce.

Published byRogelio Basford Modified over 9 years ago

Similar presentations

Presentation on theme: "Reliable Client Accounting for P2P-Infrastructure Hybrids Paarijaat Aditya †, Ming-Chen Zhao ‡, Yin Lin *, Andreas Haeberlen ‡, Peter Druschel †, Bruce."— Presentation transcript:

1 Reliable Client Accounting for P2P-Infrastructure Hybrids Paarijaat Aditya †, Ming-Chen Zhao ‡, Yin Lin *, Andreas Haeberlen ‡, Peter Druschel †, Bruce Maggs *◊, Bill Wishon ◊ † Max Planck Institute for Software Systems (MPI-SWS) ‡ University of Pennsylvania * Duke University ◊ Akamai Technologies NSDI 2012, San Jose, April 25, 2012

2 Trends in Content Distribution Networks Centralized CDN Clients download from CDN servers, customers pay CDN provider New trend: hybrid or peer assisted distribution Clients download from peers and CDN servers Scalability of P2P + reliability & manageability of a centralized system E.g. Akamai NetSession, Velocix P2P Assisted delivery, … 2 source: velocix.com (TODO) CDN Servers (Infrastructure) Clients Customers – Content providers Paarijaat Aditya, MPI-SWS

3 Hybrid Systems - Challenges Untrusted clients + Infrastructure can’t observe P2P communication What could go wrong? In principle clients may Mishandle content: modify, inject or censor content Affect service quality: delay or abort transfers Misreport P2P transfers 3 Paarijaat Aditya, MPI-SWS

4 What Do CDNs Currently Do Infrastructure provides signed metadata Clients can verify content integrity Infrastructure as fallback Maintain service quality in case of failed transfers 4 Paarijaat Aditya, MPI-SWS

5 What Could Still Go Wrong? Inherent problem: infrastructure can’t observe P2P communication Clients could still misreport CDN may end up reporting downloads that did not happen Clients could still affect service quality 5 I downloaded 1 TB from A & B! ?! A B File X was downloaded 1 billion times! Carried out on Akamai NetSession! CDN Servers (Infrastructure) Clients Customers – Content providers Paarijaat Aditya, MPI-SWS I uploaded 0.1 TB to C C I did not upload anything CDNs need a mechanism to reliably account for client activity!

6 Periodic progress reports while downloading Akamai NetSession Peer assisted CDN operated by Akamai Used for distributing large files – software installers and videos Client software is bundled with customer specific installer Request file List of clients & signed metadata Download from clients & edge servers Verify with metadata Controller Edge servers Clients running NetSession software Akamai Download completion 6 Accounting logs for customers Paarijaat Aditya, MPI-SWS A B C Expect to hear from C

7 Inflation Attack on NetSession Have an unmodified NetSession client report fake downloads Performed with Akamai’s permission Targeted a dummy customer 7 Day in December 2010 Data downloaded (GB/hr) Load spike Could have been much worse with modified client software! (Obtained from actual accounting logs) Single client can cause significant accounting inaccuracies! Paarijaat Aditya, MPI-SWS

8 Outline Introduction Hybrid CDNs: clients can misreport Need a way to reliably account for client activities Reliable Client Accounting (RCA) Reliably capture client activities Identify misbehaving/suspicious clients Handle misbehavior without affecting service quality Evaluation Related work & Conclusion 8 Paarijaat Aditya, MPI-SWS

9 Types of Attacks Misbehaving client software Unilateral – deviations from the correct protocol Misreport interactions with honest clients Serve bad content to disrupt quality of service Collusion – multiple clients collude to misreport activities Difficult in practice because infrastructure assigns peers Suspicious user behavior Repeatedly downloading content to drive up demand Can be amplified by a Sybil attack Not unique to hybrid systems 9 RCA can detect deterministically Require statistical checks Paarijaat Aditya, MPI-SWS

10 Reliable Client Accounting – Overview 10 CDN Servers (Infrastructure) Clients maintain a tamper evident log of their network activity Logs periodically uploaded to infrastructure and verified Quarantine clients if suspicious A's log A B B's log MM MM Verify client’s actions Paarijaat Aditya, MPI-SWS

11 Reliably Capturing Client Activity 11 Tamper evident logging & log consistency checks [PeerReview, SOSP 2007] Log entries form a hash chain Signed hash (authenticator) is included with every message sent Client commits to its entire event history Log hash chains + authenticators are sufficient to Verify whether all clients report a consistent sequence of message exchange Clients cannot unilaterally report fake downloads M 473: RECV(B, W) 472: RECV(B, Y) 471: SEND(B, X)... 474: SEND(B, M) A B A’s log Paarijaat Aditya, MPI-SWS

