
Lapsy Garg. P2P Networks Gnutella Protocol Topological Scan Worms Passive Scan Worms Solutions.

Date post: 18-Dec-2015
Upload: dwight-sparks
Lapsy Garg
Transcript
Page 1: Lapsy Garg. P2P Networks Gnutella Protocol Topological Scan Worms Passive Scan Worms Solutions.

Lapsy Garg

Page 2:

P2P Networks

Gnutella Protocol

Topological Scan Worms

Passive Scan Worms

Solutions

Page 3:

Resource sharing

P2P nodes act both as servers and clients

Resilient to single node failure

Almost infinite storage capacity

Examples: Gnutella, Kazaa, BitTorrent

Page 4:

Do not waste time probing unused IP addresses

Do not generate a high rate of failed connections

Can merge malicious traffic into P2P traffic

Detection systems based on analysis of worm scans cannot differentiate the normal P2P activity of a client from that of a worm; hence, such worms are difficult to detect

Page 5:

Distributed P2P protocol

Defines the way in which peers communicate over the network

Highly fault tolerant

Some popular Gnutella clients: LimeWire, BearShare, Gtk-Gnutella

Page 6:

Each Servant has a self-selected servant_id

A Gnutella node is typically connected to 2-12 nodes

Time to Live (TTL):

Further limits the horizon of nodes

When a message is passed through a node, its TTL is reduced by 1

If TTL=0, then the message is not forwarded further

File exchange involves two phases: Search and Download

Page 7:

Search

To search for a file, a node, say n, sends a search Query message to its neighbor nodes.

On receiving a search Query, nodes look for a match in their local data set.

If a match is found, a Hit message is generated and sent back over the same path through which the Query message came to the node.

The Query message is forwarded further if its TTL is not zero.

Download

On receiving Hit messages, node n selects a node from which to download the file.

The download happens via an HTTP connection.

Page 8:

[Figure: Gnutella search and download among Peer A, Peer B, Peer C and Peer D. Message sequence: (1) Query, (2) Query, (3) Query, (4) Hit, (5) Hit, (6) Hit, (7) Download.]
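The search phase described above, as an added example that is not part of the original slides: a small simulation of Query flooding with TTL and of the Hit travelling back along the reverse path. The chain topology A-B-C-D, the shared file name and the function name `flood_query` are assumptions made for the illustration.

```python
from collections import deque

# Constructed overlay and share lists (not from the slides): a chain A-B-C-D
# where only D holds a file matching the search.
OVERLAY = {"A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C"]}
SHARED = {"A": set(), "B": set(), "C": set(), "D": {"lecture-notes.pdf"}}


def flood_query(overlay, shared, origin, keyword, ttl):
    """Flood a Query from `origin` with the given TTL.

    Returns (hits, queries_sent). Each hit is (responder, hit_path), where
    hit_path lists the hops the Hit takes back to the origin.
    """
    came_from = {origin: None}          # reverse route used by Hit messages
    hits = []
    queue = deque((nbr, origin, ttl) for nbr in overlay[origin])
    queries_sent = len(queue)
    while queue:
        node, prev, msg_ttl = queue.popleft()
        if node in came_from:
            continue                    # query already seen here: drop it
        came_from[node] = prev
        if any(keyword in name for name in shared[node]):
            path = [node]
            while came_from[path[-1]] is not None:
                path.append(came_from[path[-1]])
            hits.append((node, path))
        msg_ttl -= 1                    # TTL is reduced by 1 at each node
        if msg_ttl <= 0:
            continue                    # TTL exhausted: not forwarded further
        for nbr in overlay[node]:
            if nbr != prev:
                queue.append((nbr, node, msg_ttl))
                queries_sent += 1
    return hits, queries_sent


if __name__ == "__main__":
    print(flood_query(OVERLAY, SHARED, "A", "lecture", ttl=3))
    print(flood_query(OVERLAY, SHARED, "A", "lecture", ttl=2))
```

With TTL 3 the Query reaches Peer D in three hops and the Hit returns over D, C, B, A; with TTL 2 Peer D lies beyond the horizon and no Hit comes back.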

Page 12:

Do not waste time probing unavailable IP addresses

Can use information available with infected P2P node to search for vulnerable nodes

Most of the worm detection systems based on analysis of worm scans rendered useless

Vulnerability in the application

No case of such worms has been reported yet

Page 13:

Gnutella assumes nodes are trustworthy, which is not always the case

There is no way to determine the authenticity of the files being advertised by a peer

The decision to download a file is more or less based on filename or file size

Page 14:

Vulnerability in the protocol

Wait for the vulnerable targets to contact them

Case 1

The worm can create infected copies of itself with attractive filenames and place them in the shared folder of the P2P client, or replace the files present in the shared folder with itself

e.g. VBS.Gnutella, Benjamin Worm, etc.

Case 2

Answers positively to a proportion of search queries by changing the name of the corrupted file to match the search query

e.g. Gnuman

Case 3 – Middle Man Attack

The infected node can forward the search query, collect good responses to the given query, and reply with the same to gain better trust of the user

No case of this kind of worm has been reported

Page 15:

Most of the solutions proposed to solve the problem of Passive Worms are based on building trust between the peers

Some of the popular approaches are: EigenTrust, Credence, XRep

These approaches do slow down the worm propagation but they do not do anything to detect the worms

Page 16:

Generates the global reputation of the peers without the presence of any central authority

Files from the highly reputed peers are given higher preference

Assumes that files downloaded from the highly reputed peers are much less likely to be infected or junk

This approach would not work if a highly reputed peer starts sharing an infected file
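How a global reputation can be computed with no central authority, shown with the power iteration of the published EigenTrust algorithm (one of the approaches named earlier). This is an added example, not code from the slides; the peers, local scores, pre-trusted set and function names are constructed for the illustration.

```python
# Constructed local scores s_ij: satisfactory minus unsatisfactory downloads
# that peer i had from peer j. M is a peer that served bad files.
LOCAL = {
    "A": {"B": 4, "C": 3, "M": -2},
    "B": {"A": 5, "C": 2, "M": -1},
    "C": {"A": 3, "B": 3, "M": 0},
    "M": {"A": 1, "B": 1, "C": 1},
}
PRETRUSTED = {"A"}   # assumption: one peer is trusted a priori


def global_trust(local, pretrusted, alpha=0.15, tol=1e-9, max_iter=1000):
    """Iterate t <- (1 - alpha) * C^T t + alpha * p until t stops changing."""
    peers = sorted(local)
    p = {j: (1 / len(pretrusted) if j in pretrusted else 0.0) for j in peers}
    c = {}
    for i in peers:
        # Normalised local trust: negative experience counts as zero trust.
        pos = {j: max(local[i].get(j, 0), 0) for j in peers if j != i}
        total = sum(pos.values())
        # A peer with no positive experience defers to the pre-trusted set.
        c[i] = {j: (pos.get(j, 0) / total if total else p[j]) for j in peers}
    t = dict(p)
    for _ in range(max_iter):
        nxt = {j: (1 - alpha) * sum(c[i][j] * t[i] for i in peers)
               + alpha * p[j] for j in peers}
        if max(abs(nxt[j] - t[j]) for j in peers) < tol:
            return nxt
        t = nxt
    return t


def pick_source(trust, offering_peers):
    """Prefer the offering peer with the highest global trust."""
    return max(sorted(offering_peers), key=lambda peer: trust[peer])


if __name__ == "__main__":
    t = global_trust(LOCAL, PRETRUSTED)
    print(t)
    print(pick_source(t, {"B", "M"}), pick_source(t, {"A", "M"}))
```

`pick_source` looks only at who offers a file, never at the file itself, so the most reputed peer is still chosen if it begins sharing an infected file, which is the limitation stated in the last point above.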

Page 17:

Each peer generates a trust graph i.e. how much it trusts other peers based on its experience with other nodes

Before a file download, it will collect the votes from other peers about the file

The weight of each vote will depend on the reputation of the voter

The files will then get sorted in decreasing order of reputation, which is calculated based on the votes for the file
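The vote-weighting steps above, as an added example that is not part of the original slides. It assumes one simple way of deriving trust from experience (agreement on files the local peer has already judged, clipped at zero); the peers, files, votes and function names are constructed.

```python
# Constructed data: +1 means "file is good", -1 means "file is bad".
MY_VERDICTS = {"f1": +1, "f2": -1, "f3": +1}      # files already judged locally
VOTES = {
    "P1": {"f1": +1, "f2": -1, "f3": +1, "x.iso": +1, "y.iso": -1},
    "P2": {"f1": +1, "f2": +1, "f3": +1, "x.iso": +1, "y.iso": -1},
    "P3": {"f1": -1, "f2": +1, "x.iso": -1, "y.iso": +1},  # contradicts us
    "P4": {"y.iso": +1},                                    # no shared history
}


def peer_trust(my_verdicts, their_votes):
    """(agreements - disagreements) / shared files, clipped to [0, 1]."""
    shared = [f for f in their_votes if f in my_verdicts]
    if not shared:
        return 0.0          # no experience with this voter: vote has no weight
    balance = sum(1 if their_votes[f] == my_verdicts[f] else -1 for f in shared)
    return max(balance / len(shared), 0.0)


def rank_files(candidates, my_verdicts, votes_by_peer):
    """Return (files sorted by decreasing reputation, per-file scores)."""
    weights = {p: peer_trust(my_verdicts, v) for p, v in votes_by_peer.items()}
    scores = {
        f: sum(w * votes_by_peer[p].get(f, 0) for p, w in weights.items())
        for f in candidates
    }
    ranked = sorted(candidates, key=lambda f: scores[f], reverse=True)
    return ranked, scores


if __name__ == "__main__":
    print(rank_files(["y.iso", "x.iso"], MY_VERDICTS, VOTES))
```

The two peers praising `y.iso` carry zero weight, one because it has contradicted the local peer's own verdicts and one because it has no history, so the file drops to the bottom of the ranking even though the raw vote count is tied.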
