P2P Networks, Gnutella Protocol, Topological Scan Worms, Passive Scan Worms, Solutions
Lapsy Garg
Outline: P2P Networks, Gnutella Protocol, Topological Scan Worms, Passive Scan Worms, Solutions
P2P Networks
- Resource sharing
- P2P nodes act both as servers and clients
- Resilient to single node failure
- Almost infinite storage capacity
- Examples: Gnutella, Kazaa, BitTorrent
Worms in P2P Networks
- Do not waste time probing unused IP addresses
- Do not generate a high rate of failed connections
- Ability to merge malicious traffic into normal P2P traffic
- Detection systems based on analysis of worm scans cannot differentiate the normal P2P activity of a client from a worm; hence such worms are difficult to detect
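As an added illustration of the last point (this is example code written for this page, not code from the slides), the following Python detector scores each source by its ratio of failed connections over a constructed connection log. The random-scanning host is flagged; the host that only contacts live peers it already knows, as a worm spreading over the overlay would, produces no failures and is indistinguishable from a normal client. Hostnames, the log format and the thresholds are assumptions made for the example.

```python
# Added example (not from the slides): a minimal failed-connection-rate
# detector of the kind the slide says cannot see worms that spread over
# the P2P overlay. The log lines below are constructed for this example.
from collections import defaultdict

# Constructed connection log: source, destination, outcome.
# 10.0.0.5 behaves like a random-scanning worm (most probes fail);
# 10.0.0.7 only contacts peers it already knows from the overlay, so
# every connection succeeds and it looks like ordinary client traffic.
SAMPLE_LOG = """\
10.0.0.5 10.1.2.3 FAIL
10.0.0.5 10.1.2.4 FAIL
10.0.0.5 10.1.2.5 FAIL
10.0.0.5 10.1.2.6 FAIL
10.0.0.5 10.1.2.7 OK
10.0.0.7 10.1.9.1 OK
10.0.0.7 10.1.9.2 OK
10.0.0.7 10.1.9.3 OK
10.0.0.7 10.1.9.4 OK
10.0.0.7 10.1.9.5 OK
10.0.0.8 10.1.9.1 OK
10.0.0.8 10.1.9.9 FAIL
"""


def parse_log(text):
    """Yield (src, dst, ok) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, status = line.split()
        yield src, dst, status == "OK"


def connection_counts(text):
    """Per-source (attempts, failures) counters."""
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for src, _dst, ok in parse_log(text):
        attempts[src] += 1
        if not ok:
            failures[src] += 1
    return attempts, failures


def failed_connection_ratio(text):
    """Per-source ratio of failed connections to total attempts."""
    attempts, failures = connection_counts(text)
    return {src: failures[src] / attempts[src] for src in attempts}


def flag_scanners(text, min_attempts=5, max_fail_ratio=0.5):
    """Sources whose failure ratio exceeds the threshold (classic scan detection).

    A source with few attempts is ignored to avoid flagging transient errors.
    """
    attempts, _failures = connection_counts(text)
    ratios = failed_connection_ratio(text)
    return sorted(
        src for src, ratio in ratios.items()
        if attempts[src] >= min_attempts and ratio > max_fail_ratio
    )


if __name__ == "__main__":
    print(failed_connection_ratio(SAMPLE_LOG))
    print("flagged:", flag_scanners(SAMPLE_LOG))
```

Only 10.0.0.5 is flagged; 10.0.0.7 has a failure ratio of zero, which is why scan-based detectors need to be complemented by something that looks at overlay behaviour rather than connection failures.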
Gnutella Protocol
- Distributed P2P protocol
- Defines the way in which peers communicate over the network
- Highly fault tolerant
- Some popular Gnutella clients: LimeWire, BearShare, Gtk-Gnutella
- Each servent has a self-selected servent ID
- A Gnutella node is typically connected to 2-12 nodes
Time to Live (TTL)
- Further limits the horizon of nodes
- When a message is passed through a node, its TTL is reduced by 1
- If TTL = 0, the message is not forwarded further
File exchange involves two phases: Search and Download
Search
- To search for a file, a node, say n, sends a search Query message to its neighbor nodes
- On receiving a search Query, nodes look for a match in their local data set
- If a match is found, a Hit message is generated and sent back over the same path through which the Query message reached the node
- The Query message is forwarded further if TTL is not zero
Download
- On receiving Hit messages, node n selects a node to download the file from
- The download happens via an HTTP connection
Figure: Query propagation and Hit return among Peer A, Peer B, Peer C and Peer D: (1)-(3) Query forwarded from peer to peer, (4)-(6) Hit returned along the reverse path, (7) Download.
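The search and download phases described above, as an added Python simulation (example code written for this page, not code from the slides or from any Gnutella client). The overlay, the peer names and the shared files are constructed; the TTL handling and the Hit's reverse path follow the slide text, and duplicate delivery of a Query to a peer is suppressed the way Gnutella does with message IDs.

```python
# Added example (not from the slides): a small simulation of Gnutella-style
# search with TTL, Hit routing back along the Query path, and source
# selection for download. All peers, links and files are constructed.
from collections import deque

# Constructed overlay: each peer lists its neighbours (undirected links).
TOPOLOGY = {
    "A": ["B", "C"],
    "B": ["A", "D"],
    "C": ["A", "D"],
    "D": ["B", "C", "E"],
    "E": ["D"],
}

# Constructed local data sets: filename -> size in bytes.
SHARED = {
    "A": {},
    "B": {"song.mp3": 4_000_000},
    "C": {},
    "D": {"song.mp3": 4_100_000, "notes.txt": 2_000},
    "E": {"song.mp3": 3_900_000},
}


def search(origin, keyword, ttl, topology=TOPOLOGY, shared=SHARED):
    """Flood a Query from `origin` and return the Hits that reach it.

    Each Hit records the responding peer and the path the Hit travels,
    which is the reverse of the path the Query took to reach that peer.
    A peer is delivered the Query at most once (Gnutella suppresses
    duplicates by message id), along the first path that reached it.
    """
    hits = []
    if ttl <= 0:
        return hits
    seen = {origin}
    queue = deque()
    for neighbor in topology[origin]:
        if neighbor not in seen:
            seen.add(neighbor)
            # The receiving node decrements TTL before deciding to forward.
            queue.append((neighbor, [origin, neighbor], ttl - 1))
    while queue:
        node, path, remaining = queue.popleft()
        # Each node looks for a match in its local data set and answers
        # with a Hit that goes back the way the Query came.
        for name, size in shared[node].items():
            if keyword in name:
                hits.append({
                    "peer": node,
                    "file": name,
                    "size": size,
                    "hit_path": list(reversed(path)),
                })
        # Forward only while TTL has not reached zero.
        if remaining <= 0:
            continue
        for nxt in topology[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt], remaining - 1))
    return hits


def choose_download(hits):
    """Pick the responder to download from.

    As the slides note, a plain client has only filename and size to go on;
    this constructed policy takes the smallest matching file.
    """
    if not hits:
        return None
    return min(hits, key=lambda hit: hit["size"])


if __name__ == "__main__":
    for ttl in (1, 2, 3):
        found = search("A", "song", ttl)
        print(f"TTL={ttl}: hits from {[h['peer'] for h in found]}")
    chosen = choose_download(search("A", "song", 3))
    print("download from", chosen["peer"], "via path", chosen["hit_path"])
```

Raising the TTL from 1 to 3 widens the horizon from B alone to B, D and E; the Hit from D travels D, B, A, the reverse of the Query's path. The choice of download source is driven purely by size here, which is the weakness the passive-worm slides build on.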
Topological Scan Worms
- Do not waste time probing unavailable IP addresses
- Can use the information available at an infected P2P node to search for vulnerable nodes
- Most worm detection systems based on analysis of worm scans are rendered useless
- Exploit: vulnerability in the application
- No case of such a worm has been reported yet
Passive Scan Worms
- Gnutella assumes nodes are trustworthy, which is not always the case
- There is no way to determine the authenticity of the files advertised by a peer
- The decision to download a file is based more or less on filename or file size
- Exploit: vulnerability in the protocol
- Wait for the vulnerable targets to contact them
Case 1
- The worm creates infected copies of itself with attractive filenames and places them in the shared folder of the P2P client, or replaces the files present in the shared folder with itself
- e.g. VBS.Gnutella, Benjamin worm
Case 2
- The worm answers positively to a proportion of search queries by changing the name of the corrupted file to match the search query
- e.g. Gnuman
Case 3 – Middle Man Attack
- The infected node forwards the search query, collects good responses to it and replies with the same, to gain the user's trust
- No case of this kind of worm has been reported
Solutions
- Most of the solutions proposed for the problem of passive worms are based on building trust between the peers
- Some of the popular approaches are: EigenTrust, Credence, XRep
- These approaches slow down worm propagation, but they do nothing to detect the worms
EigenTrust
- Generates the global reputation of the peers without the presence of any central authority
- Files from highly reputed peers are given higher preference
- Assumes that files downloaded from highly reputed peers are much less likely to be infected or junk
- This approach would not work if a highly reputed peer starts sharing an infected file
Vote-based reputation
- Each peer builds a trust graph, i.e. how much it trusts other peers, based on its experience with those nodes
- Before a file download, it collects the votes of other peers about the file
- The weight of each vote depends on the reputation of the voter
- The files are then sorted in decreasing order of reputation, which is calculated from the votes for the file
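As an added example that covers both the EigenTrust slide and the vote-based approach above (example code written for this page; it is neither the slides' code nor the reference implementation of EigenTrust, Credence or XRep), the following Python computes an EigenTrust-style global reputation by power iteration and then uses it to weight peers' votes about files. Peer names, local trust values, votes and the uniform pre-trust vector are constructed assumptions.

```python
# Added example (not from the slides, and not the reference implementations
# of EigenTrust, Credence or XRep): an EigenTrust-style global reputation
# computed by power iteration, then used to weight votes about files.
# All peer names, local trust values and votes below are constructed.

PEERS = ["p0", "p1", "p2", "p3"]

# Constructed local trust s_ij: satisfactory minus unsatisfactory downloads
# that peer i had from peer j. Nobody has had a good experience with p3.
LOCAL = {
    "p0": {"p1": 5, "p2": 3, "p3": -2},
    "p1": {"p0": 4, "p2": 2, "p3": 0},
    "p2": {"p0": 3, "p1": 4, "p3": -1},
    "p3": {"p0": 1, "p1": 1, "p2": 1},
}

# Assumption: no distinguished pre-trusted peers, so the pre-trust vector p
# is uniform. (EigenTrust normally puts this weight on a few known-good peers.)
PRETRUST = {peer: 1.0 / len(PEERS) for peer in PEERS}


def normalize(local, peers, pretrust):
    """Row-normalise local trust: c_ij = max(s_ij, 0) / sum_j max(s_ij, 0).

    A peer with no positive experience at all falls back to the pre-trust
    distribution, as EigenTrust does, so every row still sums to 1.
    """
    c = {}
    for i in peers:
        positive = {j: max(local[i].get(j, 0), 0) for j in peers if j != i}
        total = sum(positive.values())
        if total == 0:
            c[i] = dict(pretrust)
        else:
            c[i] = {j: positive.get(j, 0) / total for j in peers}
    return c


def eigentrust(local, peers, pretrust, alpha=0.1, max_iter=200, tol=1e-12):
    """Global trust t = (1 - alpha) * C^T t + alpha * p, iterated to a fixed point.

    No central authority is needed: the vector is the stationary point of
    "ask the peers you trust whom they trust", damped towards pre-trust.
    """
    c = normalize(local, peers, pretrust)
    t = dict(pretrust)
    for _ in range(max_iter):
        new = {
            j: (1 - alpha) * sum(c[i][j] * t[i] for i in peers) + alpha * pretrust[j]
            for j in peers
        }
        delta = max(abs(new[j] - t[j]) for j in peers)
        t = new
        if delta < tol:
            break
    return t


def rank_sources(hits, trust):
    """Order the responders to a query by global trust, highest first."""
    return sorted(hits, key=lambda peer: trust[peer], reverse=True)


def rank_files(votes, trust):
    """Vote-based file reputation: each vote is weighted by the voter's trust.

    `votes` maps filename -> {voter: +1 (good) or -1 (bad)}. Files are
    returned sorted in decreasing order of weighted score.
    """
    scores = {
        name: sum(trust[voter] * vote for voter, vote in voters.items())
        for name, voters in votes.items()
    }
    return sorted(scores, key=scores.get, reverse=True)


# Constructed votes: p3 tries to promote its own file but carries little weight.
FILE_VOTES = {
    "song_good.mp3": {"p0": +1, "p1": +1, "p3": -1},
    "song_fake.mp3": {"p3": +1, "p2": -1},
    "song_unknown.mp3": {"p3": +1},
}

if __name__ == "__main__":
    trust = eigentrust(LOCAL, PEERS, PRETRUST)
    print({peer: round(value, 3) for peer, value in trust.items()})
    print("preferred source:", rank_sources(["p3", "p1"], trust)[0])
    print("file ranking:", rank_files(FILE_VOTES, trust))
```

Because no peer reports a positive experience with p3, its global trust is only the damping term alpha * p, and its vote for song_fake.mp3 is outweighed by a single negative vote from p2. Note that rank_sources prefers p1 for any file it serves: the slide's caveat that the scheme fails when a highly reputed peer starts sharing an infected file is visible here, since nothing in the ranking inspects the file itself.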
References
[1] Worm List, http://www.viruslist.com/en/virusesdescribed?chapter=153311928.
[2] Gnutella, http://www9.limewire.com/developer/gnutella_protocol_0.4.pdf.
[3] LimeWire, http://www.limewire.com.
[4] N. Curtis, R. Safavi-Naini, and W. Susilo. X2Rep: Enhanced trust semantics for the XRep protocol. In Applied Cryptography and Network Security, Yellow Mountain, China, June 2004.
[5] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, P. Samarati, and F. Violante. A reputation-based approach for choosing reliable resources in peer-to-peer networks. In ACM Conference on Computer and Communications Security, Washington, DC, October 2002.
[6] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati. Managing and sharing servents' reputations in P2P systems. IEEE Transactions on Knowledge and Data Engineering, vol. 15, no. 4, pp. 840-854, July/August 2003.
[7] M. Engle and J. I. Khan. Vulnerabilities of P2P systems and a critical look at their solutions. Medianet Lab Technical Report, Department of Computer Science, Kent State University, 2006.
[8] S. D. Kamvar, M. T. Schlosser, and H. Garcia-Molina. The EigenTrust algorithm for reputation management in P2P networks. In Proceedings of the Twelfth International World Wide Web Conference, 2003.
[9] Nassima Khiat, Yannick Carlinet, and Nazim Agoulmine. The emerging threat of peer-to-peer worms. MonAM 2006 Workshop, 2006.
[10] Kevin Walsh and Emin Gün Sirer. Experience with a distributed object reputation system for peer-to-peer filesharing. In Proceedings of the Symposium on Networked Systems Design and Implementation (NSDI), San Jose, California, May 2006.
[11] Lidong Zhou, Lintao Zhang, Frank McSherry, Nicole Immorlica, Manuel Costa, and Steve Chien. A first look at peer-to-peer worms: Threats and defenses. In Proceedings of the IPTPS, 2005.