Veracity: Practical Secure Network Coordinates via Vote-Based Agreements

Similar documents
Secure and Accurate Network Coordinate Systems

The Frog-Boiling Attack: Limitations of Secure Network Coordinate Systems

The Frog-Boiling Attack: Limitations of Anomaly Detection for Secure Network Coordinate Systems

The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla

KoNKS: Konsensus-style Network Koordinate System

Lecture 6: Overlay Networks. CS 598: Advanced Internetworking Matthew Caesar February 15, 2011

Sybil defenses via social networks

Vivaldi Practical, Distributed Internet Coordinates

Vivaldi Practical, Distributed Internet Coordinates

Network Coordinates in the Wild

Vivaldi: A Decentralized Network Coordinate System. Authors: Frank Dabek, Russ Cox, Frans Kaashoek, Robert Morris MIT. Published at SIGCOMM 04

Peer-to-Peer Systems and Security

March 10, Distributed Hash-based Lookup. for Peer-to-Peer Systems. Sandeep Shelke Shrirang Shirodkar MTech I CSE

Introduction to Peer-to-Peer Systems

NOWADAYS the Internet plays a key role in people s dailylife.

Scalable Link-Based Relay Selection for Anonymous Routing

Peer-to-Peer Systems. Network Science: Introduction. P2P History: P2P History: 1999 today

A Cost-Space Approach to Distributed Query Optimization in Stream Based Overlays

Detecting and Recovering from Overlay Routing Attacks in Peer-to-Peer Distributed Hash Tables

CERIAS Tech Report A Platform for Creating Efficient, Robust, and Resilient Peer-to-Peer Systems by David Zage Center for Education and

Path Optimization in Stream-Based Overlay Networks

Coordinate-based Routing:

Peer-to-peer systems and overlay networks

08 Distributed Hash Tables

A Survey on Research on the Application-Layer Traffic Optimization (ALTO) Problem

Security for Structured Peer-to-peer Overlay Networks. Acknowledgement. Outline. By Miguel Castro et al. OSDI 02 Presented by Shiping Chen in IT818

Improving Prediction Accuracy of Matrix Factorization Based Network Coordinate Systems

Experimental Study on Neighbor Selection Policy for Phoenix Network Coordinate System

CS555: Distributed Systems [Fall 2017] Dept. Of Computer Science, Colorado State University

MITIGATING ATTACKS AGAINST ADAPTATION MECHANISMS IN OVERLAY NETWORKS. A Thesis. Submitted to the Faculty. Purdue University. AAron R.

Virtual Multi-homing: On the Feasibility of Combining Overlay Routing with BGP Routing

Detecting and Recovering from Overlay Routing. Distributed Hash Tables. MS Thesis Defense Keith Needels March 20, 2009

GNUnet Distributed Data Storage

R/Kademlia: Recursive and Topology-aware Overlay Routing

P2PNS: A Secure Distributed Name Service for P2PSIP

Building Large-scale Distributed Systems with Network Coordinates

Overview Computer Networking Lecture 16: Delivering Content: Peer to Peer and CDNs Peter Steenkiste

Sybil Attack Detection with Reduced Bandwidth overhead in Urban Vehicular Networks

Towards Application-Aware Anonymous Routing Micah Sherr Boon Thau Loo Matt Blaze University of Pennsylvania

Fixing the Embarrassing Slowness of OpenDHT on PlanetLab

Peer-to-peer computing research a fad?

Secure Routing in Peer-to-Peer Distributed Hash Tables

Problems in Reputation based Methods in P2P Networks

A Traceback Attack on Freenet

Drafting Behind Akamai (Travelocity-Based Detouring)

Securing Structured Overlays Against Identity Attacks

S/Kademlia: A Practicable Approach Towards Secure Key Based Routing

CS514: Intermediate Course in Computer Systems

Handling Churn in a DHT

A Scalable Content- Addressable Network

Vivaldi: : A Decentralized Network Coordinate System

Attacks on Phoenix: A Virtual Coordinate System

SEAR: SECURED ENERGY-AWARE ROUTING WITH TRUSTED PAYMENT MODEL FOR WIRELESS NETWORKS

Eclipse Attacks on Overlay Networks: Threats and Defenses

Securing Application-Level Topology Estimation Networks: Facing the Frog-Boiling Attack

