Elsevier

Computers & Security

Volume 65, March 2017, Pages 283-299
Computers & Security

P2P routing table poisoning: A quorum-based sanitizing approach

https://doi.org/10.1016/j.cose.2016.12.007Get rights and content

Abstract

Peer-to-Peer (P2P) protocols underlie multiple networked applications given that the P2P decentralized design inherently fosters scalability and robustness. While distributiveness and scalability are attractive features, these facets also increase exposure to malicious peers which can propagate malicious routing information. Accordingly, a diverse set of continuously evolving attacks can be mounted that can cause severe service impairments over the entire overlay network. Most proposed countermeasures focus on providing diversity or redundancy to overcome malicious routing information with their emphasis on periodic detection/removal mechanisms done locally within a peer as continuous monitoring or global sharing of peer status entails high costs. However, a local approach naturally also limits the global effectiveness prompting the need for distributed solutions.

In this work, we build upon contemporary distributed solutions (that developed specific attack detection and mitigation techniques for specific overlay types and specific attacks), to propose a generalized attack detection and mitigation approach applicable to varied overlay and attack models.

Consequently, we propose a novel and efficient routing table sanitizing approach that (a) is independent of a specific attack variant, lookup approach or a specific victim set, (b) continuously detects and subsequently removes malicious routing information based on distributed quorum decisions, and (c) efficiently forwards malicious information findings to other peers which allows for progressive global sanitizing. The generalized mechanism shows a high sanitizing accuracy of up to 90% when evaluated against a generalized attack scenario with various adversarial behaviors.

Introduction

The P2P paradigm utilizes decentralized coordination to provide scalability and fault tolerance, which naturally leads to its wide applicability in diverse data dissemination and data discovery applications such as file sharing, multimedia streaming, machine-to-machine communication, IoT and many others (Steinheimer et al, 2013, Wu et al, 2011). In order to support scalability and low overheads in P2P networks, the design practices typically result in partitioned groups where a peer has only a partial view of the network as obtained from its neighboring peers.

However, the aforementioned design practices render P2P networks susceptible to various attacks, e.g., routing table poisoning, which is an inherent part of composite attacks such as Eclipse (EA), Sybil, flooding and publishing attacks (Douceur, 2002, Germanus et al, 2014, Kohnen et al, 2009, Li et al, 2014, Locher et al, 2010, Singh et al, 2006). While the fault tolerance aspect ensures correct operation even for high rates of random peer failures, the disruptions inserted into the peers routing tables (RT) as a form of Routing Table Poisoning (RTP) result in significant degradation of the network services. Notably, using a detailed simulation study, we demonstrate the significant RTP impact of up to 65% message loss. Moreover, we illustrate how the propagation of malicious RT information about the victim peers of RTP attacks further facilitates launching Eclipse, Sybil and other aforementioned attacks.

The existence of RTP attacks and the resulting degradation have received attention (Cholez et al, 2013, Lin et al, 2010, Urdaneta et al, 2011). A considerable variety of proposed countermeasures (Castro et al, 2002, Koo et al, 2012, Lee et al, 2012, Li, Chen, 2008, Rottondi et al, 2015, Stoica et al, 2001) exists, yet these techniques entail one or more of the following inefficiency drawbacks: (i) They are only applicable for a specific P2P protocol, i.e., the countermeasure mechanisms are specifically tailored according to a single P2P protocol specifications. (ii) They are effective against a single form of RTP attack. Hence, countermeasures show no resiliency once the attack is modified. (iii) They typically require a central entity that coordinates the detection, monitoring, and decisions about malicious peers. However, in practice, the system's services are degraded as the overlay's fully distributed architecture is compromised. (iv) They often rely on cryptographic schemes, which can then constrain communication between lightweight peers to necessitate enhanced computing.

