Evaluation of the p2p Structured Systems Resistance against the Starvation Attack

Transcription

1 Evaluation of the p2p Structured Systems Resistance against the Starvation Attack Rubén Cuevas, Ángel Cuevas, Manuel Urueña, Albert Banchs and Carmen Guerrero Departament of Telematic Engineering, Universidad Carlos III de Madrid, Spain Abstract The Starvation Attack consists on making a resource fully or partially inaccessible. This is a significant and harmful attack on structured p2p networks. This paper provides an analytical tool which permits the evaluation of the resistance offered by the most popular structured p2p systems, the one-dimensional DHT-based p2p systems such as Chord or Kademlia, against this attack. In addition, the Starvation Attack is closely related to the Peer-ID assignment mechanism. This paper demonstrates that the Peer-ID assignment mechanisms defined so far are useless against the Starvation Attack. I. INTRODUCTION The Peer-to-Peer (p2p) technology is currently the one with the highest impact in the Internet mainly supported by content distribution and file-sharing applications. This technology has been intensely investigated in many aspects so far. However, in the case of security there is still much work to do. This paper provides a rigorous analysis of the problem of the Starvation Attack on structured DHT-based p2p networks [] (e.g. Chord [2], Kademlia [3] or Pastry [4]). This work has direct application to networks such as KAD with.5 million simultaneous users [5] or Azureus with hundreds of thousands users (both of them are based on Kademlia). In the DHT-based p2p networks the resources have an associated resource-key. This key is a k-bits identifier and is the result of computing a hash operation (thus, k can be 64, 28, 6,... depending on the hash operation employed). The nodes forming the DHT have an identifier as well. This is named Peer-ID and belongs to the same idspace as the resource-keys. This paper focuses on the onedimensional DHT networks (e.g. Chord, Kademlia, Pastry or Tapestry). In these DHTs the id-space can be mapped into a ring where the Peer-IDs and the resource-keys are located. It must be highlighted that the one-dimensional DHT networks have been thoroughly analyzed and are the most popular among the structured p2p networks. In these overlays a given resource-key is stored by the node with the closest Peer-ID. We name this node Responsible Node. However, the concept of the closest node varies among the different DHT schemes. In Kademlia, Pastry and Tapestry the closest node to a resource-key is the one with the closest Peer-ID. Whereas, in Chord the closest node is the one with the subsequent Peer-ID (the higher and closest) to the resource-key in the ring. In addition, it must be considered that due to the dynamic nature of p2p networks there is not only one but several nodes storing a given resource-key. These are the nodes with the closest Peer-IDs to the resource-key and they are called Replica Nodes. This minimizes the risk of losing the resource-keys stored by a node in case it leaves the p2p network. The Starvation Attack is defined as the attack which makes a resource fully or partially inaccessible. In the case of the structured p2p networks this attack can be performed by obtaining a Peer-ID closer to the resourcekey than the current Responsible Node(s). After that, the attacker does not answer (or provides wrong answers) to the queries related to the affected resource-key. In case of replication the attacker can starve all the R replicas (by obtaining the R closest Peer-IDs to the resource-key) or just a subset of the total R replicas. The former is named Full Starvation Attack (FSA) and the latter Partial Starvation Attack (PSA). The FSA is more harmful than the PSA since the attacker controls all the replicas and makes the resource fully inaccessible. Whereas, in the PSA some users can access the resource because the attack only affects the queries arriving to the subset of Replica Nodes controlled by the attacker. In order to facilitate our study, the concept of Attack Zone is introduced in this paper. The Attack Zone is the interval of identifiers which is valid in order to succeed in the Starvation Attack. The number of identifiers in the Attack Zone is called Attack Zone Size (AZS). The Starvation Attack is closely related to the ID assignment method used in the structured p2p network. Replica Node and Responsible Node will be used indistinguishable during the rest of the paper.

