
Eclipse Attacks on Overlay Networks: Threats and Defenses


Presentation Transcript


  1. Eclipse Attacks on Overlay Networks: Threats and Defenses • By Atul Singh, et al. • Presented by Samuel Petreski • March 31, 2009

  2. Outline • Eclipse Attack Description • Existing Defenses • New Defenses • Effectiveness Evaluation • Conclusion • Resources

  3. Eclipse Attack Description • Overlay network • Decentralized graph of nodes on edge of network • Each node maintains a neighbor set • Typically limited control over membership • Eclipse Attack • Malicious nodes conspire to hijack and dominate the neighbor set of correct nodes • Eclipse correct nodes from each other • Control data traffic through routing

  4. Eclipse Attack Description (cont.) • Unstructured Overlays • Few constraints on neighbor selection • Easy to bias neighbor discovery • Random walks • Learning from other neighbors • Structured Overlays • Constrained routing table to bound number of hops • Typically, long-distance hops are less restrictive and more susceptible

  5. Eclipse Attack Description (cont.) • Eclipse Attack • Can perform an Eclipse attack with a Sybil attack • A Sybil attack is not required for an Eclipse attack • In Gnutella, malicious nodes can only advertise other malicious nodes during neighbor discovery

  6. Existing Defenses • Central Authority (BitTorrent tracker) • Constrained Routing Tables (CRT) • Certified, random, unique ID for every node • Neighbors are the nodes with IDs closest to a specified point • Lacks proximity optimizations • Proximity Constraints • Select the node with the lowest delay (that still satisfies the constraints) • Attacker may be able to manipulate this

  7. New Defenses • Degree Bounds • Eclipse attackers will have a high in-degree in the overlay • Every other node has an average in-degree • Enforcing Degree Bounds • Use centralized membership service • Distributed auditing of neighboring nodes by checking backpointer lists

  8. New Defenses (cont.) • Checking backpointer lists • Periodically, a node x challenges each of its neighbors for its backpointer list • If the list is too large or does not contain x, the audit fails and the node is removed • Periodically, a node x also checks its backpointer list to make sure each node on the list has a correct neighbor set/routing table size

  9. New Defenses (cont.) • Checking backpointer lists (cont.) • Node x includes a random nonce in the challenge to ensure replies are fresh and authentic • The auditee node sends back the nonce and digitally signs the response • Node x checks the signature and the nonce before accepting the reply
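
The backpointer-list audit from slides 8 and 9, as an added example (not code from the presentation or the paper). HMAC-SHA256 stands in for the auditee's digital signature, and the node ids, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

IN_DEGREE_BOUND = 16  # per-row bound used in the evaluation slides

def sign(key, payload):
    # Assumption: HMAC-SHA256 stands in for the auditee's digital signature;
    # a real overlay would verify against the node's certified public key.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_challenge():
    return secrets.token_hex(16)  # fresh random nonce per audit

def answer_challenge(key, nonce, backpointers):
    # Auditee echoes the nonce and signs nonce + list together.
    body = json.dumps({"nonce": nonce, "backpointers": sorted(backpointers)})
    return {"body": body, "sig": sign(key, body.encode())}

def audit_reply(auditor_id, key, nonce, reply, bound=IN_DEGREE_BOUND):
    # Signature first, so nothing unauthenticated is parsed.
    if not hmac.compare_digest(sign(key, reply["body"].encode()), reply["sig"]):
        return "bad-signature"
    body = json.loads(reply["body"])
    if body["nonce"] != nonce:
        return "stale-nonce"          # replayed or mismatched reply
    if len(body["backpointers"]) > bound:
        return "list-too-large"       # in-degree above the bound
    if auditor_id not in body["backpointers"]:
        return "auditor-missing"      # x points at z, but z does not list x
    return "pass"

def demo():
    # Constructed sample data: node ids and key are hypothetical.
    key, x = b"constructed-key-for-node-z", "node-x"
    nonce = make_challenge()
    ok = answer_challenge(key, nonce, ["node-x", "node-a", "node-b"])
    big = answer_challenge(key, nonce, [x] + ["n%d" % i for i in range(20)])
    hidden = answer_challenge(key, nonce, ["node-a", "node-b"])
    forged = dict(ok, body=ok["body"].replace("node-a", "node-q"))
    return {
        "honest": audit_reply(x, key, nonce, ok),
        "replayed": audit_reply(x, key, make_challenge(), ok),
        "oversized": audit_reply(x, key, nonce, big),
        "omits_x": audit_reply(x, key, nonce, hidden),
        "tampered": audit_reply(x, key, nonce, forged),
    }
```

The "omits_x" case is the one an auditee can only avoid if it knows who is asking, which is the reason the later slides route the challenge through an anonymizer node.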

  10. New Defenses (cont.) • Anonymous Auditing • Use an anonymizer node to perform the audit via • Ex: Node x picks a random node y, called anonymizer, to relay the challenge to node z • Case 1: z is malicious, y is correct • Case 2: z is malicious, y is malicious • Case 3: z is correct, y is correct • Case 4: z is correct, y is malicious

  11. New Defenses (cont.) • Anonymization Analysis • Assume node y is malicious with probability f • Probability of a correct node being detected as malicious • Probability of a malicious node passing the audit

  12. New Defenses (cont.) • Marking Malicious/Correct Suspicious • More malicious nodes make it harder to detect them • Correct nodes may also be marked as suspicious

  13. New Defenses (cont.) • Discovery of Anonymizer Nodes • a) randomly • b) Node closest to H(x) • c) Random node among the L closest to H(x)

  14. Effectiveness Evaluation • Effectiveness Evaluation Questions • How serious are Eclipse attacks on structured overlays? • How effective is the existing defense based on PNS against Eclipse attacks? • Is degree bounding a more effective defense? • What is the impact of degree bounding on the performance of PNS? • Is distributed auditing effective and efficient at bounding node degrees?

  15. Effectiveness Evaluation • Experimental Setup • MSPastry (b = 4 and l = 16) • GT-ITM transit-stub topology of 5050 routers • Measure pairwise latency values from the King tool • Set f = 0.2 • Malicious Nodes • Misroute join messages to malicious nodes • Supply only malicious nodes as references • Have only good nodes in routing table (16 per row)

  16. Effectiveness Evaluation • With PNS turned off (GT-ITM) • 70% on 1000-node overlay, 80% on 5000 • 90% for top row on 1000, 100% on 5000

  17. Effectiveness Evaluation • With PNS turned on (King) • As overlay size increases, PNS becomes less effective • In the real Internet, a large fraction of nodes lie in a small latency band • Easier to hijack the top row of the routing table (less restrictive) • Also the most dangerous, because it tends to be the first hop when a node sends its own messages

  18. Effectiveness Evaluation • Effectiveness of Degree Bounding • Used oracle to maintain idealized degree-bounding • Effectiveness decreases with larger overlays and looser in-degree bounds • Increase of 25% in average delay with degree-bounding (8% with bound increased to 32) due to tighter constraints on neighbor selection • f = 0.2, t = 1: ft/(1-f) = 0.25

  19. Effectiveness Evaluation • Effectiveness of Auditing • Neighbor nodes randomly audited every 2 minutes • It takes 24 challenges to audit a node • 2000 node simulation • Churn rate: 0%, 5%, 10%, 15% per hour • Target environment is low to moderately high churn • When malicious nodes reply, they reply with a random subset that follows the bounding limits

  20. Effectiveness Evaluation • In-Degree Distribution • Before auditing has started, malicious nodes are able to obtain high in-degrees • After 10 hours of operation (assuming static), all nodes had in-degree <= 16

  21. Effectiveness Evaluation • Reducing Fraction of Malicious Nodes • Auditing starts 1.5 hours into simulation • Correct nodes always enforce in-degree bound of 16 per row • Top Row Analysis shows that high churn requires more auditing • [Figure panels: Entire Routing Table; Top Row]

  22. Effectiveness Evaluation • Communication Overhead of Auditing • Overhead includes everything (Pastry overlay w/ PNS, secured routing, and auditing) and is 4.2 msg/node/sec • Overhead of auditing at a rate of once per 2 mins is 2 msg/node/sec • Spike is due to every node searching for the anonymizer nodes it will use

  23. Effectiveness Evaluation • Effectiveness Evaluation Questions • How serious are Eclipse attacks on structured overlays? • How effective is the existing defense based on PNS against Eclipse attacks? • Is degree bounding a more effective defense? • What is the impact of degree bounding on the performance of PNS? • Is distributed auditing effective and efficient at bounding node degrees?

  24. Conclusion • Eclipse attacks are a real threat • Possible even in structured overlays or PNS-aware networks • Don't require a Sybil attack to be effective • Bounding the degree of nodes in the network is a simple and effective measure • Distributed enforcement using anonymous auditing • Lightweight and allows PNS optimization • Limitations • Sensitive to high churn rates • High overhead for low application traffic • Doesn't work in all cases • Requires secure routing (CRT) for locating anonymizer set

  25. Questions

  26. Resources • Atul Singh, et al. Eclipse Attacks on Overlay Networks: Threats and Defenses • http://cs.unc.edu/~fabian/courses/CS600.624/slides/Eclipse.pdf • http://www.cs.uiuc.edu/class/sp06/cs591ig/Eclipse.ppt • Baptiste Pretre. Attacks on Peer-to-Peer Networks. • John R. Douceur. The Sybil Attack.