Aiming toward finding a general solution to overcome the aforementioned deficiencies, we explored a detection and sanitizing scheme in Ismail et al. as a countermeasure against a single attack variant of Localized Attacks (LAs). We build upon the basic notions of providing anonymous detection from our proposed mechanism in Ismail et al. to develop a generalized attack handling approach applicable to multiple attack models and overlays.

In the course of our previous work, we develop an adaptable RTP attack mitigation approach that overcomes the aforementioned deficiencies. We propose a protocol-independent, fully distributed, simple and effective detection and overlay-sanitizing mechanism.

As a mean of an adaptable mitigation, we make use of a majority voting based detection in order to detect inconsistencies in RTs. The detection mechanism shows high accuracy with detection rates of up to 90% even for 20% malicious peers attacking. The sanitizing mechanism is triggered by initiating a quorum of peers in order to unveil the inconsistencies stemming from RTP attacks. Once the quorum investigates and accordingly declares finding malicious RT entries, the sanitizing mechanism informs other peers in order to let them reliably remove the RT information inserted by the suspected malicious peer.

Overall, our contributions span (i) demonstrating the high impact of RTP attacks on benign peers RTs and the overall network's service provision, and (ii) proposing a novel quorum based sanitizing mechanism that efficiently removes malicious peers and propagates information about their identity while providing anonymity and scalability.

The rest of the paper is organized as follows: Section 2 presents the technical background along with related work. Section 3 provides the system model and defines the concepts underlying the attacker model (Section 4), the detection mechanism (Section 5) and the proposed sanitizing mechanism (Section 6). The attack severity, mitigation efficiency, and detection rates are evaluated in Section 7.

Section snippets

Related work: typical attacks & mitigation approaches

Given the diverse set of applications that utilize the P2P functionality, a corresponding variety of attack types exists threatening the operations and reliability of P2P services. However, as routing constitutes a core P2P functionality, naturally most threats stem from deliberate attempts to compromise the peers routing tables with malicious information. Consequently, the launching of RT attacks on P2P networks has attracted considerable research interest.

While a variety of countermeasures

System model

This section presents the system model used for the evaluation of our approach. Utilizing the established models from Ismail et al, 2016, Ismail et al, 2015, it consists of an overlay model along with a P2P protocol abstraction that includes descriptions of the lookup mechanism.

Routing table poisoning (RTP)

In this section, we present the fundamentals of launching an RTP attack that targets inserting and propagating malicious entries in benign peers RT. The proposed attack model constitutes the basis for evaluating the proposed sanitizing mechanism.

In order to validate the effectiveness and applicability of the sanitizing mechanism in various RTP attack scenarios, we consider a sophisticated general attack model that (i) is not only applicable for a specific P2P protocol and topology, (ii) does

Detection mechanism

We now introduce the detection mechanisms used locally by each peer to suspect other peers based on the received lookup replies. In order to detect lookup inconsistencies, we propose a modified lookup mechanism in Ismail et al. (2015) where peers are able to gather more than a single reply.

The lookup initiator can detect inconsistencies through comparing the set of received replies according to (i) the consent of the replying peers' location with the lookup protocol specifications, (ii) the

Sanitizing mechanism (SM)

In this section we present the sanitizing mechanism. Prior to the operation of SM, the detector proposes a set of suspected peers according to their lookup replies as discussed in Section 5. Afterwards, the SM is invoked to investigate and thus, reach a decision about the suspected peers. Consequently, the SM executes a removal procedure for suspected peers identified malicious to sanitize the benign peers RT.

Unlike the detector which is operated locally by each peer, the SM is executed as a

Evaluation

This section assesses the effectiveness of SM as a countermeasure for RTP attacks launched with the set of the proposed adversarial behaviors. The target is to evaluate the severity of RTP attacks on the overlay's reliability and the imposed perturbations resulting from poisoning RT entries. Consequently, SM is evaluated in terms of reliability enhancements, imposed overhead on the network and malicious removal ratio from benign peers RT.

