Slide1
Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs
Scott Wolchok (1), Owen S. Hofmann (2), Nadia Heninger (3), Edward W. Felten (3), J. Alex Halderman (1), Christopher J. Rossbach (2), Brent Waters (2), Emmett Witchel (2)
(1) The University of Michigan
(2) The University of Texas at Austin
(3) Princeton University
Slide2
Road Map
What is Vanish?
Attacking Vanish
Costs and performance
Countermeasures
What went wrong?
Slide3
Why Self-Destructing Data?
“Transient” messages tend to persist
Stored copies enable retroactive attacks
Attacker subpoenas data months or years later
Slide4
Vanish
Geambasu, Kohno, Levy, Levy — USENIX Security ’09
[Figure: Alice, Bob, Mallory, the message M, and the DHT]
Slide5
Vanish and Vuze
Vanish uses the Vuze DHT (Distributed Hash Table)
Over 1 million nodes, mostly BitTorrent
Nodes delete values after 8 hours
[Figure: Vuze DHT]
Slide6
Vanish and Vuze
Shares placed at random locations in the DHT
Replicated to 20 “closest” nodes
[Figure: Vuze DHT, message M]
Slide7
Is Vanish Secure?
Vanish 0.1 prototype released at publication
Included user-friendly Firefox plugin
Focused wide attention on its practical security
Slide8
Road Map
What is Vanish?
Attacking Vanish
Costs and performance
Countermeasures
What went wrong?
Slide9
DHT Crawling Threat
Threat: attacker might continuously archive all data in the DHT
Later, query archive to decrypt messages
Don’t need specific targets when recording
Slide10
Crawling with a Sybil Attack
Slide11
A Practical Threat?
Vanish authors anticipated this attack and estimated it would need 87,000 Sybils at a cost of $860,000/year…
Can we do better?
Slide12
Making the Attack Practical
Insight: have 8 hours to observe fragments
Vuze replicates to 20 nearest nodes
Every 30 minutes
On join!
Slide13
Slide14
“Hopping” Strategy
Sybils “hop” to new IDs every 3 minutes
160x resource amplification over 8 hours
Practical attack needs only ~2000 concurrent Sybils with hopping
Slide15
Making the Attack Practical
Insight: Vuze client is a notorious resource hog
Only 50 instances fit in 2 GB of RAM!
Can we more efficiently support 2000 Sybils?
Slide16
Optimized Sybil Client
C, lightweight, event-based implementation
Listen-only (no Vuze routing table!)
Thousands of Sybils in one process
Slide17
Road Map
What is Vanish?
Attacking Vanish
Costs and performance
Countermeasures
What went wrong?
Slide18
Attack Costs?
Vanish paper estimate (for 25% recovery at k=45, n=50):
87,000 Sybils
$860,000/year
What does attacking Vanish really cost?
Slide19
Experiments
Insert key shares into the DHT
Run attack from 10 Amazon EC2 instances
Measure:
DHT coverage = % key shares recovered
Key coverage = % messages decrypted
Attack cost = EC2 charges (Sep. 2009)
Slide20
Experimental Results
Cost for >99% Vanish key recovery?
| Attack | Concurrent Sybils | Key Shares Recovered | Annual Attack Cost* |
|---|---|---|---|
| Hopping | 500 | 92% | $23,500 |
| Hopping + Optimized Client | 2000 | 99.5% | $9,000 |
Slide21
DHT Coverage vs. Attack Size
Hopping plus Optimized Client
Slide22
Key Recovery vs. Attack Size
25% @ 70k Sybils
99% @ 136k Sybils
Hopping plus Optimized Client
Key-sharing parameters (k/n)
Slide23
Annual Cost vs. Key Recovery
25% @ $5000
90% @ $7000
99% @ $9000
Hopping plus Optimized Client
Key-sharing parameters (k/n)
Slide24
Storage
$1400/yr for all observed data
$80/yr for potential key shares
Slide25
Road Map
What is Vanish?
Attacking Vanish
Costs and performance
Countermeasures
What went wrong?
Slide26
Increase Key Recovery Threshold?
Required coverage increases in n and k/n
Why not raise them? (99/100?)
Reliability: some shares lost due to churn
Performance: pushing shares is slow!
Slide27
Limit Replication?
Attack exploits aggressive replication
Less replication might make the attack harder, but how much?
More in a few slides…
Slide28
Sybil Defenses from the Literature?
Client puzzles
Limit ports/IP, IPs/subnet, etc.
Social networking
Slide29
Detecting Attackers
Find and target IPs with too many clients
Use node enumerator, Peruze
Can detect attack IPs hours after the attack
Detected the Vanish demo
Slide30
Road Map
What is Vanish?
Attacking Vanish
Costs and performance
Countermeasures
What went wrong?
Slide31
Recall Vanish Authors’ Analysis
Cost estimates for 25% recovery at 45/50:
87,000 Sybils
$860,000/year
Extrapolated from 8000-node DHT
Actual cost:
70,000 Sybils
$5000/year
Slide32
Cost Estimation Issues
Vanish paper extrapolated from 8000-node DHT
Assumed Sybils must run continuously
Assumed attacker uses inefficient Vuze client
Slide33
Cost Not Linear in Recovery
[Figure: axes Key Recovery Fraction and Coverage Fraction; legend: Key-sharing parameters (k/n)]
Slide34
Response to Our Work
Second report and prototype by Vanish team [1]
New defenses
Use both Vuze DHT and OpenDHT
Disable replicate-on-join in Vuze
Use less aggressive “threshold replication”
Will these defenses stop real attackers?
[1] Geambasu, Falkner, Gardner, Kohno, Krishnamurthy, Levy. “Experiences building security applications on DHTs”. Technical report, UW-CSE-09-09-01.
Slide35
Conclusion
Showed attacks that defeat Vanish 0.1 in practice for $9000/year
Vanish team has proposed new defenses
Future work: are new defenses effective?
Our take: building Vanish with DHTs seems risky.
Slide36
Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs
Scott Wolchok (1), Owen S. Hofmann (2), Nadia Heninger (3), Edward W. Felten (3), J. Alex Halderman (1), Christopher J. Rossbach (2), Brent Waters (2), Emmett Witchel (2)
(1) The University of Michigan
(2) The University of Texas at Austin
(3) Princeton University
http://z.cs.utexas.edu/users/osa/unvanish/
Slide37
References
J.R. Douceur. The Sybil attack. IPTPS 2001.
R. Geambasu, J. Falkner, P. Gardner, T. Kohno, A. Krishnamurthy, H. Levy. Experiences building security applications on DHTs. Technical report, UW-CSE-09-09-01.
R. Geambasu, T. Kohno, A. Levy, H. Levy. Vanish: Increasing data privacy with self-destructing data. USENIX Security 2009.
G. Memon, R. Rejaie, Y. Guo, D. Stutzbach. Large-scale monitoring of DHT traffic. IPTPS 2009.
M. Steiner, T. En-Najjary, E. Biersack. A global view of Kad. IMC 2007.
M. Steiner, W. Effelsberg, T. En-Najjary, E. Biersack. Load reduction in the KAD peer-to-peer system. DBISP2P 2007.
D. Stutzbach and R. Rejaie. Improving lookup performance over a widely-deployed DHT. INFOCOM 2006.
D. Stutzbach and R. Rejaie. Understanding churn in peer-to-peer networks. IMC 2006.
Slide38
Vanish Attack Model
Need to recover k of n fragments
p = Pr{recover key fragment}
Pr{recover VDO} = Pr{recover k or more fragments}
Binomial distribution
Pr{recover VDO} =
Slide39
Coverage Model
m Sybils see c of N objects
Balls-in-bins problem
Expected fraction = $1 - e^{-cm/N} = 1 - e^{-sm}$
s = c/N is the (overlapping) fraction of the network observed by each Sybil
Slide40
Prior Work
Enumerating DHT nodes
Cruiser [Stutzbach 2006a,b]
Blizzard [Steiner 2007a]
Measuring DHT traffic
Mistral [Steiner 2007b]
Montra [Memon 2009]
Slide41
Hopping plus Optimized Client
| Concurrent Sybils | Hours | # VDO Fragments | Fragments Found |
|---|---|---|---|
| 2000 | 8 | 1650 | 1640 (99.4%) |
| 2000 | 7.5 | 1700 | 1692 (99.5%) |
| 500 | 8 | 1650 | 1561 (91.8%) |
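
The "Vanish Attack Model" and "Coverage Model" slides, written out as an added example (not code from the presentation or from the Vanish project) so that a designer can check how much protection a given k/n threshold gives at a given share coverage. The binomial tail assumes each share is observed independently, the function names are this example's own, and the coverage values 0.918 and 0.995 are the share-coverage figures reported on the slides.

```python
import math

def pr_recover_vdo(p, k, n):
    """Binomial tail: Pr{at least k of n shares observed}, each share
    observed independently with probability p (attack-model slide)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i)
               for i in range(k, n + 1))

def expected_coverage(s, m):
    """Coverage-model slide: m Sybils, each seeing a fraction s = c/N."""
    return 1.0 - math.exp(-s * m)

def sybils_for_coverage(p, s):
    """Invert 1 - e^(-s*m) = p for m."""
    return -math.log(1.0 - p) / s

def coverage_needed(target, k, n, tol=1e-9):
    """Smallest share coverage p giving Pr{recover VDO} >= target.
    Bisection works because the binomial tail is increasing in p."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if pr_recover_vdo(mid, k, n) >= target:
            hi = mid
        else:
            lo = mid
    return hi

def sybil_ratio(k, n, low=0.25, high=0.99):
    """How many times more Sybils `high` key recovery needs than `low`.
    The per-Sybil fraction s cancels, so no value for it is assumed."""
    p_low, p_high = coverage_needed(low, k, n), coverage_needed(high, k, n)
    return math.log(1 - p_high) / math.log(1 - p_low)

if __name__ == "__main__":
    # Share coverage figures as reported on the slides (91.8% and 99.5%).
    for k, n in [(45, 50), (99, 100)]:
        for p in (0.918, 0.995):
            print(f"k/n={k}/{n} coverage={p:.3f} "
                  f"-> Pr{{recover VDO}}={pr_recover_vdo(p, k, n):.4f}")
        print(f"k/n={k}/{n}: 99% recovery needs "
              f"{sybil_ratio(k, n):.2f}x the Sybils of 25% recovery")
```

Under this model, raising the threshold to 99/100 still leaves most keys recoverable once share coverage reaches 99.5%, which is why the deck treats a higher threshold alone as an insufficient countermeasure.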