Peer-to-Peer Systems and Security

Size: px

Start display at page:

Download "Peer-to-Peer Systems and Security"

Alice Poole
5 years ago
Views:

1 Peer-to-Peer Systems and Security Attacks! Christian Grothoff Technische Universität München April 13, 2013

2 Salsa & AP3 Goal: eliminate trusted blender server Idea: Use DHT (AP3: Pastry, Salsa: custom DHT) to find peers Sybil defense with trusted authority (AP3) or IP-based hash (Salsa)

3 Attacks on Salsa & AP3 [2] Passive attack: detect lookup, then correlate with path construction later Active attack: return malicious peers during lookup

4 Defenses against Active Attack: Redundant lookups

5 Defenses against Passive Attack: Minimize lookup footprint

6 Defending against the Combined Attack r = 3 is optional for f < 0.1,then r = 6 becomes optimal.

7 An Attack on Tor [1] Result: All the Tor nodes involved in a circuit can be discovered, reducing Tor users level of anonymity and revealing a problem with Tor s protocol

8 An Attack on Tor [1] Result: All the Tor nodes involved in a circuit can be discovered, reducing Tor users level of anonymity and revealing a problem with Tor s protocol Note: this was fixed since the attack was published in 2009.

9 Key Tor Properties Data is forwarded through the network Each node knows only the previous hop and the next hop Only the originator knows all the hops Number of hops is hard coded (currently set to three) Key security goal: No node in the path can discover the full path

10 Our Basis for Deanonymization Target user is running Tor from 2009 with default settings Three design issues enable users to be deanonymized 1. No artificial delays induced on connections 2. Path length is set at a small finite number (3) 3. Paths of arbitrary length through the network can be constructed

11 Regular Path Example Client Tor Node 3 Tor Node 1 Tor Node 2 Server

12 Circular Path Example 1/5 Client Tor Node 3 Tor Node 1 Tor Node 2 Server

13 Circular Path Example 2/5 Client Tor Node 3 Tor Node 1 Tor Node 2 Server

14 Circular Path Example 3/5 Client Tor Node 3 Tor Node 1 Tor Node 2 Server

15 Circular Path Example 4/5 Client Tor Node 3 Tor Node 1 Tor Node 2 Server

16 Circular Path Example 5/5 Client Tor Node 3 Tor Node 1 Tor Node 2 Server

17 Attack Implementation Exit node injects JavaScript ping code into HTML response Client browses as usual, while JavaScript continues to phone home Exit node measures variance in latency While continuing to measure, attack strains possible first hop(s) If no significant variance observed, pick another node from candidates and start over Once sufficient change is observed in repeated measurements, initial node has been found

18 Attack Example Client Tor Node 1 - Unknown Node Malicious Client Tor Node 3 - Our Exit Node Tor Node 2 - Known High BW Tor Node 1 Server High BW Tor Node 2 Malicious Server

19 Queue example 1 (3 circuits) A B C B5 B4 B3 B2 B1 A0 B0 C1 Output Queue t = 0 C0

20 Queue example 2 (3 circuits) A B C B5 B4 B3 B2 B1 B0 C1 Output Queue t = 1 t = 0 A0 C0

21 Queue example 3 (3 circuits) A B C B5 B4 B3 B2 B1 C1 Output Queue t = 2 t = 1 t = 0 B0 A0 C0

22 Queue example 4 (3 circuits) A B C B5 B4 B3 B2 B1 Output Queue t = 3 t = 2 t = 1 t = 0 C1 B0 A0 C0

23 Queue example 5 (3 circuits) A B C B5 B4 B3 B2 Output Queue t = 4 t = 3 t = 2 t = 1 t = 0 B1 C1 B0 A0 C0

24 Queue example 6 (3 circuits) A B C B5 B4 B3 Output Queue t = 5 t = 4 t = 3 t = 2 t = 1 t = 0 B2 B1 C1 B0 A0 C0

25 Queue example 7 (3 circuits) A B C B5 B4 Output Queue t = 6 t = 5 t = 4 t = 3 t = 2 t = 1 t = 0 B3 B2 B1 C1 B0 A0 C0

26 Queue example 8 (3 circuits) A B C B5 Output Queue t = 7 t = 6 t = 5 t = 4 t = 3 t = 2 t = 1 t = 0 B4 B3 B2 B1 C1 B0 A0 C0

27 Queue example 1 (15 circuits) A A0 A1 A2 A3 B B0 B1 B2 B3 C C1 C2 C3 C4 D D0 D1 D2 D3 D4 D5 E E0 E1 E2 E3 E4 F G G0 G1 H H0 H1 I I0 I1 I2 I3 I4 J J0 J1 K K0 L L0 L1 L2 L3 M M0 M1 N N0 N1 N2 N3 N4 N5 N6 O O0 O1 O2 O3 O4 O5 C0 t = 0 Output Queue

28 Queue example 2 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 E4 I4 N4 O4 A3 B3 C4 D4 E3 I3 L3 N3 O3 A2 B2 C3 D3 E2 I2 L2 N2 O2 A1 B1 C2 D2 E1 G1 H1 I1 J1 L1 M1 N1 O1 A0 B0 C1 D1 E0 G0 H0 I0 J0 K0 L0 M0 N0 O0 Output Queue t = 1 t = 0 D0 C0

29 Queue example 3 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 I4 N4 O4 A3 B3 C4 D4 E4 I3 L3 N3 O3 A2 B2 C3 D3 E3 I2 L2 N2 O2 A1 B1 C2 D2 E2 G1 H1 I1 J1 L1 M1 N1 O1 A0 B0 C1 D1 E1 G0 H0 I0 J0 K0 L0 M0 N0 O0 Output Queue t = 2 t = 1 t = 0 E0 D0 C0

30 Queue example 4 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 I4 N4 O4 A3 B3 C4 D4 E4 I3 L3 N3 O3 A2 B2 C3 D3 E3 I2 L2 N2 O2 A1 B1 C2 D2 E2 H1 I1 J1 L1 M1 N1 O1 A0 B0 C1 D1 E1 G1 H0 I0 J0 K0 L0 M0 N0 O0 Output Queue t = 3 t = 2 t = 1 t = 0 G0 E0 D0 C0

31 Queue example 5 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 I4 N4 O4 A3 B3 C4 D4 E4 I3 L3 N3 O3 A2 B2 C3 D3 E3 I2 L2 N2 O2 A1 B1 C2 D2 E2 I1 J1 L1 M1 N1 O1 A0 B0 C1 D1 E1 G1 H1 I0 J0 K0 L0 M0 N0 O0 Output Queue t = 4 t = 3 t = 2 t = 1 t = 0 H0 G0 E0 D0 C0

32 Queue example 6 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 N4 O4 A3 B3 C4 D4 E4 I4 L3 N3 O3 A2 B2 C3 D3 E3 I3 L2 N2 O2 A1 B1 C2 D2 E2 I2 J1 L1 M1 N1 O1 A0 B0 C1 D1 E1 G1 H1 I1 J0 K0 L0 M0 N0 O0 Output Queue t = 5 t = 4 t = 3 t = 2 t = 1 t = 0 I0 H0 G0 E0 D0 C0

33 Queue example 7 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 N4 O4 A3 B3 C4 D4 E4 I4 L3 N3 O3 A2 B2 C3 D3 E3 I3 L2 N2 O2 A1 B1 C2 D2 E2 I2 L1 M1 N1 O1 A0 B0 C1 D1 E1 G1 H1 I1 J1 K0 L0 M0 N0 O0 Output Queue t = 6 t = 5 t = 4 t = 3 t = 2 t = 1 t = 0 J0 I0 H0 G0 E0 D0 C0

34 Queue example 8 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 N4 O4 A3 B3 C4 D4 E4 I4 L3 N3 O3 A2 B2 C3 D3 E3 I3 L2 N2 O2 A1 B1 C2 D2 E2 I2 L1 M1 N1 O1 A0 B0 C1 D1 E1 G1 H1 I1 J1 L0 M0 N0 O0 Output Queue t = 7 t = 6 t = 5 t = 4 t = 3 t = 2 t = 1 t = 0 K0 J0 I0 H0 G0 E0 D0 C0

35 Queue example 9 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 N4 O4 A3 B3 C4 D4 E4 I4 N3 O3 A2 B2 C3 D3 E3 I3 L3 N2 O2 A1 B1 C2 D2 E2 I2 L2 M1 N1 O1 A0 B0 C1 D1 E1 G1 H1 I1 J1 L1 M0 N0 O0 Output Queue t = 8 t = 7 L0 K0 t = 6 J0 t = 5 I0 t = 4 t = 3 t = 2 t = 1 H0 G0 E0 D0 t = 0 C0