In order to do so, two experiments are conducted. The

Conclusions & future work

RTP attacks pose a significant threat to P2P networks as reliability is severely degraded to cause service impairments. As a countermeasure, we have proposed a distributed sanitizing mechanism based on reaching a consensus once a peer is suspected over the lookup process by the DMV based detector. The proposed sanitizing mechanism eliminates more than 90% of the malicious entries from the peers RTs, and successfully restores the benign state of the overlay as the lookup success rate increases

Hatem Ismail is currently a PhD student at DEEDS group in the Department of Computer Science at Technische Universitt of Darmstadt, Germany. His research interest includes P2P attacks evaluation, mitigation and performance enhancement techniques.

References (49)

  • J. Augustine et al.

    Distributed agreement in dynamic peer-to-peer networks

    J Comput Syst Sci

    (2015)
  • J. Kos et al.

    U-Sphere: strengthening scalable flat-name routing for decentralized networks

    Comput Netw

    (2015)
  • I. Baumgart et al.

    OverSim: a flexible overlay network simulation framework

    (2007)
  • F. Belli et al.

    Comparative analysis of concurrent fault-tolerance techniques for real-time applications

    (1991)
  • J. Bernstein

    Curve25519: new Diffie–Hellman speed records

    (2006)
  • M. Castro et al.

    Practical Byzantine fault tolerance

    (1999)
  • M. Castro et al.

    Practical Byzantine fault tolerance and proactive recovery

    ACM Trans Comput Syst (TOCS)

    (2002)
  • M. Castro et al.

    Secure routing for structured peer-to-peer overlay networks

    (2002)
  • T. Cholez et al.

    Detection and mitigation of localized attacks in a widely deployed P2P network

    Peer-to-Peer Netw Appl

    (2013)
  • G. Danezis et al.

    SybilInfer: detecting Sybil nodes using social networks

    (2009)
  • J. Douceur

    The Sybil attack

    (2002)
  • F. Eichert et al.

    The impact of routing attacks on pastry-based P2P online social networks

    (2014)
  • M. Fischer

    The consensus problem in unreliable distributed systems

    (1983)
  • D. Germanus et al.

    Susceptibility analysis of structured P2P systems to localized eclipse attacks

    (2012)
  • D. Germanus et al.

    Mitigating eclipse attacks in peer-to-peer networks

    (2014)
  • D. Germanus et al.

    PASS: an address space slicing framework for P2P eclipse attack mitigation

    (2015)
  • H. Hsieh et al.

    New approach to improve the generalized byzantine agreement problem

    Int J Comput Theory Eng

    (2015)
  • H. Ismail et al.

    Malicious peers eviction for P2P overlays

  • H. Ismail et al.

    Detecting and mitigating P2P eclipse attacks

    (2015)
  • P. Kamat et al.

    A critical analysis of P2P communication, security concerns and solutions

    Int J Appl Eng Res

    (2014)
  • A. Kapadia et al.

    HALO: high-assurance locate for distributed hash tables

    (2008)
  • M. Kohnen et al.

    Conducting and optimizing eclipse attacks in the Kad peer-to-peer network

    (2009)
  • H. Koo et al.

    A DDoS attack by flooding normal control messages in Kad P2P networks

    (2012)
  • Y. Lee et al.

    Advanced node insertion attack with availability falsification in Kademlia-based P2P networks

    (2012)
  • Cited by (0)

    Hatem Ismail is currently a PhD student at DEEDS group in the Department of Computer Science at Technische Universitt of Darmstadt, Germany. His research interest includes P2P attacks evaluation, mitigation and performance enhancement techniques.

    Daniel Germanus obtained his PhD from TU Darmstadt, Germany. His research interests include P2P network resiliency and critical information infrastructures. Currently, he is a researcher at ENX Association.

    Neeraj Suri received his PhD from the University of Massachusetts at Amherst and is a Chair Professor at the Technische Universitt of Darmstadt, Germany. His research addresses the design, analysis, and assessment of trustworthy cloud services.

    View full text