The Index Poisoning. Sharing Systems Mehmet Aslan Hacettepe Üniversitesi

Transcription

1 The Index Poisoning Attack in P2P File Sharing Systems Mehmet Aslan Hacettepe Üniversitesi

2 Introduction Pollution attack corrupt target content, make unusable, share 50%-80% of copies of popular titles in FastTrack (Spring 2004) high-bandwidth, respond to requests, expensive upload Index poisoning attack structured/unstructured systems vulnerable, under attack Index: allows user to discover locations (IP-port) of content inserting massive numbers of bogus (fake) records into index Record: randomly chosen file identifier if succeeds, user tries tens of identifiers, but nothing located less bandwidth and server resources

3 Introduction (cont.) Poisoning attack in two file sharing systems Overnet DHT-based (Distributed Hash Table) FastTrack two-tier unstructured P2P file-sharing systems vulnerable to index poisoning attack Methodology for estimate index poisoning and pollution levels Index poisoning is pervasive (widespread) in both systems Distributed blacklisting schema Distributed denial-of-service (DDoS) attack based on DHT

4 P2P Terminology Title specific song or video Version different versions of a title presence of large number of rippers/encoders including metadata (ID3 tags in MP3 files) thousands for a popular title Identifier hash of the version Copy copies of identical version thousands for a version

5 P2P Terminology (cont.) Advertised information version identifier location of file (IP& port) keywords Query keyword search responses include metadata Two port numbers in a P2P node messaging port number: queries & replies service port number: uploading files

6 Index Poisoning Attack Falsely advertising copies of targeted titles random version identifier not correspond to any version IP addresses not correspond to any node unavailable service port numbers System fails to locate the copy more sources needed looking Large number of copies with distinct random identifiers Mixing in polluted versions allowing to download, but corrupted Decoy attack (index poisoning, pollution, both)

7 Poisoning & Pollution Levels version poison level / version pollution level / version clean level poison level / pollution level / clean level (copy)

8 FastTrack Ordinary Nodes (ON) SuperNodes (SN) ON provides to SN version identifier, metadata SN maintains local index identifiers, metadata, locations ON sends query with keywords SN forwards the query Reply contains version identifier, location, metadata GUI displays one result per line To attack, send to SN bogus identifier, IP or port Connection with hundreds of SNs, advertise thousands

9 Overnet Nodes are equal, no hierarchy Nodes join with a 128-bit ID Node sends to DHT file location, version identifier (hash of file) Other nodes update local index key: version identifier, value: node s identifier, IP, port Node extract keywords from file s metadata and hashes advertises key: hash of keyword, value: version identifier Query with a hashed keyword as key node sends all version identifiers, client filters using keywords Query with a version identifier as key node sends locations of copies, client dowload

10 Overnet (cont.) To attack, determine keywords from title and hash them Generate random identifier publish key: hash of keyword, value: random identifier search indefinetely for identifier, displaying looking Publish key: hash of keyword, value: version identifier publish key: version identifier, value: bogus location First approach is simpler, attackers currently using it Attacker can advertise hundreds/thousands of identifiers for each keyword in title

11 Methodology To estimate poisoning & pollution levels query & download & determine clean / polluted automated detection more difficult manually listen (or watch)? time/bandwidth/storage/downloading time/failed download Without downloading track copies, record version identifier with node (harvesting) create list of versions create list of distinct copies for each version determine from harvested data (poisoned/polluted/clean) determine poison & pollution levels, for both versions & copies

12 Harvesting in FastTrack Previous work is used for harvesting Obtain information for each title set of version identifiers list of copies for each identifier source IP address and service port number for each copy Distinguish distinct copies tuple: (IP address, service port number) 10 songs from itunes top-100 list are selected (April 2005) harvesting 10 titles for 1-hour period

13 Harvesting in Overnet Extract a keyword and hash it for each title Insert node into DHT for each hashed keyword with ID is hash Collect advertisements name of title & identifier (content hash) source IP address & source (messaging) port number Distinguish distinct copies source IP address & source port number 10 songs from itunes top-100 list are selected (June 2005) harvesting 10 titles for 1.5-hour period

14 Classifying the Versions Most users advertise few version, few users advertise most tuple: (IP address, service port number) in FastTrack tuple: (IP address, messaging port number) in Overnet

15 Classifying the Versions (cont.) Heavy user vs Light user

16 Poisoning & Pollution Levels

17 Data Set

18 Decoyer Detection

19 Decoyer Detection (cont.)

20 Decoyer Detection (cont.)

21 Decoyer Detection (cont.)

22 Rating Versions & Advertisements Authenticate versions & advertisements Content rating websites & forums verified file hashes or download links subject to legal attack: forced to shut down Authenticate advertisements are difficult verifying source has a version corresponds to advertised hash attackers have hashes authenticated, but not upload files

23 Rating Sources Assign reputations to narrow ranges of IP addresses /n subnets Local reputation Exchange lists with SNs and combine for global reputation Send global list to ONs for blacklisting ON chooses threshold for blacklisting In Overnet, number of versions for every keyword

24 Rating Sources (cont.)

25 Node Insertion Attack Inserted nodes become SNs, manipulate indexes not observed in FastTrack Observed in Overnet

26 DDoS Attack with DHT Sources advertise content, IP address and port number Numerous poisoned records inserted with targeted host users repeatedly send requests to host Overnet can be made the source of a DDoS Inserted nodes are advertised so heavily responses cause university network down

27 Conclusion Index allows users to discover and locate content Poison the index by advertising to it bogus records Advertisement authentication is difficult verify content is not only present but will also be uploaded When designing P2P system, bear poisoning attack in mind Content and advertisement authentication is unsuccessful User authentication, distributed reputations and blacklisting DHTs are vulnerable to poisoning attacks relatively small number of nodes is sufficient to poison attacker can insert its own node DHT can be turned into an engine for a massive DDoS attack

28 The Index Poisoning Attack in P2P File Sharing Systems