Wednesday, July 29, 2009

Randomization

A last interesting observation is randomization (for example in the routing protocol
or in the nodes’ location). Indeed, studies show that randomization has a
big impact on attacks as an attacker cannot deterministically attack the network
any longer. Unfortunately, it also considerably slows the network down. P2P
networks often have scalability problems and anything which slows performance
down is generally avoided. This is probably the main reason why randomization
is avoided in P2P networks.

Reputation-based Systems


This condemnation of all hierarchical structures also makes us reject reputation-based
systems. Nodes in such systems have a “reputation” determined by all
other nodes [17]. Typically, each node will publish a list of the nodes it trusts,
making it impossible for a node to change its own reputation by itself. Before
initiating a download, a node will first check the reputation of the node it wants
to download from and then decide whether to pursue or not. In a sense, the
higher the reputation, the more importance a node has.
While this might seem like a good direction, we will argue that, as it introduces a notion of hierarchy, this approach constitutes a weakness. The problem is
that nodes with a bigger reputation have more powers than other nodes. Other
nodes will tend to trust them more and they are able to influence other nodes’
reputation more effectively. An attacker simply needs a little patience and wait
for one of his nodes to gain sufficient trust in order to launch his attack. If
the attacker deploys many malicious nodes as it is often the case, they can give
each other a high reputation making them all trustworthy. Finally, other famous
nodes constitute strategic targets as they will be able to spread the attack more
efficiently.
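As an added illustration of the two weaknesses described above (a colluding group inflating its own reputation, and a single honest endorsement letting the whole group inherit trust), here is a constructed toy model of a trust-list reputation system; it is not code from the paper. Node names, trust lists and the "rooted" variant (counting only endorsements reachable from known-honest seeds) are assumptions for the example.

```python
"""Toy model of a trust-list reputation system (constructed example)."""
from collections import deque

# Constructed trust lists: honest nodes h1..h4 endorse each other;
# attacker identities s1..s4 endorse only each other (a colluding clique).
TRUST = {
    "h1": {"h2", "h3"},
    "h2": {"h1", "h3", "h4"},
    "h3": {"h1", "h2"},
    "h4": {"h2"},
    "s1": {"s2", "s3", "s4"},
    "s2": {"s1", "s3", "s4"},
    "s3": {"s1", "s2", "s4"},
    "s4": {"s1", "s2", "s3"},
}


def naive_reputation(trust):
    """Reputation = number of distinct nodes that list you as trusted.
    A node cannot raise its own score, but a clique can raise each other's."""
    rep = {n: 0 for n in trust}
    for truster, trusted in trust.items():
        for t in trusted:
            if t != truster:  # ignore self-endorsement
                rep[t] = rep.get(t, 0) + 1
    return rep


def rooted_reputation(trust, seeds):
    """Count only endorsements from nodes reachable along trust edges from
    a local root of known-honest seeds (breadth-first walk). A clique that
    nobody outside it endorses is unreachable and scores zero."""
    reachable, queue = set(seeds), deque(seeds)
    while queue:
        for t in trust.get(queue.popleft(), ()):
            if t not in reachable:
                reachable.add(t)
                queue.append(t)
    rep = {n: 0 for n in trust}
    for truster in reachable:
        for t in trust.get(truster, ()):
            if t != truster:
                rep[t] = rep.get(t, 0) + 1
    return rep


def with_endorsement(trust, honest, sybil):
    """Copy of the trust lists after one honest node has come to trust one
    attacker identity: the 'patience' step described in the text."""
    new = {n: set(v) for n, v in trust.items()}
    new[honest].add(sybil)
    return new


if __name__ == "__main__":
    print("naive  :", naive_reputation(TRUST))
    print("rooted :", rooted_reputation(TRUST, {"h1"}))
    print("patient:", rooted_reputation(with_endorsement(TRUST, "h4", "s1"), {"h1"}))
```

Under the naive rule the clique already ties the best honest node; under the rooted rule it scores zero until h4 trusts s1, after which s1 outranks every honest node and the rest of the clique is pulled up with it.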

First conclusions

4.1 Only Pure P2P!

We have now been introduced to P2P networks and have observed most possible
attacks. So what are the first conclusions we can make at this point?
First of all, when designing a P2P network, it is of utmost importance not to
use a mixed P2P model. As soon as we enter any kind of notion of hierarchy,
we automatically present a target. If a node is more important, more trusted
or better connected than other nodes, then an attacker can use this to his advantage.
This permits malicious users to attack the network strategically,
which is far more dangerous. If there is absolutely no hierarchical structure,
then the network presents no strategic targets because of its uniformity.
Paper [4] studies, for example, the effects super-nodes have on worm propagation
in Gnutella. In Gnutella, normal nodes connect to supernodes which are
in turn connected to each other, acting as a kind of “highway”. It is shown [19]
they play a significant role in the worm propagation in the network, even without
being specifically targeted at the beginning. What better target to launch
a Sybil attack than such supernodes? Of course, pure P2P is much harder to
implement and also slower than the hierarchical approach: the implementation
of node querying is easy if all nodes sign in on a central server.

Middle attacks

Against man-in-the-middle attacks, very carefully chosen cryptographic protocols
may be a good attempt to stop such an attack. Pricing could also help
against the Sybil attack version. The problem with such solutions is that they
constitute a serious slow-down and harm the scalability of the network.
The main defense against Eclipse attacks is simply to use a pure P2P network
model. An even better solution would be to additionally use a randomization
algorithm to determine the nodes’ location (as for example in Freenet). If
the nodes in a pure P2P network are randomly distributed, then there are no
strategic positions and an attacker can’t control his nodes’ positions. It would
be nearly impossible to separate two subnetworks from one another in such
conditions.

3.4 Eclipse Attack

Before an attacker can launch an eclipse attack, he must gain control over a
certain amount of nodes along strategic routing paths. Once he has achieved
this, he can then separate the network in different subnetworks. Thus, if a node
wants to communicate with a node from the other subnetwork, his message must
at a certain point be routed through one of the attacker’s nodes. The attacker
thus “eclipses” each subnetwork from the other. In a way, eclipse attacks are
high-scale man-in-the-middle attacks.
An Eclipse attack can be the continuation of a Sybil attack. In this case,
the attacker will try to place his nodes on the strategic routing paths. We
argued before, that man-in-the-middle attacks don’t pose a great threat to P2P
networks. However, such a high scale attack involving strategic targeting is
very serious. The attacker can completely control a subnetwork from the other
subnetwork’s point of view.
If an attacker manages an Eclipse attack (it is not an easy attack), he can attack
the network in a much more efficient manner.
• He can attack the control plane by inefficiently rerouting each message.
• He can decide to drop all messages he receives, thus completely separating
both subnetworks.
• He can attack the data plane by injecting polluted files or requesting
polluted files on behalf of innocent nodes and hoping these files are
cached or copied along the way.

P2P attacks

Unfortunately, without a central trusted authority, it is not possible to convincingly
stop Sybil attacks [10]. Maybe carefully configured reputation-based
systems might be able to slow the attack down, but it will not do much more.
Indeed, once the attacker has legally validated a certain amount of identities,
he can validate the rest.
A good defense is to render a Sybil attack unattractive by making it impossible
to place malicious identities in strategic positions. We have already seen that
structured P2P networks are more resilient to worm propagation. For the same
reasons it is a good defense mechanism here, as an attacker will not be able to
place his identities where he wishes. Randomly dispersed malicious identities
are far less dangerous than strategically placed ones, especially if the P2P network
is of considerable size.
Another proposition could be to include the node’s IP in its identifier. A malicious
node would thus not be able to spoof fake identities as he would be bound
to a limited number of IPs and could be noticed and denounced if he created
more identities. Yet this solution is far from simple as other attacks are rendered
possible, such as generating fake identities for other nodes and then accusing
them of being malicious. This is why we will not consider this defense as it adds
a layer of complexity to the existing protocol whilst generating other potential
weaknesses.
Several papers propose a central trusted authority as a solution, as well as a
complicated public-private key based protocol [11]. Each node should sign his
messages, and respond to a challenge by the authority every now and then. It
is clear that an attacker simulating many identities would need enormous resources
in order to be able to answer all the challenges periodically submitted
to each of his identities. While this certainly tries to solve the problem, it is unsatisfactory:
this solution breaks the P2P model by reintroducing a centralized
point of failure, which can easily be attacked.
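The Sybil defenses above and the Eclipse defense earlier on this page both rest on one idea: an attacker whose identities cannot choose where they land gains little from having many of them. The following constructed model (added here; not code from the paper) measures that for a toy Chord-like ring. The ring size, the replica-set size K, the honest population, the key and the documentation-range addresses are all assumptions; the address-bound identifier rule is the simplest reading of the "IP in the identifier" proposal.

```python
"""Constructed model of identifier placement in a Chord-like DHT ring."""
import hashlib

RING_BITS = 16
RING = 1 << RING_BITS
K = 4  # replica set: the K identifiers following a key store it


def hashed_id(address: str) -> int:
    """Identifier bound to the node's network address: the node cannot
    pick where on the ring it lands (the 'IP in the identifier' idea)."""
    digest = hashlib.sha256(address.encode()).digest()
    return int.from_bytes(digest[:2], "big") % RING


def successors(ids, key, k=K):
    """The k identifiers that follow key clockwise on the ring (wrapping)."""
    return sorted(set(ids), key=lambda i: (i - key) % RING)[:k]


def captured_fraction(honest_ids, attacker_ids, key):
    """Share of the key's replica set held by attacker identities."""
    owners = successors(list(honest_ids) + list(attacker_ids), key)
    attacker = set(attacker_ids)
    return sum(1 for o in owners if o in attacker) / len(owners)


# Constructed population: 64 honest nodes spread evenly over the ring.
HONEST = [i * (RING // 64) for i in range(64)]
TARGET_KEY = 12345
N_SYBILS = 8

# (a) self-chosen identifiers: eight identities placed right after the
#     key occupy its whole replica set (the strategic position).
CHOSEN = [(TARGET_KEY + 1 + i) % RING for i in range(N_SYBILS)]
# (b) address-bound identifiers: the same eight identities land wherever
#     the hash puts them (constructed documentation-range addresses).
BOUND = [hashed_id(f"198.51.100.{i}:6881") for i in range(N_SYBILS)]


def exposure_report():
    """Captured fraction of the target key's replica set under both rules."""
    return {
        "self_chosen": captured_fraction(HONEST, CHOSEN, TARGET_KEY),
        "address_bound": captured_fraction(HONEST, BOUND, TARGET_KEY),
    }


if __name__ == "__main__":
    print(exposure_report())
```

As the text notes, binding the identifier to the address is not a complete answer (identities can be forged for other nodes); the model only shows why random dispersal removes the strategic positions.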

3.3 Sybil Attack

Sybil attacks are part of the control plane category. The idea behind this attack
is that a single malicious identity can present multiple identities, and thus gain
control over part of the network [10].
Once this has been accomplished, the attacker can abuse the protocol in any
way possible. For instance he might gain responsibility for certain files and
choose to pollute them. If the attacker can position his identities in a strategic
way, the damage can be considerable. He might choose to continue in an eclipse
attack, or slow down the network by rerouting all queries in a wrong direction.

3.2.1 Defenses

Although file poisoning attacks sound pretty dangerous, we will argue they
do not pose a threat to P2P networks [6]. The main problem is that P2P
applications are often set in the background. When a polluted file is downloaded
by a user, it stays available for a while before being inspected and cleansed. After
a period of time, all polluted files are eventually removed and the authentic
files become more available than the corrupted ones. The reason file-poisoning
attacks are still successful today is due to 3 factors:
• clients are unwilling to share (rational attack).
• corrupted files are not removed from users machines fast enough.
• users give up downloading if the download seemingly stalls.
These 3 factors each give advantage in different ways to the most available file,
which probably is the polluted file at the beginning. Simulations show these
factors tend to greatly slow down the removal of polluted files on the network.

3.2 File Poisoning

File poisoning attacks operate on the data plane and have become extremely
commonplace in P2P networks. The goal of this attack is to replace a file in the
network by a false one. This polluted file is of course of no use.
It has been reported [7][8][9] that the music industry has massively released
false content on P2P networks. Moreover, companies such as Overpeer or Retsnap
publicly offer their pollution-based services to the entertainment industry
as a way of protecting copyrighted materials.
In order to attack by file poisoning, malicious nodes will falsely claim owning a
file, and upon a request will answer with a corrupt file. For a certain amount
of money, Overpeer or Retsnap will release huge amounts of fake copies of a file
on their servers. Moreover, all messages passing through a malicious node can be
poisoned (similar to a man-in-the-middle attack). These factors may give the
poisoned file a high availability, making it more attractive to download than the
true file.

3.1 Rational Attacks

For P2P services to be effective, participating nodes must cooperate, but in most
scenarios a node represents a self-interested party and cooperation can neither
be expected nor enforced. A reasonable assumption is that a large fraction
of P2P nodes are rational and will attempt to maximize their consumption of
system resources while minimizing the use of their own.
For example nodes might realize that by not sharing, they save precious upload
bandwidth. In the case of copyrighted material, file sharing can have worse
outcomes. As it is illegal and quite easy for authorities to find out who is sharing
specific files, it can lead to a very big fine. These are good enough reasons to
motivate nodes in becoming “self-interested”. If a large number of nodes are
self-interested and refuse to contribute, the system may destabilize. Successful
P2P systems must be designed to be robust against this class of failure.

3.0 Specific P2P Attacks and Defenses

We will consider two different planes of attack in this section: the data plane
and the control plane. Attacking the data plane means attacking the data used
by the P2P application itself, for example by poisoning it or rendering it in any
way unavailable. On the other hand, attacking the control plane means directly
attacking the functionality of the P2P application, trying to render it slower
or as inefficient as possible. This is generally done by using weaknesses in the
routing protocol. Depending on the attacker’s goal, he will choose to attack in
one plane or the other, or both.
These two planes are not completely independent. For instance by attacking
on the data plane and corrupting many files, users will tend to download more
instances of a file thus slowing down the traffic which is typically the aim of a
control plane attack. Vice versa, eclipse attacks which are in the control plane
can render data unaccessible, which is the primary objective of a data plane
attack.
The possibilities of attacks are enormous in P2P networks. Now follows an
analysis of the most common attacks as well as some appropriate defense mechanisms.

2.4 The Human Factor

The human factor should always be a consideration when security is at issue.
We previously saw that the upswing P2P applications have experienced is also
due to ease of installation and use, the low cost (most of the time free) and its
great rewards. Even novice users have little difficulty using such applications
to download files that other users shared intentionally or accidentally shared on
the P2P network.
This is yet another security problem P2P applications are posing. Empowering
a user, especially a novice, to make choices regarding the accessibility of their
files is a significant risk. Because of its convenient and familiar look, applications
such as Kazaa can cause a user to unwittingly share the contents of his
documents or, even worse, his whole hard disk.
Unfortunately, novice users do not understand the implications of their inaction
with regard to security. Simply closing the application for instance isn’t enough
as most of them continue running in the background. Remarkably, millions
of P2P peers are left running unattended and vulnerable for large periods of

2.3.1 Defenses

Before considering any technical defense, there must be a sensitization of P2P
users. Leaving a personal computer unattended without a complete firewall and
anti-virus on a broadband internet connection is begging for trouble. Blaster,
for example, exploited a vulnerability 5 days after it was made public by Microsoft
with a “Security Update” that fixed it.
A solution would be for P2P software developers not to write any buggy software!
Perhaps that is a far-fetched goal, but it would be better to favor strongly
typed languages such as Java or C# instead of C or C++, where buffer overflows
are much easier to introduce.
Another interesting observation is that hybrid P2P systems have a vulnerability
pure P2P systems do not. By making some nodes more special than others
(for example better connectivity for Gnutella’s supernodes) the attacker has the
possibility to target these strategic nodes first in order to spread the worm more
efficiently later on. Pure P2P does not offer such targets as all nodes have the
same “importance”.
Finally, it is interesting to note that operating system developers are also offering
some solutions. OpenBSD’s 3.8 release now returns pseudo-random memory
addresses. This makes buffer overflows close to impossible as an attacker cannot
know what data segment he should overwrite [15].

2.3 Worm Propagation

Worms already pose one of the biggest threats to the internet. Currently, worms
such as Code Red or Nimda are capable of infecting hundreds of thousands of
hosts within hours, and no doubt better engineered worms would be able
to reach the same result in a matter of seconds. Worms propagating
through P2P applications would be disastrous: it is probably the most serious
threat.
There are several factors which make P2P networks attractive for worms [13]:
• P2P networks are composed of computers all running the same software.
An attacker can thus compromise the entire network by finding only one
exploitable security hole.
• P2P nodes tend to interconnect with many different nodes. Indeed a
worm running on the P2P application would no longer lose precious time
scanning for other victims. It would simply have to fetch the list of the
victim’s neighboring nodes and spread on.
• P2P applications are used to transfer large files. Some worms have to
limit their size in order to fit in one TCP packet. This problem would
not be encountered in P2P worms and they could thus implement more
complicated behaviors.
• The protocols are generally not viewed as mainstream and hence receive
less attention from intrusion detection systems.
• P2P programs often run on personal computers rather than servers. It is
thus more likely for an attacker to have access to sensitive files such as
credit card numbers, passwords or address books.
• P2P users often transfer illegal content (copyrighted music, pornography
...) and may be less inclined to report an unusual behavior of the system.
• The final and probably most juicy quality P2P networks possess is their
potentially immense size.
Once worms finish propagating, their goal is usually to launch massive DDOS
attacks (W32/Generic.worm!P2P, W32.SillyP2P, ...) against political or commercial
targets (whitehouse.gov, microsoft.com, ...).

2.2.1 Defenses

Without a central trusted authority, which generally does not exist in P2P networks,
it is not possible to detect a man-in-the-middle attack. Nodes have
no information about their neighbors and have no way of being able to identify
them later with certainty. Fortunately, as man-in-the-middle attacks are mostly
useless in P2P networks, this is not very alarming news.

2.2 Man-in-the-middle Attack

In a man-in-the-middle attack, the attacker inserts himself undetected between
two nodes. He can then choose to stay undetected and spy on the communication
or more actively manipulate the communication. He can achieve this
by inserting, dropping or retransmitting previous messages in the data stream.
Man-in-the-middle attacks can thus achieve a variety of goals, depending on the
protocol. In many cases it is identity spoofing or dispatching false information.
Man-in-the-middle attacks are a nightmare in most protocols (especially when
there is a form of authentication). Fortunately, they are less interesting in P2P networks. All the nodes have the same “clearance” and the traffic’s content is
shared anyway which makes identity spoofing useless. If the P2P application
supports different clearances between nodes, then the implications of man-in-the-middle
attacks would depend on the protocol itself. Possible attacks could
be spreading polluted files on behalf of trusted entities or broadcasting on behalf
of a super node.