Secure and Robust Overlay Content Distribution

Securing Virtual Coordinates by Enforcing Physical Laws

Building a low-latency, proximity-aware DHT-based P2P network

Halo: High-Assurance Locate for Distributed Hash Tables

CompSci 356: Computer Network Architectures Lecture 21: Overlay Networks Chap 9.4. Xiaowei Yang

Sleep/Wake Aware Local Monitoring (SLAM)

AS the demand for Internet and Web-based services

Low-cost Enhancement of the Intra-domain Internet Robustness Against Intelligent Node Attacks

Lecture 6: Securing Distributed and Networked Systems. CS 598: Network Security Matthew Caesar March 12, 2013

Practical Large-Scale Latency Estimation

Anonymity in Structured Peer-to-Peer Networks. Nikita Borisov and Jason Waddle

Re-imagining Vivaldi with HTML5/WebGL. PhD Candidate: Djuro Mirkovic Supervisors: Prof. Grenville Armitage and Dr. Philip Branch

Feasibility, Effectiveness, Performance and Potential Solutions on Distributed Content Sharing System

Accurate and Provably Secure Latency Estimation with Treeple

A Collaborative P2P Scheme for NAT Traversal Server Discovery based on Topological Information

Kademlia: A P2P Informa2on System Based on the XOR Metric

Interdomain Routing Design for MobilityFirst

Thwarting Traceback Attack on Freenet

A Collaborative P2P Scheme for NAT Traversal Server Discovery based on Topological Information

Distributed Web Crawling over DHTs. Boon Thau Loo, Owen Cooper, Sailesh Krishnamurthy CS294-4

Venugopal Ramasubramanian Emin Gün Sirer SIGCOMM 04

On the State of the Inter-domain and Intra-domain Routing Security

Implications of Neighbor Selection on DHT Overlays

Certified Internet Coordinates

SELF-ORGANIZING TRUST MODEL FOR PEER TO PEER SYSTEMS

Oriented Overlays For Clustering Client Requests. To Data-Centric Network Services

Distributed Systems. 17. Distributed Lookup. Paul Krzyzanowski. Rutgers University. Fall 2016

Proceedings of the First Symposium on Networked Systems Design and Implementation

CE Advanced Network Security Anonymity II

Evaluating DHT-Based Service Placement for Stream-Based Overlays

Network Positioning from the Edge

Challenges in the Wide-area. Tapestry: Decentralized Routing and Location. Global Computation Model. Cluster-based Applications

Secure Algorithms and Data Structures for Massive Networks

Efficient DHT attack mitigation through peers ID distribution

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks

Adaptive In-Network Query Deployment for Shared Stream Processing Environments

Debunking some myths about structured and unstructured overlays

Saarland University Faculty of Natural Sciences and Technology I Department of Computer Science. Masters Thesis

NodeId Verification Method against Routing Table Poisoning Attack in Chord DHT

CIS 700/005 Networking Meets Databases

Security Considerations for Peer-to-Peer Distributed Hash Tables

A 3 : An Extensible Platform for Application-Aware Anonymity

Comet: An Active Distributed Key-Value Store. Roxana Geambasu Amit Levy Yoshi Kohno Arvind Krishnamurthy Hank Levy University of Washington

Internet Coordinate Systems Tutorial

Tuning Vivaldi: Achieving Increased Accuracy and Stability

Transcription:

Veracity: Practical Secure Network Coordinates via Vote-Based Agreements Micah Sherr, Matt Blaze, and Boon Thau Loo University of Pennsylvania USENIX Technical June 18th, 2009 1

Network Coordinate Systems Network coordinate systems enable efficient network distance estimations without requiring pairwise measurements Coordinate system maps nodes to n-dimensional coordinates Distance between two peers' coordinates represents actual network distance (e.g., RTT) between them 2

Applications Support wide range of network services: Proximity-based routing Neighbor selection in overlays Network-aware overlays Replica placement Anonymous path selection Detour routing E.g., Vuze BitTorrent client maintains million+ node coordinate system for efficient DHT traversal 3

