26
Eclipse Attacks on Overlay Networks: Threats and Defenses By Atul Singh, et. al Presented by Samuel Petreski March 31, 2009

Eclipse Attacks on Overlay Networks: Threats and Defenses

  • Upload
    fritz

  • View
    58

  • Download
    1

Embed Size (px)

DESCRIPTION

Eclipse Attacks on Overlay Networks: Threats and Defenses. By Atul Singh, et. al. Outline. Eclipse Attack Description Existing Defenses New Defenses Effectiveness Evaluation Conclusion Resources. Eclipse Attack Description. Overlay network - PowerPoint PPT Presentation

Citation preview

Page 1: Eclipse Attacks on Overlay Networks: Threats and Defenses

Eclipse Attacks on Overlay Networks: Threats and Defenses

By Atul Singh, et. al

Presented by Samuel Petreski

March 31, 2009

Page 2: Eclipse Attacks on Overlay Networks: Threats and Defenses

Eclipse Attack Description Existing Defenses New Defenses Effectiveness Evaluation Conclusion Resources

Outline

Page 3: Eclipse Attacks on Overlay Networks: Threats and Defenses

Overlay network› Decentralized graph of nodes on edge of

network› Each node maintains a neighbor set› Typically limited control over membership

Eclipse Attack› Malicious nodes conspire to hijack and

dominate the neighbor set of correct nodes› Eclipse correct nodes from each other› Control data traffic through routing

Eclipse Attack Description

Page 4: Eclipse Attacks on Overlay Networks: Threats and Defenses

Unstructured Overlays› Little constraints on neighbor selection› Easy to bias neighbor discovery

Random walks Learning from other neighbors

Structured Overlays› Constrained routing table to bound number

of hops› Typically, long-distance hops are less

restrictive and more susceptible

Eclipse Attack Description (cont.)

Page 5: Eclipse Attacks on Overlay Networks: Threats and Defenses

Eclipse Attack› Can perform an Eclipse attack with a Sybil

attack› A Sybil attack is not required for an Eclipse

attack In Gnutella, malicious nodes can only

advertise other malicious nodes during neighbor discovery

Eclipse Attack Description (cont.)

Page 6: Eclipse Attacks on Overlay Networks: Threats and Defenses

Central Authority (BitTorrent tracker) Constrained Routing Tables (CRT)

› Certified, random-unique ID for every node› Neighbors consist of picking nodes with IDs

closest to a specified point› Lacks proximity optimizations

Proximity Constraints› Select node with lowest delay (but satisfies

constraints)› Attacker may be able to manipulate this

Existing Defenses

Page 7: Eclipse Attacks on Overlay Networks: Threats and Defenses

Degree Bounds› Eclipse attackers will have a high in-degree

in the overlay› Every other node has an average in-degree

Enforcing Degree Bounds› Use centralized membership service› Distributed auditing of neighboring nodes

by checking backpointer lists

New Defenses

Page 8: Eclipse Attacks on Overlay Networks: Threats and Defenses

Checking backpointer lists› Periodically, a node x challenges each of

its neighbors for its backpointer list› If the list is too large or does not contain x,

the auidt fails and the node is removed› Periodically, a node x also checks its

backpointer list to make sure each node on the list has a correct neighbor set/routing table size

New Defenses (cont.)

Page 9: Eclipse Attacks on Overlay Networks: Threats and Defenses

Checking backpointer lists (cont.)› Node x includes a random nonce in the

challenge to ensure replies are fresh and authentic

› The auditee node sends back the nonce and digitally signs the response

› Node x checks the signature and the nonce before accepting the reply

New Defenses (cont.)

Page 10: Eclipse Attacks on Overlay Networks: Threats and Defenses

Anonymous Auditing› Use an anonymizer node to perform the

audit via

› Ex: Node x picks a random node y, called anonymizer, to relay the challenge to node z Case 1: z is malicious, y is correct Case 2: z is malicious, y is malicious Case 3: z is correct, y is correct Case 4: z is correct, y is malicious

New Defenses (cont.)

Page 11: Eclipse Attacks on Overlay Networks: Threats and Defenses

Anonymization Analysis› Assume node y is malicious with

probability f› Probability of a correct node be detected

as malicious

› Probability of a malicious node passing the audit

New Defenses (cont.)

Page 12: Eclipse Attacks on Overlay Networks: Threats and Defenses

Marking Malicious/Correct Suspicious

› More malicious nodes make it harder to detect them

› Correct nodes may also be marked as suspicious

New Defenses (cont.)

Page 13: Eclipse Attacks on Overlay Networks: Threats and Defenses

Discovery of Anonymizer Nodes› a) randomly› b) Node closest to H(x)› c) Random node among the L closest to

H(x)

New Defenses (cont.)

