DOI: 10.1145/2414456.2414491
research-article

KoNKS: konsensus-style network koordinate system

Published: 02 May 2012

Abstract

A network coordinate system [7, 14, 15] assigns virtual coordinates (network positions) to every node in the network. These coordinates are assigned so that the coordinate distance between two nodes reflects the real network distance between those two nodes. This allows any peer in the system to accurately estimate the network distance between any pair of nodes, without having the pair of nodes contact each other. Network coordinate systems' ability to predict the network latency between arbitrary pairs of nodes can be used in many applications: finding the closest node to download content from in a content distribution network or route to in a peer-to-peer system [18], reducing inter-ISP communication [5, 13], reducing the amount of state stored in routers [1], performing byzantine leader elections [6], and detecting Sybil attackers [3, 8].
Current network coordinate systems have been shown to have good accuracy in predicting network distances, low processing and communication overhead, and fast convergence to stable positions. More recent papers have improved on the earlier designs by providing coordinate stability under churn and convergence under measurement uncertainty [2, 7, 11, 12].
However, it has also been shown [10] that those network coordinate systems are not secure, in the sense that a malicious peer in the network can report randomly chosen coordinates or maliciously delay responses to disrupt the network coordinate system. The fake reported coordinates or round-trip time (RTT) cause the nodes in the system to incorrectly update their coordinates. This renders the network latency prediction useless because the coordinate distance between two nodes will not reflect the real network distance between the two nodes. Moreover, the adversary could "lie" about its coordinates so that the coordinate distance between itself and a targeted node is smaller than the real network distance. In some applications, the adversary will then be more likely to be contacted or picked as a peer to download content from.
Several schemes [9, 16, 17, 19, 20] have been developed to protect network coordinate systems against the attacks in [10], where malicious peers report randomly chosen coordinates, report random but consistent coordinates, or add random delay in their messages to other peers. These schemes can be categorized into anomaly/outlier detection [9, 20], reputation systems [16], and distributed reputation systems [17, 19]; all of them were shown to effectively mitigate the known attacks. Recently, however, a new type of attack [4] -- the frog-boiling attack -- was introduced, and it was shown that some of these schemes fail to protect against this attack. The frog-boiling attacker reports small but consistent lies that are not detected by any of the security mechanisms, but which cumulatively introduce unacceptable errors; for example, it was shown that this technique can randomly partition an overlay using a secure network coordinate system [20]. One of the issues is that the current secure schemes aimed only to "patch" against the known attacks. This could lead to an arms race in which new attacks that the existing schemes did not consider bypass existing security mechanisms, resulting in new, improved schemes to defend against the new attack, and so on.
To avoid this arms race, we evaluate a network coordinate system in terms of an explicit security goal -- an invariant that should hold despite the presence and actions of an attacker -- under a concrete threat model that states what resources the attacker can marshal. The two goals are 1) an attacker's influence on either the network distance or coordinate distance between two honest nodes is limited, and 2) the coordinate distance between a malicious peer and an honest peer cannot be smaller than the true network distance between these two nodes. The first goal limits an attacker's influence on honest nodes' coordinates while the second goal prevents an attacker from appearing closer than it actually is.
Our main contribution is describing a completely decentralized network coordinate system, KoNKS, which is secure under our stated security model. KoNKS -- consensus-style network coordinate system -- modifies the objective function that each peer follows to update its coordinates. In current network coordinate systems, a peer's goal is to minimize the sum of the prediction errors for all of its neighbors. In contrast, using KoNKS, a peer's goal is to minimize the number of neighbors whose individual relative error is unacceptable -- KoNKS puts an upper bound on each neighbor's relative error. The relative error determines how accurate the coordinate system is, thus when there are no attackers, minimizing the sum of errors should lead to more accurate distance predictions. However, minimizing the sum of prediction errors allows each neighbor to have a significant influence on the position of its peers. This is one of the reasons why the frog-boiling attack works. For example, a malicious neighbor could craft a lie so that its coordinate distance to the peer is much smaller than the measured network distance. In response, the peer would make a significant change to its coordinate because that update seemed to give the minimum total prediction error, even though it adds significant prediction error to every other neighbor.
This example cannot happen in KoNKS because every neighbor of a peer has the same amount of influence on that peer. In a way, KoNKS peers achieve consensus among their neighbors: each neighbor "votes" for a region in which the peer should reside, and the network position with the most "votes" from the neighbors is the one that KoNKS chooses. A malicious neighbor can still choose its reported coordinates and add delay to its RTT, but the push that lie has on the peer is limited, as the latter will have to satisfy its other neighbors as well. At every update, the peer takes into consideration each of its neighbors' relative error. We argue that KoNKS is secure because 1) a malicious node's influence on the coordinate distance between two honest nodes is limited, and 2) a malicious node cannot appear closer than it actually is because its relative error will be higher than the imposed threshold.
We show that KoNKS is as accurate as Vivaldi [7], one of the most popular decentralized network coordinate systems (Vivaldi is implemented in Vuze [18] and is the basis for previous "secure" network coordinate systems [9, 16, 17, 20]), and is secure against all the current attacks, including the network-partition frog-boiling attack. More specifically, KoNKS puts an upper bound on the amount of influence an adversary can have on the honest nodes. For example, 10% of attackers can partition a network using KoNKS only so much before their lies do not have any effect anymore because they are outside of the threshold, or the other honest neighbors' influence equals the malicious neighbors' influence. KoNKS with no attack can achieve a median relative error as low as 12%, which is comparable to Vivaldi's median relative error of 10%. Moreover, KoNKS incurs a very low overhead, similar to Vivaldi, as coordinates can be piggybacked on top of application messages. The processing overhead of each node updating its coordinates is also very small.
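
The difference between the two objective functions described in the abstract, as an added Python illustration that is neither the authors' code nor the KoNKS update rule itself: a converged peer re-picks its coordinate by grid search, once minimizing the total squared prediction error and once minimizing the number of neighbors whose relative error exceeds a threshold. The 2-D layout, the 20% threshold, the grid search, the smallest-move tie-break and all names are assumptions made for this example.

```python
import math

PEER = (0.0, 0.0)  # peer's current, converged coordinate (constructed)
HONEST = [(30, 0), (-30, 0), (0, 30), (0, -30), (20, 20), (-20, -20)]
# Constructed lie: reported coordinate 1 ms away, measured RTT inflated to 200 ms.
LIAR = ((1, 0), 200.0)

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def observations(liar=None):
    """(reported coordinate, measured RTT) per neighbor; honest RTT = true distance."""
    obs = [(c, dist(PEER, c)) for c in HONEST]
    return obs + [liar] if liar else obs

def sum_objective(pos, obs):
    """Sum-of-errors style: total squared prediction error over all neighbors."""
    return sum((dist(pos, c) - rtt) ** 2 for c, rtt in obs)

def count_objective(pos, obs, threshold=0.2):
    """Threshold style: number of neighbors whose relative error is unacceptable."""
    return sum(abs(dist(pos, c) - rtt) / rtt > threshold for c, rtt in obs)

def best_position(objective, obs, span=250, step=5):
    """Exhaustive grid search; ties go to the smallest move from PEER."""
    grid = [(x, y) for x in range(-span, span + 1, step)
                   for y in range(-span, span + 1, step)]
    return min(grid, key=lambda p: (objective(p, obs), dist(p, PEER)))

if __name__ == "__main__":
    for name, obj in (("sum", sum_objective), ("count", count_objective)):
        clean = best_position(obj, observations())
        attacked = best_position(obj, observations(LIAR))
        print(f"{name:5s} honest-only={clean} with-liar={attacked} "
              f"moved={dist(attacked, PEER):.1f}")
```

With honest neighbors only, both objectives leave the peer where it is; with the lying neighbor added, the sum objective drags the peer far from its position while the count objective simply leaves that one neighbor unsatisfied.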

References

[1] I. Abraham and D. Malkhi. Compact routing on euclidian metrics. In PODC: ACM symposium on Principles of distributed computing, 2004.
[2] S. Agarwal and J. R. Lorch. Matchmaking for online games and other latency-sensitive P2P systems. In SIGCOMM '09: Proceedings of the ACM SIGCOMM 2009 conference on Data communication, pages 315--326, New York, NY, USA, 2009. ACM.
[3] R. A. Bazzi and G. Konjevod. On the establishment of distinct identities in overlay networks. In PODC: ACM symposium on Principles of distributed computing, 2005.
[4] E. Chan-Tin, D. Feldman, Y. Kim, and N. Hopper. The Frog-Boiling Attack: Limitations of Anomaly Detection for Secure Network Coordinates. SecureComm, 2009.
[5] D. R. Choffnes and F. E. Bustamante. Taming the torrent: a practical approach to reducing cross-isp traffic in peer-to-peer systems. SIGCOMM Comput. Commun. Rev., 38(4): 363--374, 2008.
[6] J. Cowling, D. Ports, B. Liskov, R. A. Popa, and A. Gaikwad. Census: Location-Aware Membership Management for Large-Scale Distributed Systems. In proceedings of USENIX Technical Conference, 2009.
[7] F. Dabek, R. Cox, F. Kaashoek, and R. Morris. Vivaldi: a decentralized network coordinate system. In SIGCOMM, 2004.
[8] J. R. Douceur. The sybil attack. In IPTPS '01: International Workshop on Peer-to-Peer Systems, 2002.
[9] M. A. Kaafar, L. Mathy, C. Barakat, K. Salamatian, T. Turletti, and W. Dabbous. Securing internet coordinate embedding systems. SIGCOMM Comput. Commun. Rev., 37(4): 61--72, 2007.
[10] M. A. Kaafar, L. Mathy, T. Turletti, and W. Dabbous. Real attacks on virtual networks: Vivaldi out of tune. In LSAD: SIGCOMM workshop on Large-scale attack defense, 2006.
[11] J. Ledlie, P. Gardner, and M. Seltzer. Network coordinates in the wild. In Proceeding of USENIX Symposium on Networked Systems Design and Implementation (NSDI) '07, 2007.
[12] J. Ledlie, P. Pietzuch, and M. Seltzer. Stable and accurate network coordinates. In ICDCS '06: Proceedings of the 26th IEEE International Conference on Distributed Computing Systems, page 74, Washington, DC, USA, 2006. IEEE Computer Society.
[13] C. Lumezanu, D. Levin, and N. Spring. Peer wise discovery and negotiation of faster path. HotNets, 2007.
[14] T. S. E. Ng and H. Zhang. Predicting internet network distance with coordinates-based approaches. In IEEE INFOCOM, pages 170--179, 2001.
[15] T. S. E. Ng and H. Zhang. A network positioning system for the internet. In USENIX Technical Conference, 2004.
[16] D. Saucez, B. Donnet, and O. Bonaventure. A reputation-based approach for securing vivaldi embedding system. In EUNICE'07: Proceedings of the 13th open European summer school and IFIP TC6.6 conference on Dependable and adaptable networks and services, pages 78--85, Berlin, Heidelberg, 2007. Springer-Verlag.
[17] M. Sherr, M. Blaze, and B. T. Loo. Veracity: Practical Secure Network Coordinates via Vote-based Agreements. In USENIX Annual Technical Conference, 2009.
[18] Vuze. http://azureus.sourceforge.net, Accessed 2011.
[19] G. Wang and T. E. Ng. Distributed algorithms for stable and secure network coordinates. In IMC: ACM SIGCOMM conference on Internet measurement, 2008.
[20] D. J. Zage and C. Nita-Rotaru. On the accuracy of decentralized virtual coordinate systems in adversarial networks. In CCS: Proceedings of the ACM conference on Computer and communications security, 2007.

Cited By

  • (2018) Accurate geolocation using network coordinates. International Journal of Security and Networks 10:3 (170-182). DOI: 10.1504/IJSN.2015.071830. Online publication date: 17-Dec-2018
  • (2015) A secure DHT-based key distribution system for attribute-based encryption and decryption. 2015 9th International Conference on Signal Processing and Communication Systems (ICSPCS) (1-9). DOI: 10.1109/ICSPCS.2015.7391732. Online publication date: Dec-2015
  • (2015) Hijacking the Vuze BitTorrent network: all your hop are belong to us. IET Information Security 9:4 (203-208). DOI: 10.1049/iet-ifs.2014.0337. Online publication date: 1-Jul-2015

Published In

ASIACCS '12: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security
May 2012
119 pages
ISBN:9781450316484
DOI:10.1145/2414456
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

ASIA CCS '12

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