Vulnerability to Attack 0% malicious 30% malicious Distributed coordinate systems easy to manipulate 10% malicious nodes 4.9X decrease in accuracy 30% malicious nodes 11X decrease in accuracy 4

Veracity Security protection layer for coordinate systems Lightweight No a priori trust required Amenable to realistic network conditions Fully distributed Intuition: Truthfulness of coordinates can be accurately assessed by independent peers with different vantage points 5

Related Work Assumes no TIVs Fully distributed (no a priori trusted nodes or PKI) Supports dynamic neighborsets Does not depend on temporal or spatial locality heuristics PIC Secure coordinates [Kaafar et al.] RVivaldi Zage et al. CCS07 Veracity 6

Coordinate Systems 101 Many flavors: Vivaldi, PIC, etc. Iterative update mechanism: Node retrieves coordinate of random neighbor Node measures metric between itself and neighbor Updates local coordinate to minimize error function Embedding errors due to network triangle-inequality violations (TIVs) (-6,2) 13ms latency (-5,2) (6,2) 7

Coordinate Systems 101 Embedding errors due to network triangleinequality violations (TIVs) Median error ratio: median of percentage difference between virtual and real distances between a node and all other nodes 8

Attacking Virtual Coordinate Systems Disorder attacks: decrease accuracy (and utility) of coordinate system Attack techniques: When queried, provide false coordinate When probed, delay measurement response Possible attack implications: Malicious hosts selected for routes, neighbors, or replicas Requests misrouted; false data returned in CDNs Partitioned DHTs 9

Veracity: A security layer that protects the accuracy of coordinate systems 10

Veracity Participants Publisher Investigator Advertises coordinate. May or may not be truthful Wants to use Publisher's coordinate to update local coordinate 11

Node Discovery Fully-distributed directory service used to locate peers Distributed directory server (e.g., DHT) must support: DELIVER(g,m) : deliver message m to node whose globally unique identifier (GUID) is closest to g Each node calculates GUID as HASH(ip port) 12

Veracity's Two Protection Phases Phase I: Publisher coordinate verification Rejects inconsistent or inaccurate coordinates Phase II: Candidate coordinate verification Prevents delayed measurements after coordinate passes publisher coordinate verification 13

Publisher Coordinate Verification Investigator Publisher

Publisher Coordinate Verification: Publisher notifies VSet of coordinate Publisher updates his coordinate Step 1: Publisher computes his verification set (VSet), consisting of peers whose GUIDs are closest to h 1,...,h г using the recurrence:

Publisher Coordinate Verification: Publisher notifies VSet of coordinate Step 2: Publisher sends its GUID g and new coordinate C to each VSet member via

Publisher Coordinate Verification: VSet members assess Publisher's coordinate Each VSet member measures the RTT between itself and Publisher Each computes the error ratio: the % difference between the empirical (RTT) and coordinatebased distances: C,δ 1 e indicates VSet member's belief in the publisher's advertised coordinate VSet members store Publisher's advertised coordinate and its error ratio as evidence tuple C,δ 2 C,δ 3

Publisher Coordinate Verification: Investigator queries Publisher for coordinate Investigator queries Publisher for its coordinate Publisher returns its coordinate C? C

Publisher Coordinate Verification: Investigator computes Publisher's VSet, requests evidence Investigator uses the same recurrence to compute Publisher's VSet Investigator requests evidence tuple from each VSet member Evidence tuples with incorrect coordinate are discarded C,δ 1 C,δ 3 C,δ 2

If the number of evidence tuples having δ < maxδ Publisher Coordinate Verification: Investigator considers evidence is at least R, then coordinate is accepted.