12 Reducing Processing Overhead on the CDN Signature verification overhead α number of authenticators Previous implementations Records one authenticator for each message Overhead: O(number of messages sent or received) RCA: cumulative authenticators Records only two authenticators for each remote client Overhead: O(number of communicating client pairs) << O(number of messages) 12 Paarijaat Aditya, MPI-SWS

13 Verifying Client Activity A consistent log might still be implausible Contact clients not assigned by infrastructure Serve bad content Plausibility checking Verify whether the log is consistent with a valid execution of software NetSession protocol can be modeled as a simple state machine Manually identified rules a correct client must obey Verify logs against these rules 13 =? Input Output if ≠ Paarijaat Aditya, MPI-SWS Client is provably incorrect

14 Types of Attacks Misbehaving client software Unilateral – deviations from the correct protocol Misreport interactions with honest clients Serve bad content to disrupt quality of service Collusion – multiple clients collude to misreport activities Difficult in practice because infrastructure assigns peers Suspicious user behavior Repeatedly downloading content to drive up demand Can be amplified by a Sybil attack Not unique to hybrid systems 14 RCA can detect deterministically Require statistical checks Paarijaat Aditya, MPI-SWS

15 Statistical Checks Look for anomalous client behavior Large amount of prior work Assume the availability of correct information RCA provides a sound basis for anomaly detection 15 Flag clients who download more than a threshold Analyze communication patterns to identify colluding clients Paarijaat Aditya, MPI-SWS

16 Handling Malicious/Suspicious Clients Blacklist clients False positives – blacklist an innocent client? Quarantine clients Not allowed to upload content Can still download from the infrastructure Quarantining an innocent client is safe Does not affect service quality of client Slight increase in resource cost to infrastructure Enables aggressive anomaly detectors Tamper evident logging: provides accurate information Quarantining: safe way to handle false positives 16 Paarijaat Aditya, MPI-SWS

17 Outline Introduction Hybrid CDNs: clients can misreport Need a way to reliably account for client activities Reliable Client Accounting (RCA) Reliably capture client activities Identify misbehaving/suspicious clients Handling misbehavior without affect service quality Evaluation Related work & Conclusion 17 Paarijaat Aditya, MPI-SWS

18 Evaluation Implemented a clone of NetSession client & Infrastructure software Experiments performed in a network emulation environment Driven by actual client activity traces of Akamai NetSession for Dec 2010 Experiment: Reproduce clients’ download activity over a month 500 randomly selected clients 1 edge server and 1 control plane server 18 Paarijaat Aditya, MPI-SWS

19 Evaluation - Questions Client’s Perspective Network overhead CPU overhead Log storage CDN’s Perspective Log processing overhead Statistical checks Effectiveness 19 Paarijaat Aditya, MPI-SWS

20 Client’s Perspective Network overhead (in terms of % of actual content downloaded) CPU overhead Maximum additional client CPU usage = 0.5% Log Storage (with daily log uploads) On average: 100 KB/day 20 Avg extra client B/W: 192 KB/day (signatures + log upload) Paarijaat Aditya, MPI-SWS

21 CDN’s Perspective Projections for a large deployment: 100 million clients, downloading 100 PB content/month Log Uploads & Log Processing 0.05 PB/month of logs uploads (0.05% of transferred content) 35 machines required to process these logs For comparison, NetSession as of Dec 2011 has 25 million clients, downloading 0.85 PB/month uses about 10 machines for log processing Effectiveness Tried out various attacks. RCA caught them as expected 21 Paarijaat Aditya, MPI-SWS

22 Related Work Misbehavior in P2P systems Maze [Q. Lian et al., 2007] Empirically study client misbehavior in p2p file sharing systems Dandelion [M. Sirivianos et al., 2007], Antfarm [Peterson et al., 2009] Use cryptographic virtual currency to handle selfish peers  RCA doesn’t aim for fairness and considers more general Byzantine behavior Anomaly detection An intrusion detection model [D. Denning, 1987] BotGrep [S. Nagaraja et al., 2010] Detect BotNets by studying client interactions  RCA enables building complex statistical checks 22 Paarijaat Aditya, MPI-SWS

23 Conclusion Fundamental challenge for P2P-Infrastructure hybrids Infrastructure cannot observe P2P communication Demonstrated an inflation attack on the live Akamai NetSession system Reliable Client Accounting (RCA) Reliably capture client activity Sound basis for anomaly detection Quarantine: safely handle suspicious clients Applied RCA to Akamai NetSession Comprehensive evaluation using actual client traces RCA overhead is reasonable 23 Paarijaat Aditya, MPI-SWS

Download ppt "Reliable Client Accounting for P2P-Infrastructure Hybrids Paarijaat Aditya †, Ming-Chen Zhao ‡, Yin Lin *, Andreas Haeberlen ‡, Peter Druschel †, Bruce."

