COMP.SEC.100 / 13. Distributed Systems Security / 13.3 Attacks on P2P systems
Attacks on P2P systems
A coarse division into two basic peer‑network functionalities is used for presenting attacks:
- Opr: Network‑level operations such as lookup, query, routing, downloading, etc., which are available via the P2P protocol service interface.
- Dat: Data structures, e.g. information stored in a node’s routing table or resources shared with other members of the overlay network. These functions may be accessible either at the network level or locally on the node’s host machine.
User authentication is assumed to have already taken place when members joined the overlay network. P2P protocols may, however, be open to any visitor, and access control must then cover such visitors as well. Naturally, the focus here is on attacks against the peer network itself, not on attacks launched through it against other systems.
Types of attacks
Vulnerable basic properties of P2P include the facts that coordination relies on message forwarding and nodes have only partial visibility of the entire system. Attackers try to deceive others by providing false information or by cooperating in order to partition the network.
- Denial‑of‑service attacks (DoS and DDoS) exhaust resources and thereby limit access to a node or a communication route. The attacker attempts to reduce the availability of overlay services by sending too many messages to a selected set of nodes. This may affect the mechanisms for node joining and leaving and many other P2P services, e.g. handling routing information in a distributed hash table (DHT). The maintenance procedures triggered by such traffic can degrade the service quality received by other nodes. Naturally, denial‑of‑service directly affects bandwidth and resource availability.
- Collusion attacks affect availability, integrity, or confidentiality. Collusion means that a sufficiently large subset of nodes follows a shared strategy targeting P2P services and degrading functionality. A typical attack attempts to bypass control mechanisms such as reputation, trust, or bandwidth management. Sybil and Eclipse attacks (discussed later) rely on cooperation to create partitions and hide state information from honest nodes.
- Pollution attacks and index poisoning affect integrity and the functioning of data structures by introducing false information. Pollution, e.g. partially altered content, can spread from one node to other nodes’ content, causing service degradation.
- Whitewashing means that a member with a poor reputation leaves but later rejoins with a clean reputation. Some system vulnerabilities may allow reputation laundering in other ways. The target is the integrity of data structures, but the misbehaviour that originally caused the bad reputation may continue.
- Censorship attacks mean improper modification, removal, or denial of access to information. Despite the name, these are not necessarily performed by authorities.
- Routing attacks affect availability or integrity through corruption of data structures (Dat). A malicious node may degrade message forwarding by dropping or delaying messages. Another variant is routing table poisoning (RTP), where the attacker alters its own or others’ routing tables by returning incorrect information to peer lookup requests. Pull and push are specific variants of routing attacks that either increase or decrease the attractiveness of peers during path selection or routing‑table maintenance. Routing attacks play an important role in combined attacks such as Eclipse.
- Buffer map cheating (BM cheating, BMC) reduces availability, especially in P2P networks used for streaming applications. The attacker lies about its buffer contents — the “buffer map” indicating which chunks of streamed content it has cached. This is also an integrity violation and impacts the network level (Opr). Consequences include neglect of peer duties, incorrect reports and data blocks, and wrong neighbour selection.
- Sybil attacks degrade availability or confidentiality and affect network‑level operations (Opr). The attacker adds one or more nodes under its control to the overlay network. Depending on the attacker’s goal, this can occur at arbitrary locations in the overlay topology. Because P2P applications may limit the number of nodes per user, e.g. for voting, the attacker may aim for imbalance (not entirely unlike internet trolling). Sybil attacks may also precede many of the above attacks.
- Eclipse attacks degrade availability, integrity, and confidentiality. A group of malicious nodes surrounds the victim and hides its view of the rest of the system, partially or fully. The victim’s influence outward also changes. This is a combined attack and may include routing table poisoning, DoS/DDoS, Sybil attacks, collusion, whitewashing, or censorship. Therefore these attacks affect both network‑ and data‑structure‑level operations (Opr and Dat). Eclipse attacks are also possible against blockchains.
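The buffer map cheating item above describes a peer advertising chunks it does not actually hold. The following is an added example (not part of the course material) of the receiver-side check a defender would want: claimed chunks are spot-verified against a manifest of chunk hashes, and neighbour selection is driven by verified scores rather than advertised buffer size. The stream, manifest and neighbour behaviours are constructed for the example.

```python
"""Checking advertised buffer maps against delivered chunks (added example, not course code).

Constructed model: a streaming peer advertises a buffer map, i.e. a bitmap over chunk
indices. Before relying on a neighbour for chunk scheduling, the receiver requests a
chunk the neighbour claims to hold and verifies it against the chunk hash taken from
the stream manifest (assumed to be obtained through a trusted, e.g. signed, channel).
"""
import hashlib


def chunk_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Neighbour:
    def __init__(self, name, buffer_map, serve):
        self.name, self.buffer_map = name, buffer_map
        self.serve = serve  # serve(idx) -> bytes or None; stands in for a chunk request
        self.score = 0

    def claims(self, idx):
        return idx < len(self.buffer_map) and self.buffer_map[idx] == "1"


def verify_claim(neigh, idx, manifest):
    """Request chunk idx from a neighbour that advertised it; True if the delivered block
    matches the manifest hash. A missing or corrupt block counts as a failed claim."""
    if not neigh.claims(idx):
        return False  # nothing was claimed, so nothing to verify
    data = neigh.serve(idx)
    ok = data is not None and chunk_hash(data) == manifest[idx]
    neigh.score += 1 if ok else -2  # a lie costs more than a true claim earns
    return ok


def select_neighbours(neighbours, min_score=0):
    """Neighbour selection based on verified scores, not on advertised buffer contents."""
    return [n.name for n in sorted(neighbours, key=lambda n: -n.score) if n.score >= min_score]


# Constructed stream of 8 chunks and its hash manifest.
CHUNKS = [f"chunk-{i}".encode() for i in range(8)]
MANIFEST = [chunk_hash(c) for c in CHUNKS]


def demo():
    honest = Neighbour("honest", "11110000", lambda i: CHUNKS[i] if i < 4 else None)
    # The cheater advertises a full buffer but can only deliver chunk 0; the rest is junk.
    cheater = Neighbour("cheater", "11111111", lambda i: CHUNKS[0] if i == 0 else b"junk")
    for idx in (0, 3, 5, 7):  # spot checks on a few chunk indices
        for n in (honest, cheater):
            if n.claims(idx):
                verify_claim(n, idx, MANIFEST)
    return {"honest": honest.score, "cheater": cheater.score,
            "selected": select_neighbours([honest, cheater])}
```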
| Attack | Availability | Integrity | Confidentiality | Functionality |
|---|---|---|---|---|
| DoS/DDoS | ✓ | | | Opr |
| Collusion | ✓ | ✓ | ✓ | Opr |
| Pollution | | ✓ | | Dat |
| Whitewashing | | ✓ | | Dat |
| Censorship | ✓ | ✓ | | Dat |
| Routing | ✓ | ✓ | | Dat |
| Buffer map cheating | ✓ | ✓ | | Opr |
| Sybil | ✓ | | ✓ | Opr |
| Eclipse | ✓ | ✓ | ✓ | Dat & Opr |
Some attacks are unique to P2P. Some that occur in other systems require much more attacker capability in large P2P networks than in e.g. client‑server systems. Churn (node turnover) is one of the properties that distinguishes peer networks from other systems, and it can be used to cause a DoS effect. Artificially induced churn consumes bandwidth because maintaining the overlay structure requires effort.
Mitigating attacks
The basic mechanisms for securing a P2P protocol concern authentication, storage, and routing, because other security measures can only be built on top of these. The role of authentication is central (see another module). Protected storage is essential for data‑centric applications, and one must note that protection is needed even against the node owner. This is easy to understand e.g. in online‑gaming contexts, where modifying local data counts as cheating.
Routing protection, in addition to its basic purpose, is important for identifying members that relay incorrect messages. Routing attacks may also be mitigated by limiting the number of paths and/or protecting paths with (heavy) cryptographic mechanisms. Conversely, using several different lookup paths can mitigate routing attacks, though this is expensive. Coordination of cryptographic signatures is difficult to implement in a P2P‑type environment.
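As an added illustration (not part of the course material) of why several lookup paths help against routing table poisoning, and what the redundancy costs: the model below assumes a lookup of h hops, a known fraction f of poisoned peers, and k node-disjoint paths whose answers are combined by majority vote. The overlay, the hop rule and the wrong-answer convention are constructed for the example.

```python
"""Redundant lookup paths against routing table poisoning (added example, not course code).

Constructed model: a lookup traverses h hops. A poisoned hop redirects the lookup to a
wrong destination and later hops inherit the error, so a path is correct only if all of
its hops are honest. With k node-disjoint paths the querier takes the majority answer.
The malicious fraction f is assumed known for the analytic formula.
"""
from math import comb
import random


def path_ok_probability(f, h):
    """P(an h-hop path contains no poisoned hop) when a fraction f of peers is malicious."""
    return (1 - f) ** h


def majority_ok_probability(f, h, k):
    """P(a strict majority of k disjoint paths is correct). Worst case assumed: all poisoned
    paths agree on the same wrong answer, so more than k/2 honest paths are needed."""
    p = path_ok_probability(f, h)
    return sum(comb(k, i) * p ** i * (1 - p) ** (k - i) for i in range(k // 2 + 1, k + 1))


def simulate_lookup(peers, malicious, h, k, key, rng):
    """One lookup for `key` over k disjoint random paths; returns the plurality answer.
    The honest answer is `key`; a path with any malicious hop answers `key + 1`."""
    chosen = rng.sample(peers, h * k)  # no peer reused across paths -> node-disjoint
    answers = []
    for i in range(k):
        path = chosen[i * h:(i + 1) * h]
        answers.append(key + 1 if any(p in malicious for p in path) else key)
    return max(set(answers), key=answers.count)


def estimate_success(n_peers, f, h, k, trials, seed=1):
    """Fraction of lookups returning the honest answer in a constructed overlay."""
    rng = random.Random(seed)
    peers = list(range(n_peers))
    malicious = set(rng.sample(peers, round(f * n_peers)))
    ok = sum(simulate_lookup(peers, malicious, h, k, 7, rng) == 7 for _ in range(trials))
    return ok / trials


if __name__ == "__main__":
    # The cost side: k paths mean k times the lookup messages for the gain shown here.
    for k in (1, 3, 5):
        print(k, "paths: analytic", round(majority_ok_probability(0.1, 3, k), 3),
              "simulated", estimate_success(200, 0.1, 3, k, 2000))
```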
Mitigation of Sybil and Eclipse attacks relies on a centralized service that handles member registration. This may be extended by binding certificates to peer identifiers. These can be implemented most strongly as public‑key certificates. This prevents malicious actors from choosing their own network identifiers. Differentiating lookup queries has been proposed as an alternative mitigation for Eclipse attacks, allowing the victim to avoid unnecessary queries to its (topological) neighbourhood.
Buffer map cheating: The KAD P2P network, derived from Kademlia, uses a network‑indexing crawler to monitor the network state and detect malicious peers even during an Eclipse attack. If every network member used such a mechanism, the load would become enormous and infeasible in a large network.
The above security mechanisms improve the natural resilience of P2P systems against various attacks. Naturally, these mechanisms hold only up to the point where a critical mass of malicious nodes is reached. Mechanisms requiring cryptographic support or strong member identification may conflict with application requirements such as anonymity, heterogeneity, or resource conservation.