TY - JOUR
T1 - The Frog-Boiling attack
T2 - Limitations of secure network coordinate systems
AU - Chan-Tin, Eric
AU - Heorhiadi, Victor
AU - Hopper, Nick
AU - Kim, Yongdae
PY - 2011/11
Y1 - 2011/11
N2 - A network coordinate system assigns Euclidean "virtual" coordinates to every node in a network to allow easy estimation of network latency between pairs of nodes that have never contacted each other. These systems have been implemented in a variety of applications, most notably the popular Vuze BitTorrent client. Zage and Nita-Rotaru (at CCS 2007) and, independently, Kaafar et al. (at SIGCOMM 2007) demonstrated that several widely-cited network coordinate systems are prone to simple attacks, and proposed mechanisms to defeat these attacks using outlier detection to filter out adversarial inputs. Kaafar et al. go a step further and require that a fraction of the network is trusted. More recently, Sherr et al. (at USENIX ATC 2009) proposed Veracity, a distributed reputation system to secure network coordinate systems. We describe a new attack on network coordinate systems, Frog-Boiling, that defeats all of these defenses. Thus, even a system with trusted entities is still vulnerable to attacks. Moreover, having witnesses vouch for your coordinates as in Veracity does not prevent our attack. Finally, we demonstrate empirically that the Frog-Boiling attack is more disruptive than the previously known attacks: systems that attempt to reject "bad" inputs by statistical means or reputation cannot be used to secure a network coordinate system.
AB - A network coordinate system assigns Euclidean "virtual" coordinates to every node in a network to allow easy estimation of network latency between pairs of nodes that have never contacted each other. These systems have been implemented in a variety of applications, most notably the popular Vuze BitTorrent client. Zage and Nita-Rotaru (at CCS 2007) and, independently, Kaafar et al. (at SIGCOMM 2007) demonstrated that several widely-cited network coordinate systems are prone to simple attacks, and proposed mechanisms to defeat these attacks using outlier detection to filter out adversarial inputs. Kaafar et al. go a step further and require that a fraction of the network is trusted. More recently, Sherr et al. (at USENIX ATC 2009) proposed Veracity, a distributed reputation system to secure network coordinate systems. We describe a new attack on network coordinate systems, Frog-Boiling, that defeats all of these defenses. Thus, even a system with trusted entities is still vulnerable to attacks. Moreover, having witnesses vouch for your coordinates as in Veracity does not prevent our attack. Finally, we demonstrate empirically that the Frog-Boiling attack is more disruptive than the previously known attacks: systems that attempt to reject "bad" inputs by statistical means or reputation cannot be used to secure a network coordinate system.
KW - Attack
KW - Network coordinate
KW - Secure
UR - http://www.scopus.com/inward/record.url?scp=84855230119&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84855230119&partnerID=8YFLogxK
U2 - 10.1145/2043621.2043627
DO - 10.1145/2043621.2043627
M3 - Article
AN - SCOPUS:84855230119
SN - 1094-9224
VL - 14
JO - ACM Transactions on Information and System Security
JF - ACM Transactions on Information and System Security
IS - 3
M1 - 27
ER -