Securing Structured Overlays against Identity Attacks
October 2009 (vol. 20 no. 10)
pp. 1487-1498
Krishna P.N. Puttaswamy, UC Santa Barbara, Santa Barbara
Haitao Zheng, UC Santa Barbara, Santa Barbara
Ben Y. Zhao, UC Santa Barbara, Santa Barbara
Structured overlay networks can greatly simplify data storage and management for a variety of distributed applications. Despite their attractive features, these overlays remain vulnerable to the Identity attack, where malicious nodes assume control of application components by intercepting and hijacking key-based routing requests. Attackers can assume arbitrary application roles such as storage node for a given file, or return falsified contents of an online shopper's shopping cart. In this paper, we define a generalized form of the Identity attack, and propose a lightweight detection and tracking system that protects applications by redirecting traffic away from attackers. We describe how this attack can be amplified by a Sybil or Eclipse attack, and analyze the costs of performing such an attack. Finally, we present measurements of a deployed overlay that show our techniques to be significantly more lightweight than prior techniques, and highly effective at detecting and avoiding both single node and colluding attacks under a variety of conditions.
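The attack described in the abstract is easiest to see on a small identifier ring. The block below is an added example written for this page; it is not code from the paper or from the Chimera distribution. It models a Chord-style ring, shows a node on the lookup path answering a key-based routing request with a false root claim, and applies a simplified check that compares the claimant's distance to the key against fresh existence proofs from other nodes. That check only illustrates the detection direction the abstract describes and is not the paper's protocol. The ring size, the node identifiers, the proof format, the time values and all names (`verify_root_claim`, `MALLORY`, `demo`, and so on) are assumptions chosen for the illustration.

```python
"""Added illustration, not code from Puttaswamy, Zheng and Zhao's paper or
from Chimera: a Chord-style identifier ring, an identity attack in which a
node answers a key-based lookup with a false root claim, and a simplified
freshness-bounded closeness check against existence proofs. Ring size,
node identifiers, proof format and time units are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

RING_BITS = 16
RING = 1 << RING_BITS  # identifiers are integers mod 2**16 (assumption)


def distance(key: int, nid: int) -> int:
    """Clockwise distance from key to nid. The root of key is the live node
    with the smallest such distance (Chord's successor rule)."""
    return (nid - key) % RING


@dataclass(frozen=True)
class ExistenceProof:
    node: int       # identifier the issuing node asserts it holds
    issued_at: int  # issue time; a signature over (node, issued_at) is assumed verified


@dataclass(frozen=True)
class RootClaim:
    key: int
    node: int       # identifier of the node claiming to be root of key


def honest_root(key: int, live_ids: Iterable[int]) -> int:
    """What correct key-based routing returns: the closest live node."""
    return min(live_ids, key=lambda n: distance(key, n))


def honest_lookup(key: int, live_ids: Iterable[int]) -> RootClaim:
    return RootClaim(key, honest_root(key, live_ids))


def hijacked_lookup(key: int, attacker_id: int) -> RootClaim:
    """Identity attack: a malicious node on the routing path intercepts the
    lookup and answers with itself as root, whatever its distance to key."""
    return RootClaim(key, attacker_id)


def verify_root_claim(claim: RootClaim, proofs: Iterable[ExistenceProof],
                      now: int, max_age: int) -> Tuple[bool, Optional[int]]:
    """Reject the claim if a fresh existence proof names a node strictly
    closer to the key than the claimant, returning that node so the client
    can redirect its request. Two caveats are exercised in demo(): stale
    proofs are ignored, so an attacker who can keep the true root's proofs
    from being refreshed passes; and a claimant that really is closest,
    including a Sybil identity placed next to the key, also passes."""
    claimed = distance(claim.key, claim.node)
    for p in proofs:
        if now - p.issued_at > max_age:
            continue  # too old: the node may have left, do not trust it
        if distance(claim.key, p.node) < claimed:
            return False, p.node
    return True, None


# Constructed sample overlay: honest node identifiers, one attacker, and
# existence proofs for the honest nodes all issued at time 100.
HONEST = [1000, 20000, 33000, 50000, 61000]
MALLORY = 45000
LIVE = HONEST + [MALLORY]
PROOFS = [ExistenceProof(n, 100) for n in HONEST]
KEY = 30000  # object key whose correct root is 33000


def demo() -> dict:
    """Run four cases and return (accepted, contradicting_node) for each."""
    return {
        "honest": verify_root_claim(honest_lookup(KEY, LIVE), PROOFS, 105, 30),
        "hijacked": verify_root_claim(hijacked_lookup(KEY, MALLORY), PROOFS, 105, 30),
        "sybil_adjacent": verify_root_claim(hijacked_lookup(KEY, 30001), PROOFS, 105, 30),
        "stale_proofs": verify_root_claim(hijacked_lookup(KEY, MALLORY), PROOFS, 200, 30),
    }


if __name__ == "__main__":
    for case, (ok, closer) in demo().items():
        print(f"{case:15s} accepted={ok} closer_node={closer}")
```

Running `demo()` shows the hijacked claim by node 45000 rejected with node 33000 returned as the closer root to redirect to, while the honest claim passes. The two cases that pass wrongly are the ones the abstract's Sybil and Eclipse discussion is about: an attacker who can place an identity at 30001 legitimately wins the closeness comparison, and an attacker who can keep the real root's proofs from being refreshed past `max_age` is not contradicted by anything. Whatever freshness window a real deployment picks, it bounds both the churn the check tolerates and the time an attacker has after suppressing a proof.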

[1] R. Alebouyeh, M.S. Allen, K.P.N. Puttaswamy, and B.Y. Zhao, Chimera Software Distribution, projectschimera, 2008.
[2] H. Ballani, P. Francis, and X. Zhang, “A Study of Prefix Hijacking and Interception in the Internet,” Proc. ACM SIGCOMM '07, Sept. 2007.
[3] D. Boneh and M. Franklin, “Identity Based Encryption from the Weil Pairing,” SIAM J. Computing, vol. 32, no. 3, pp. 586-615, 2003.
[4] M. Castro et al., “Security for Structured Peer-to-Peer Overlay Networks,” Proc. Fifth Symp. Operating Systems Design and Implementation (OSDI '02), Dec. 2002.
[5] M. Castro et al., “SplitStream: High-Bandwidth Multicast in a Cooperative Environment,” Proc. 19th ACM Symp. Operating Systems Principles (SOSP '03), Oct. 2003.
[6] T. Condie et al., “Induced Churn as Shelter from Routing-Table Poisoning,” Proc. 13th Ann. Network and Distributed System Security Symp. (NDSS '06), Feb. 2006.
[7] F. Dabek, M.F. Kaashoek, D. Karger, R. Morris, and I. Stoica, “Wide-Area Cooperative Storage with CFS,” Proc. 18th ACM Symp. Operating Systems Principles (SOSP '01), Oct. 2001.
[8] F. Dabek, B. Zhao, P. Druschel, J. Kubiatowicz, and I. Stoica, “Towards a Common API for Structured P2P Overlays,” Proc. Second Int'l Workshop Peer-to-Peer Systems (IPTPS '03), Feb. 2003.
[9] E. Damiani et al., “A Reputation-Based Approach for Choosing Reliable Resources in Peer-to-Peer Networks,” Proc. Ninth ACM Conf. Computer and Comm. Security (CCS '02), Nov. 2002.
[10] G. DeCandia et al., “Dynamo: Amazon's Highly Available Key-Value Store,” Proc. 21st ACM Symp. Operating Systems Principles (SOSP '07), Oct. 2007.
[11] D. Deeths and G. Brunette, “Using NTP to Control and Synchronize System Clocks,” Technical Report 816-1475-10, Sun Microsystems Inc., July 2001.
[12] J.R. Douceur, “The Sybil Attack,” Proc. First Int'l Workshop Peer-to-Peer Systems (IPTPS '02), Mar. 2002.
[13] J. Falkner, M. Piatek, J.P. John, A. Krishnamurthy, and T. Anderson, “Profiling a Million User DHT,” Proc. Internet Measurement Conf. (IMC '07), Oct. 2007.
[14] M.J. Freedman, E. Freudenthal, and D. Mazières, “Democratizing Content Publication with Coral,” Proc. First Symp. Networked Systems Design and Implementation (NSDI '04), Mar. 2004.
[15] L. Ganesh and B.Y. Zhao, “Identity Theft Protection in Structured Overlays,” Proc. First Workshop Secure Network Protocols (NPSec '05), June 2005.
[16] S. Guha, N. Daswani, and R. Jain, “An Experimental Study of the Skype Peer-to-Peer VoIP System,” Proc. Fifth Int'l Workshop Peer-to-Peer Systems (IPTPS '06), Feb. 2006.
[17] K. Gummadi et al., “The Impact of DHT Routing Geometry on Resilience and Proximity,” Proc. ACM SIGCOMM '03, Sept. 2003.
[18] A. Haeberlen, P. Kouznetsov, and P. Druschel, “PeerReview: Practical Accountability for Distributed Systems,” Proc. 21st ACM Symp. Operating Systems Principles (SOSP '07), Oct. 2007.
[19] A. Haeberlen, A. Mislove, and P. Druschel, “Glacier: Highly Durable, Decentralized Storage Despite Massive Correlated Failures,” Proc. Second Symp. Networked Systems Design and Implementation (NSDI '05), May 2005.
[20] K. Hildrum and J. Kubiatowicz, “Asymptotically Efficient Approaches to Fault-Tolerance in Peer-to-Peer Networks,” Proc. 17th Int'l Symp. Distributed Computing (DISC '03), Oct. 2003.
[21] S.D. Kamvar, M.T. Schlosser, and H. Garcia-Molina, “The EigenTrust Algorithm for Reputation Management in P2P Networks,” Proc. 12th Int'l Conf. World Wide Web (WWW '03), May 2003.
[22] S. Rhea et al., “Pond: The OceanStore Prototype,” Proc. Second USENIX Conf. File and Storage Technologies (FAST '03), Apr. 2003.
[23] H. Rowaihy, W. Enck, P. McDaniel, and T.L. Porta, “Limiting Sybil Attacks in Structured P2P Networks,” Proc. IEEE INFOCOM, 2007.
[24] A. Rowstron and P. Druschel, “Pastry: Scalable, Distributed Object Location and Routing for Large-Scale Peer-to-Peer Systems,” Proc. 18th IFIP/ACM Int'l Conf. Distributed Systems Platforms (Middleware '01), Nov. 2001.
[25] A. Rowstron and P. Druschel, “Storage Management and Caching in PAST, a Large-Scale, Persistent Peer-to-Peer Storage Utility,” Proc. 18th ACM Symp. Operating Systems Principles (SOSP '01), Oct. 2001.
[26] A. Rowstron et al., “SCRIBE: The Design of a Large-Scale Event Notification Infrastructure,” Proc. Third Int'l Workshop Networked Group Comm. (NGC '01), Nov. 2001.
[27] S. Saroiu, P.K. Gummadi, and S. Gribble, “A Measurement Study of Peer-to-Peer File Sharing Systems,” Proc. Multimedia Computing and Networking (MMCN '02), Jan. 2002.
[28] A. Singh, T.-W. Ngan, P. Druschel, and D. Wallach, “Eclipse Attacks on Overlay Networks: Threats and Defenses,” Proc. IEEE INFOCOM, Apr. 2006.
[29] E. Sit and R. Morris, “Security Considerations for Peer-to-Peer Distributed Hash Tables,” Proc. First Int'l Workshop Peer-to-Peer Systems (IPTPS '02), Mar. 2002.
[30] I. Stoica, R. Morris, D. Karger, M.F. Kaashoek, and H. Balakrishnan, “Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications,” Proc. ACM SIGCOMM, 2001.
[31] G. Swamynathan, B.Y. Zhao, and K.C. Almeroth, “Exploring the Feasibility of Proactive Reputations,” Proc. Fifth Int'l Workshop Peer-to-Peer Systems (IPTPS '06), Feb. 2006.
[32] H. von Schelling, “Coupon Collecting for Unequal Probabilities,” Am. Math. Monthly, vol. 61, pp. 306-311, 1954.
[33] K. Walsh and E.G. Sirer, “Evaluation of a Deployed, Distributed Object Reputation System for Peer-to-Peer Filesharing,” Proc. Third Symp. Networked Systems Design and Implementation (NSDI '06), May 2006.
[34] E.W. Weisstein, Coupon Collector's Problem, http:/mathworld., 2008.
[35] H. Yu, P.B. Gibbons, M. Kaminsky, and F. Xiao, “A Near-Optimal Social Network Defense against Sybil Attacks,” Proc. IEEE Symp. Security and Privacy (S&P '08), May 2008.
[36] H. Yu, M. Kaminsky, P.B. Gibbons, and A.D. Flaxman, “SybilGuard: Defending against Sybil Attacks via Social Networks,” IEEE/ACM Trans. Networking, vol. 16, no. 3, pp. 576-589, June 2008.
[37] B.Y. Zhao, L. Huang, J. Stribling, S.C. Rhea, A.D. Joseph, and J. Kubiatowicz, “Tapestry: A Global-Scale Overlay for Rapid Service Deployment,” IEEE J. Selected Areas in Comm., vol. 22, no. 1, Jan. 2004.
[38] B.Y. Zhao, J.D. Kubiatowicz, and A.D. Joseph, “Tapestry: An Infrastructure for Fault-Tolerant Wide-Area Location and Routing,” Technical Report CSD-01-1141, U.C. Berkeley, 2001.
[39] L. Zhuang, F. Zhou, B.Y. Zhao, and A. Rowstron, “Cashmere: Resilient Anonymous Routing,” Proc. Second Symp. Networked Systems Design and Implementation (NSDI '05), May 2005.

Index Terms:
Security, routing protocols, distributed systems, overlay networks.
Krishna P.N. Puttaswamy, Haitao Zheng, Ben Y. Zhao, "Securing Structured Overlays against Identity Attacks," IEEE Transactions on Parallel and Distributed Systems, vol. 20, no. 10, pp. 1487-1498, Oct. 2009, doi:10.1109/TPDS.2008.241