Upload
maitland
View
44
Download
0
Tags:
Embed Size (px)
DESCRIPTION
“Defeating Vanish with low-cost sybil attacks against large dhts ”. Privacy Enhancing Technologies (CS898AB) Review by Jason Tomlinson. Scott Wolchok , Owen S. Hofmann, Nadia Heninger , Edward W. Felten , J. Alex Halderman , Christopher J. Rossbach , Brent Waters, and Emmet Witchel. - PowerPoint PPT Presentation
Citation preview
Defeating Vanish with Low-Cost Sybil Attacks
Against Large DHTsWritten By:
Scott Wolchok1 Owen S. Hofmann2 Nadia Heninger3 Edward W. Felten3 J. Alex Halderman1 Christopher J. Rossbach2 Brent Waters2 Emmett Witchel2
Presented By: Xinghuang Leon Xu1 The University of Michigan
2 The University of Texas at Austin 3 Princeton University
2
Outline
1. What is Vanish?
2. Attacking Vanish
3. Costs and performance
4. Countermeasures
5. What went wrong?
3
Vanish
VDO Creation {C, L, N, Threshold}
VDO via Email
K : Random Enc Key
L : Locator Key
Secret Sharing
DHT
VDO {C, L, N, Threshold}
Reconstruction Encryption Key
L : Locator Key
Data = DK (C)
C= EK (Data)
4
Vanish & Vuze
Vuze DHT
Vanish uses the Vuze DHT (Distributed Hash Table)Over 1 million nodes, mostly BitTorrentNodes delete values after 8 hours
5
Vanish and Vuze (2)
Vuze DHT
Key shares placed at random locations in the DHTReplicated to 20 “closest” nodes
M
6
Is Vanish Secure?• Vanish authors anticipated this attack and estimated would need
87,000 Sybils at a cost of $860,000/year……… • Can we do better?
7
Outline
1. What is Vanish?
2. Attacking Vanish
3. Costs and performance
4. Countermeasures
5. What went wrong?
8
DHT Crawling Threat• Threat: attacker might continuously archive all data in the DHT
• Later, query archive to decrypt messages
• Don’t need specific targets when recording
9
Making the Attack PracticalInsight: have 8 hours to observe fragments
Vuze replicates to 20 nearest nodes1. Every 30 minutes2. On join!
10
11
“Hopping” StrategySybils “hop” to new IDs every 3 minutes
160x resource amplification over 8 hours
Practical attack needs only ~2000 concurrent Sybils with hopping
12
Making the Attack PracticalInsight: Vuze client is a notorious resource hog
Only 50 instances fit in 2 GB of RAM!
Can we more efficiently support 2000 Sybils?
13
Optimized Sybil Client• C, lightweight, event-based implementation
• Listen-only (no Vuze routing table!)
• Thousands of Sybils in one ec2 instance
14
Outline
1. What is Vanish?
2. Attacking Vanish
3. Costs and performance
4. Countermeasures
5. What went wrong?
15
Attack Costs?Vanish paper estimate (for 25% recovery at k=45, n=50):• 87,000 Sybils• $860,000/year
What does attacking Vanish really cost?
16
Experiments1. Insert key shares into the DHT2. Run attack from 10 Amazon EC2 instances3. Measure:
DHT coverage = % key shares recoveredKey coverage = % messages decryptedAttack cost = EC2 charges (Sep. 2009)
17
Experimental ResultsCost for >99% Vanish key recovery?
Attack Concurrent Sybils
Key Shares Recovered
Annual Attack Cost*
Hopping (Unvanish)
500 92% $23,500
Hopping + Optimized
Client (ClearView)
2000 99.5% $9,000
18
P(recover VDO) vs P(recover share)
25% p=0.85
90% p=0.93
19
DHT Coverage vs. Attack Size
0%
20%
40%
60%
80%
100%
0 30k 60k 90k 120k 150k 180k 210k 240k 270k
DH
T C
over
age
Effective Sybils
Experiment
Model
Key Recovery vs. Attack Size
0%
20%
40%
60%
80%
100%
0 30k 60k 90k 120k 150k 180k 210k 240k 270k
Key
Rec
over
y
Effective Sybils
7/109/1045/50
25% @ 70k Sybils
99% @ 136k Sybils
$0
$2,000
$4,000
$6,000
$8,000
$10,000
$12,000
$14,000
0% 20% 40% 60% 80% 100%
Ann
ual A
ttack
Cos
t
Key Recovery
7/10
9/10
45/50
Annual Cost vs. Key Recovery
25% @ $5000
90% @ $7000
99% @ $9000
Key-sharingparameters(k/n)
22
Storage$1400/yr for all observed data
$80/yr for potential key shares
23
Outline
1. What is Vanish?
2. Attacking Vanish
3. Costs and performance
4. Countermeasures
5. What went wrong?
24
Increase Key Recovery Threshold?Required coverage increases in n and k/n
Why not raise them? (99/100?)
Reliability: some shares lost due to churnPerformance: pushing shares is slow!
25
Limit Replication?Attack exploits aggressive replication
Less replication might make the attack harder, but how much?
More in a few slides…
26
Sybil Defenses from the Literature?Client puzzles
Limit ports/IP, IPs/subnet, etc.
Social networking
27
Detecting AttackersFind and target IPs with too many clients
Use node enumerator, Peruze
Can detect attack IPs hours after the attack
Detected the Vanish demo
28
Outline
1. What is Vanish?
2. Attacking Vanish
3. Costs and performance
4. Countermeasures
5. What went wrong?
29
Recall Vanish Authors’ AnalysisCost estimates for 25% recovery at 45/50:• 87,000 Sybils• $860,000/year
Extrapolated from 8000-node DHT
Actual cost:- 70,000 Sybils- $5000/year
30
Cost Estimation Issues
Vanish paper extrapolated from 8000-node DHT
Assumed Sybils must run continuously
Assumed attacker uses inefficient Vuze client
31
Cost Not Linear in Recovery
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
P recover share
Pre
co
ve
rV
DO
7/109/1045/50
Key
Reco
very
Fra
ction
Key-sharingparameters(k/n)
Coverage Fraction
32
Response to Our WorkSecond report and prototype by Vanish team1
New defenses • Use both Vuze DHT and OpenDHT• Disable replicate-on-join in Vuze• Use less aggressive “threshold replication”
Will these defenses stop real attackers?
33
ConclusionShowed attacks that defeat Vanish 0.1 in practice for $9000/yearVanish team has proposed new defensesFuture work: are new defenses effective?
Our take: building Vanish with DHTs seems risky.
34
Questions?