Similar presentations

Mitigating Routing Misbehavior in Mobile Ad-Hoc Networks Reference: Mitigating Routing Misbehavior in Mobile Ad Hoc Networks, Sergio Marti, T.J. Giuli,

Mitigating Routing Misbehavior in Mobile Ad-Hoc Networks Reference: Mitigating Routing Misbehavior in Mobile Ad Hoc Networks, Sergio Marti, T.J. Giuli,
Accountable systems or how to catch a liar? Jinyang Li (with slides from authors of SUNDR and PeerReview)

Accountable systems or how to catch a liar? Jinyang Li (with slides from authors of SUNDR and PeerReview)
© 2010 Andreas Haeberlen 1 Accountable Virtual Machines OSDI (October 4, 2010) Andreas Haeberlen University of Pennsylvania Paarijaat Aditya Rodrigo Rodrigues.

© 2010 Andreas Haeberlen 1 Accountable Virtual Machines OSDI (October 4, 2010) Andreas Haeberlen University of Pennsylvania Paarijaat Aditya Rodrigo Rodrigues.
Clayton Sullivan PEER-TO-PEER NETWORKS. INTRODUCTION What is a Peer-To-Peer Network A Peer Application Overlay Network Network Architecture and System.

Clayton Sullivan PEER-TO-PEER NETWORKS. INTRODUCTION What is a Peer-To-Peer Network A Peer Application Overlay Network Network Architecture and System.
1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.

1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.
LADIS workshop (Oct 11, 2009) A Case for the Accountable Cloud Andreas Haeberlen MPI-SWS.

LADIS workshop (Oct 11, 2009) A Case for the Accountable Cloud Andreas Haeberlen MPI-SWS.
P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.

P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.
On the Effectiveness of Measurement Reuse for Performance-Based Detouring David Choffnes Fabian Bustamante Fabian Bustamante Northwestern University INFOCOM.

On the Effectiveness of Measurement Reuse for Performance-Based Detouring David Choffnes Fabian Bustamante Fabian Bustamante Northwestern University INFOCOM.
Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.

Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
CS 582 / CMPE 481 Distributed Systems Fault Tolerance.

CS 582 / CMPE 481 Distributed Systems Fault Tolerance.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
CS 268: Active Networks Ion Stoica May 6, 2002 (* Based on David Wheterall presentation from SOSP ’99)

CS 268: Active Networks Ion Stoica May 6, 2002 (* Based on David Wheterall presentation from SOSP ’99)
SRG PeerReview: Practical Accountability for Distributed Systems Andreas Heaberlen, Petr Kouznetsov, and Peter Druschel SOSP’07.

SRG PeerReview: Practical Accountability for Distributed Systems Andreas Heaberlen, Petr Kouznetsov, and Peter Druschel SOSP’07.
An Analysis of Internet Content Delivery Systems Stefan Saroiu, Krishna P. Gommadi, Richard J. Dunn, Steven D. Gribble, and Henry M. Levy Proceedings of.

An Analysis of Internet Content Delivery Systems Stefan Saroiu, Krishna P. Gommadi, Richard J. Dunn, Steven D. Gribble, and Henry M. Levy Proceedings of.
DISTRIBUTED CONSISTENCY MANAGEMENT IN A SINGLE ADDRESS SPACE DISTRIBUTED OPERATING SYSTEM Sombrero.

DISTRIBUTED CONSISTENCY MANAGEMENT IN A SINGLE ADDRESS SPACE DISTRIBUTED OPERATING SYSTEM Sombrero.
NSDI (April 24, 2009) © 2009 Andreas Haeberlen, MPI-SWS 1 NetReview: Detecting when interdomain routing goes wrong Andreas Haeberlen MPI-SWS / Rice Ioannis.

NSDI (April 24, 2009) © 2009 Andreas Haeberlen, MPI-SWS 1 NetReview: Detecting when interdomain routing goes wrong Andreas Haeberlen MPI-SWS / Rice Ioannis.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
CS-550 (M.Soneru): Recovery [SaS] 1 Recovery. CS-550 (M.Soneru): Recovery [SaS] 2 Recovery Computer system recovery: –Restore the system to a normal operational.

CS-550 (M.Soneru): Recovery [SaS] 1 Recovery. CS-550 (M.Soneru): Recovery [SaS] 2 Recovery Computer system recovery: –Restore the system to a normal operational.
© 2006 Andreas Haeberlen, MPI-SWS 1 The Case for Byzantine Fault Detection Andreas Haeberlen MPI-SWS / Rice University Petr Kouznetsov MPI-SWS Peter Druschel.

© 2006 Andreas Haeberlen, MPI-SWS 1 The Case for Byzantine Fault Detection Andreas Haeberlen MPI-SWS / Rice University Petr Kouznetsov MPI-SWS Peter Druschel.

Similar presentations

Ads by Google