Slide1
Reliable Client Accounting for P2P-Infrastructure Hybrids
Paarijaat Aditya†, Ming-Chen Zhao‡, Yin Lin*, Andreas Haeberlen‡, Peter Druschel†, Bruce Maggs*◊, Bill Wishon◊
† Max Planck Institute for Software Systems (MPI-SWS)
‡ University of Pennsylvania
* Duke University
◊ Akamai Technologies
NSDI 2012, San Jose, April 25, 2012
Slide2
Trends in Content Distribution Networks
- Centralized CDN
  - Clients download from CDN servers, customers pay CDN provider
- New trend: hybrid or peer assisted distribution
  - Clients download from peers and CDN servers
  - Scalability of P2P + reliability & manageability of a centralized system
  - E.g. Akamai NetSession, Velocix P2P Assisted delivery, …
[Figure: CDN servers (infrastructure), clients, and customers (content providers); source: velocix.com (TODO)]
Paarijaat Aditya, MPI-SWS
Slide3
Hybrid Systems - Challenges
- Untrusted clients + Infrastructure can’t observe P2P communication
- What could go wrong? In principle clients may
  - Mishandle content: modify, inject or censor content
  - Affect service quality: delay or abort transfers
  - Misreport P2P transfers
Slide4
What Do CDNs Currently Do
- Infrastructure provides signed metadata
  - Clients can verify content integrity
- Infrastructure as fallback
  - Maintain service quality in case of failed transfers
Slide5
What Could Still Go Wrong?
- Inherent problem: infrastructure can’t observe P2P communication
- Clients could still misreport
  - CDN may end up reporting downloads that did not happen
- Clients could still affect service quality
[Figure: CDN servers (infrastructure), clients A, B and C, and customers (content providers). Callouts: "I downloaded 1 TB from A & B!"; "I uploaded 0.1 TB to C"; "I did not upload anything"; "?!"; "File X was downloaded 1 billion times!"; "Carried out on Akamai NetSession!"]
CDNs need a mechanism to reliably account for client activity!
Slide6
Akamai NetSession
- Peer assisted CDN operated by Akamai
- Used for distributing large files – software installers and videos
- Client software is bundled with customer specific installer
[Figure: NetSession download workflow. Components: Controller, Edge servers (Akamai), Clients running NetSession software (A, B, C). Labels: Request file; List of clients & signed metadata; Download from clients & edge servers; Verify with metadata; Periodic progress reports while downloading; Download completion; Accounting logs for customers; "Expect to hear from C"]
Slide7
Inflation Attack on NetSession
- Have an unmodified NetSession client report fake downloads
- Performed with Akamai’s permission
- Targeted a dummy customer
[Figure: data downloaded (GB/hr) by day in December 2010, obtained from actual accounting logs; annotation: load spike]
- Could have been much worse with modified client software!
- Single client can cause significant accounting inaccuracies!
Slide8
Outline
- Introduction
  - Hybrid CDNs: clients can misreport
  - Need a way to reliably account for client activities
- Reliable Client Accounting (RCA)
  - Reliably capture client activities
  - Identify misbehaving/suspicious clients
  - Handle misbehavior without affecting service quality
- Evaluation
- Related work & Conclusion
Slide9
Types of Attacks
- Misbehaving client software
  - Unilateral – deviations from the correct protocol
    - Misreport interactions with honest clients
    - Serve bad content to disrupt quality of service
  - Collusion – multiple clients collude to misreport activities
    - Difficult in practice because infrastructure assigns peers
- Suspicious user behavior
  - Repeatedly downloading content to drive up demand
  - Can be amplified by a Sybil attack
  - Not unique to hybrid systems
[Slide annotations: "RCA can detect deterministically"; "Require statistical checks"]
Slide10
Reliable Client Accounting – Overview
- Clients maintain a tamper evident log of their network activity
- Logs periodically uploaded to infrastructure and verified
- Quarantine clients if suspicious
[Figure: clients A and B exchange messages (M), each keeping its own log (A's log, B's log); the CDN servers (infrastructure) verify the client’s actions]
Slide11
Reliably Capturing Client Activity
- Tamper evident logging & log consistency checks [PeerReview, SOSP 2007]
  - Log entries form a hash chain
  - Signed hash (authenticator) is included with every message sent
  - Client commits to its entire event history
- Log hash chains + authenticators are sufficient to
  - Verify whether all clients report a consistent sequence of message exchange
- Clients cannot unilaterally report fake downloads
[Figure: A sends message M to B. A’s log:
...
471: SEND(B, X)
472: RECV(B, Y)
473: RECV(B, W)
474: SEND(B, M)]
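The hash chain and authenticator from this slide, as an added Python example (not code from the talk or from NetSession): it shows how the authenticator A attached to message M commits A to its earlier entries, so a rewritten or truncated log contradicts it on audit. The entry encoding, the all-zero start hash and the HMAC standing in for a public-key signature are assumptions; sequence numbers start at 1 rather than 471.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # h_0; all-zero start value is an assumption

def link(prev, seq, kind, peer, content):
    """h_seq = H(h_{seq-1} || seq|kind|peer| || H(content)); layout assumed."""
    body = f"{seq}|{kind}|{peer}|".encode() + hashlib.sha256(content).digest()
    return hashlib.sha256(prev + body).digest()

def sign(key, seq, h):
    # HMAC stands in for the client's public-key signature (assumption).
    return hmac.new(key, seq.to_bytes(8, "big") + h, hashlib.sha256).digest()

class Log:
    def __init__(self, key):
        self.key, self.entries, self.top = key, [], GENESIS
    def append(self, kind, peer, content):
        """Add an entry; return the authenticator (seq, h_seq, signature)."""
        seq = len(self.entries) + 1
        self.top = link(self.top, seq, kind, peer, content)
        self.entries.append((seq, kind, peer, content))
        return seq, self.top, sign(self.key, seq, self.top)

def audit(key, entries, authenticators):
    """Rebuild the chain from an uploaded log; list contradictions with peers' authenticators."""
    hashes, top = {}, GENESIS
    for i, (seq, kind, peer, content) in enumerate(entries, 1):
        if seq != i:
            return [f"sequence gap at entry {i}"]
        top = hashes[seq] = link(top, seq, kind, peer, content)
    problems = []
    for seq, h, sig in authenticators:
        if not hmac.compare_digest(sig, sign(key, seq, h)):
            problems.append(f"bad signature on authenticator {seq}")
        elif hashes.get(seq) != h:
            problems.append(f"log contradicts authenticator {seq}")
    return problems

def demo():
    key = b"constructed demo key for client A"
    a = Log(key)
    for kind, content in [("SEND", b"X"), ("RECV", b"Y"), ("RECV", b"W")]:
        a.append(kind, "B", content)
    auth = a.append("SEND", "B", b"M")  # travels with M; B keeps it
    forged = list(a.entries)
    forged[1] = (2, "RECV", "B", b"download that never happened")
    return audit(key, a.entries, [auth]), audit(key, forged, [auth])
```

`demo()` returns the audit result for A's real log and for a copy in which entry 2 was rewritten after the authenticator for entry 4 had already been sent.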
Slide12
Reducing Processing Overhead on the CDN
- Signature verification overhead ∝ number of authenticators
- Previous implementations
  - Records one authenticator for each message
  - Overhead: O(number of messages sent or received)
- RCA: cumulative authenticators
  - Records only two authenticators for each remote client
  - Overhead: O(number of communicating client pairs) << O(number of messages)
Slide13
Verifying Client Activity
- A consistent log might still be implausible
  - Contact clients not assigned by infrastructure
  - Serve bad content
- Plausibility checking
  - Verify whether the log is consistent with a valid execution of software
  - NetSession protocol can be modeled as a simple state machine
  - Manually identified rules a correct client must obey
  - Verify logs against these rules
[Figure: Input, Output, comparison (=?); if ≠: Client is provably incorrect]
Slide14
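The plausibility check from the "Verifying Client Activity" slide, as an added Python example (not code from the talk or from NetSession): a client's log is replayed through a small state machine whose rules reject contact with unassigned peers and served pieces that do not match the signed metadata. The message names, states and rules are hypothetical, since the slides do not list the real ones.

```python
import hashlib

CONTROLLER = "controller"  # hypothetical name for the control plane

def check_log(log, assigned, piece_hashes):
    """Replay one client's log against the rules; return None if plausible,
    else (entry index, reason) for the first violation."""
    state, pending = "IDLE", set()
    for i, (kind, peer, msg, arg) in enumerate(log):
        step = (state, kind, msg)
        if step == ("IDLE", "SEND", "REQUEST_FILE") and peer == CONTROLLER:
            state = "WAITING"
        elif step == ("WAITING", "RECV", "PEER_LIST") and peer == CONTROLLER:
            state = "ACTIVE"
        elif step == ("ACTIVE", "SEND", "GET_PIECE"):
            if peer not in assigned:  # only infrastructure-assigned peers
                return i, f"contacted unassigned peer {peer}"
            pending.add((peer, arg))
        elif step == ("ACTIVE", "RECV", "PIECE"):
            if (peer, arg) not in pending:  # a piece must answer a request
                return i, f"piece {arg} from {peer} was never requested"
            pending.remove((peer, arg))
        elif step == ("ACTIVE", "SEND", "PIECE"):
            idx, data = arg  # served data must match the signed metadata
            if hashlib.sha256(data).hexdigest() != piece_hashes.get(idx):
                return i, f"served bad content for piece {idx}"
        elif step == ("ACTIVE", "SEND", "DOWNLOAD_COMPLETE") and peer == CONTROLLER:
            if pending:
                return i, "reported completion with requests outstanding"
            state = "IDLE"
        else:
            return i, f"{kind} {msg} not allowed in state {state}"
    return None

# Constructed sample data: metadata hashes and one honest log for client A.
PIECES = {n: hashlib.sha256(b"piece-%d" % n).hexdigest() for n in (0, 1)}
HONEST = [
    ("SEND", CONTROLLER, "REQUEST_FILE", "X"),
    ("RECV", CONTROLLER, "PEER_LIST", ["B", "C"]),
    ("SEND", "B", "GET_PIECE", 0),
    ("RECV", "B", "PIECE", 0),
    ("SEND", "C", "PIECE", (1, b"piece-1")),
    ("SEND", CONTROLLER, "DOWNLOAD_COMPLETE", "X"),
]

def variant(index, entry):
    """Copy of HONEST with one entry replaced (simulates a misbehaving client)."""
    return HONEST[:index] + [entry] + HONEST[index + 1:]
```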
Types of Attacks
- Misbehaving client software
  - Unilateral – deviations from the correct protocol
    - Misreport interactions with honest clients
    - Serve bad content to disrupt quality of service
  - Collusion – multiple clients collude to misreport activities
    - Difficult in practice because infrastructure assigns peers
- Suspicious user behavior
  - Repeatedly downloading content to drive up demand
  - Can be amplified by a Sybil attack
  - Not unique to hybrid systems
[Slide annotations: "RCA can detect deterministically"; "Require statistical checks"]
Slide15
Statistical Checks
- Look for anomalous client behavior
  - Large amount of prior work
  - Assume the availability of correct information
- RCA provides a sound basis for anomaly detection
- Flag clients who download more than a threshold
- Analyze communication patterns to identify colluding clients
Slide16
Handling Malicious/Suspicious Clients
- Blacklist clients
  - False positives – blacklist an innocent client?
- Quarantine clients
  - Not allowed to upload content
  - Can still download from the infrastructure
- Quarantining an innocent client is safe
  - Does not affect service quality of client
  - Slight increase in resource cost to infrastructure
  - Enables aggressive anomaly detectors
- Tamper evident logging: provides accurate information
- Quarantining: safe way to handle false positives
Slide17
Outline
- Introduction
  - Hybrid CDNs: clients can misreport
  - Need a way to reliably account for client activities
- Reliable Client Accounting (RCA)
  - Reliably capture client activities
  - Identify misbehaving/suspicious clients
  - Handle misbehavior without affecting service quality
- Evaluation
- Related work & Conclusion
Slide18
Evaluation
- Implemented a clone of NetSession client & Infrastructure software
- Experiments performed in a network emulation environment
  - Driven by actual client activity traces of Akamai NetSession for Dec 2010
- Experiment: Reproduce clients’ download activity over a month
  - 500 randomly selected clients
  - 1 edge server and 1 control plane server
Slide19
Evaluation - Questions
- Client’s Perspective
  - Network overhead
  - CPU overhead
  - Log storage
- CDN’s Perspective
  - Log processing overhead
  - Statistical checks
  - Effectiveness
Slide20
Client’s Perspective
- Network overhead (in terms of % of actual content downloaded)
- CPU overhead
  - Maximum additional client CPU usage = 0.5%
- Log Storage (with daily log uploads)
  - On average: 100 KB/day
- Avg extra client B/W: 192 KB/day (signatures + log upload)
Slide21
CDN’s Perspective
- Projections for a large deployment: 100 million clients, downloading 100 PB content/month
- Log Uploads & Log Processing
  - 0.05 PB/month of log uploads (0.05% of transferred content)
  - 35 machines required to process these logs
- For comparison, NetSession as of Dec 2011
  - has 25 million clients, downloading 0.85 PB/month
  - uses about 10 machines for log processing
- Effectiveness
  - Tried out various attacks. RCA caught them as expected
Slide22
Related Work
- Misbehavior in P2P systems
  - Maze [Q. Lian et al., 2007]: Empirically study client misbehavior in p2p file sharing systems
  - Dandelion [M. Sirivianos et al., 2007], Antfarm [Peterson et al., 2009]: Use cryptographic virtual currency to handle selfish peers
  - RCA doesn’t aim for fairness and considers more general Byzantine behavior
- Anomaly detection
  - An intrusion detection model [D. Denning, 1987]
  - BotGrep [S. Nagaraja et al., 2010]: Detect BotNets by studying client interactions
  - RCA enables building complex statistical checks
Slide23
Conclusion
- Fundamental challenge for P2P-Infrastructure hybrids
  - Infrastructure cannot observe P2P communication
  - Demonstrated an inflation attack on the live Akamai NetSession system
- Reliable Client Accounting (RCA)
  - Reliably capture client activity
  - Sound basis for anomaly detection
  - Quarantine: safely handle suspicious clients
- Applied RCA to Akamai NetSession
  - Comprehensive evaluation using actual client traces
  - RCA overhead is reasonable