Attacks on Trust Systems

Just as DHTs have got inherent weaknesses, so do trust systems. Hoffman et al. identify five different types of such attacks in [54]: Self-promoting, whitewashing, slandering, or- chestrated attacks and denial of service attacks.

2.5.4.1 Self-Promoting Attack

Self-promoting means that an attacker attempts to increase its own reputation by giving itself positive ratings, e.g., by the means of Sybil nodes. Another way is to manipulate its own reputation data: If it manages this information itself and in a non-authenticated way, it is possible to modify the information. If the trust system does not require a proof of interaction, the self-promoting attack is facilitated. Trust systems that only use positive ratings are especially vulnerable to this attack.

The attack is usually performed by colluding nodes that generate interactions among themselves and give each other positive ratings for the interactions. This way, they could even succeed in countering negative ratings they receive from legitimate nodes [54].

Figure 13: Schema of several network partitions

2 Basics

24 2.5 Security Challenges of Structured Peer-to-Peer Systems and Trust Systems

2.5.4.2 Whitewashing Attack

Whitewashing means that a node that has received too many negative ratings leaves the network and returns with a new and non-rated identifier to dispose of its negative rat- ings. If identifiers can be changed easily, an attacker can create a new identity when the reputation of its old identity is too bad. Trust systems that only use negative ratings are vulnerable to whitewashing because newcomer nodes have the same reputation as nodes that participate in the network for a long time and have behaved well.

Another form of the whitewashing attack is a changing behavior of the node: The attacker behaves correctly first to receive positive ratings and then abuses its high reputation to act maliciously. Nodes that behave this way are called traitor nodes.

In order to make the whitewashing attack more effective, it can be combined with the self-promoting attack: If performed concurrently, the effective duration of the attacks will increase. The whitewashing attack can be countered by limiting users from switching identities, e.g., with a Sybil attack countermeasure, and by giving more weight to more recent ratings to counter traitor nodes [54].

2.5.4.3 Slandering Attack

Slandering is the opposite of self-promoting: Malicious nodes give negative ratings to in- offensive nodes in order to decrease their reputation so that their own reputation in- creases relative to them. Just as the self-promoting attack, the slandering attack is easily conducted if the system does not authenticate the ratings, and it is usually performed with several colluding nodes.

The countermeasures against traitor nodes and the slandering attack interfere with each other: In order to counter traitor nodes, more recent ratings should receive more weight. However, this renders a slandering attack more effective, so a balance has to be found. Limiting the amount of identifiers one physical attacker can obtain impedes the slander- ing attack [54].

2.5.4.4 Orchestrated Attack

In an orchestrated attack, the attacker combines several of the aforementioned attacks in a coordinated manner. One possible example is the oscillation attack [55]: The colluding nodes are divided into several groups that perform different attacks at different times, e.g., one group behaves correctly and another group acts maliciously. So the relative rep- utation of the inoffensive group increases. If at the same time the inoffensive group gives positive ratings to the malicious group, the decline of their reputation is slowed down. When the reputation of the malicious group nodes is too low, the groups swap their be- havior to balance the reputation values. Another group that uses the slandering attack to decrease the reputation values of legitimate nodes could also be used together with the two other groups [54].

Just as with the attacks explained before, limiting the number of logical identities a physi- cal attacker can obtain impedes also orchestrated attacks because in order to be effec- tive, they require a large amount of nodes that are controlled by one attacker.

2.5.4.5 Denial of Service Attack

A denial of service attack is typically conducted against centralized elements if the trust system uses any. If the ratings are stored centrally, an attack against this central element can disable the trust system. Then, if the routing is implemented in way that all nodes are regarded as trustworthy if the trust storage does not respond in time or at all, malicious

2 Basics

2.5 Security Challenges of Structured Peer-to-Peer Systems and Trust Systems 25

nodes can be used as well. Otherwise, if all nodes would be regarded as non-trustworthy if the trust storage is not available, the network would cease functioning [54].

The fewer central elements exist in a network, the fewer attack targets it presents for a denial of service attack, so content items and ratings should be stored in a distributed way. A denial of service attack that targets any arbitrary node of a P2P network cannot be averted by the P2P network because it can only be handled by the underlay (if at all). But if there are several replicas available, the attack needs to be distributed as well and there- fore requires even more resources.

27

3 Related Work

This chapter presents the current state of research of security and trust systems in P2P networks. As a representative for security systems that do not use trust mechanisms, S/Kademlia [53] is chosen, as it is specifically targeting to improve Kademlia. A lot of the existing work regarding trust systems addresses unstructured networks or mentions structured networks only for the storage of the trust information. As an example, a trust system designed by Mekouar [56] that operates in an unstructured hybrid P2P network is presented in detail. Considering widely used P2P applications, however, the structured systems prevail, so the applicability of Mekouar’s concept to structured networks is dis- cussed. Afterwards, several often-cited trust-based approaches are briefly presented. A short excursus about mobile ad hoc networks (MANETs) shows that trust-based routing is also analyzed in related network types. Both MANETs and peer-to-peer networks are dy- namic networks lacking a central authority and can therefore share approaches to en- hance their security. At the end of this chapter, the previously published papers of the author of this thesis are introduced.

S/Kademlia and Mekouar’s concept have been chosen because they are both described comprehensively in the dissertation theses of their respective authors. Both concepts have been published at peer-reviewed conferences before as well.