2 2 Two types of assignments have been used so far. The first one allows a node to select its own Peer-ID. Then, the Starvation Attack becomes trivial; the attacker only has to choose the necessary number of Peer-IDs in the Attack Zone and the attack would be successful. The other approach provides IDs of random nature. This prevents that a malicious node can choose its location in the network, thus forcing the attacker to acquire multiple Peer- IDs until one (or more in case of replication) is located inside the Attack Zone, therefore reducing the probability of succeeding in the attack. This paper focuses on the approach of IDs of random nature, since it is the useful one to evaluate. The main goal of this paper is to provide closed formulas for the average number of random required IDs in order to succeed in the Starvation Attack - n-, and the Probability of Success of the Starvation Attack as function of the number of random obtained IDs -P s (n)-. In particular, this is the Cumulative Distribution Function (CDF) as function of the number of random obtained IDs. The key contribution of this paper is the proposed analytical tool for evaluating the Starvation Attack, that will be compared with previously proposed models and shown to produce correct results. In addition, the model will be applied to demonstrate that the Peer-ID assignment mechanisms defined so far are vulnerable to the Starvation Attack. II. THE ANALYTICAL MODEL OF THE STARVATION ATTACK This section presents the analytical model for the Starvation Attack on structured p2p networks. The goal is to find the closed formulas for n and P s (n). These two formulas will be the basic tools used to evaluate the resistance of the different ID assignment mechanisms against the Starvation Attack. The following parameters will be used during the analysis: N, the number of nodes in the network; n, the number of obtained/required Peer- IDs; R, the total number of replicas; I, the number of desired replicas to starve; M, the number of IDs in the the id-space. It must be taken into consideration that the size of the id-space -M- is equal to 2 k >>N (k is equal to 28, 6 or 256 depending on the hash operation). Hence, without loss of generality, our model considers that the obtained Peer-IDs are randomly distributed in the continuous idspace [,]. This is a very accurate approximation to the real scenario on which the Peer-IDs are randomly distributed in the discrete id-space [,M). Since M is large enough the assumption that the id-space is continuous instead of discrete yields also accurate results. The conversion of the space [,M) to [,] introduces only a scalar factor whose solely purpose is to simplify the notation. II-A. Starvation of a Single Resource A single resource has an associated Attack Zone of size X. Then, in order to perform the Starvation Attack, the malicious node should obtain multiple random Peer-IDs until it gets I of them within X. Then, the probability that a single obtained ID belongs to X is X itself whereas -X is the probability that the obtained ID is outside of X. We would like to model P r (n, X) 2. This is the probability of success in the starvation of a single resource with an associated Attack Zone of size X as function of the number of obtained Peer-IDs (n) and the number of replicas to be starved (I). Thus, P r (n, X) can be modeled as the Probability of obtaining at least I Peer-IDs within X. If we suppose that an attacker has obtained n randomly distributed IDs on the id-space, then the probability of obtaining at least I of them belonging to an Attack Zone of size X is equal to minus the probability of obtaining at least I- in this zone. This is presented on Equation. P r (n, X) = CDF (n, X) = P (at least I- nodes in X); P r (n, X) = [P ( IDs in X and n outside) + P ( ID in X and n- outside) P ((I- nodes in X and n-(i-) outside)]; I X n P r(n, X) = X i ( X) n i i i= Moreover, n r (X) is also modeled. This is the average number of required IDs in order to succeed in the Starvation Attack. This is mathematically expressed as the mean associated to the introduced distribution and is shown on Equation 2. II-B. n r(x) = I X Attack Zone Size Distribution The objective of this section is to define the probability density function pdf(x), where x is the random variable modeling the size of an Attack Zone in a one-dimensional DHT. Firstly, we should identify the Attack Zone in these overlays. Indeed, this can be mathematically defined on each system. Equation 3 presents the formal definition of the Attack Zone in Chord, whereas Equation 4 does the same in the case of Kademlia (also valid for Pastry and Tapestry). RK and RN are the abbreviations of resourcekey and Replica Node respectively. Figure includes an example of these Attack Zones. Chord Attack Zone = [RK, (R I + ) th RN ID) (3) 2 This is the Cumulative Distribution Function, CDF(n,X). () (2)

