The Index Poisoning Attack in P2P File Sharing Systems

1. The Index Poisoning Attack in P2P File Sharing Systems Keith W. Ross Polytechnic University

2. Jian Liang Naoum Naoumov Joint work with:

3. Internet Traffic CF: CacheLogic

4. File Distribution Systems: 2005

5. Attacks on P2P: Decoying Two types: • File corruption: pollution • Index poisoning Investigated in two networks: • FastTrack/Kazaa • Unstructured P2P network • Overnet • Structured (DHT) P2P network • Part of eDonkey

6. File Pollution original content polluted content pollution company

7. File Pollution pollution server pollution company file sharing network pollution server pollution server pollution server

8. File Pollution Unsuspecting users spread pollution !

9. File Pollution Unsuspecting users spread pollution ! Yuck

10. Index Poisoning index titlelocationbigparty 123.12.7.98smallfun 23.123.78.6heyhey 234.8.89.20 23.123.78.6 123.12.7.98 file sharing network 234.8.89.20

11. Index Poisoning index titlelocationbigparty 123.12.7.98smallfun 23.123.78.6heyhey 234.8.89.20 index titlelocationbigparty 123.12.7.98smallfun 23.123.78.6heyhey 234.8.89.20bighit 111.22.22.22 23.123.78.6 123.12.7.98 234.8.89.20 111.22.22.22

14. Overnet: DHT • (version_id, location) stored in nodes with ids close to version_id • (hash_title, version_id) stored in nodes with ids close to hash_title • First search hash_title, get version_id and metada • Then search version_id, get location

15. Overnet 0001 0011 1111 0100 Publish Query 1100 0101 Download 1010 1000

16. FastTrack Overlay ON = ordinary node SN = super node SN ON ON ON Each SN maintains a local index

17. FastTrack Query ON = ordinary node SN = super node SN ON ON ON

18. FastTrack Download ON = ordinary node SN = super node HTTP request for hash value SN ON ON ON

19. FastTrack Download ON = ordinary node SN = super node P2P file transfer SN ON ON ON

20. Attacks: How Effective? • For a given title, what fraction of the “copies” are • Clean ? • Poisoned? • Polluted? • Brute-force approach: • attempt download all versions • For those versions that download, listen/watch each one • How do we determine pollution levels without downloading?

21. Titles, versions, hashes & copies • The title is the title of song/movie/software • A given title can have thousands of versions • Each version has its own hash • Each version can have thousands of copies • A title can also have non-existent versions, each identified by a hash

22. Definition of Pollution and Poisoning Levels • (t, t+ Δ): investigation interval • V: set of all versions of title T • V1, V2, V3: sets of poisoned, polluted, clean versions • Cv: number of advertised copies of version v

23. How to Estimate? • Need Cv, vєV • Need V1, V2, V3 • Don’t want to download and listen to files! Solution: • Harvest Cv, vєV, and copy locations • Overnet: Insert node, receive publish msg’s • FastTrack: Crawl • Heuristic for V1, V2, V3

24. Copies at Users FastTrack Overnet

25. Identify heavy and light publishers Hh = set of hashes from heavy publishers Hl = set of hashes from light publishers Heuristic polluted versions Hh Hl clean versions poisonedversions

26. Heuristic: More Heuristic is accurate & does not involve any downloading!

27. FastTrack Versions

28. FastTrack Copies

29. Overnet Copies

30. Blacklisting • Assign reputations to /n subnets • Bad reputation to subnets with large number of advertised copies of any title • Obtain reputations locally; share with distributed algorithm • Locally blacklist /n subnets with bad reputations

31. Blacklisting: More

32. The Inverse Attack • Attacks on P2P systems: • But can also exploit P2P sytems for DDoS attacks against innocent host:

33. Summary&Thank You!