Security Review of P2P Applications and Networks

Stephen S Kirkman, CISSP
1467 E Riverbend St
Superior, Colorado 80027
(720) 304-8628
[email protected]

Kamyar Dezhgosha
The University of Illinois at Springfield
One University Plaza, MS UHB 3111
Springfield, IL 62703
(217) 206-7243, Fax (217) 206-6162
IEEE Member
[email protected]

Abstract - P2P security should be of interest to anyone who wants to protect their personal information and who actively uses the Internet. P2P security has been a popular research topic ever since P2P computing came into existence nearly a decade ago. P2P file sharing applications remain popular, and other applications based on P2P networks have gained in popularity. How do you secure your information when using P2P applications? How do you protect yourself against malicious nodes in a P2P network? This paper will review the risks inherent to P2P computing and discuss methods for securing a P2P network.

Keywords: P2P Networks, Internet Security, Network Attacks, Client-Server Computing, P2P Security

1 Introduction

Where client/server computing laid the foundations of the Internet in the mid-1990s, P2P computing grew out of the Internet itself. The Internet has made it possible to decentralize the computing experience away from the client/server model. P2P technologies have enabled Internet applications such as file sharing and new technologies such as Voice Over Internet Protocol (VOIP). Prior to the internetworking of computers, you needed to sit at the computer in order to break into it or maybe you could use a modem as in the movie War Games. Security was not a huge concern due to the requirement to be physically at the computer. Since the Internet, securing computers has become a discipline and its own branch of study in Computer Science.

In a client/server network, the topology is highly centralized; meaning there are multiple clients obtaining data from one or only a few servers on the network. This model is a byproduct of the pre-Internet years, where the client is dependent on the server for all communication and most data processing power including databases and computation. The clients are highly dependent on the server, and all communication is routed through it.

On the other hand, in a P2P network, all the nodes are equal and have multiple communication paths leading to several of your closest nodes. The communication paths are built upon the foundation of the Internet and comprised of “…collections of computers (i.e. nodes) that simultaneously function as both clients and servers to achieve a common purpose [1].” What this means is that each node (i.e. process) is both a “supplier” and “consumer” of data simultaneously.

Figure 1 Client / Server - Centralized[2]

In order for peers to communicate, P2P networks use a virtual network, called an “overlay” network. The overlay network uses the structure of the Internet for basic communication, but contains its own logical links over which all nodes communicate with one another. The pure P2P paradigm calls for network topologies which are highly decentralized; though in reality, the majority of P2P overlay networks are a hybrid of both centralized and decentralized network topologies.

Figure 2 P2P - Decentralized [2]

Figure 3 P2P - Hybrid [2]

1.1 P2P File Sharing

P2P networks gained much of their popularity from file sharing applications provided by companies such as Napster, Gnutella, Freenet, and BitTorrent. P2P networking made it very easy for users to exchange files – software is widely available, typically free, and easy to use. But file sharing applications are widely considered by security experts to be inherently dangerous to computer security. These are just some of the risks identified by The National Cyber Alert System [7] and “Why file Sharing Networks are Dangerous [8]”:

- Installation of malicious code: it is difficult, if not impossible, to verify that the source of the files is trustworthy.
- Exposure of sensitive or personal information: you may be giving other users access to personal information: passwords and family pictures might be kept in the same folder, or a file is placed accidentally into the wrong folder.
- Susceptibility to attack: certain ports on your firewall might be open by default and allowed to transmit the files.
- Confusing interface design: in a user study mentioned in [8], Good and Krekelberg found that the KaZaA interface design contributed to user confusion over what files were being shared.
- Incentives to share a large number of files: due to the general laziness on the part of the user, the user may allow access to the My Documents folder.
- Software wizards: automatically determine your folders that contain media. Folders that normally contain media might contain important documents. These folders could be exposed by these wizards.

P2P file sharing is still very popular. “From 2009 to 2010, the major changes to the peak period composition of North America’s fixed networks is the increasing presence of Real-Time Entertainment, and a slight rebound in the levels of P2P File sharing traffic (which has increased to 19.2%).” As of 2010, BitTorrent is the dominant P2P file sharing protocol (just about everywhere except Latin America), representing almost 30% of upstream peak period traffic and slightly more than 8% of downstream peak period traffic [25].

1.2 Industries

P2P networks were made popular by file sharing applications, but the P2P technology has made its way into many other industries, including the Government [2]:

- Bioinformatics: Used to run large programs designed to carry out tests to identify drug candidates.
- Education and academia: Pennsylvania State University, MIT, and Simon Fraser University are working on LionShare, a secure P2P network for facilitating file sharing among educational institutions globally. Also, the sciencenet P2P search engine provides a free and open search engine for scientific knowledge.
- Military: The U.S. Department of Defense has already started research on P2P networks as part of its modern network warfare strategy.
- Mobile Peer-to-Peer (P2P) systems: Advances in wireless networking and mobile computing technologies, such as wireless LANs, wireless mesh networks and 3G cellular networks have further facilitated the migration of the P2P paradigm into wireless mobile computing [3].

2 P2P Security Concerns

P2P networks pose challenges to computer security beyond those of client/server computing and also beyond simply being connected to the Internet.

Besides the specific risks associated with sharing files, there are several reasons why P2P networks are inherently less secure than client/server networks.

2.1 “Open” networks

In client/server computing, the malicious users are typically on the “outside.” Protecting yourself from malicious users involves implementing precautionary measures such as firewalls and antivirus software. These techniques are generally enough to keep malicious programs out. However, P2P networks are traditionally open networks and are less secure since their functionality is based on the principles of decentralization. The P2P application software might allow members unfettered access to your computer. So the malicious user might be one of your peers with whom you share files. Extra vigilance is required to protect against malicious nodes on your network.

2.2 No central management

Because the structure and content of P2P networks are more varied, there is typically no centralized management of security functions. “IP and domain level security features like logging, filtering, and standard authentication methods don’t apply due to a lack of Super Servers [5]”. A Super Server is actually a process on a server. In a typical UNIX system, you can have lots of server processes running simultaneously, passively waiting until a request comes in. Instead of having several processes just waiting, a single Super-server can listen to many endpoints for each service [18, p.89].

2.3 Users are novices

Many users of P2P applications are novices. According to Bailes [6], “They do not understand the consequences of their inaction with regard to security. Configuration is only nominally supported during setup and ongoing use in P2P applications. That is a core problem with P2P deployment on even the most secure networks—the technology risk relies heavily upon the user’s level of technical knowledge and skills [6].”

2.4 Identity Theft

There is a greater risk for Identity Theft. According to an article on www.eweek.com, file sharing not only opens you up to malicious programs, but can be an enabling factor for malicious users to steal your identity. Howard Schmidt (a former cyber-security adviser to the Bush administration, former chief information security officer at Microsoft and eBay, and now a principal in R&H Security Consulting) said that “...one woman’s credit-card information was found in such disparate places as Troy, Mich., Tobago, Slovenia, and a dozen other places. Why? We found that the shared folder in her music-downloading application was in fact making readily available her entire My Documents folder to that app’s entire P2P audience, 24 hours per day [12].”

3 Attacks on P2P networks

What makes an attack possible on the Internet? The Internet was designed for the efficiency of moving packets, not for security. “The end-to-end paradigm pushes the complexity to end hosts, leaving the intermediate network simple and optimized for packet forwarding [10].” There are a number of attacks that thrive in the world of P2P computing.

3.1 Sybil

In a Sybil attack, a malicious node with multiple identities takes over the network. “Within a distributed environment, it is possible for the same physical entity to appear under different identities, particularly in systems with highly transient populations of nodes. This poses a security threat, especially in P2P systems that employ content replication, or fragmentation schemes over many peers for security and availability, and, therefore, rely on the existence of independent peers with different identities [9].” The only way to prevent this attack is to use some form of centralized authentication management.

3.2 Distributed Denial of service (DDOS)

DDOS or DOS attacks can use Botnets. Botnets are tiny nodes with malicious data that are hard to find. What makes this type of exploit particularly damaging on P2P networks is the popularity and ease of file sharing on P2P networks. File sharing and careless downloads enable the Botnets to spread. The Botnets flood a network, a node, or group of nodes that have data to share.

3.3 P2P attacks

“The attacker instructs clients of large P2P file sharing hubs to disconnect from their P2P network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. This method of attack can be prevented by specifying in the P2P protocol which ports are allowed or not. If port 80 is not allowed, the possibilities for attack on websites can be very limited [21].”

3.4 Eclipse

In an eclipse attack, malicious nodes conspire to fool correct nodes into adopting the malicious nodes as their peers, with the goal of dominating the neighbor sets of all correct nodes.

3.5 File Poisoning

The following is the sequence of events in a file poisoning attack on a P2P network [11]:

1. Corrupt the target file
2. Inject the poisoned files into the P2P system
3. Unsuspecting P2P users download the poisoned file into their own shared folders

4 Securing P2P Networks

What makes a P2P network secure? There are three major pillars of P2P security [15, p.105]:

- Ensure Secure Communication (between peers)
- Trust Management (know your peers)
- Access Control (secure admission to the P2P network)

4.1 Ensure Secure Communication

Peers within a P2P network are formed into overlay networks. An overlay network allows peers to communicate without specifying an IP address. By far the most researched security issue in overlay networks is in secure routing between peers. To understand the requirements of secure routing, it is necessary to review the structure of overlay networks. In an overlay network, each node is running the P2P software, has its own node identifier, and maintains a routing table. This routing table is the key to finding its peers. The overlay network is based on TCP/IP networking since it is built upon the foundation of the Internet. A Distributed Hash Table (DHT) is a common form of routing table. Each node maintains a DHT which contains key/value pairs of its neighbors. Values can be any type of object. When a piece of data is requested, the data value is hashed which returns a unique key. With that key, a DHT can locate the node that has the requested resource.

Figure 4 Distributed Hash Table [2]

According to Tanenbaum and Van Steen [18], secure routing for DHT-based P2P networks requires that:

a) Nodes are assigned identifiers in a secure way
b) Routing tables are securely maintained
c) Lookup requests are securely forwarded between nodes

First, if nodes are not assigned in a secure way, a malicious node can assign itself multiple personalities (Sybil attack). If a malicious node controls many non-faulty neighbors, you have an eclipse attack. Solutions do exist, but they require some form of centralized authority for handing out identifiers, which goes against a pure P2P paradigm. The more decentralized the network, the harder it is to assign node identifiers in a secure way. Without a secure way to assign node identifiers, an attacker could “…arrange to control all replicas of a given object, or to mediate all traffic to and from a victim node [19].”

Second, maintaining secure routing tables ensures that “…the fraction of faulty nodes that appear in the routing tables of correct nodes does not exceed, on average, the fraction of faulty nodes in the entire overlay. Without it, an attacker could prevent correct message delivery, given only a relatively small number of faulty nodes [19].”

Finally, lookup requests should be securely forwarded between nodes. When a node in a P2P network issues a request, typically that request is sent out to possibly dozens of other known peers. Confidentiality and integrity of this communication are generally built into the overlay network. The solution proposed by Berket [20] suggests using Secure Group Layer (SGL) for secure group communication and using a shared group key for securing the messages. In existing P2P file sharing networks, any authenticated peer has unfettered access to the information at all other authenticated peers. Berket [20] “…provides mechanisms that allow each end user to autonomously specify the authentication and authorization requirements for each information item.”
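The first requirement above, as an added Go example that is not from the paper or any system it cites: a toy 64-bit hash ring in which a join is accepted only when the claimed identifier equals the hash of the node's address, with a measurement of how many of a key's replicas one operator holds with and without that check. The address-hash binding is an assumed, simpler stand-in for identifiers handed out by a central authority; the addresses, the key name and all function names are constructed.

```go
package main

import (
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// Join is a constructed join announcement: source address and claimed overlay ID.
type Join struct {
	Addr    string
	Claimed uint64
}

// ringID maps a string onto a 64-bit identifier ring (first 8 bytes of SHA-1).
func ringID(s string) uint64 {
	h := sha1.Sum([]byte(s))
	return binary.BigEndian.Uint64(h[:8])
}

// admit builds the ring. With verify set, an ID is accepted only when it
// equals ringID(addr), so a joining node cannot choose its own position.
func admit(joins []Join, verify bool) map[uint64]string {
	ring := map[uint64]string{}
	for _, j := range joins {
		if verify && j.Claimed != ringID(j.Addr) {
			continue // identifier is not bound to the address: reject the join
		}
		ring[j.Claimed] = j.Addr
	}
	return ring
}

// heldBy returns the fraction of the k replica holders for key (the k nodes that
// follow hash(key) on the ring) whose address starts with prefix. Assumes k <= len(ring).
func heldBy(ring map[uint64]string, key string, k int, prefix string) float64 {
	ids := make([]uint64, 0, len(ring))
	for id := range ring {
		ids = append(ids, id)
	}
	sort.Slice(ids, func(a, b int) bool { return ids[a] < ids[b] })
	target := ringID(key)
	start := sort.Search(len(ids), func(i int) bool { return ids[i] >= target })
	n := 0
	for i := 0; i < k; i++ {
		if strings.HasPrefix(ring[ids[(start+i)%len(ids)]], prefix) {
			n++
		}
	}
	return float64(n) / float64(k)
}

// demo returns one operator's share of the 3 replicas of "report.pdf",
// first without and then with identifier verification (all inputs constructed).
func demo() (float64, float64) {
	var joins []Join
	for i := 1; i <= 20; i++ { // nodes whose identifiers match their addresses
		a := fmt.Sprintf("198.51.100.%d:6881", i)
		joins = append(joins, Join{a, ringID(a)})
	}
	for i := 1; i <= 3; i++ { // one operator's joins, claiming identifiers next to the key
		a := fmt.Sprintf("203.0.113.%d:6881", i)
		joins = append(joins, Join{a, ringID("report.pdf") + uint64(i)})
	}
	return heldBy(admit(joins, false), "report.pdf", 3, "203.0.113."),
		heldBy(admit(joins, true), "report.pdf", 3, "203.0.113.")
}

func main() {
	u, v := demo()
	fmt.Printf("operator's share of replicas: unverified=%.2f verified=%.2f\n", u, v)
}
```

Binding the identifier to the address only removes the free choice of position. An operator with many addresses still obtains many identifiers, which is why the text points to a central authority for protection against Sybil identities.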

4.2 Trust Management

How do you know the good from the bad? Use Trust Management or Reputation Systems. The goal is to achieve a “good” reputation once you are already a peer. According to Jumppanen [16], “…the reputation system rewards peers that cooperate with other peers. Secondly it punishes peers that cheat or behave maliciously. Finally, it motivates or even forces network peers to cooperate with each other.”

The authors of [17] have proposed a reputation management scheme that builds trust among members. “The proposed algorithms can detect malicious peers sending inauthentic files. The Malicious Detector Algorithm is also proposed to detect liar peers that send the wrong feedback to subvert the reputation system. Simulation results confirm the capability of the proposed algorithms to effectively detect malicious peers and isolate them from the system, hence reducing the amount of inauthentic uploads, increasing peers’ satisfaction, and preserving network resources.”

4.3 Access Control

Saxena [15] argues that there is no point in maintaining key management (secure communication) or trust management (trust your peers) unless there is some form of access control (secure admission). They suggest that once inside, a malicious peer could easily generate false identities which could impact trust mechanisms. How do you become a peer in a secure manner? The hallmark of pure P2P networking is that the peers are in control. If there is no single entity making admission decisions, and you still want access control, then some form of consensus is required to determine who can be admitted to the P2P network. In order to determine even a limited consensus, information about the present membership of the network must be maintained somewhere. For example, in order to achieve 75% consensus regarding the admission of a peer, you’ll need to know the current total number of peers. Saxena [15] describes a generic admission process:

1. A prospective peer Mnew obtains the group charter out of band and then the information of current group size from either the Group Authority (GAUTH) or some bootstrap node, which is a designated node that has information on the membership of the group.
2. Mnew initiates the protocol by sending a join request message to the group. This message, signed by Mnew, includes Mnew’s public key certificate and the target group name.
3. Upon receipt of a join request, a group member first extracts the sender’s public key certificate and verifies the signature. If a voting peer approves of admission it replies with a signed message. Several signature schemes can be used for this purpose.
4. Exactly who issues the Group Membership Certificate (GMC) for Mnew depends on the security policy. If the policy stipulates using an existing GAUTH, once enough votes are collected (according to the group charter), Mnew sends GAUTH a group membership certificate request message. It contains PKCnew, group name, and the set of votes collected in Step 3.

Figure 5 Secure Admissions Process [15]

The new member can then prove membership to another party by signing a message.
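The step 4 checks a GAUTH would make before issuing a GMC, as an added Go example that is not from the paper or from Saxena et al.: a vote counts once per current member, only when its signature over the join request verifies, and the total is compared with the charter threshold. Ed25519 signatures, raw public keys standing in for public key certificates, the message layout and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Vote is one member's signed approval of a join request (step 3).
type Vote struct {
	Voter ed25519.PublicKey
	Sig   []byte
}

// Group is the GAUTH's state: charter threshold, membership and signing key.
type Group struct {
	Name    string
	Pct     int             // charter: percent of current members that must approve
	Members map[string]bool // keyed by raw public-key bytes
	authKey ed25519.PrivateKey
}

// joinMsg is what Mnew signs in step 2 and voters countersign in step 3.
func joinMsg(group string, pk ed25519.PublicKey) []byte {
	return append([]byte("JOIN|"+group+"|"), pk...)
}

// IssueGMC runs the step 4 checks and signs a membership certificate for pk
// only if enough distinct current members approved this exact request.
func (g *Group) IssueGMC(pk ed25519.PublicKey, reqSig []byte, votes []Vote) ([]byte, error) {
	msg := joinMsg(g.Name, pk)
	if len(pk) != ed25519.PublicKeySize || !ed25519.Verify(pk, msg, reqSig) {
		return nil, fmt.Errorf("join request is not signed by the presented key")
	}
	approved := map[string]bool{}
	for _, v := range votes {
		id := string(v.Voter)
		// One vote per current member, and only if its signature verifies.
		if g.Members[id] && !approved[id] && ed25519.Verify(v.Voter, msg, v.Sig) {
			approved[id] = true
		}
	}
	need := (g.Pct*len(g.Members) + 99) / 100 // round up
	if len(approved) < need {
		return nil, fmt.Errorf("quorum not met: %d valid votes, %d required", len(approved), need)
	}
	return ed25519.Sign(g.authKey, append([]byte("GMC|"), msg...)), nil
}

// demo runs two constructed vote sets against a 4-member group with a 75% charter.
func demo() (admitted, padded bool) {
	authPub, authKey, _ := ed25519.GenerateKey(nil)
	g := &Group{Name: "lab", Pct: 75, Members: map[string]bool{}, authKey: authKey}
	var keys []ed25519.PrivateKey
	for i := 0; i < 4; i++ {
		pub, priv, _ := ed25519.GenerateKey(nil)
		g.Members[string(pub)] = true
		keys = append(keys, priv)
	}
	newPub, newKey, _ := ed25519.GenerateKey(nil)
	_, outsider, _ := ed25519.GenerateKey(nil)
	msg := joinMsg(g.Name, newPub)
	req := ed25519.Sign(newKey, msg)
	vote := func(k ed25519.PrivateKey) Vote {
		return Vote{k.Public().(ed25519.PublicKey), ed25519.Sign(k, msg)}
	}
	gmc, err := g.IssueGMC(newPub, req, []Vote{vote(keys[0]), vote(keys[1]), vote(keys[2])})
	admitted = err == nil && ed25519.Verify(authPub, append([]byte("GMC|"), msg...), gmc)
	// Two real votes padded with a duplicate and a non-member vote: only 2 count.
	_, err = g.IssueGMC(newPub, req, []Vote{vote(keys[0]), vote(keys[1]), vote(keys[0]), vote(outsider)})
	return admitted, err == nil
}

func main() {
	fmt.Println(demo())
}
```

Because each vote is a signature over the group name and Mnew's key, a vote collected for one request cannot be replayed for a different applicant or group.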

5 Anonymity

The authors found references [14][24][26] that suggest anonymity is a desirable characteristic of P2P networks. Anonymity supports both privacy as well as freedom of speech. To what extent does it support P2P Security? According to Lee [26], “Anonymous P2P provides enough anonymity such that it is extremely difficult to find the source or destination of a data stream.” Using this definition, anonymity impacts Trust Management, which encourages peers to behave for the good of the overall network. The Trust Management paradigm suggests rewarding peers for good behavior and punishing them for bad behavior. If your peers remain anonymous, there is no mechanism to build reputations and “know your peers.” Anonymity might also defeat the secure admission process for the same reason because a new peer is admitted by consensus. Anonymity can also make prosecution difficult in copyright and pirating cases. Even though anonymity supports freedom of speech and can prevent certain attacks, it interferes with other mechanisms used for the overall security of the P2P network.

6 Conclusion

The same security practices that apply to client/server computing also apply to P2P computing. If you use the Internet, you should follow computer security “best practices” in order to protect yourself. These practices include, but are not limited to:

- Don’t open suspicious or unrecognizable emails;
- Don’t click on links within emails unless you’re absolutely sure the source is legitimate;
- Use anti-virus software that is up-to-date.

However, because of the structure of the overlay network and the general ease of becoming a peer, anyone who uses P2P networks must be extra vigilant. All the security precautions discussed here will play a pivotal role in P2P computing security. Technologies that enable users to collaborate so easily will provide efficiency and convenience and at the same time introduce new challenges to secure computing.

7 References

[1] Definition of P2P networks, http://www.sans.org/top20/2006/, section C3.1.
[2] Topology diagrams, Distributed Hash Table, P2P Architecture, http://en.wikipedia.org/wiki/Peer-to-peer
[3] J. Walkerdine, S. Lock. Towards Secure Mobile P2P Systems. Internet and Web Applications and Services. ICIW '07 Second International Conference, 13-19 May 2007, p. 6.
[4] V. Matossian. SETI@Home a Driving Peer-to-Peer Application. Electrical and Computer Engineering Dept, Rutgers Univ., Oct 11, 2001, http://www.caip.rutgers.edu/~vincentm/DOCS/WORD/SETI.doc.
[5] J. Kim. Security Issues in Peer to Peer Systems. Advanced Communication Technology, The 7th International Conference of Advanced Communication Technology (ICACT 2005). 11 July 2005, p. 1059.
[6] J. Bailes, G. Templeton. Managing P2P Security. Communications of the ACM - End-user development: tools that empower users to create their own software solutions. Volume 47 Issue 9, ACM Press. September 2004, pp. 95 – 98.
[7] M. McDowell, B. Wrisley, W. Dormann. Risks of File Sharing Technology. National Cyber Alert System, Cyber Security Tip ST05-007, Carnegie Mellon University. May 19, 2010.
[8] M. Johnson, D. McGuire, N. Willey. Why File Sharing Networks Are Dangerous. Center for Digital Strategies, Tuck School of Business. Communications of the ACM - Inspiring Women in Computing. CACM Volume 52 Issue 2, February 2009, pp. 134-138.
[9] S. Androutsellis-Theotokis, D. Spinellis. A Survey of Peer-to-Peer Content Distribution Technologies. Athens University of Economics and Business. ACM Computing Surveys (CSUR). Volume 36 Issue 4, December 2004, pp. 335 – 371.
[10] J. Mirkovic, P. Reiher. A Taxonomy of DDOS Attack and DDOS Defense Mechanisms. ACM SIGCOMM Computer Communication Review Volume 34 Issue 2, April 2004, pp. 39 – 53.
[11] R. Chen, E.K. Lua, J. Crowcroft. Securing Peer-to-Peer Content Sharing Service from Poisoning Attacks. P2P '08 Proceedings of the 2008 Eighth International Conference on Peer-to-Peer Computing. IEEE Computer Society, pp. 22-29.
[12] C. Preimesberger. Cybercriminals use P2P Tools for Identity Theft. http://www.eweek.com/c/a/Security/Cybercriminals-Use-P2P-Tools-for-IdentityTheft-Security-Analyst-Warns, June 23, 2006.
[13] E. Mills. Conficker wakes up, updates via P2P, drops payload. http://news.cnet.com/8301-1009_310215678-83.html, April 8, 2009.
[14] M. Barcellos. P2P-SEC Security Issues and Perspectives on P2P Systems: from Gnutella to BitTorrent. Presentation for the 53rd International Federation for Information Processing (IFIP) 10.4 Working Group on Dependable Computing and Fault Tolerance, Feb 2008.
[15] N. Saxena, G. Tsudik, J. Yi. Admission Control in Peer-to-Peer: Design and Performance Evaluation. SASN '03 Proceedings of the 1st ACM workshop on Security of ad hoc and sensor networks. ACM Press, October 25, 2004, pp. 104 – 113.
[16] V. Jumppanen. File reputation in decentralized P2P reputation management. Helsinki University of Technology Tele-communications Software and Multimedia Laboratory, Peer-to-peer technologies, networks and systems. Seminar on Internetworking, April 26, 2005.
[17] L. Mekouar, Y. Iraqi and R. Boutaba. Peer-to-Peer’s Most Wanted: Malicious Peers. Computer Networks: The International Journal of Computer and Telecommunications Networking - Management in peer-to-peer systems. Volume 50 Issue 4, March 15, 2006, pp. 545-562.
[18] A. Tanenbaum, M. Van Steen. Distributed Systems: Principles and Paradigms, 2nd Ed. Prentice-Hall 2007.
[19] D. Wallach. A Survey of Peer-to-Peer Security Issues. Rice University, ISSS'02 Proceedings of the 2002 Mext-NSF-JSPS international conference on Software security: theories and systems, pp. 42-57.
[20] K. Berket, A. Essian, A. Muratus. PKI-Based Security for Peer to Peer Information. P2P '04 Proceedings of the Fourth International Conference on Peer-to-Peer Computing. IEEE Computer Society, Washington, DC, August 25, 2004, pp. 45-52.
[21] Denial of Service definition, http://en.wikipedia.org/wiki/Denial-of-service_attack.
[22] D. Li. Topology and Resource Discovery in Peer to Peer overlay networks. Grid and Cooperative Computing 2004 Workshops, Springer-Verlag, p. 222.
[23] S. Ortiz Jr. Is Peer to Peer on the Decline? IEEE Computer Society, 2011, Technology News, p. 11.
[24] D. Mhapasekar. Accomplishing Anonymity in a Peer to Peer Network. Proceedings of the 2011 International Conference on Comm, Computing & Security. February 12-14, 2011, p. 555.
[25] Fall 2010 Global Internet Phenomena Report. Sandvine Intelligent Broadband Networks, www.sandvine.com. Copyright ©2010 Sandvine Incorporated. Oct 20, 2010.
[26] R. Jain, J. Lee. A Survey of Peer-to-Peer Network Security Issues. Washington University in St. Louis, Network Security Course, Fall 2007. http://www1.cse.wustl.edu/~jain/cse57107/ftp/p2p/index.html#anon