
E08-2E1 - Preventing DDoS Attacks with P2P Systems - ENS

Preventing DDoS Attacks with P2P Systems

Xin Sun, Ruben Torres, Sanjay Rao

Vulnerabilities commonly exist in the membership protocols of many P2P systems:

• KAD, BitTorrent-DHT, Overnet, Gnutella, ESM, …

DDoS attacks are feasible by exploiting those vulnerabilities. Such attacks can be launched towards any host, even those that do not participate in any P2P system!

Two different P2P systems are exploited:

• DHT-based KAD
• Gossip-based ESM

[Graphs: traffic seen by the victim. Panels: ESM (Broadcasting, Gossip), 5 attackers; KAD (File Distribution, DHT), 200 attackers; 10% attackers.]

The large scale of P2P systems (>1M concurrent users) gives such DDoS attacks huge magnitude (~Gbps) and makes them hard to stop and hard to trace back.

Preventing such DDoS attacks through Robust Membership Management

Validation through Multiple Sources: Nodes will not accept any information until they learn it from at least K members.

Bounding Logical IDs for a Physical ID: An attacker could repeatedly redirect an innocent node to a victim, using different logical IDs for the same physical ID, to amplify the attack. Solution: bound the number of logical IDs for a physical ID that a node can talk to.

Pull + Direct Validation:

• Pull: Any information conveyed by a member is always in response to a prior solicitation.
• Direct Validation: Immediately probe any new node learned through a third party before considering it as a neighbor.
• Neither of the two is enough by itself. Combine them for improved system robustness.
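The three defenses above, modelled together in a small membership-validation layer. This is an added example, not code from the poster or from KAD/ESM; the constructed scenario uses made-up addresses, `K` and `MAX_IDS_PER_ENDPOINT` are assumed thresholds, and `probe` stands in for a real protocol-level liveness check.

```python
from collections import defaultdict

K = 2                       # assumed: distinct members that must report a node
MAX_IDS_PER_ENDPOINT = 3    # assumed: logical IDs one (IP, port) may present

class MembershipValidator:
    def __init__(self, probe):
        self.probe = probe                        # probe(ip, port) -> bool
        self.pending = set()                      # members we solicited (outstanding pulls)
        self.reports = defaultdict(set)           # (ip, port) -> members that reported it
        self.ids_per_endpoint = defaultdict(set)  # (ip, port) -> logical IDs seen
        self.neighbors = set()
        self.dropped = []                         # (reason, detail) audit trail

    def solicit(self, member):
        self.pending.add(member)

    def on_response(self, sender, candidates):
        """candidates: list of (logical_id, ip, port) advertised by sender."""
        # Pull: membership information we never asked for is discarded outright.
        if sender not in self.pending:
            self.dropped.append(("unsolicited", sender))
            return []
        self.pending.discard(sender)
        accepted = []
        for lid, ip, port in candidates:
            ep = (ip, port)
            # Bounding logical IDs: one endpoint presenting many IDs is ignored.
            self.ids_per_endpoint[ep].add(lid)
            if len(self.ids_per_endpoint[ep]) > MAX_IDS_PER_ENDPOINT:
                self.dropped.append(("too_many_ids", ep))
                continue
            # Validation through multiple sources: wait for K distinct reporters.
            self.reports[ep].add(sender)
            if len(self.reports[ep]) < K:
                continue
            # Direct validation: probe the node before treating it as a neighbor.
            if ep not in self.neighbors and self.probe(ip, port):
                self.neighbors.add(ep)
                accepted.append(ep)
        return accepted

def run_scenario():
    victim = ("10.0.0.99", 4000)      # constructed: a host outside the P2P system
    v = MembershipValidator(probe=lambda ip, port: (ip, port) != victim)
    for m in ("M", "M2", "B", "C"):
        v.solicit(m)
    v.on_response("M", [("idM1", *victim)])           # single malicious report: below K
    v.on_response("B", [("idX", "10.0.0.5", 4000)])
    v.on_response("C", [("idX", "10.0.0.5", 4000)])   # second source: probed and accepted
    v.on_response("Z", [("idZ", "10.0.0.7", 4000)])   # never solicited: ignored
    v.on_response("M2", [("idM2", *victim)])          # K colluders, but the victim fails the probe
    v.solicit("M")
    v.on_response("M", [(f"fake{i}", *victim) for i in range(4)])  # many IDs, one endpoint
    return v
```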

[Diagram, Validation through Multiple Sources: nodes A, B, C, X, M. (1) A-REQ: F, M-RESP: V. (2) A-REQ: F, B-RESP: X. (3) A-REQ: F, B-RESP: X. (4) A contacts X. Caption: Learn from 2 members.]

[Diagram, Bounding Logical IDs: A-REQ: F, M-RESP: ID1…ID4. Fake IDs ID1, ID2, ID3, ID4 all map to IP-X, Port-Y. Caption: Bound rate of messages sent to many logical IDs with same IP/Port.]

Exploiting KAD search mechanism to generate a redirection DDoS attack towards a host that’s not part of KAD.

[Diagram, Normal Search in KAD vs. Redirection Attack. Normal search: nodes A, B, C, I (Index for F). (1) A-REQ: F, B-RESP: C. (2) A-REQ: F, C-RESP: I. (3) A-REQ: F, I-RESP: Sources. Redirection attack: A-REQ: F, M-RESP: Victim; A then sends A-REQ: F to Victim.]

DDoS attacks are feasible with P2P Systems

E08_2E1.pdf 1 3/1/2007 4:13:09 PM