Publisher Coordinate Verification ensures that: Publisher must advertise consistent coordinate to VSet members and Investigator Publisher's coordinate must match VSet members' empirically measured RTTs (-934,2) True latency: 13ms Delay latency: 2000ms (-7,2) (6,2) But this is insufficient to protect a virtual coordinate system... Publisher behaves honestly, allowing coordinate to pass Publisher Coordinate Verification After verifying coordinate, Investigator measures RTT to Publisher Publisher delays Investigator's RTT probe 21

Candidate Coordinate Verification Investigator queries coordinates of random nodes (RSet) Conducts RTT measurement to each RSet member Computes new candidate coordinate C' using Publisher's verified coordinate Using current (C) and candidate coordinate (C'), computes error ratios E and E' If, Investigator replaces C with C' 22

Evaluation 23

Accuracy in Absence of Attack Veracity functionality added to Bamboo DHT Median error ratios of 500 nodes from the King (pairwise latency) dataset Veracity increases median of median error ratios by just 4.6% (0.79ms) Median error ratios after stabilization 24

Resilience to Naïve Attack Malicious nodes report inconsistent and random coordinates and delay RTT probes by up to 2000ms Worst case for Vivaldi Inconsistent coordinates easily detected by VSet 25

Resilience to Coordinated Attack Malicious nodes (30% of network) randomly delay RTT probes and advertise false coordinates Malicious nodes offer supporting evidence (low error ratios) for other malicious nodes, no evidence for honest nodes 26

PlanetLab Deployment Installed on ~100 geographically diverse PlanetLab nodes 27

Communication Cost Publisher Coordinate Verification and Candidate Coordinate Verification both impose linear communication overheads Cost of each request is O(log N) Measured BW on PlanetLab Predicted BW using Log Regression (R 2 =0.99) 28

Summary Veracity effectively mitigates disorder attacks Reduces Vivaldi's median error ratio by 88% when 30% of nodes are malicious and uncoordinated Even against coordinated attacks, Veracity reduces Vivaldi's error ratio by 70% when 30% are malicious Unlike existing approaches, Veracity Does not rely on TIV assumptions Requires no centralized infrastructure Does not require a priori trust Veracity incurs minimal communication overhead and can be practically deployed 29

Veracity: Practical Secure Network Coordinates via Vote-Based Agreements Micah Sherr, Matt Blaze, and Boon Thau Loo University of Pennsylvania USENIX Technical June 18th, 2009 30

Backup slides 31

Rejected: VSet-only and/or RSet-only Veracity 20% of nodes are malicious 32

Resilience to Repulsion and Isolation Attacks Malicious nodes partitioned into 3 coalitions Each coalition attempts to move victim node to far coordinate (-1000 in all dimensions) 33

DHT Security Veracity relies on reliability of requests DHT attacks: Sybil: register multiple identities to increase influence in network Eclipse: falsify routing update messages to corrupt DHT routing tables Routing: misroute or modify requests, or forge responses 34

DHT Security (2) Sybil attack countermeasures: Distributed registration in which nodes vote on whether IP is allowed to join [Dinger'06] Use bootstrap graphs to generate trust profiles [Danezis'05] Cryptopuzzles [Borisov'06] Eclipse and Routing attack countermeasures: Organize network into swarms; forward message only if lookup sent from majority of members of previous swarm [Fiat'05] Send via redundant routes [Castro'02] 35

Publisher Coordinate Verification: Publisher notifies VSet of coordinate Each publisher assigned a Verification Set (VSet) of peers whose GUIDs are closest to h 1,...,h г determined using the recurrence: Publisher VSet g,c,ip After updating his coordinate, publisher sends tuple to each VSet member via deliver 36

Publisher Coordinate Verification: VSet members assess coordinate Each VSet member measures the RTT between itself and the publisher VSet members compute the error ratio: Publisher VSet Error ratio reflects percentage difference between real and estimated distances Indicates VSet member's belief in the publisher's advertised coordinate VSet member stores evidence tuple δ RTT probes 37

Publisher Coordinate Verification: Investigator queries Publisher for coordinate Investigator queries Publisher for its coordinate. Publisher responds with claim tuple: Investigator Publisher (g,г,c,ip) 38

Publisher Coordinate Verification: Investigator probes VSet for evidence Investigator calculates Publisher's VSet and queries each member for its evidence tuple Investigator VSet 39

Publisher Coordinate Verification: Investigator considers VSet evidence VSet members return evidence tuples to Investigator Investigator (g,ip,δ 1...4 ) VSet If the number of evidence tuples having δ < max δ is at least R, then coordinate is accepted 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback