The Case for DDoS Resistant Membership Management in P2P Systems


The Case for DDoS Resistant Membership Management in P2P Systems
Xin Sun, Ruben Torres and Sanjay Rao
Internet Systems Lab, Purdue University

Hello, I’m Ruben Torres from Purdue University. This work is aimed at controlling DDoS attacks that are created with clients of popular peer-to-peer systems against external hosts, which are not even part of the peer-to-peer network.

DDoS Attack Exploiting P2P Systems
[Diagram: normal search process vs. attack. Labels: Index for F, M, A, C, victim, <REQ F>, <RESP Sources>, <F>]
Attack done in KAD (part of eMule), a DHT-based file sharing application

This is an example of an attack that we have done in KAD, a very popular DHT-based file sharing application. In this example, A is looking for file F. In the normal search process, A contacts I, who provides the information of C, which is the source of the file. In the attack scenario, the malicious user provides the victim’s information. A sends a message to the victim, who is not even part of the peer-to-peer system. We can imagine millions of users sending unnecessary traffic to the victim and filling up its access bandwidth.
4/14/2019 Internet Systems Lab - Purdue University

Interplay Between P2P Systems Design and System Exploitability
Some awareness about vulnerabilities with P2P systems [Paxson ’01, Naumov ’06, Defrawy ’07, Sun ‘07]
Our focus: the interplay between membership management mechanisms and the seriousness of the attacks possible
We identified design constructs in P2P systems that are exploitable to greatly amplify attack magnitudes:
Use of push-based mechanisms
Multiple logical IDs for one physical ID (e.g. IP address)
Poorly designed mechanisms for validation based on active probing
Attack magnitude of 700 Mbps on the real KAD network

Recently, there have been some works showing the problem, but we focus on the interplay between membership management mechanisms and the exploitability of the system. In particular, we have identified three mechanisms, some intrinsically exploitable, that greatly amplify the attack magnitude. Use of push-based mechanisms: in KAD, this allows new users and users behind NATs to be learnt by others. At the same time, malicious nodes use the same mechanism to push themselves into others’ routing tables, so they become popular and attract many queries. Multiple logical IDs for one physical ID: in KAD, this allows several nodes behind the same NAT to connect to the P2P network. At the same time, malicious nodes include in a response many IDs mapped to the victim’s IP address, causing multiple queries to be sent to the victim. And poorly designed mechanisms for validation: in KAD, clients will verify every piece of new membership information learnt.

Solution: DDoS Resistant Membership Management
Main idea: self-validation of membership information
Active probing
Bound validation failures to prevent this being a source of DDoS attacks
No reliance on a central authority
Resistant to benign validation failures (NATs, churn, packet loss)

To solve this problem, we propose a framework for self-validation of membership information. It is based on active probing, but bounding the number of validation failures to the same IP or prefix to prevent DDoS attacks. There is no central authority that provides the good nodes, and the framework is resistant to benign validation failures.
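One way to realise the bounded self-validation this slide proposes, as an added example that is not the authors' code: learnt contacts are probed before they enter the routing table, the probes are budgeted per address prefix, and logical IDs are capped per IP. The /24 prefix length, the failure budget, the ID cap, the probe callback and the sample claims are all assumptions.

```python
# Added example (not the authors' code): bounded self-validation of learnt
# membership information. Learnt contacts are probed before entering the routing
# table, but probes are budgeted per /24 prefix and logical IDs capped per IP, so
# bogus entries aimed at one host cannot make the validator a DDoS source.
# Prefix length, budgets and the probe callback are assumptions.
from collections import defaultdict
import ipaddress
PREFIX_LEN = 24      # assumed: failures counted per /24 prefix
MAX_FAILURES = 3     # assumed: failed probes tolerated per prefix per window
MAX_IDS_PER_IP = 2   # assumed: logical node IDs admitted per physical address

class MembershipValidator:
    def __init__(self, probe):
        self.probe = probe                  # probe(ip, port) -> bool (reachable?)
        self.failures = defaultdict(int)    # prefix -> failed probes this window
        self.ids_per_ip = defaultdict(set)  # ip -> admitted node IDs
        self.routing_table = {}             # node_id -> (ip, port)

    def consider(self, node_id, ip, port):
        """Return 'admitted', 'rejected' or 'skipped' for one learnt contact."""
        pfx = str(ipaddress.ip_network(f"{ip}/{PREFIX_LEN}", strict=False))
        if self.failures[pfx] >= MAX_FAILURES:  # budget spent: stop probing, every
            return "skipped"                    # further probe is victim traffic
        known = self.ids_per_ip[ip]             # cap IDs per physical address, so
        if node_id not in known and len(known) >= MAX_IDS_PER_IP:  # one response
            return "rejected"                   # cannot multiply queries to a host
        if self.probe(ip, port):
            known.add(node_id)
            self.routing_table[node_id] = (ip, port)
            return "admitted"
        self.failures[pfx] += 1
        return "rejected"

    def reset_window(self):
        self.failures.clear()  # call periodically so benign failures (NAT, churn) age out

def simulate(claims, live_hosts):
    """Run constructed claims; return (outcome counts, table size, probes sent)."""
    sent = []
    v = MembershipValidator(lambda ip, port: (sent.append(ip), ip in live_hosts)[1])
    counts = defaultdict(int)
    for node_id, ip, port in claims:
        counts[v.consider(node_id, ip, port)] += 1
    return dict(counts), len(v.routing_table), len(sent)

# Constructed sample (TEST-NET addresses): 20 bogus IDs aimed at one victim,
# two normal peers, and one live peer claiming four IDs.
SAMPLE_CLAIMS = [(f"bad{i}", "198.51.100.7", 4662) for i in range(20)]
SAMPLE_CLAIMS += [("good1", "203.0.113.10", 4662), ("good2", "203.0.113.11", 4662)]
SAMPLE_CLAIMS += [(f"many{i}", "203.0.113.12", 4662) for i in range(4)]
LIVE_HOSTS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
```

With the sample above, only three of the twenty bogus entries trigger a probe toward the victim's address before its prefix is cut off, and the peer claiming four IDs gets two admitted.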

Current Status
Designed and built an initial prototype
Integrated with mature P2P systems:
KAD - file sharing
ESM - video broadcasting
Preliminary results are promising
For more information
Details on the attack: “DDoS Attacks by Subverting Membership Management in P2P Systems”, NPSec 2007, in conjunction with ICNP 2007
Technical report in preparation

Thanks!
Contact: rtorresg@purdue.edu
More information on this project: http://cobweb.ecn.purdue.edu/~isl/secp2p.htm

Real Attack with KAD
By exploiting the mechanisms described before, we performed an attack on the real KAD system.
Peak attack magnitude of 700 Mbps observed at the victim (a PC in our lab)
More than 1 million concurrent users
200 attackers
15-hour period