The Case for DDoS Resistant Membership Management in P2P Systems

Presentation transcript:

Slide 1: The Case for DDoS Resistant Membership Management in P2P Systems
Xin Sun, Ruben Torres and Sanjay Rao
Internet Systems Lab, Purdue University

Speaker notes: Hello, I'm Ruben Torres from Purdue University. This work is targeted to control DDoS attacks created with clients of popular peer-to-peer systems to external hosts, which are not even part of the peer-to-peer network.

Slide 2: DDoS Attack Exploiting P2P Systems
[Figure: two message diagrams. Normal search process: A sends REQ F to the index M for file F, receives RESP Sources naming C, sends REQ F to C and receives F. Attack: the index instead returns the victim as the source, so A sends REQ F to the victim.]
- Normal search process
- Attack
- Done in KAD (part of eMule), a DHT based file sharing application

Speaker notes: This is an example of an attack that we have done in KAD, a very popular DHT based file sharing application. In this example, A is looking for file F. In the normal search process A contacts I, who provides the information of C, which is the source of the file. In the attack scenario, the malicious user provides the victim's information. A sends a message to the victim, who is not even part of the peer-to-peer system. We can imagine millions of users sending unnecessary traffic to the victim and filling up its access bandwidth.

4/14/2019 Internet Systems Lab - Purdue University

Slide 3: Interplay Between P2P Systems Design and System Exploitability
- Some awareness about vulnerabilities with P2P systems [Paxson '01, Naumov '06, Defrawy '07, Sun '07]
- Our focus: interplay between membership management mechanisms and the seriousness of the attacks possible
- We identified design constructs in P2P systems exploitable to greatly amplify attack magnitudes:
  - Use of push-based mechanisms
  - Multiple logical IDs for one physical ID (e.g. IP address)
  - Poorly designed mechanisms for validation based on active probing
- Attack magnitude of 700 Mbps on the real KAD network

Speaker notes: Recently, there have been some works showing the problem, but we focus on the interplay between membership management mechanisms and the exploitability of the system. In particular, we have identified three mechanisms, some intrinsically exploitable, that greatly amplify the attack magnitude. Use of push-based mechanisms: in KAD, this allows new users and users behind NAT to be learnt by others. At the same time, malicious nodes use the same mechanism to push themselves into others' routing tables, so they become popular and attract many queries. Multiple logical IDs to one physical ID: in KAD, this allows several nodes behind the same NAT to connect to the P2P network. At the same time, malicious nodes include in a response many IDs mapped to the victim's IP address, causing multiple queries to be sent to the victim. And poorly designed mechanisms for validation: in KAD, clients will verify every new piece of membership information learnt.

Slide 4: Solution: DDoS Resistant Membership Management
- Main idea: self-validation of membership information
  - Active probing
  - Bound validation failures so that validation itself cannot become the source of a DDoS attack
  - No reliance on a central authority
  - Resistant to benign validation failures (NATs, churn, packet loss)

Speaker notes: To solve this problem, we propose a framework for self-validation of membership information. It is based on active probing, but bounding the number of validation failures to the same IP or prefix to prevent DDoS attacks. There is no central authority that provides the good nodes, and the framework is resistant to benign validation failures.
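The following simulation is an added example, not code from the talk, from KAD or from ESM. It models the two constructs slides 3 and 4 describe from the validating client's side: a response that lists many logical IDs for one physical IP (the victim's), and a validator that probes every entry it learns but caps the failed probes charged to one IP or /24 prefix and the logical IDs accepted per IP. All peers, addresses (RFC 5737 documentation ranges), cap values and probe behaviour are constructed; the naive mode reproduces "verify every new entry" so the two can be compared.

```python
"""Bounded self-validation of membership information (constructed simulation)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerEntry:
    node_id: str   # logical ID (short constructed string instead of a real DHT ID)
    ip: str        # physical ID
    port: int


def prefix24(ip: str) -> str:
    """Aggregate an address to its /24 so failures against one prefix are counted together."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class MembershipValidator:
    def __init__(self, probe, max_fail_ip=3, max_fail_prefix=10, max_ids_per_ip=4, bounded=True):
        self.probe = probe                     # callable(PeerEntry) -> bool, stands in for a liveness ping
        self.bounded = bounded                 # False = naive "validate everything you learn"
        self.max_fail_ip = max_fail_ip         # cap values are assumptions, not the paper's parameters
        self.max_fail_prefix = max_fail_prefix
        self.max_ids_per_ip = max_ids_per_ip
        self.fail_ip = defaultdict(int)
        self.fail_prefix = defaultdict(int)
        self.ids_per_ip = defaultdict(set)
        self.routing_table = {}
        self.probes_by_ip = defaultdict(int)   # traffic the validator actually generated, per target IP

    def learn(self, entry: PeerEntry) -> str:
        """Handle one entry learnt from a query response or a push; return the decision."""
        ip, pfx = entry.ip, prefix24(entry.ip)
        if self.bounded:
            if self.fail_ip[ip] >= self.max_fail_ip:
                return "suppressed:ip-failure-cap"
            if self.fail_prefix[pfx] >= self.max_fail_prefix:
                return "suppressed:prefix-failure-cap"
            if entry.node_id not in self.ids_per_ip[ip] and len(self.ids_per_ip[ip]) >= self.max_ids_per_ip:
                return "suppressed:ids-per-ip-cap"
        self.probes_by_ip[ip] += 1
        if self.probe(entry):
            self.routing_table[entry.node_id] = entry
            self.ids_per_ip[ip].add(entry.node_id)
            return "accepted"
        self.fail_ip[ip] += 1
        self.fail_prefix[pfx] += 1
        return "rejected:probe-failed"


def make_probe(live_ips, flaky_first_n):
    """Constructed probe: live IPs answer, the victim never does, and a flaky honest
    peer drops its first n probes (packet loss / churn) before answering."""
    remaining = dict(flaky_first_n)

    def probe(entry: PeerEntry) -> bool:
        if remaining.get(entry.ip, 0) > 0:
            remaining[entry.ip] -= 1
            return False
        return entry.ip in live_ips
    return probe


VICTIM_IP = "203.0.113.7"   # constructed; an external host that is not part of the P2P network
HONEST = [PeerEntry(f"h{i}", f"198.51.100.{i}", 4672) for i in range(1, 6)]
FLAKY = PeerEntry("flaky", "198.51.100.50", 4672)
# Malicious response: 50 distinct logical IDs, all mapped to the victim's IP and port.
MALICIOUS = [PeerEntry(f"bad{i}", VICTIM_IP, 80) for i in range(50)]


def simulate(bounded: bool) -> dict:
    live = {p.ip for p in HONEST} | {FLAKY.ip}
    v = MembershipValidator(make_probe(live, {FLAKY.ip: 1}), bounded=bounded)
    decisions = defaultdict(int)
    # The flaky peer is learnt twice (e.g. once by push, once in a query response).
    for entry in HONEST + MALICIOUS + [FLAKY, FLAKY]:
        decisions[v.learn(entry)] += 1
    return {
        "probes_to_victim": v.probes_by_ip[VICTIM_IP],
        "accepted": len(v.routing_table),
        "flaky_accepted": FLAKY.node_id in v.routing_table,
        "decisions": dict(decisions),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("bounded" if mode else "naive", simulate(mode))
```

In naive mode every one of the 50 entries triggers a probe to the victim, so a single malicious response already multiplies the attacker's message into 50 packets from one client; in bounded mode the victim's IP is charged three failures and the remaining 47 entries are suppressed without any traffic, while the honest peer that lost one probe is still accepted on its second appearance. The per-prefix cap and the IDs-per-IP cap are not reached in this run; they cover the cases where an attacker spreads the victim across a block of addresses or where the target does answer probes.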

Slide 5: Current Status
- Designed and built initial prototype
- Integrated with mature P2P systems:
  - KAD (file sharing)
  - ESM (video broadcasting)
- Preliminary results are promising
- For more information:
  - Details on attack: "DDoS Attacks by Subverting Membership Management in P2P Systems", NPSec in conjunction with ICNP 2007
  - Technical report in preparation

Slide 6: Thanks!
Contact:
More information on this project:

Slide 7: Real Attack with KAD
- By exploiting the mechanisms described before, we performed an attack on the real KAD system.
- Peak attack magnitude of 700 Mbps observed at the victim (a PC in our lab)
- More than 1 million concurrent users
- 200 attackers
- 15 hour period
