65 research outputs found
Security Considerations for Peer-to-Peer Distributed Hash Tables
Recent peer-to-peer research has focused on providing efficient hash lookup systems that can be used to build more complex systems. These systems have good properties when their algorithms are executed correctly but have not generally considered how to handle misbehaving nodes. This paper looks at what sorts of security problems are inherent in large peerto -peer systems based on distributed hash lookup systems. We examine the types of problems that such systems might face, drawing examples from existing systems, and propose some design principles for detecting and preventing these problems
Symmetric Replication for Structured Peer-to-Peer Systems
Structured peer-to-peer systems rely on replication as a basic means to provide fault-tolerance in presence of high churn. Most select replicas using either multiple hash functions, successor-lists, or leaf-sets. We show that all three alternatives have limitations. We present and provide full algorithmic speciÂŻcation for a generic replication scheme called symmetric replication which only needs O(1) message for every join and leave operation to maintain any replication degree. The scheme is applicable to all existing structured peer-to-peer systems, and can be implemented on-top of any DHT. The scheme has been implemented in our DKS system, and is used to do load-balancing, end-to-end fault-tolerance, and to increase the security by using distributed voting. We outline an extension to the scheme, implemented in DKS, which adds routing proximity to reduce latencies. The scheme is particularly suitable for use with erasure codes, as it can be used to fetch a random subset of
the replicas for decoding
ModĂ©lisation et Ăvaluation des Attaques CiblĂ©es dans un Overlay StructurĂ©
Session SĂ©curitĂ© RĂ©seauInternational audienceDans cet article, nous nous intĂ©ressons aux attaques ciblĂ©es dans le cadre des systĂšmes pair-Ă -pair large Ă©chelle. Ces attaques ont pour but d'affaiblir les nĆuds ciblĂ©s de maniĂšre Ă diminuer leur capacitĂ© Ă fournir ou Ă utiliser des services de l'overlay. Pour se prĂ©munir de telles attaques, nous tirons parti du clustering de l'overlay sous-jacent. Cela permet de mettre en place un systĂšme de churn induit prĂ©servant la rĂ©partition alĂ©atoire des identifiants des nĆuds dans l'overlay et ainsi rendre impossible toute prĂ©diction de l'adversaire quant Ă celle-ci. Nous montrons qu'en randomisant lĂ©gĂšrement les opĂ©rations Ă©lĂ©mentaires de l'overlay, ainsi qu'en introduisant des temps de sĂ©jour adaptĂ©s, l'effet de ces attaques ciblĂ©es est sensiblement amoindri, et la propagation des effets de l'attaque Ă l'ensemble du systĂšme est Ă©vitĂ©e
Statistical Basics of a Reliable World Wide Web Peer to Peer Storage System
Peer-to-peer networks are highly distributed and unreliable networks. Peers log in and off the network at their own needs without any overall plan. In the real peer-to-peer case there are no central nodes planning the resources of the network or having an overview about the state of the network. The paper on hand describes and mathematically analyzes a storage algorithm allowing information to be stored within the network without the originator of the information needs to stay online. Information is optimally âblurredâ within the network meaning that the information is reconstructable with a high probability and a long time interval, but stored as least redundant as possible. The main focus is to analyze the mathematical and statistical properties of the presented peer-to-peer storage algorithm. Technical procedures are described at a high level and need further improvement. Thus, the paper on hand is primarily purely statistically peer-to-peer theory at this stage of research
Privacy preservation using spherical chord
Structured overlay networks are primarily used in data storage and data lookup, but they are vulnerable against many kinds of attacks. Within the realm of security, overlay networks have demonstrated applicability in providing privacy, availability, integrity, along with scalability. The thesis first analyses the Chord and the SALSA protocols which are organized in structured overlays to provide data with a certain degree of privacy, and then defines a new protocol called Spherical Chord which provides data lookup with privacy, while also being scalable, and addresses critical existing weaknesses in Chord and SALSA protocols. Spherical Chord is a variant of the Chord, and utilizes the concept of distributed hash table (DHT). Chord sends packets uni-directionally over a virtual id space in the overlay. While this feature provides lower latencies, it can be used by attackers to misroute and drop packets. Spherical Chord protocol introduces additional connections in the structured overlay and increases the path length and the number of paths for sending messages, hence making it more resilient to routing attacks. A new protocol focusing for constructing the Spherical Chord, followed by a new lookup protocol is defined in this thesis. The protocols are analyzed and it is demonstrated using both theoretical analysis and simulations that improved path availability helps in maintaining privacy, while also limiting the impact of routing attacks. --Abstract, page iii
Detection and mitigation of the eclipse attack in chord overlays
Distributed hash table-based overlays are widely used to support efficient information
routing and storage in structured peer-to-peer networks, but they are also subject to numerous
attacks aimed at disrupting their correct functioning. In this paper, we analyse the impact of the
eclipse attack on a chord-based overlay in terms of number of key lookups intercepted by a
collusion of malicious nodes. We propose a detection algorithm for the individuation of ongoing
attacks to the chord overlay, relying on features that can be independently estimated by each
network peer, which are given as input to a C4.5-based binary classifier. Moreover, we propose
some modifications to the chord routing protocol in order to mitigate the effects of such attacks.
The countermeasures introduce a limited traffic overhead and can operate either in a distributed
fashion or assuming the presence of a centralised trusted entity. Numerical results show the
effectiveness of the proposed mitigation techniques
AnKLe: Detecting Attacks in Large Scale Systems via Information Divergence
In this paper, we consider the setting of large scale distributed systems, in which each node needs to quickly process a huge amount of data received in the form of a stream that may have been tampered with by an adversary. In this situation, a fundamental problem is how to detect and quantify the amount of work performed by the adversary. To address this issue, we propose AnKLe (for Attack-tolerant eNhanced Kullback-Leibler divergence Estimator), a novel algorithm for estimating the KL divergence of an observed stream compared to the expected one. AnKLe combines sampling techniques and information-theoretic methods. It is very efficient, both in terms of space and time complexities, and requires only a single pass over the data stream. Experimental results show that the estimation provided by AnKLe remains accurate even for different adversarial settings for which the quality of other methods dramatically decreases
X-Vine: Secure and Pseudonymous Routing Using Social Networks
Distributed hash tables suffer from several security and privacy
vulnerabilities, including the problem of Sybil attacks. Existing social
network-based solutions to mitigate the Sybil attacks in DHT routing have a
high state requirement and do not provide an adequate level of privacy. For
instance, such techniques require a user to reveal their social network
contacts. We design X-Vine, a protection mechanism for distributed hash tables
that operates entirely by communicating over social network links. As with
traditional peer-to-peer systems, X-Vine provides robustness, scalability, and
a platform for innovation. The use of social network links for communication
helps protect participant privacy and adds a new dimension of trust absent from
previous designs. X-Vine is resilient to denial of service via Sybil attacks,
and in fact is the first Sybil defense that requires only a logarithmic amount
of state per node, making it suitable for large-scale and dynamic settings.
X-Vine also helps protect the privacy of users social network contacts and
keeps their IP addresses hidden from those outside of their social circle,
providing a basis for pseudonymous communication. We first evaluate our design
with analysis and simulations, using several real world large-scale social
networking topologies. We show that the constraints of X-Vine allow the
insertion of only a logarithmic number of Sybil identities per attack edge; we
show this mitigates the impact of malicious attacks while not affecting the
performance of honest nodes. Moreover, our algorithms are efficient, maintain
low stretch, and avoid hot spots in the network. We validate our design with a
PlanetLab implementation and a Facebook plugin.Comment: 15 page
- âŠ