36 Queue example 10 (15 circuits) A B C D E F G H I J K L M N O N6 N5 O5 D5 N4 O4 A3 B3 C4 D4 E4 I4 N3 O3 A2 B2 C3 D3 E3 I3 L3 N2 O2 A1 B1 C2 D2 E2 I2 L2 N1 O1 A0 B0 C1 D1 E1 G1 H1 I1 J1 L1 M1 N0 O0 Output Queue t = 9 t = 8 t = 7 t = 6 t = 5 t = 4 t = 3 t = 2 t = 1 t = 0 M0 L0 K0 J0 I0 H0 G0 E0 D0 C0

37 Attack Example Client Tor Node 1 - Unknown Node Malicious Client Tor Node 3 - Our Exit Node Tor Node 2 - Known High BW Tor Node 1 Server High BW Tor Node 2 Malicious Server

38 Attack Implementation Modified exit node Modified malicious client node Lightweight malicious web server running on GNU libmicrohttpd Client side JavaScript for latency measurements Instrumentation client to receive data

39 Gathered Data Example (1/8) Latency measurement graph freedomsurfers Latency variance (in seconds) Control Run Attack Run Downloaded Data Bytes expended by attacker (in kb) Sample number

40 Gathered Data Example (2/8) Latency variance (in seconds) Control Run Attack Run Downloaded Data Latency measurement graph bloxortsipt Bytes expended by attacker (in kb) Sample number

41 Gathered Data Example (3/8) Latency variance (in seconds) Control Run Attack Run Downloaded Data Latency measurement graph carini Bytes expended by attacker (in kb) Sample number

42 Gathered Data Example (4/8) Latency measurement graph carini Latency variance (in seconds) Control Run Attack Run Downloaded Data Bytes expended by attacker (in kb) Sample number

43 Gathered Data Example (5/8) Histogram of latency measurements for freedomsurfers Control Run Attack Run Control Run Regression Line Attack Run Regression Line Number of measurements in range Range of measurements (in seconds)

44 Gathered Data Example (6/8) Histogram of latency measurements for bloxortsipt Control Run Attack Run Control Run Regression Line Attack Run Regression Line Number of measurements in range Range of measurements (in seconds)

45 Gathered Data Example (7/8) Histogram of latency measurements for carini Control Run Attack Run Control Run Regression Line Attack Run Regression Line Number of measurements in range Range of measurements (in seconds)

46 Gathered Data Example (8/8) Histogram of latency measurements for carini Control Run Attack Run Control Run Regression Line Attack Run Regression Line Number of measurements in range Range of measurements (in seconds)

47 Statistical Analysis Use modified χ 2 test Compare baseline distribution to attack distribution High χ 2 value indicates distribution changed in the right direction Product of χ 2 confidence values over multiple runs Iterate over suspect routers until single node stands out

48 Cumulative Product of χ 2 p-values Product of Confidence Values 1-1x x10-10 Rattensalat SEC wie6ud6b hamakor yavs auk dontmesswithme cthor Raccoon eponymousraga BlueStar88a wranglerrutgersedu conf555nick mf62525 miskatonic WeAreAHedge anon1984n2 c bond server3 Product of Confidence Values 1-1x Privacyhosting c DieYouRebelScum1 ArikaYumemiya auk mrkoolltor TorSchleim myrnaloy judas Doodles123 tin0 baphomet kallio diora aquatorius Einlauf dontmesswithme askatasuna century Number of Runs Number of Runs

49 What We Actually Achieve We do identify the entire path through the Tor network We do achieve this on the 2009 Tor network Attack works on routers with differing bandwidths This means that if someone were performing this attack from an exit node, Tor becomes as effective as a network of one-hop proxies

50 Why Our Attack is Effective Since we run the exit router, only a single node needs to be found Our multiplication of bandwidth technique allows low bandwidth connections to DoS high bandwidth connections (solves common DoS limitation)

51 Fixes Don t use a fixed path length (or at least make it longer) Don t allow infinite path lengths (this is fixed in Tor now!) Induce delays into connections (probably not going to happen) Monitor exit nodes for strange behavior (been done somewhat) Disable JavaScript in clients Use end-to-end encryption

52 Attack Improvements/Variants Use meta refresh tags for measurements instead of JavaScript Parallelize testing (rule out multiple possible first nodes at once) Improved latency measures for first hop to further narrow possible first hops

53 Conclusion Initial Tor implementation allowed arbitrary length paths Arbitrary path lengths allow latency altering attack Latency altering attack allows detection of significant changes in latency Significant changes in latency reveal paths used

54 Motivation Efficient fully decentralized routing in restricted-route topologies is important: Friend-to-friend (F2F) networks ( darknets ) WiFi ad-hoc and sensor networks Unstructured networks Clarke & Sandberg claim to achieve O(log n) routing in the dark (Freenet 0.7) Is this new routing protocol reasonably resistant against attacks?

