Abstract
We show that malicious nodes in a peer-to-peer system may impact the
external Internet environment, by causing large-scale distributed
denial of service attacks on nodes not even part of the overlay
system. This is in contrast to attacks that disrupt the normal
functioning and performance of the overlay system itself.
We formulate several principles critical to the design of
membership management protocols robust to such attacks.
We show that (i) pull-based mechanisms are preferable to push-based mechanisms;
(ii) it is critical to validate membership information received by a
node, and even simple probe-based techniques can be quite effective;
(iii) validating information by requiring corroboration from multiple
sources can provide good security properties with insignificant
performance penalties; and (iv) it is important to bound the
number of distinct logical identifiers (e.g., IDs in a DHT)
corresponding to the same physical identifier (e.g., IP address)
that a participating node is unable to validate.
We demonstrate the importance of these principles in the context of
the KAD system for file distribution and the ESM system for video broadcasting.
To our knowledge, this is the first systematic study of issues in the design of
membership management algorithms in peer-to-peer systems so they may
be robust to attacks exploiting them for DDoS attacks on external nodes.
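The following is an added illustration of principles (ii) through (iv), not code from the paper or from the KAD or ESM implementations. It models a membership table that admits an advertised peer only once at least `min_sources` distinct reporters have corroborated it, the number of logical IDs already admitted for that IP stays under `max_ids_per_addr`, and a protocol probe of the advertised address succeeds. The probe is injected as a callable so the scenario runs offline against a scripted responder; all names, parameters, peer IDs and addresses are constructed for the example.

```python
"""Admission control for a peer-to-peer membership table.

Demonstrates three defenses against membership information being abused
to direct traffic at external hosts: probe validation of advertised
entries, corroboration from multiple sources, and a bound on logical
identifiers per physical address.  The probe is injected so the example
runs offline; all data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class PeerEntry:
    node_id: str   # logical identifier, e.g. a DHT ID (hypothetical values)
    addr: str      # physical identifier: IP address
    port: int


class MembershipTable:
    def __init__(self, probe: Callable[[PeerEntry], bool],
                 min_sources: int = 2, max_ids_per_addr: int = 4):
        self.probe = probe                      # returns True iff addr speaks the protocol as node_id
        self.min_sources = min_sources          # principle (iii): corroboration threshold
        self.max_ids_per_addr = max_ids_per_addr  # principle (iv): bound on IDs per IP
        self.view: Set[PeerEntry] = set()
        self.reports: Dict[PeerEntry, Set[str]] = defaultdict(set)

    def ids_for_addr(self, addr: str) -> int:
        """Number of admitted logical IDs sharing one physical address."""
        return sum(1 for e in self.view if e.addr == addr)

    def learn(self, entry: PeerEntry, reporter: str) -> str:
        """Record that `reporter` advertised `entry` and decide on admission.

        Nothing is contacted until enough distinct reporters agree, which
        keeps a single malicious peer from steering probes at a victim.
        """
        if entry in self.view:
            return "known"
        self.reports[entry].add(reporter)
        if len(self.reports[entry]) < self.min_sources:
            return "pending"
        if self.ids_for_addr(entry.addr) >= self.max_ids_per_addr:
            return "rejected:addr-bound"
        if not self.probe(entry):               # principle (ii): validate before use
            return "rejected:probe-failed"
        self.view.add(entry)
        return "admitted"


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: one honest peer, one external host that does not
    run the protocol, and one host advertising many logical IDs."""
    honest = PeerEntry("id-a1", "192.0.2.10", 4000)
    many_ids = [PeerEntry(f"id-s{i}", "198.51.100.7", 4000) for i in range(6)]
    victim = PeerEntry("id-v1", "203.0.113.9", 80)   # external host, not a participant

    live = {honest, *many_ids}                        # only these answer a probe correctly

    def scripted_probe(entry: PeerEntry) -> bool:
        return entry in live

    table = MembershipTable(scripted_probe, min_sources=2, max_ids_per_addr=3)
    results: Dict[str, object] = {}

    results["honest_first"] = table.learn(honest, "peer-p")     # one reporter: pending
    results["honest_second"] = table.learn(honest, "peer-q")    # corroborated and probed

    results["victim_first"] = table.learn(victim, "mal-1")
    results["victim_second"] = table.learn(victim, "mal-2")     # two colluding reporters, probe fails

    outcomes: List[str] = []
    for entry in many_ids:
        for src in ("mal-1", "mal-2"):
            outcomes.append(table.learn(entry, src))
    results["many_ids_admitted"] = outcomes.count("admitted")
    results["many_ids_bounded"] = outcomes.count("rejected:addr-bound")
    results["view_size"] = len(table.view)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Only a probed, corroborated entry reaches the local view, so traffic toward the external host stops at the (rate-limited) probe instead of being amplified by every peer that hears the rumor, and the per-address bound caps how many table slots one physical host can occupy. Principle (i) is outside this snippet: in a pull-based design the table above would be populated by entries a node asked for, rather than by whatever arrives unsolicited.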
Keywords
Denial of Service, Peer-to-Peer, Group Management, Reflector Attacks, Intrusion Detection