Date posted: 26-Dec-2015
Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs
The University of Michigan
Scott Wolchok, J. Alex Halderman
The University of Texas at Austin
Owen S. Hofmann, Christopher J. Rossbach, Brent Waters, Emmett Witchel
Princeton University
Nadia Heninger, Edward W. Felten
What is a Sybil attack?
Generally target reputation systems
The attacker creates a huge number of pseudonyms
Results in attacker controlling a huge percentage of “entities” aka nodes in the system
Synonymous with “pseudospoofing”
“Sybil attack” circa 2002, “pseudospoofing” pre-2002
Review of the Vuze DHT
Nodes and keys each have a 160-bit Identifier.
Each node stores keys which are “closest to it”
To join, a node does a lookup for its own ID, which eventually results in discovering the 20 peers closest to it in the DHT
When an existing node is contacted by a new peer that is within the 20 closest to itself, it identifies the keys which should be owned by that new node and immediately stores those keys to the new node
Nodes are forced to use nodeID = H(IP,Port)
Vanish: Author Assumptions
Sybil Attacks are difficult and expensive to execute against the 1M+ Node Vuze DHT
Vanish: Experimental Results
An experimental private Vuze DHT was used to attempt a Sybil attack
In an 8K node DHT, 600 Sybils were not able to recover even 1 in 1000 experimental VDO’s
In the same 8K node DHT, 710 Sybils were able to recover 25% of nodes with N=150, T=70%
Calculated that 820 Sybils are required to crack 25% of VDO’s with N=50, T=90%
Concluded that ≥87,000 Sybils required to crack 25% VDO’s on the real Vuze DHT
Vanish: Author Conclusion
Calculated that a single “small” Amazon EC2 instance could run 50 Sybils
Calculated that to run 87,000 simultaneous Sybils would cost $860K/year (in 2009)
What could happen?
If the analysis by the Vanish authors is correct, some people would be well assured they are safe
May lead to irresponsible data handling practices by Vanish users
Theoretical Model
Image Credit: “Defeating Vanish”; Wolchok et al. (2010) pp5
UnVanish: How it works
Uses the native Vuze DHT client with minor modifications
One DHT client joins the Vuze DHT for only 150 seconds
While it is joined, any store request between 16-51 bytes is archived to permanent storage
After 150 seconds, the client is restarted and “hops” to a new UDP port, thereby obtaining a new Node ID
UnVanish: What it runs on
10x “small” Amazon EC2 instances
Each instance can support 50 concurrent Vuze DHT clients (due to 1.7Gb memory constraint)
UnVanish: Cost
To recover 92% of key shares, it would cost $23,500 to operate UnVanish continuously for 1 year using Amazon EC2
ClearView: How It Works
A new (incomplete) Vuze DHT client
Written in 2036 lines of C
Responds to all PING and STORE commands
Responds selectively to FIND-NODE commands
Completely ignores all other DHT protocol commands
A single process manages “many” DHT clients
DHT clients are on the network for 3 minutes between hops
ClearView: What it runs on
10x “small” Amazon EC2 instances (320K effective Sybils)
A single EC2 instance can host “Thousands” of effective DHT clients
ClearView: Experiment 1
Tested the N=10 and T=70% “default” FireVanish configuration
320K Effective Sybils
99.4% of shares were found and archived
ClearView: Experiment 2
Tested N=10, T=70%
270K Effective Sybils
99.5% of shares were found and archived
ClearView: Experiment 3
Tested N=10, T=70
80K Effective Sybils
91.8% of shares found and archived
Similar to the 92% of shares recovered by UnVanish.
Recovery Model
Image Credit: “Defeating Vanish”; Wolchok et al. (2010) pp8
ClearView: Cost (2009)
For N=10, T=70%
  $1950/yr = 25% VDO Recovery
  $3750/yr = 90% VDO Recovery
  $5900/yr = 99% VDO Recovery
For N=10, T=90%
  $3150/yr = 25% VDO Recovery
  $7350/yr = 90% VDO Recovery
  $11950/yr = 99% VDO Recovery
For N=50, T=90%
  $4850/yr = 25% VDO Recovery
  $6900/yr = 90% VDO Recovery
  $9000/yr = 99% VDO Recovery
Storage costs are not included, but the authors estimate storage costs would be about $80/year to store 510 GB of data that matches the fingerprint of a “share” for Vanish.
ClearView: Cost
Image Credit: “Defeating Vanish”; Wolchok et al. (2010) pp9
Vanish Cost Analysis Wrong?
#1 Reason:
The Vanish authors assumed that nodes must remain online constantly to carry out the Sybil attack, when actually they only needed about 3 minutes of up time in the 8-hour period.
Vanish Cost Analysis Wrong?
#2 Reason:
The Vanish authors extrapolated incorrectly
Image Credit: “Vanish”; Geambasu, Kohno, Levy, Levy (2009) pp14
Vanish Cost Analysis Wrong?
The “Defeating Vanish” authors show that going from recovering 25% of VDO’s to recovering 90% of VDO’s takes only a 53% increase in effective Sybils
This is because they use a probabilistic model instead of extrapolating experimental data
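
Why a probabilistic model gives such a steep curve, as an added example (not code from the paper or from this presentation): it assumes each of a VDO's N shares is captured independently with the same probability p, a simplification chosen here, so VDO recovery is a binomial tail at the threshold T. The function names are hypothetical.

```python
from math import comb

def shares_required(n_shares, threshold_pct):
    """Shares needed to rebuild the key: ceil(N * T), in integer arithmetic."""
    return -(-n_shares * threshold_pct // 100)

def vdo_recovery_probability(n_shares, threshold_pct, p_share):
    """P(at least ceil(N*T) of N shares captured), shares assumed independent."""
    k_min = shares_required(n_shares, threshold_pct)
    return sum(comb(n_shares, k) * p_share**k * (1 - p_share)**(n_shares - k)
               for k in range(k_min, n_shares + 1))

def share_coverage_needed(n_shares, threshold_pct, target, tol=1e-9):
    """Smallest per-share capture probability that reaches the target
    VDO recovery rate, found by bisection (the tail is monotone in p)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if vdo_recovery_probability(n_shares, threshold_pct, mid) >= target:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    # Parameter sets taken from the cost slides: (N, T%).
    for n, t in [(10, 70), (10, 90), (50, 90)]:
        p25 = share_coverage_needed(n, t, 0.25)
        p90 = share_coverage_needed(n, t, 0.90)
        print(f"N={n} T={t}%: share coverage {p25:.3f} -> 25% of VDOs, "
              f"{p90:.3f} -> 90% of VDOs")
    # Share coverage reported for ClearView Experiment 3 (91.8%).
    print(f"p=0.918, N=10, T=70%: "
          f"{vdo_recovery_probability(10, 70, 0.918):.4f} of VDOs recoverable")
```

The gap between the share coverage needed for 25% and for 90% VDO recovery is narrow, and raising T moves both values up without widening it much.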
Can Vanish Be Improved?
Raise the threshold
  Bad Idea – 99/100 shares required would make VDO’s expire too early
  Attacker could be more vigilant in scraping the DHT
Switch Vanish to a Private DHT
  Node membership is closed – Bad Idea – Fewer maintainers make fewer hands to grease
  Would essentially be a trusted 3rd party
  Solutions already exist that are easier to implement and faster
Can Vanish Be Improved?
Add Client Puzzles
  Would certainly raise the cost of Sybil attack from EC2
  Botnets would still easily solve this problem
Restrict Node ID’s
  Right now, a single IP can have 65535 simultaneous registered nodes.
  Limiting nodes per IP would increase the number of IP addresses required to do the Sybil attack
  Does not limit botnet attacks
Can Vanish Be Improved?
Detect Attackers
  Look for nodes that don’t act like other nodes and penalize them
  Look for IP addresses with lots of nodes
Peruse – Can scan the entire Vuze network in less than 60 minutes
  Found that the vast majority of IP addresses host a single node
  Identified all of their test systems
  Identified 10 systems at the University of Washington used for Vanish demonstrations
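
The "IP addresses with lots of nodes" check, as an added example (not Peruse and not code from the paper): it runs over constructed crawl results and flags IPs that host many nodes at once or that keep reappearing on new UDP ports, since a new port yields a new node ID. The thresholds, function name and sample data are assumptions.

```python
from collections import defaultdict

# Constructed crawl results: (scan number, IP, UDP port) for each node seen.
OBSERVATIONS = [
    (1, "192.0.2.10", 6881), (2, "192.0.2.10", 6881), (3, "192.0.2.10", 6881),
    # Several nodes on one IP in the same scan.
    (1, "198.51.100.7", 40001), (1, "198.51.100.7", 40002),
    (1, "198.51.100.7", 40003), (2, "198.51.100.7", 40001),
    # One node per scan, but a new port (new node ID) every time.
    (1, "203.0.113.5", 50000), (2, "203.0.113.5", 50017),
    (3, "203.0.113.5", 50342),
    # A single port change, e.g. an ordinary client restart.
    (1, "192.0.2.44", 12000), (3, "192.0.2.44", 12001),
]

def flag_suspect_ips(observations, max_nodes_per_scan=2, max_ports_total=2):
    """Return {ip: [reasons]} for IPs exceeding either threshold.

    Thresholds are illustrative; a NAT gateway can legitimately put
    several clients behind one IP, so flagged IPs need review.
    """
    ports_in_scan = defaultdict(set)   # (ip, scan) -> ports seen together
    ports_overall = defaultdict(set)   # ip -> every port ever seen
    for scan, ip, port in observations:
        ports_in_scan[(ip, scan)].add(port)
        ports_overall[ip].add(port)

    findings = defaultdict(list)
    for (ip, scan), ports in sorted(ports_in_scan.items()):
        if len(ports) > max_nodes_per_scan:
            findings[ip].append(f"scan {scan}: {len(ports)} concurrent nodes")
    for ip, ports in sorted(ports_overall.items()):
        if len(ports) > max_ports_total:
            findings[ip].append(f"{len(ports)} distinct ports across scans")
    return dict(findings)

if __name__ == "__main__":
    for ip, reasons in flag_suspect_ips(OBSERVATIONS).items():
        print(ip, "->", "; ".join(reasons))
```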
Can Vanish Be Improved?
Social Networking
  Require that nodes certify that they “know” other nodes
  Social networks have shown people will claim to know other people when in fact they don’t
  Could affect viability of DHT – Less participation with higher entry barrier