Page 14: Eclipse Attacks on Overlay Networks: Threats and Defenses

Effectiveness Evaluation Questions› How serious are Eclipse attacks on structured

overlays?› How effective is the existing defense based

on PNS against Eclipse attacks?› Is degree bounding a more effective defense?› What is the impact on degree bounding on

the performance of PNS?› Is distributed auditing effective and efficient

at bounding node degrees?

Effectiveness Evaluation

Page 15: Eclipse Attacks on Overlay Networks: Threats and Defenses

Experimental Setup› MSPastry (b = 4 and l = 16)› GT-ITM trans-stub topolgy of 5050 routers› Measure pair-wised latency values from the

King tool› Set f = 0.2

Malicious Nodes› Misroute join messages to malicious nodes› Supply only malicious nodes as references› Have only good nodes in routing table (16

per row)

Effectiveness Evaluation

Page 16: Eclipse Attacks on Overlay Networks: Threats and Defenses

With PSN turned off (GT-ITM)› 70% on 1000 node-overlay, 80% on 5000› 90% for top-row on 1000, 100% on 5000

Effectiveness Evaluation

Page 17: Eclipse Attacks on Overlay Networks: Threats and Defenses

With PSN turned on (King)› As overlay size increases, PSN becomes less effective› In real Internet, large fraction of nodes lie in small

latency band› Easier to hijack top row of routing table (less restrictive)› Also the most dangerous because it tends to be the first

hop for sending its own message

Effectiveness Evaluation

Page 18: Eclipse Attacks on Overlay Networks: Threats and Defenses

Effectiveness of Degree Bounding

Used oracle to maintain idealized degree-bounding Effective decreases with larger overlays and looser in-

bound restrictions Increase of 25% average delay with degree-bounding

(8% with bound increased to 32) due to tighter constraints on neighbor selection

Effectiveness Evaluation

f = 0.2, t=1: ft/(1-f) = 0.25

Page 19: Eclipse Attacks on Overlay Networks: Threats and Defenses

Effectiveness of Auditing› Neighbor nodes randomly audited every 2

minutes › It takes 24 challenges to audit a node› 2000 node simulation› Churn rate: 0%, 5%, 10%, 15% per hour› Target environment is low to moderately

high churn› When malicious nodes reply, they reply with

a random subset that follow bounding limits

Effectiveness Evaluation

Page 20: Eclipse Attacks on Overlay Networks: Threats and Defenses

In-Degree Distribution› Before auditing has started, malicious

nodes are able to obtain high in-degrees› After 10 hours of operating (assuming

static) all nodes had in-degree <= 16

Effectiveness Evaluation

Page 21: Eclipse Attacks on Overlay Networks: Threats and Defenses

Reducing Fraction of Malicious Nodes› Auditing starts 1.5 hours into simulation› Correct nodes always enforce in-degree bound

of 16 per row› Top Row Analysis shows that high churn

requires more auditing

Effectiveness Evaluation

Entire Routing Table Top Row

Page 22: Eclipse Attacks on Overlay Networks: Threats and Defenses

Communication Overhead of Auditing› Overhead includes everything (Pastry overlay w/

PSN, Secured routing, and Auditing) and is (4.2 msg/node/sec)

› Overhead of Auditing rate of once per 2 mins is (2 msg/node/sec)

› Spike is due to every node searching for anonymizer nodes it will use

Effectiveness Evaluation

Page 23: Eclipse Attacks on Overlay Networks: Threats and Defenses

Effectiveness Evaluation Questions› How serious are Eclipse attacks on structured

overlays?› How effective is the existing defense based

on PNS against Eclipse attacks?› Is degree bounding a more effective defense?› What is the impact on degree bounding on

the performance of PNS?› Is distributed auditing effective and efficient

at bounding node degrees?

Effectiveness Evaluation

Page 24: Eclipse Attacks on Overlay Networks: Threats and Defenses

Eclipse attack are a real threat› Possible even in structured overlays or PSN-aware

networks› Doesn’t require Sybil attack to be effective

Bounding degree of nodes in network is a simple and effective measure› Distributive enforcement using anonymous auditing› Lightweight and allows PSN optimization

Limitations› Sensitive to high churn rates› High overhead for low application traffic› Doesn’t work in all cases› Requires secure routing (CRT) for locating anonymizer

set

Conclusion

Page 25: Eclipse Attacks on Overlay Networks: Threats and Defenses

Questions

Page 26: Eclipse Attacks on Overlay Networks: Threats and Defenses

Atul Singh, et. al. Eclipse Attacks on Overlay Networks: Threats and Defenses

http://cs.unc.edu/~fabian/courses/CS600.624/slides/Eclipse.pdf

http://www.cs.uiuc.edu/class/sp06/cs591ig/Eclipse.ppt

Baptiste Pretre. Attacks on Peer-to-Peer Networks.

John R. Douceur. The Sybil Attack.

Resources