Author: | Hermanni Hyytiälä |
---|---|
Date-Created: | 2003-06-05 |
Last-Modified: | 2003-08-01 |
Revision: | 1.41 |
Status: | Incomplete |
This is the first version of PEG document which briefly describes the attack methods used by a "killer" program. The program is intended to be used to test GISP P2P software's robustness against hostile attacks.
In this document we mean with "hostile peer" as an entity which is able to do a (limited/simplified/modified) number of regular GISP peer's functionalies in a way which may be harmful for the GISP network w.r.t. performance and redundancy. The harmfulness of a peer is a consequence of the fact that a peer is wilfully malicious.
This program is only used for research purposes and the goal is to improve GISP's resilience against hostile attacks.
Additionally, the author of GISP has stated that he will address attacks as they become a problem. This inclines us to think that writing an attack program will get the author to address that attacks.
ISSUE: When should we discuss this with the author of GISP?
ISSUE: Does GISP support "free-choice" during lookups?
RESOLVED: No, the current Java implementation does not support "peer-choice". However, the protocol specification of GISP-3.4 allows the "free choice".
not "useful" or not (not just PING scenario) ("a peer can discard information of unreachable peers")
RESOLVED: Yes, there are directions in the protocol specification how GISP peer should handle undesirable messages and peers:
"3.6. Security Behavior
For the security of the entire system, each peer SHOULD deal with possible attacks. A peer SHOULD detect undesirable messages such as: A message that is not valid. A message with <peer> or <insert> elements whose millisecond to live (ttl) is too big. A message or its elements are already received in a short period of time. A whole or a part of an undesirable message SHOULD be discarded. A peer MAY record the undesirable message or its information for the future security purpose.
A peer SHOULD also detect undesirable peers such as: A peer which never respond. A peer which rarely responds. A peer which sends undesirable messages. A peer which sends too many messages. An undesirable peer SHOULD be removed from the peer routing table and SHOULD NOT be included in outgoing messages. A peer MAY record the undesirable peer information for the future security purpose."
Please notice, however, the word "SHOULD".
determined by a GISP peer and is it a reliable method ?
RESOLVED: No, the current GISP implementation does not address "uselessness" properly, since GISP peer only observes reply timeouts for the "seen" messages. Thus, we can implement a "dumb" peer which answers to the "seen" messages normally but does not perform requested operations, e.g., reply to "query" message. This behaviour allows other peers to maintain "dumb" peers in their routing tables while still "dumb" peers are able to cause problems for the network's operation.
GISP does not appear to address the attacks against DHT systems described in ref1 and ref2. Using a simulation process as a research method we want the answers to the following questions:
We will perform simulations on a single desktop computer. We intend to use GISP's native code as much as possible. We start our simulation process by creating simple scenarios in which:
Scenario #1 (static "dumb"):
Description: In this scenario, we use "dumb" peers to test GISP's fault tolerance. In this context, with "dumb" peers we mean peers which do not reply or forward queries at all. There are two variations of this scenario. The first variation is the static scenario in which peers do not join or leave the system while the test is running. In the second variation, peers can join and leave the system while the test is running.
We expect that GISP's fault tolerance is at least at the same level as Chord's fault tolerace since GISP's routing table is based on Chord's routing table.
Chord's general properties:
Additionally, the current version of GISP (3.4) have following properties:
The assumption for the results above is that the system is "in the steady state", according to the authors.
Note: The length of the path to resolve the query is O(log n) with high probability.
Example Chord's path lengths in a static network (from figure):
~10 peers: 2 (average) ~20 peers: 2 (average) ~100 peers: 3 (average) ~1000 peers: 5 (average) ~10000 peers: 6 (average) ~16000 peers: 7 (average)
Chord's fault tolerance properties include (from figures):
Simultaneous peer failures: - Randomly selected fraction of nodes fail - No peers join or leave the system - Result: 20% of lookups fail, when 20% of peers are failed
Lookups during peers join and leave the system:
Simulation Process:
During the simulation process we will use a single hostile peer or a group of hostile peers (fraction of all peers) in the test network. We assume that hostile peer(s) takes part in forming of the network normally.
By using above scenarios, we want to clarify GISP's properties with regard to research questions.
*=We start the simulation process with these scenarios.
Hypothesis:
GISP's lookup failure rate increases linearly in a static network with the fraction of "dumb" peers when a "dumb" peer do not provide a "RESULT" message for a "QUERY" message. More specifically, when randomly selected fraction of f all peers become "dumb", same fraction f of all lookups will fail.
Notes:
n peers, O(log n) path length, all peers perform n-1 lookups. Then the total number of packets is n((n-1)(log n))
n peers, O(log n) path length, random fraction of peers, r, perform rl lookups. Then the total number of packets is r((rl)(log n))
GISP network: n peers, O(log n) path length, all peers perform n-1 lookups. Then the total number of packets is n((n-1)(log n))
n peers where fraction f are hostile, O(log n) path length, all peers perform n-1 lookups. Then the total number of lost packets is [f^((log n)-1)]*[n((n-1)(log n))]
We will compare (and validate) our test results with the Chord's performance and fault tolerance properties.
No changes are required to the Storm implementation codebase.