Defeating Vanish with Low-Cost Sybil Attacks

Against Large DHTsWritten By:

Scott Wolchok1 Owen S. Hofmann2 Nadia Heninger3 Edward W. Felten3 J. Alex Halderman1 Christopher J. Rossbach2 Brent Waters2 Emmett Witchel2

Presented By: Xinghuang Leon Xu1 The University of Michigan

2 The University of Texas at Austin 3 Princeton University

2

Outline

1. What is Vanish?

2. Attacking Vanish

3. Costs and performance

4. Countermeasures

5. What went wrong?

3

Vanish

VDO Creation {C, L, N, Threshold}

VDO via Email

K : Random Enc Key

L : Locator Key

Secret Sharing

DHT

VDO {C, L, N, Threshold}

Reconstruction Encryption Key

L : Locator Key

Data = DK (C)

C= EK (Data)

4

Vanish & Vuze

Vuze DHT

Vanish uses the Vuze DHT (Distributed Hash Table)Over 1 million nodes, mostly BitTorrentNodes delete values after 8 hours

5

Vanish and Vuze (2)

Vuze DHT

Key shares placed at random locations in the DHTReplicated to 20 “closest” nodes

M

6

Is Vanish Secure?• Vanish authors anticipated this attack and estimated would need

87,000 Sybils at a cost of $860,000/year……… • Can we do better?

7

Outline

1. What is Vanish?

2. Attacking Vanish

3. Costs and performance

4. Countermeasures

5. What went wrong?

8

DHT Crawling Threat• Threat: attacker might continuously archive all data in the DHT

• Later, query archive to decrypt messages

• Don’t need specific targets when recording

9

Making the Attack PracticalInsight: have 8 hours to observe fragments

Vuze replicates to 20 nearest nodes1. Every 30 minutes2. On join!

10

11

“Hopping” StrategySybils “hop” to new IDs every 3 minutes

160x resource amplification over 8 hours

Practical attack needs only ~2000 concurrent Sybils with hopping

12

Making the Attack PracticalInsight: Vuze client is a notorious resource hog

Only 50 instances fit in 2 GB of RAM!

Can we more efficiently support 2000 Sybils?

13

Optimized Sybil Client• C, lightweight, event-based implementation

• Listen-only (no Vuze routing table!)

• Thousands of Sybils in one ec2 instance

14

Outline

1. What is Vanish?

2. Attacking Vanish

3. Costs and performance

4. Countermeasures

5. What went wrong?

15

Attack Costs?Vanish paper estimate (for 25% recovery at k=45, n=50):• 87,000 Sybils• $860,000/year

What does attacking Vanish really cost?

16

Experiments1. Insert key shares into the DHT2. Run attack from 10 Amazon EC2 instances3. Measure:

DHT coverage = % key shares recoveredKey coverage = % messages decryptedAttack cost = EC2 charges (Sep. 2009)

17

Experimental ResultsCost for >99% Vanish key recovery?

Attack Concurrent Sybils

Key Shares Recovered

Annual Attack Cost*

Hopping (Unvanish)

500 92% $23,500

Hopping + Optimized

Client (ClearView)

2000 99.5% $9,000

18

P(recover VDO) vs P(recover share)

25% p=0.85

90% p=0.93

19

DHT Coverage vs. Attack Size

0%

20%

40%

60%

80%

100%

0 30k 60k 90k 120k 150k 180k 210k 240k 270k

DH

T C

over

age

Effective Sybils

Experiment

Model

Key Recovery vs. Attack Size

0%

20%

40%

60%

80%

100%

0 30k 60k 90k 120k 150k 180k 210k 240k 270k

Key

Rec

over

y

Effective Sybils

7/109/1045/50

25% @ 70k Sybils

99% @ 136k Sybils

$0

$2,000

$4,000

$6,000

$8,000

$10,000

$12,000

$14,000

0% 20% 40% 60% 80% 100%

Ann

ual A

ttack

Cos

t

Key Recovery

7/10

9/10

45/50

Annual Cost vs. Key Recovery

25% @ $5000

90% @ $7000

99% @ $9000

Key-sharingparameters(k/n)

22

Storage$1400/yr for all observed data

$80/yr for potential key shares

23

Outline

1. What is Vanish?

2. Attacking Vanish

3. Costs and performance

4. Countermeasures

5. What went wrong?

24

Increase Key Recovery Threshold?Required coverage increases in n and k/n

Why not raise them? (99/100?)

Reliability: some shares lost due to churnPerformance: pushing shares is slow!

25

Limit Replication?Attack exploits aggressive replication

Less replication might make the attack harder, but how much?

More in a few slides…

26

Sybil Defenses from the Literature?Client puzzles

Limit ports/IP, IPs/subnet, etc.

Social networking

27

Detecting AttackersFind and target IPs with too many clients

Use node enumerator, Peruze

Can detect attack IPs hours after the attack

Detected the Vanish demo

28

Outline

1. What is Vanish?

2. Attacking Vanish

3. Costs and performance

4. Countermeasures

5. What went wrong?

29

Recall Vanish Authors’ AnalysisCost estimates for 25% recovery at 45/50:• 87,000 Sybils• $860,000/year

Extrapolated from 8000-node DHT

Actual cost:- 70,000 Sybils- $5000/year

30

Cost Estimation Issues

Vanish paper extrapolated from 8000-node DHT

Assumed Sybils must run continuously

Assumed attacker uses inefficient Vuze client

31

Cost Not Linear in Recovery

0.0 0.2 0.4 0.6 0.8 1.00.0

0.2

0.4

0.6

0.8

1.0

P recover share

Pre

co

ve

rV

DO

7/109/1045/50

Key

Reco

very

Fra

ction

Key-sharingparameters(k/n)

Coverage Fraction

32

Response to Our WorkSecond report and prototype by Vanish team1

New defenses • Use both Vuze DHT and OpenDHT• Disable replicate-on-join in Vuze• Use less aggressive “threshold replication”

Will these defenses stop real attackers?

33

ConclusionShowed attacks that defeat Vanish 0.1 in practice for $9000/yearVanish team has proposed new defensesFuture work: are new defenses effective?

Our take: building Vanish with DHTs seems risky.

34

Questions?