Towards Scalable and Robust Overlay Networks Christian Scheideler Institut für Informatik Technische Universität München Baruch Awerbuch Dept. of Computer Science Johns Hopkins University
Motivation Peer-to-peer systems have attracted a lot of attention in recent years Many structured peer-to-peer systems use overlay networks based on virtual space
Example Chord: Each peer assigned to (pseudo-)random point in [0,1) Each peer at point x connects to peers closest to x+1/2, x+1/4, x+1/8,…(mod 1) 01
Basic Goals Scalability: Network has (poly-)logarithmic diameter Peers have (poly-)logarithmic degree Join/leave require (poly-)logarithmic work Robustness: Network robust against insider and outsider attacks (minimal goal: honest peers form single connected component)
Join-Leave Attacks In open peer-to-peer systems Goal: make abuse of join and leave operations hard peers may frequently join and leave not all peers are honest/reliable
Join-Leave Model n honest peers n adversarial peers, <1 Operations: Join(v): peer v joins the system Leave(v): peer v leaves the system Goal: maintain scalability and robustness for any sequence of polynomially many rejoin (leave+join) requests
Join-Leave Model Goal: maintain scalability and robustness for any sequence of polynomially many rejoin (leave+join) requests Adversary can decide adaptively which peer (honest or adversarial) has to rejoin Rejoin(v 1 )Rejoin(v 2 )Rejoin(v 3 )Rejoin(v 4 ) time
More specific goal n honest peers, n adversarial peers every peer has point in [0,1) (Chord) For any interval I ½ [0,1) of size (c log n)/n: Balancing condition: (log n) peers in I Majority condition: honest peers in majority 01 I c log n / n
How to satisfy conditions? (1) use pseudo-random (cryptographic) hash function to map peers to points in [0,1) randomly distributes honest peers does not randomly distribute adversarial peers
How to satisfy conditions? (2) map peers to random points in [0,1)
How to satisfy conditions? (3) Group spreading [AS04]: Map peers to random points in [0,1) Limit lifetime of peers Too expensive!
Only adversarial peers rejoin Rule that works: k-cuckoo rule [AS06] evict k/n-region n honest n adversarial < 1-1/k Rejoin: leave and join via k-cuckoo rule
Limitation of k-cuckoo rule Only works for any sequence of rejoin requests of adversarial peers. Does not work for any sequence of rejoin requests.
Local Load Balancing Works quite effectively to maintain overlay network if all peers are honest [KSW05]
Random Filling/Flipping Fill position of leaving peer with random peer Flip k/n-region of leaving peer with random k/n-region
Random-Neighbor-Flipping Flip random among c log n neighboring k/n-regions with random k/n-region flip Analysis difficult!
k-cuckoo&flip rule Join: as before (k-cuckoo rule) Leave: random k/n-region among c log n neighboring k/n-regions, empty & flip it with random k/n-region n honest n adversarial flip Rejoin via k-cuckoo rule
Main Result Theorem: For any constants and k with <1/4-(2 log k+1)/k, the cuckoo&flip rule satisfies the balancing and majority conditions for a poly number of rejoin requests, w.h.p. Proof: via several worst-case high-concentration results for honest and adversarial peers
Conclusions Algorithmic solutions are possible to counter join-leave attacks with constant factor overhead Concurrent join-leave operations: fine with rate limit enforced by peers Massive departure of adversarial peers: not a problem due to balancing condition
Conclusions Problem: strategy is high-level and only covers legal attacks on overlay network (resp. DoS attacks on one honest node at a time) Low-level protocols: Most critical issue is random number gen. Low-level protocol for that in [AS06b] (works – unlike VSS - for public channels)
Conclusions Problem: strategy is high-level and only covers legal attacks on overlay network (resp. DoS attacks on one honest node at a time) Illegal attacks: Biggest problem low-level DoS attacks Only oblivious or relatively weak adaptive attackers can be handled so far
Questions?