3 3 Probability of Success Geometric (R=) Chord Simualtion (R=).4 Kademlia Simulation (R=) Model (R=).3 Chord Simualtion (R=2) Kademlia Simulation (R=2).2 Model (R=2) Chord Simualtion (R=5). Kademlia Simulation (R=5) Model (R=5) Number of Obtained Peer IDs x 5 Fig. 2. P s model validation for the FSA: M= 32, N= 4 Fig.. Attack Zones in Kademlia and Chord: R=5, I=3. AZS = E[x] = Z x pdf(x)δx = R I + N + (7) Kademlia Attack Zone = (RK RK (R I + ) th RN ID, RK+ RK (R I + ) th RN ID ) The AZS is defined as the number of IDs included in the Attack Zones presented on Equations 3 and 4. Despite the Attack Zones being different in Chord than in the other overlays, the model representing the size of both of them is the same because the Attack Zone is always modeled by the zone where at least R-I+ replicas are placed. Thus, the size will be the same if only the subsequent IDs to the resource-key are considered (as occurs in Chord) than if IDs at both side of the resourcekey are considered (as occurs in Kademlia, Pastry or Tapestry). Therefore, the CDF(x) is defined as the probability of finding a zone where at least R-I+ replicas are placed. This is the same as minus the probability of finding a zone with at least R-I replicas which is mathematically expressed on Equation 5. CDF (x) = P (at least R-I nodes in x); CDF (x) = [P ( node in x and N outside) CDF (x) = + P ( node in x and N- outside) P ((R-I) nodes in x and N-(R-I) outside)]; R I X r= N r x r ( x) N r Now, we can calculate the pdf(x) which is simply the derivative of the CDF(x), as shown on Equation 6. δcdf (x, I, R) pdf(x) = δx R I X N = [(N r)x r ( x) N r rx r ( x) N r ] r r= Finally, Equation 7 shows AZS. (4) (5) (6) AZS. This is the average II-C. Starvation Attack General Model In Section II-A the Probability of Success in the Starvation Attack and the average number of needed IDs in order to succeed in the attack for the case of a single resource were obtained. These are, P r (X, n) and n r (X) respectively. Moreover, in Section II-B the distribution of the size of the Attack Zones was obtained. This is pdf(x). Then, if we weight by an integration process P r (X, n) and n r (X) by pdf(x) the desired results, P s (n) and n are obtained. These are respectively, the global Probability of Success in the Starvation Attack and the average number of required IDs in order to succeed in the attack and are shown on Equation 8 and Equation 9 respectively. Z P s (n) = P r (n, x) pdf(x)δx R I X «N r!(n + n r )! = [n r= r (N + n)! (8) Q IX i 2 (n k) k= (r + (i 2))!(N + n r i)! + (rn (i )N) ] i=2 (i )! (N + n)! Z N n = n r (x) pdf(x)δx = I R I It must be noted that the equations presented in Sections II-A, II-B and II-C define the Partial Starvation Attack. In order to obtain the formulas for the Full Starvation Attack it is necessary to consider I equal to R (the total number of replicas) in the equations. III. MODEL VALIDATION The proposed model was validated by simulation for both types of one-dimensional DHTs (On one side Chord, and on the other side Kademlia, Pastry and Tapestry). Indeed, Chord and Kademlia were simulated. The closed (9)

4 4.9.8 I= I=2 I=3 I=4 I=5 I=6 Chord Simulation Kademlia Simulation Model 9 x n model n model D.Cerri et al. n Chord Simulation n Kademlia Simulation I=7 I=8 Number of obtained ids I= Number of Obtained Peer IDs x Number of Starved Replicas Fig. 3. P s model validation for the PSA: M= 32, N= 4, R= Fig. 4. n model validation: M= 32, N= 4, R=, I= 9 formulas for P s (n) and n were validated. Each experiment was simulated E times. On each experiment a onedimensional DHT system with N randomly generated nodes on an id-space of M identifiers (M>>N as occurs in real p2p systems) was created. Then, S Starvation Attacks were reproduced using randomly generated resourcekeys. On each simulated attack several random Peer-IDs were generated until I of them belonging to the Attack Zone were obtained. The number of the required IDs to perform each attack was then stored in order to compute P s (n) and n from the simulation experiments. The validation process used the following set of parameters: E=2, N= 4, M= 32, S= 4. The validation of P s (n) in the case of the FSA was developed for R=, R=2 and R=5 replicas. The average of each sample from the 2 repetitions was computed and presented along with the analytical curve 3. This is shown on Figure 2. For the validation of P s (n) in the case of the PSA the experiments were developed with R= and I ranging from to 9. The average of each sample from the 2 repetitions was computed and presented along with the analytical curve for each value of I. Figure 3 shows the results. Finally, Figure 4 shows the simulation and the analytical result for n. In all the experiments described above the maximum absolute error was inferior to 3,5 3 and the average error was around 5. Therefore, we can conclude that the model follows closely the simulation results. IV. DISCUSSION OF THE RESULTS In this section the Full and the Partial Starvation Attacks will be separately analyzed using the proposed model 3 The confidence intervals were also calculated, however they are indistinguishable because they are very close to the average value. as basis. P s =,3 P s =,5 P s =,7 P s =,9 R= 429 N N N 9 N R= N N N N R= 7 85 N N N N R=2 6 6 N N N N TABLE I NUMBER OF REQUIRED IDS ON THE FSA In the case of the FSA (I=R), it must be highlighted that the average number of required IDs - n- is infinite. This occurs because there is one case that needs infinite IDs in order to succeed in the