Issue No.10 - October (2009 vol.20)
pp: 1487-1498
Haitao Zheng , UC Santa Barbara, Santa Barbara
Krishna P.N. Puttaswamy , UC Santa Barbara, Santa Barbara
ABSTRACT
Structured overlay networks can greatly simplify data storage and management for a variety of distributed applications. Despite their attractive features, these overlays remain vulnerable to the Identity attack, where malicious nodes assume control of application components by intercepting and hijacking key-based routing requests. Attackers can assume arbitrary application roles such as storage node for a given file, or return falsified contents of an online shopper's shopping cart. In this paper, we define a generalized form of the Identity attack, and propose a lightweight detection and tracking system that protects applications by redirecting traffic away from attackers. We describe how this attack can be amplified by a Sybil or Eclipse attack, and analyze the costs of performing such an attack. Finally, we present measurements of a deployed overlay that show our techniques to be significantly more lightweight than prior techniques, and highly effective at detecting and avoiding both single node and colluding attacks under a variety of conditions.
INDEX TERMS
Security, routing protocols, distributed systems, overlay networks.
CITATION
Haitao Zheng, Krishna P.N. Puttaswamy, "Securing Structured Overlays against Identity Attacks", IEEE Transactions on Parallel & Distributed Systems, vol.20, no. 10, pp. 1487-1498, October 2009, doi:10.1109/TPDS.2008.241