55 Freenet 101 Freenet is a anonymous peer-to-peer network Overlay based on cyclic address space of size 2 32 Nodes have a constant set of connections (F2F) All data identified by a key (modulo 2 32 ) Data assumed to be stored at closest node Routing uses depth-first traversal in order of proximity to key

56 Routing in the Dark Small world network assumption Sparsely connected graph There exists a short path (O(log N)) between any pair of nodes Common real world phenomenon (Milgram, Watts & Strogatz) Freenet s routing algorithm attempts to find short paths Uses locations of nodes to determine proximity to target Uses swapping of locations to structure topology

57 Swap Example Swap?

58 Result of Swap

59 Location Swapping Nodes swap locations to improve routing performance Each connected pair of nodes (a, b) computes: L a L o L b L p P a,b := (a,o) E L b L o (b,p) E (a,o) E (b,p) E L a L p (1) If P a,b 1 the nodes swap locations Otherwise they swap with probability P a,b

60 Routing of GET Requests GET requests are routed based on peer locations and key: 1. Client initiates GET request 2. Request routed to neighbor with closest location to key 3. If data not found, request is forwarded to neighbors in order of proximity to the key 4. Forwarding stops when data found, hops-to-live reaches zero or identical request was recently forwarded (to avoid circular routing) Depth-first routing in order of proximity to key.

61 GET 1/ Figure: A GET request from node 0.90 searching for data with identifier 0.22 (which is stored at node identified by 0.25)

62 GET 2/ Figure: A GET request from node 0.90 searching for data with identifier 0.22 (which is stored at node identified by 0.25)

63 GET 3/ Figure: A GET request from node 0.90 searching for data with identifier 0.22 (which is stored at node identified by 0.25)

64 GET 4/ Figure: A GET request from node 0.90 searching for data with identifier 0.22 (which is stored at node identified by 0.25)

65 GET 5/ Found! 0.10 Figure: A GET request from node 0.90 searching for data with identifier 0.22 (which is stored at node identified by 0.25)

66 GET 6/ Figure: A GET request from node 0.90 searching for data with identifier 0.22 (which is stored at node identified by 0.25)

67 GET 7/ Figure: A GET request from node 0.90 searching for data with identifier 0.22 (which is stored at node identified by 0.25)

68 PUT Requests PUT requests are routed the same as GET requests: 1. Client initiates PUT requests 2. Request routed to neighbor closest to the key 3. If receiver has any peer whose location is closer to the key, request is forwarded 4. If not, the node resets the hops-to-live to the maximum and sends the put request to all of its neighbors 5. Routing continues until hops-to-live reaches zero (or node has seen request already)

69 Put Example Figure: Put example from node with ID 0.25 inserting data identified by the ID 0.93

70 Put Example 1/ Figure: Put example from node with ID 0.25 inserting data identified by the ID 0.93

71 Put Example 2/ Figure: Put example from node with ID 0.25 inserting data identified by the ID 0.93

72 Put Example 3/ Figure: Put example from node with ID 0.25 inserting data identified by the ID 0.93

73 Basic Idea for the Attack Freenet relies on a balanced distribution of node locations for data storage Reducing the spread of locations causes imbalance in storage responsibilities Peers cannot verify locations in swap protocol, including location(s) they may receive use swap protocol to reduce spread of locations!

74 Attack Details Initialize malicious nodes with a specific location If a node swaps with the malicious node, the malicious node resets to the initial location (or one very close to it) This removes the good node location and replaces it with one of the malicious nodes choosing Each time any node swaps with the malicious node, another location is removed and replaced with a bad location Bad location(s) spread to other nodes through normal swapping behavior Over time, the attacker creates large clusters of nodes around a few locations

75 Attack Example 1/ Figure: Node 0.90 is sent a signal to become malicious

76 Attack Example 2/ Figure: Malicious node resets its location to malicious location (0.500)

77 Attack Example 3/ Figure: Malicious node forces a swap with 0.85

78 Attack Example 4/ Figure: Malicious node resets its location to malicious location (0.501) removing good location 0.85

79 Attack Example 5/ Figure: Malicious node forces a swap with 0.10

80 Attack Example 6/ Figure: Malicious node resets its location to malicious location (0.502) removing good location 0.10

81 Attack Example 7/ Figure: Malicious node forces a swap with 0.60

82 Attack Example 8/ Figure: Malicious node resets its location to malicious location (0.503) removing good location 0.60

83 Attack Example 9/ Figure: Even with low probability, a swap can occur between and 0.45

84 Attack Example 10/ Figure: Malicious node forces a swap with 0.45

85 Attack Example 11/ Figure: Malicious node resets its location to malicious location (0.504) removing good location 0.45

86 Attack Implementation Malicious node uses Freenet s codebase with minor modifications Attacker does not violate the protocol in a detectable manner Malicious nodes behave as if they had a large group of friends Given enough time, a single malicous node can spread bad locations to most nodes Using multiple locations for clustering increases the speed of penetration

87 Experimental Setup Created testbed with 800 Freenet nodes Topology corresponds to Watts & Strogatz small world networks Instrumentation captures path lengths and node locations Content is always placed at node with closest location Nodes have bounded storage space

88 Dispersion Example with 800 Nodes Figure: Plot of node locations before attack. Figure: Plot of node locations after attack.

89 Data Loss Example (2 attack nodes) 100 Average Loss over time with Std. Dev. 80 % data loss Time (in iterations of 90 seconds) Figure: Graph showing average data loss over 5 runs with 800 nodes and 2 attack nodes using 8 bad locations with the attack starting after about 2h.

90 Data Loss Example (4 Attack nodes) 100 Average Loss over time with Std. Dev. 80 % data loss Time (in iterations of 90 seconds) Figure: Graph showing average data loss over 5 runs with 800 nodes and 4 attack nodes using 8 bad locations with the attack starting after about 2h.

91 Data Loss Example (8 Attack nodes) 100 Average Loss over time with Std. Dev. 80 % data loss Time (in iterations of 90 seconds) Figure: Graph showing average data loss over 5 runs with 800 nodes and 8 attack nodes using 8 bad locations with the attack starting after about 2h.

92 How to protect against this? Check how frequently a node swaps similar locations? Limit number of swaps with a particular peer? Determine a node is malicious because its location is too close? Periodically reset all node locations? Secure multiparty computation for swaps? In F2F networks, you can never be sure about the friends of your friends!

93 Churn Leave join churn Nodes are not constantly in the network They leave for some period of time and then come back into the network Join leave churn Nodes join the network for a time, then disconnect permanently This also causes load imbalance similar to our attack

94 Churn Example 1/ Figure: Example stable core network Figure: Node location plot

95 Churn Example 2/ Swap? Figure: Node 0.95 joins the network Figure: Node location plot

96 Churn Example 3/ Yes Figure: Node 0.95 swaps with 0.60 Figure: Node location plot

97 Churn Example 4/ Figure: Node (now 0.60) leaves the network Figure: Node location plot

98 Churn Example 5/ Swap? 0.30 Figure: Node 0.30 joins the network Figure: Node location plot

99 Churn Example 6/ No 0.30 Figure: Node 0.30 does not swap Figure: Node location plot

100 Churn Example 7/ Figure: Node 0.30 leaves the network Figure: Node location plot

101 Churn Example 8/ Swap? 0.90 Figure: Nodes 0.70 and 0.90 consider a swap Figure: Node location plot

102 Churn Example 9/ Yes 0.70 Figure: 0.70 and 0.90 swap Figure: Node location plot

103 Churn Example 10/ Figure: Result after the swap Figure: Node location plot

104 Churn Example 11/ Swap? 0.05 Figure: Node 0.05 joins the network Figure: Node location plot

105 Churn Example 12/ Yes 0.70 Figure: Node 0.05 swaps location with 0.70 Figure: Node location plot

106 Churn Example 13/ Figure: Node (now 0.70) leaves the network Figure: Node location plot

107 Churn Simulation Created stable core of nodes Simulated join-leave churn, let network stabilize Ran exactly the native swap code Repeat n number of times Revealed drastic convergence to single location

108 Conclusion Freenet s routing algorithm is not robust Adversaries can easily remove most of the content Attack exploits location swap, where nodes trust each other Swap is fundamental to the routing algorithm Natural churn causes similar results

109 References Nathan S. Evans, Roger Dingledine, and Christian Grothoff. A practical congestion attack on tor using long paths. In 18th USENIX Security Symposium, pages USENIX, Prateek Mittal and Nikita Borisov. Information leaks in structured peer-to-peer anonymous communication systems. In Proceedings of the 15th ACM conference on Computer and communications security, CCS 08, pages , New York, NY, USA, ACM.

A Modern Congestion Attack on Tor Using Long Paths

A Modern Congestion Attack on Tor Using Long Paths Towards Nathan S. Evans 1 Christian Grothoff 1 Roger Dingledine 2 1 University of Denver, Denver CO 2 The Tor Project June, 22 2009 Why attack Tor? Tor