On Monday 04 August 2008 08:17, you wrote:
> On Thu, Jul 31, 2008 at 7:12 PM, Matthew Toseland
> <toad at amphibian.dyndns.org> wrote:
> > Could I have some input on friend-of-a-friend routing and security please? We
> > are ready to go with FOAF routing, but there is a worry that it will greatly
> > increase a malicious peer's ability to divert traffic to itself. His
> > objective would probably be to capture as much locally originated traffic as
> > possible. So in the simplest case he'd just set his location to be far away
> > from the target node's location. But if the node has one or more
> > other "distant" peers, the attacker would have to share the request data.
> > With FOAF, he would have to find out the locations of the target's other
> > peers' peers (presumably from swapping), but he could then surround all of
> > the "remote" locations with his own bogus locations, and thus capture either
> > all traffic (with a lot of locations), or most locally originated traffic
> > (probably more useful, and requires relatively few locations).
> >
> > Ian suggests limiting the proportion of locally originated requests sent to
> > any given node to some value, say 30%. This would cause misrouting for the
> > first hop, since most nodes mostly have peers near their own locations; one
> > node may have more than 30% of the keyspace, and so more than 30% of locally
> > originated requests. Does this seem reasonable?
>
> This sounds like a good countermeasure against one attacking peer
> doing the above, but it does not seem to stop the attacker from
> creating and simulating a few more opennet nodes (which is easy as far
> as I know) connected to the target. With a limit of 30% of the local
> traffic, the attacker would only need 4 peers doing the attack in
> order to still eat all that traffic. Maybe I fail to understand the
> second part of what you say (about the keyspace).

On darknet, this is hard. On opennet, it is easy. We're not attempting to
address Sybil on opennet at the moment, although there may be a few options to
make it *slightly* harder.

>
> I think we agree that countering this attack should be seen in the
> light of how hard it should be for an attacker to perform, but accept
> that it can not be fully fixed at least in the current network model.
> What do you think about the following instead: for each request,
> randomize the number of your friends whose information you use for
> FOAF routing (e.g. with x friends, pick a random number k between 0
> and x, then pick k of your friends randomly and limit the FOAF
> information only from those friends when making a routing decision).
> This puts a larger burden on the attacker to get all the traffic, but
> should still allow some clear improvement (in expectation I think the
> improvement should be at least half of the full-FOAF improvement) for
> routing.

That's a pretty big performance loss, and it still won't beat Sybil in many
cases. Why is it worth it?

>
> > PS when will Vive be back from his holiday? Not swapping on opennet would
> > probably be at least as big a performance gain as FOAF...
>
> Just back since a few days (and just met a deadline for a paper :)
>
> /vive
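An added simulation, not code from this thread or from Freenet, comparing the two countermeasures discussed above (the 30% per-peer cap on locally originated requests and the random-k FOAF subset) against a peer advertising bogus friend locations. The ring keyspace model, the peer names, the constructed topology and the eligibility rule used for the cap are assumptions made for the example.

```python
import random

def dist(a, b):
    """Circular distance between two locations on the [0, 1) keyspace."""
    d = abs(a - b)
    return min(d, 1.0 - d)

def simulate(peers, attackers, n=1000, cap=None, random_k=False, seed=1):
    """Fraction of locally originated requests whose first hop is an attacker.

    peers: {name: (own_location, [friend_locations])}
    cap: max share of local requests any one peer may receive (None = off)
    random_k: use FOAF data from only k random peers per request, k in 0..x
    """
    rng = random.Random(seed)
    names = list(peers)
    sent = dict.fromkeys(names, 0)
    for total in range(n):
        key = rng.random()
        use_foaf = set(names)
        if random_k:
            use_foaf = set(rng.sample(names, rng.randint(0, len(names))))
        def score(p):
            own, foaf = peers[p]
            locs = [own] + (foaf if p in use_foaf else [])
            return min(dist(key, l) for l in locs)
        # Assumed cap rule: a peer stays eligible while its share so far <= cap.
        ok = [p for p in names if cap is None or sent[p] <= cap * total]
        sent[min(ok, key=score)] += 1
    return sum(sent[a] for a in attackers) / n

def build(n_attackers, grid=500, seed=7):
    """Constructed topology: 5 honest peers near 0.5, attackers at 0.0."""
    rng = random.Random(seed)
    peers = {f"honest{i}": (0.48 + 0.01 * i, [rng.random() for _ in range(5)])
             for i in range(5)}
    bogus = [j / grid for j in range(grid)]  # bogus FOAF locations everywhere
    attackers = [f"evil{i}" for i in range(n_attackers)]
    peers.update({a: (0.0, bogus) for a in attackers})
    return peers, attackers

if __name__ == "__main__":
    one, four = build(1), build(4)
    print("full FOAF, 1 attacker :", simulate(*one))
    print("30% cap,   1 attacker :", simulate(*one, cap=0.30))
    print("30% cap,   4 attackers:", simulate(*four, cap=0.30))
    print("random-k,  1 attacker :", simulate(*one, random_k=True))
```

In this model the cap holds a single bogus peer to roughly 30% of first hops, four such peers together recover nearly all of them, and random-k leaves one bogus peer with somewhat more than half.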
