
Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs The University of Michigan Scott...

Date post: 26-Dec-2015
Upload: claud-higgins
Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. The University of Michigan: Scott Wolchok, J. Alex Halderman. The University of Texas at Austin: Owen S. Hofmann, Christopher J. Rossbach, Brent Waters, Emmett Witchel. Princeton University: Nadia Heninger, Edward W. Felten.
Transcript

Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs

The University of Michigan

Scott Wolchok, J. Alex Halderman

The University of Texas at Austin

Owen S. Hofmann, Christopher J. Rossbach, Brent Waters, Emmett Witchel

Princeton University

Nadia Heninger, Edward W. Felten


What is a Sybil attack?

Generally target reputation systems

The attacker creates a huge number of pseudonyms

Results in attacker controlling a huge percentage of “entities” aka nodes in the system

Synonymous with “pseudospoofing”
  - “Sybil attack” circa 2002, “pseudospoofing” pre-2002


Review of the Vuze DHT

Nodes and keys each have a 160-bit identifier.

Each node stores keys which are “closest to it”

To join, a node does a lookup for its own ID, which eventually results in discovering the 20 peers closest to it in the DHT

When an existing node is contacted by a new peer that is within the 20 closest to itself, it identifies the keys which should be owned by that new node and immediately stores those keys to the new node

Nodes are forced to use nodeID = H(IP,Port)


Vanish: Author Assumptions

Sybil Attacks are difficult and expensive to execute against the 1M+ Node Vuze DHT


Vanish: Experimental Results

An experimental private Vuze DHT was used to attempt a Sybil attack

In an 8K node DHT, 600 Sybils were not able to recover even 1 in 1000 experimental VDOs

In the same 8K node DHT, 710 Sybils were able to recover 25% of nodes with N=150, T=70%

Calculated that 820 Sybils are required to crack 25% of VDOs with N=50, T=90%

Concluded that ≥87,000 Sybils are required to crack 25% of VDOs on the real Vuze DHT


Vanish: Author Conclusion

Calculated that a single “small” Amazon EC2 instance could run 50 Sybils

Calculated that to run 87,000 simultaneous Sybils would cost $860K/year (in 2009)


What could happen?

If the analysis by the Vanish authors is correct, some people would be well assured they are safe

May lead to irresponsible data handling practices by Vanish users


Theoretical Model

Image Credit: “Defeating Vanish”; Wolchok et al. (2010) pp5


UnVanish: How it works

Uses the native Vuze DHT client with minor modifications

One DHT client joins the Vuze DHT for only 150 seconds

While it is joined, any store request between 16-51 bytes is archived to permanent storage

After 150 seconds, the client is restarted and “hops” to a new UDP port, thereby obtaining a new node ID


UnVanish: What it runs on

10x “small” Amazon EC2 instances

Each instance can support 50 concurrent Vuze DHT clients (due to 1.7Gb memory constraint)


UnVanish: Cost

To recover 92% of key shares, it would cost $23,500 to operate UnVanish continuously for 1 year using Amazon EC2


ClearView: How It Works

A new (incomplete) Vuze DHT client

Written in 2036 lines of C

Responds to all PING and STORE commands

Responds selectively to FIND-NODE commands

Completely ignores all other DHT protocol commands

A single process manages “many” DHT clients

DHT clients are on the network for 3 minutes between hops


ClearView: What it runs on

10x “small” Amazon EC2 instances (320K effective Sybils)

A single EC2 instance can host “Thousands” of effective DHT clients


ClearView: Experiment 1

Tested the N=10 and T=70% “default” FireVanish configuration

320K Effective Sybils

99.4% of shares were found and archived


ClearView: Experiment 2

Tested N=10, T=70%

270K Effective Sybils

99.5% of shares were found and archived


ClearView: Experiment 3

Tested N=10, T=70

80K Effective Sybils

91.8% of shares found and archived

Similar to the 92% of shares recovered by UnVanish.


Recovery Model

Image Credit: “Defeating Vanish”; Wolchok et al. (2010) pp8


ClearView: Cost (2009)

For N=10, T=70%
  - $1950/yr = 25% VDO Recovery
  - $3750/yr = 90% VDO Recovery
  - $5900/yr = 99% VDO Recovery

For N=10, T=90%
  - $3150/yr = 25% VDO Recovery
  - $7350/yr = 90% VDO Recovery
  - $11950/yr = 99% VDO Recovery

For N=50, T=90%
  - $4850/yr = 25% VDO Recovery
  - $6900/yr = 90% VDO Recovery
  - $9000/yr = 99% VDO Recovery

Storage costs are not included, but the authors estimate storage costs would be about $80/year to store 510 GB of data that matches the fingerprint of a “share” for Vanish.


ClearView: Cost

Image Credit: “Defeating Vanish”; Wolchok et al. (2010) pp9


Vanish Cost Analysis Wrong?

#1 Reason:

The Vanish authors assumed that nodes must remain online constantly to carry out the Sybil attack, when actually they only needed about 3 minutes of up time in the 8-hour period.


Vanish Cost Analysis Wrong?

#2 Reason:

The Vanish authors extrapolated incorrectly

Image Credit: “Vanish”; Geambasu, Kohno, Levy, Levy (2009) pp14


Vanish Cost Analysis Wrong?

The “Defeating Vanish” authors show that going from recovering 25% of VDOs to recovering 90% of VDOs takes only a 53% increase in effective Sybils

This is because they use a probabilistic model instead of extrapolating experimental data
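A probabilistic model of this kind, as an added example (not code from the slides or the paper): it assumes each of the N shares is captured independently with the same probability, so VDO recovery is a binomial tail at the threshold. The function names are made up for the example; N, T and the 91.8% / 99.4% share-capture rates are the values quoted on the slides.

```python
from math import comb

def shares_needed(n_shares, threshold_pct):
    """Smallest number of shares that meets the threshold (integer ceiling)."""
    return -(-n_shares * threshold_pct // 100)

def vdo_recovery(n_shares, threshold_pct, p_share):
    """P(enough shares captured), assuming independent capture with prob p_share."""
    k_min = shares_needed(n_shares, threshold_pct)
    return sum(comb(n_shares, k) * p_share**k * (1 - p_share)**(n_shares - k)
               for k in range(k_min, n_shares + 1))

def share_rate_for(n_shares, threshold_pct, target, tol=1e-6):
    """Per-share capture rate at which VDO recovery reaches `target` (bisection).

    Valid because vdo_recovery is monotonically increasing in p_share.
    """
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if vdo_recovery(n_shares, threshold_pct, mid) >= target:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    # Share-capture rate an archiver must reach for each VDO-recovery goal.
    for n, t in [(10, 70), (10, 90), (50, 90)]:
        rates = [share_rate_for(n, t, goal) for goal in (0.25, 0.90, 0.99)]
        print(f"N={n:<3} T={t}%  share rate for 25/90/99% VDO recovery:",
              "  ".join(f"{r:.3f}" for r in rates))
    # VDO recovery implied by the share-capture rates reported on the slides.
    for p in (0.918, 0.994):
        print(f"share rate {p:.3f}:",
              "  ".join(f"N={n},T={t}% -> {vdo_recovery(n, t, p):.4f}"
                        for n, t in [(10, 70), (10, 90), (50, 90)]))
```

Under this model the share-capture rate needed for 90% VDO recovery is not far above the rate needed for 25%, which is why linear extrapolation from a small private DHT overstates the cost.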


Can Vanish Be Improved?

Raise the threshold
  - Bad Idea – 99/100 shares required would make VDOs expire too early
  - Attacker could be more vigilant in scraping the DHT

Switch Vanish to a Private DHT
  - Node membership is closed – Bad Idea – Fewer maintainers make fewer hands to grease
  - Would essentially be a trusted 3rd party
  - Solutions already exist that are easier to implement and faster


Can Vanish Be Improved?

Add Client Puzzles
  - Would certainly raise the cost of Sybil attack from EC2
  - Botnets would still easily solve this problem

Restrict Node IDs
  - Right now, a single IP can have 65535 simultaneous registered nodes.
  - Limiting nodes per IP would increase the number of IP addresses required to do the Sybil attack
  - Does not limit botnet attacks


Can Vanish Be Improved?

Detect Attackers
  - Look for nodes that don’t act like other nodes and penalize them
  - Look for IP addresses with lots of nodes

Peruse – Can scan the entire Vuze network in less than 60 minutes
  - Found that the vast majority of IP addresses host a single node
  - Identified all of their test systems
  - Identified 10 systems at the University of Washington used for Vanish demonstrations
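One way to apply the two detection ideas above to crawl output, as an added example (not the Peruse tool or any code from the paper). Because nodeID = H(IP,Port), each (IP, port) pair is one node; the snapshot data is constructed, and the two thresholds are assumptions a deployment would have to tune.

```python
from collections import defaultdict

# Constructed crawl snapshots (not real data): crawl time in seconds ->
# (ip, udp_port) contacts seen. Addresses are from documentation ranges.
SNAPSHOTS = {
    0:   [("192.0.2.44", 51413), ("198.51.100.7", 6881),
          ("203.0.113.9", 40001), ("203.0.113.9", 40002), ("203.0.113.9", 40003)],
    180: [("192.0.2.44", 51413), ("198.51.100.7", 6882),
          ("203.0.113.9", 40004), ("203.0.113.9", 40005), ("203.0.113.9", 40006)],
    360: [("192.0.2.44", 51413), ("198.51.100.7", 6883),
          ("203.0.113.9", 40007), ("203.0.113.9", 40008), ("203.0.113.9", 40009)],
}

def per_ip_profile(snapshots):
    """Per IP: (most nodes seen in one crawl, distinct ports over all crawls)."""
    max_concurrent = defaultdict(int)
    ports_seen = defaultdict(set)
    for ts in sorted(snapshots):
        this_crawl = defaultdict(set)
        for ip, port in snapshots[ts]:
            this_crawl[ip].add(port)
            ports_seen[ip].add(port)
        for ip, ports in this_crawl.items():
            max_concurrent[ip] = max(max_concurrent[ip], len(ports))
    return {ip: (max_concurrent[ip], len(ports_seen[ip])) for ip in ports_seen}

def flag_suspects(snapshots, node_cap=2, port_churn_cap=2):
    """Return {ip: [reasons]} for IPs over either threshold (assumed values)."""
    flagged = {}
    for ip, (concurrent, distinct) in per_ip_profile(snapshots).items():
        reasons = []
        if concurrent > node_cap:      # "IP addresses with lots of nodes"
            reasons.append(f"{concurrent} nodes at once")
        if distinct > port_churn_cap:  # port hopping: new node ID every few minutes
            reasons.append(f"{distinct} ports in window")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in sorted(flag_suspects(SNAPSHOTS).items()):
        print(ip, "->", "; ".join(reasons))
```

The churn check catches a host that runs only one node at a time but hops ports between crawls, which a per-crawl node count alone would miss; hosts behind shared NAT can trip either threshold legitimately.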


Can Vanish Be Improved?

Social Networking
  - Require that nodes certify that they “know” other nodes
  - Social networks have shown people will claim to know other people when in fact they don’t
  - Could affect viability of DHT – Less participation with higher entry barrier

