We present a novel mechanism for detecting and protecting structured overlay networks against non-conforming (abnormal) behavior of other participating nodes. We use a lightweight distributed detection mechanism that exploits inherent structural invariants of DHTs to ferret out anomalous flow behavior. To prevent identity spoofing leading to Sybil attacks, neighbor identities are established with pair-wise keys, which do not require an authentication infrastructure. Upon detection, a Pushback-like protocol is invoked to notify the predecessor whence the offending traffic is arriving. Recursive applications of the protocol can identify and isolate the offending node.
We evaluate our mechanism's ability to detect attackers via simulation within a DHT network. The results show that our system can detect a simple attacker whose attack traffic deviates by as little as 5% from average traffic. We also demonstrate the resiliency of our mechanism against coordinated distributed flooding attacks that involve up to 15% of overlay nodes. We measure the effectiveness with which our approach identifies the offending node(s) and squelches the attacks. The detection and containment mechanisms presented show that overlays can protect themselves from insider DoS attacks, eliminating an important roadblock to their deployment.
Angelos Stavrou is currently a Research Assistant at the Network Security Laboratory at Columbia University. His research interests are Security using Peer-to-peer and Overlay Networks, Network Reliability, and Statistical Inference.
He received his B.S. in Physics with honors from the University of Patras, Greece, and an M.Sc. in Theory of Algorithms, Logic and Computation from the University of Athens, Greece. He also holds an M.Sc. in Electrical Engineering from Columbia University and is currently working toward the Ph.D. degree at the same university.