Disrupting Peer-to-Peer Networks

Sybil & Eclipse Attacks

Lee Brintle
University of Iowa

Many organizations may wish to disrupt some part of a P2P network

Motivations

•Intellectual Property Owners
  Both piracy and legitimate content

•Governments
  Banned content, censorship

•Corporations
  Advertising, reputation, public relations

More subtle actions than just shutting it down

Disruptions

•Missing Results
  Only censor some items

•Degraded Results
  Intentionally provide damaged or slow results

•Delayed Actions
  Function normally until a point in the future

Single entity posing as multiple entities

Sybil Attack

•One attacker with many identities

•Named after character with MPD

•Many real-world examples

John R. Douceur, Microsoft Research

How does a peer know about the trustworthiness of other peers?

Three Sources of Information

•Itself
  Results of protocol interactions

•Other peers
  Trust in a large number of strangers

•External agencies
  Direct or indirect vouching for uniqueness of peers

Weed out duplicates by asking all to perform a task that a single entity cannot

Direct Entity Validation Tests

•Ask all to perform task that one cannot do
  Make the attacker “too busy” to simulate all of them

•Simultaneously validate peers
  The attacker should not be allowed to focus on one

•Limit number of Sybil identities
  Ratio of resources – attacker / weakest legitimate user

Ways to see if a number of peers are sharing resources

Sample Validation Tests

•Storage
  Require each to prove they can store Y GB

•Computation
  Require each to solve a “hard” puzzle

•Communication
  Require each to prove they have X Mb/s bandwidth

Trust a new entity based on the word of an already-verified entity

Vouched-For Entities

•Verified Users May Vouch for Sybils
  Once they gain your trust, invite in other Sybils

•Faulty Verifications are Amplified

•One Sybil Vouches for them All
  Pushes the problem around

Attacking entity has more resources than the average user of the network

Attackers Have Resources

•Lots of Bandwidth

•Lots of Disk Space

•Lots of CPU

•Lots of Identities

Knowing information about a peer beyond the peering protocol

Direct Physical Knowledge

•Explicit
  Signing authorities, well-known users, software authors

•Implicit
  IP address allocation, network locale

•Irrelevant
  Ignore bad results, accept performance loss

Attackers gain disproportionate influence compared to legitimate users

Eclipse Attack

•Fewer attackers

•Disproportionate level of influence

•Attackers eclipse legitimate users

Singh, Ngan, Druschel, Wallach

Constrained routing table networks are difficult to attack – but perform poorly

Structured Networks

•Topology is “fixed” – nodes have constant influence
  The routing is hard-wired based on address

•No flexibility in neighbor selection
  Cannot take advantage of proximity

•Some resistance to Eclipse attacks
  The more structure, the less susceptible

Eclipse attacks target the neighbor peering decision

Unstructured Neighbor Selection

•Neighbors are selected, not assigned
  Each node picks “good” neighbors

•Nodes that look “good” have influence
  If a node is selected more often, gains more influence

•Potentially vulnerable to Eclipse attacks
  Attacking nodes become more influential

Mitigate Eclipse attacks by additional network structure, proximity, or degree bounds

Eclipse Defenses

•Enforce strong structural routing
  Routes are dictated randomly, but performance suffers

•Select neighbors based on proximity
  But... most non-LAN nodes have roughly same delay

•Place a limit on number of degrees
  Degree bounds prevent nodes from being too influential

Detect hostile nodes, so they can be avoided in neighbor selection

Profile of a Hostile Node

•High in-degree
  Must have higher influence than average

•High out-degree
  Tries to consume resources of average nodes

•Extremely effective
  20% of nodes eventually have almost complete control

Avoid peers with large numbers of in-degree links

Enforce In-Degree Bounds

•Refuse to peer with overloaded nodes
  Force each node to have “typical” influence

•Bound based on expected average degree
  Lower bounds more defense, worse performance

•Performance hit is 25% at average degree

Degree bounds mean that less-optimal nodes are selected

Anonymously verify link set contains known nodes

Catch a Lying Node: Audit Links

•Ask each peer for list of in-nodes
  For now, assume peer tells truth

•Drop peer if list is too long
  Do not allow a peer to gain too much influence

•Drop peer if list does not contain us
  If peer returns sub-set of true list, drop peer

Ask someone else to verify the node list

Catch Lying Nodes: Distributed Audit

Random node among the l closest to H(x)

(chart from paper)

•Use random seed point

•Select multiple nodes

•Audits are aggregated

The auditor may be lying too...

Distributed Audit Results

Pass

•Auditor legit, Target legit

•Auditor hostile, Target hostile

•Auditor legit, Target lucky hostile

Fail

•Auditor legit, Target hostile

•Auditor hostile, Target legit

Parameters which impact detection and performance

Distributed Audit Tuning

f: fraction of hostile nodes (.2)
n: number of audits (24) (.2% false ID)
k: number of successful audits (n/2)
r: overload ratio on hostile nodes (1.2)
t: permitted overload ratio (1)
audit period (2 minutes)
churn rate (0%, 5%, 10%, 15%)
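
The two drop rules from the "Audit Links" slide, aggregated over n audits with the n, k and t values listed above, as an added example that is not from the talk or the paper. The expected degree of 16, the node ids and the sample replies are constructed, and k is read here as the minimum number of audits a peer must pass to be kept.

```python
# Added example. n, k and t follow the tuning slide; every other name and all
# sample data are constructed for illustration.
import math

N_AUDITS = 24                # n: number of audits
K_REQUIRED = N_AUDITS // 2   # k = n/2, read here as the minimum passes to keep a peer
T_OVERLOAD = 1.0             # t: permitted overload ratio
EXPECTED_DEGREE = 16         # assumed expected average in-degree
ME = "me"                    # the auditing node's own id

def audit_once(claimed_in_nodes, my_id=ME, t=T_OVERLOAD, degree=EXPECTED_DEGREE):
    """Apply the two link-audit rules to one reply; return (passed, reason)."""
    if claimed_in_nodes is None:          # relay dropped or garbled the reply
        return False, "no reply"
    if len(claimed_in_nodes) > math.floor(t * degree):
        return False, "list too long"
    if my_id not in claimed_in_nodes:
        return False, "we are missing"
    return True, "ok"

def judge_peer(replies, k=K_REQUIRED):
    """Aggregate n audit replies; keep the peer only if at least k passed."""
    reasons = {}
    for reply in replies:
        _, reason = audit_once(reply)
        reasons[reason] = reasons.get(reason, 0) + 1
    passed = reasons.get("ok", 0)
    return ("keep" if passed >= k else "drop"), passed, reasons

def sample_replies():
    """Constructed replies from three targets, 24 anonymous audits each."""
    others = [f"p{i}" for i in range(47)]
    honest_list = [ME] + others[:14]      # 15 in-links, under the bound
    # Honest target, but 5 audits went through a relay that lied or dropped them.
    honest = [None if i % 5 == 0 else honest_list for i in range(N_AUDITS)]
    # Overloaded target that reports its true 20 in-links.
    truthful_overloaded = [[ME] + others[:19]] * N_AUDITS
    # Target with 48 in-links returning a 16-entry slice each time; the audit is
    # anonymous, so it cannot make sure the slice contains the asker.
    full = [ME] + others
    truncating = [full[(i % 3) * 16:(i % 3) * 16 + 16] for i in range(N_AUDITS)]
    return {"honest": honest, "truthful_overloaded": truthful_overloaded,
            "truncating": truncating}

if __name__ == "__main__":
    for name, replies in sample_replies().items():
        print(name, judge_peer(replies))
```

The honest target survives five failed audits because only k of the n need to pass, which is what lets the scheme tolerate auditors that lie.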

Profile before auditing starts

Distributed Audit Results

Without prevention, malicious nodes have great influence

(chart from paper)

Profile during auditing

Distributed Audit Results

f/(1-f)

Auditing is effective in mitigating Eclipse attacks

(chart from paper)

Optimized neighbors with auditing is still faster than non-optimized neighbors

Performance Gain

At t=.2, auditing rate=2 min, churn = 5 min:

4.75 msg/node/min messaging overhead

Yeah, but....

Caveats

“The idea of churn as shelter from route poisoning attacks...”

•Unstructured networks need structured auditing
  BitTorrent can use a distributed tracker, for example

•Does not help super-node networks (KaZaA)
  Asymmetry is part of performance gain

•Still weak against localized attacks
  Can target users on same network