attack (i.e. the attack is impossible). This happens if the resource-key and the responsible Peer-ID are exactly the same ID which has a small Probability but higher than. Therefore, in order to analyze the FSA we should focus on P s (n). For this purpose Table I includes the number of required IDs to fully starve a resource -n- as function of different values of P s and the number of replicas -R- in a one-dimensional DHT with N nodes. Both, Figure 2 and Table I demonstrate that the complexity of the FSA increases over the linear with R. Then, in order to avoid the FSA it is recommended to use a high number of Replica Nodes. On the other hand, in the case of the PSA n is not infinite anymore. If we consider I as a percentage of the total replicas, it can be expressed as I=cR where c varies from (no starvation) to (FSA) passing through out different situations of PSA. Then, Equation 2 can be reformulated as Equation. This shows the number of required IDs in order to starve the c percentage of the total replicas. n(c) = cr N R cr = N c c () Equation shows an important result: the complexity of the PSA is independent on the total number of replicas

5 5 pdf(x) Model Simulation Average AZS Average Number of Required Ids (nr) x Average Number of Attempts Average AZS Attack Zone Size (AZS) x Attack Zone Size (AZS) x 8 Fig. 5. Distribution of AZS -pdf(x)-: M= 2, N= 4 Fig. 6. n r to starve a single resource: M= 2, N= 4 -R- by itself, as it only depends on the number of nodes in the network -N- and the percentage of replicas to be starved -c-. For instance, the number of required IDs in order to starve 5 out of replicas is the same than in the case of starve out of 2. However, this is a misleading conclusion if we consider this value as representative result. Table II introduces some values to evaluate the complexity of performing the PSA. These represent the number of required Peer-IDs as function of P s, I, R and c. We can check in the Table that for the same value of c, the number of required IDs varies, then the complexity of the PSA is not independent on R. Hence, n should be carefully interpreted. It is a good tool to make rough estimations. However, in order to provide an accurate analysis the distribution expressed by P s must be also considered. P s =,3 P s =,5 P s =,7 P s =,9 R=5; I=, 74 N 48 N, 272 N 585 N c=.2 R=5; I=3 639 N N, 565 N 3 55 N c=.6 R=5; I=4 37 N 2 87 N N 7 9 N c=.8 R=; I=2 23 N 94 N 294 N 58 N c=.2 R=; I=6 878 N 24 N 684 N 2 74 N c=.6 R=; I=8 2 4 N N 4 92 N N c=.8 R=2; I=4 62 N 22 N 295 N 437 N c=.2 R=2; I=2 66 N 346 N 74 N 2 43 N c=.6 R=2; I= N N N N c=.8 TABLE II NUMBER OF REQUIRED IDS ON THE PSA From Table II and Figures 3 and 4 we can conclude that the difficulty of the PSA depends mainly on the parameter c defined above. If c is low, that is, I is much lower than R, the difficulty of the attack is low. On the other hand if c is high, that is, I is close to R, the difficulty of the attack increases drastically. Therefore, the difficulty of the attack increase exponentially with c. On the other hand, if c is low the damage caused by the attack is reduced since the number of affected replicas is low, thus the number of queries affected would be low as well. Whereas, with high values of c the attack becomes more harmful because a high number of replicas are impersonated. Then, mostly of the queries would reach one of the Replica Nodes controlled by the attacker obtaining a wrong answer. From the analysis on the previous paragraphs, we can conclude that the number of required IDs in order to perform the Starvation Attack is in the same order of magnitude than N (the number of nodes in the p2p network). Then, this is a particular version of the Sybil Attack [6]. However, in the traditional Sybil Attack the nodes are required to be actively participating on the network whereas in the Starvation Attack although the attacker needs O(N) Peer-IDs it could only participate in the network with those I Peer-IDs employed to perform the attack. Therefore, once the IDs have been obtained, the Starvation Attack requires less resources consumption from the attacker than the Sybil Attack. Due to these factors previous proposed solutions to develop Sybil-Proof systems [7]-[4] are mostly useless in the Starvation Attack. V. RELATED WORK Although only a few papers have analyzed the Starvation Attack in detail many others have considered it somehow. The most studied problem has been the simplest case where there is an unique Replica Node. Most papers, e.g. [5] [6], consider that this case can be modeled by a geometric distribution of mean N+. This assumption comes from a wrong simplification of the problem. This simplification assumes that the size of all the Attack Zones is equal to the average size instead of considering the real distribution introduced in this paper (pdf(x)). Figure 5 shows the distribution of the size of the Attack Zones where the vertical line represents the average AZS. Whereas, Figure 6 depicts the average number of required IDs to succeed on the Starvation Attack as function of the AZS focusing on the area around of the average AZS

