Securing Structured Overlays Against Identity Attacks

Krishna P. N. Puttaswamy
Haitao Zheng
Ben Y. Zhao

IEEE Transactions on Parallel and Distributed Systems, Vol. 20, No. 10, Pgs 1487-1498, October 2009


Paper Abstract

Structured overlay networks can greatly simplify data storage and management for a variety of distributed applications. Despite their attractive features, these overlays remain vulnerable to the Identity attack, where malicious nodes assume control of application components by intercepting and hijacking key-based routing (KBR) requests. Attackers can assume arbitrary application roles, such as the storage node for a given file, or return falsified contents of an online shopper's shopping cart. In this paper, we define a generalized form of the Identity attack, and propose a light-weight detection and tracking system that protects applications by redirecting traffic away from attackers. We describe how this attack can be amplified by a Sybil or Eclipse attack, and analyze the costs of performing such an attack. Finally, we present measurements of a deployed overlay that show our techniques to be significantly more light-weight than prior techniques, and highly effective at detecting and avoiding both single node and colluding attacks under a variety of conditions.