6 6 represented by the vertical line. If the results shown in these Figures are compared, we can see that the most vulnerable zones (the large ones) are those which appear with less probability and the most probable zones are those which require a higher average number of IDs in order to perform a successful attack. Based on this result, it is easy to understand that the simplification of considering all the AZS equal to the average AZS is not valid. In addition, Figure 2 depicts a curve named geometric. This is the result of applying the Geometric Distribution of mean N+ in the case of only one Replica Node. Clearly, it does not match the curves of the simulation and the proposed model for one Replica Node presented in the same figure. To the best of our knowledge the most complete analysis developed so far is the one by D.Cerri et al. [6]. They analyzed the Id Mapping Attack (which is exactly the same as the Starvation Attack) in both cases the FSA and the PSA. However, as mentioned before, in the simplest case ( Replica Node) of the FSA, they used the erroneous simplification of modeling the problem as a Geometric Distribution of mean N+. Moreover, the authors of [6] also provide the analysis for the case of the FSA with multiples replicas concluding that the use of R replicas instead of only one multiplies the attack difficulty by a factor of R. This is again not valid as it can be checked on Figure 2 and Table I which show that the use of replicas produces an increment on the difficulty of the attack over the linear. Regarding the PSA, these authors developed an analytical model which only presented the average number of required IDs as a result. Additionally, they introduce simplifications which lead to an incorrect result. Figure 4 shows the average number of needed IDs in order to succeed on the PSA. In the graphic we can check that the obtained result on [6] differs from both, the simulation results and our model. In addition, it must be noted that to the best of our knowledge our paper is the first which analyzes the distribution P s (i.e. the CDF) as function of the number of obtained Peer-IDs. VI. ANALYSIS OF PEER-ID ASSIGNMENT MECHANISMS This section analyses the resistance offered by the ID assignment methods used so far against the Starvation Attack. The simplest method allows an user to select its own Peer-ID. This makes the Starvation Attack trivial. The attacker only has to pick R Peer-IDs in the Attack Zone and the Full Starvation Attack would be successful. Then, if we focus on those mechanisms providing an identifier of random nature the Starvation Attack becomes a Sybil Attack (with the peculiarities described in Section IV). In the first of these mechanisms the attacker forms the Peer-ID as the hash(ip address) or the hash(ip address port). Then, she can use a constrained number of IDs limited by the number of available IP addresses. If we consider the residential user as a potential attacker, she has one public IP address and 2 6 available ports. This represents a total number of 2 6 (65536) possible IDs. If we look on Tables I and II, this is not enough to attack the current popular p2p systems with millions of users. Hence, this assignment method is secure against the Starvation Attack only if the attacker has access to a quite limited range of IP addresses. However, if we suppose that the attacker has access to a class C IP prefix (this is 2 8 IP addresses and 2 6 ports available for the attack) the total number of possible combinations (2 24 ) are over 6 million. Then, the FSA is viable on out of the 6 cases on Table I and the PSA is viable on all the cases included in Table II. Therefore, this assignment method becomes vulnerable if the attacker can impersonate a high number of IPv4 addresses. Furthermore, this mechanism becomes meaningless if we consider IPv6 where each user has a potential access to 2 64 IP addresses in a typical LAN subnet. In addition, this mechanism can present problems on the presence of Network Address Translator (NATs). Some NATs would not permit the users to identify its own Peer-ID. This introduces high entry barriers to the system. On the other hand, the random Peer-IDs can be assigned by a central entity. In this case, a peer could obtain as many Peer-IDs as it desires. Therefore, the complexity of the attack should be evaluated in terms of time. If the process can be done automatically, the attack is simpler. As an example, if the process is composed by an exchange of a solicitation and a response messages which takes ms, the total time spent in order to perform a FSA by an unique attacker with P s equal to.7 in a system with 6 nodes and replicas per resource is approx. 2, 75 6 s (32 days). This is much more reduced in the case of the PSA. Furthermore, this time can be drastically reduced by paralleling the attack. However, the use of a Central Entity allows the application of Access Control Policies which can make the system harder to attack. On the other hand, this policies also incurs in high entry barriers for the honest users. In addition, the Central Entity is a single point of failure. In summary, all the mechanism used so far are vulnerable to the Starvation Attack. Additionally, those systems which could offer higher level of protection introduce also high entry barriers.

7 7 VII. SUMMARY AND FUTURE WORK The main contribution of this paper is the development of an analytical tool which allows the evaluation of the resistance of the one-dimensional DHT systems against the Starvation Attack. In addition, it is shown that the modeling of the problem by a Geometric Distribution is an incorrect assumption. Furthermore, the proposed model has been used to evaluate the resistance of the Peer-ID assignment mechanisms proposed so far against the Starvation Attack. The paper demonstrates that none of them is useful. As future work we will extend the analysis of the Starvation Attack considering churn situations and verify if the proposed model is also valid under those conditions. Furthermore, we will analyze the Starvation Attack in real DHTs as KAD or Azureus. [6] D. Cerri et al., ID Mapping Attacks in P2P Networks, in Proc. IEEE GLOBECOM 25. REFERENCES [] E.K. Lua, J. Crowcroft, M. Pias, R. Sharma, S. Lim, A survey and comparison of peer-to-peer overlay network schemes, IEEE Communications Surveys & Tutorials, 25, pp [2] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, H. Balakrishnan. Chord: A scalable peer-to-peer lookup service for internet applications, in Proc. ACM SIGCOMM, 2. [3] P. Maymounkov and D. Mazieres, Kademlia: A peer-to-peer information system based on the xor metric, IPTPS 2, 22. [4] A.Rowstron and P.Druschel, Pastry: Scalable, distributed object location and routing for largescale peer-to-peer systems, in Proc. IFIP/ACM Middleware, 2. [5] M. Steiner and E.W. Biersack and T. En-Najjary, Actively monitoring peers in KAD, IPTPS [6] J. R. Douceur, The Sybil Attack, in Proc. of the st International Workshop on Peer-to-Peer Systems (IPTPS 2). 22. [7] D. S. Wallach, A survey of peer-to-peer security issues, in LNCS, 23. [8] J. Dinger and H. Hartenstein, Defending the Sybil Attack in P2P Networks: Taxonomy, Challenges, and a Proposal for Self- Registration, in Proc. of ARES 6, 26. [9] M. Castro, P. Drushel, A. Ganesh, A. Rowstron and D. Wallach, Secure routing for structured peer-to-peer overlay networks, In Proc. of OSDI 2, 22. [] Haifeng Yu, M. Kaminsky, P. H. Gibbons, and A. Flaxman, SybilGuard: Defending Against Sybil Attacks via Social Networks, In Proceedings of ACM SIGCOMM Computer Communication Review, ACM Press, 26, pp [] G. Danezis, C. Lesniewski-Laas, et al., Sybilresistant DHT routing, In Proceedings of th European Symposium On Research in Computer Security (ESORICS 25), Milan, Italy, 25, pp [2] C. Hota et al. Safeguarding Against Sybil Attacks via Social Networks and Multipath Routing, in Proc. of International Conference on Networking, Architecture, and Storage, 27 [3] A. Cheng, and E. Friedman, Sybilproof reputation mechanisms, In Proceedings of ACM SIGCOMM Workshop on Economics of Peer-to-Peer Systems, 25, ACM Press, pp [4] N. Borisov, Computational Puzzles as Sybil Defenses. In Proc. of IEEE International Conference on Peer to Peer Computing (P2P 6), 26. [5] L. Liu, M. Srivatsa, Vulnerabilities and Security Threats in Structured Overlay Networks: A Quantitative Analysis. in Proc. ACSAC 4, 24.