A Sybil attack is a type of attack on a peer-to-peer network in which the victim ends up connected only to nodes controlled by the attacker. The term was proposed in 2002 by Brian Zill, a researcher at Microsoft Research. The name was chosen after the pseudonym of the protagonist of 'Sybil', a 1973 bestselling book about the treatment of dissociative identity disorder. [1] Although the Russian translation of the book, the original source of the name, uses the form 'Sibyl', a direct transliteration of 'Sybil' is also found. Until 2002, attacks of this class were known under the term pseudo-spoofing, introduced by L. Detweiler on the cypherpunks mailing list. [2]
Description
In peer-to-peer networks, where no node is trusted, each request is duplicated to several recipients so that there is no single node whose answer would have to be trusted completely. At the same time, network users may hold several identifiers that are physically tied to different nodes. Used in good faith, these identifiers make it possible to share data or to keep several copies of it. The latter creates redundancy, which allows the integrity of data received from the network to be checked independently. The flip side of this approach is that at some point all the available nodes, which are supposed to represent different recipients of a request, may be controlled by the same user. If that user turns out to be an attacker, he gains all the capabilities of an intermediary in the session, having unjustifiably won the full trust of the session initiator. The more identifiers the attacker owns, the more likely it is that a user's next session with the p2p network will be closed entirely on these alias nodes. It is therefore important for the attacker that new identifiers be sufficiently easy to create. [3]
Because there is no trusted center, a peer-to-peer network has two ways of recognizing a new identifier: either obtain guarantees of its integrity from other nodes, or verify it independently in some way. [3]
For direct verification:
- Even with limited resources, an attacker can still control a certain number of identifiers.
- An attacker can create alias identifiers again and again if he is not required to prove ownership of all of them at the same time.
In indirect verification:
- A sufficiently large number of controlled identifiers lets the attacker vouch for an unlimited number of new ones.
- An attacker can always control a large number of identifiers if he is not required to confirm them continuously.
As a decentralized network grows, so does the number of alias identifiers. Requiring every user to confirm ownership of their identifiers simultaneously and continuously becomes impractical, since it significantly hinders network scalability. [3] In 2012 it was shown that large-scale attacks can be carried out cheaply and efficiently in existing systems such as the BitTorrent Mainline DHT. [4] [5] Countering the Sybil attack receives active attention in the development of vehicle-to-vehicle (V2V) automotive networks. [6]
Incidents
- 2014: a Sybil attack lasting five months (from February to July) was carried out by unknown parties within the Tor network. [7] [8] Network developers later created a software tool that allowed them to discover many alias nodes. Schemes for rewriting Bitcoin wallet addresses and redirecting to phishing sites were uncovered, as well as a number of nodes used to study the possibility of deanonymizing the network. [9]
Counteraction
Direct Verification
It is believed that the only direct way to convince a participant that two nodes belong to different users is to pose a problem that a single user could not solve on his own, relying on the fact that the resources of the nodes are limited.
- Given limited connection speed, the participant can send a broadcast request and accept responses only within a limited time interval.
- Given limited storage resources, the participant may require identifiers to store a large amount of unique information. Keeping only a small digest of this data, the participant can then check, with high probability, that the data is still stored at those nodes.
- Given limited computing resources, the participant may require each identifier to solve a unique, computationally expensive problem. [3]
Indirect verification
A participant can save his own resources by delegating the task of validating nodes to other participants. With this approach, an additional argument in favor of successful validation is the number of checks the node has passed before. Chayan Banerjee proposed a two-stage scheme of indirect node verification. In the first stage, the result of the verification, the degree of trust in the checked node, is reported by the nearest nodes, which avoids sending data far. The values obtained are then compared with the results of a similar check by several other randomly selected remote nodes. In the vast majority of cases this detects the alias nodes that took part in the first-stage verification. [10]
Registration Fee
If valuable assets circulate in a decentralized network, a fee may be required for each identifier created. The attacker then has to weigh the cost of organizing the attack against the expected benefit. In such a scheme, however, repeating the attack costs the attacker nothing further. This drawback can be avoided by requiring regular payment. [11]
Social Graphs
Prevention methods based on the connectivity characteristics of social graphs can limit the damage from a Sybil attack without depriving network participants of anonymity. These methods cannot prevent an attack completely, and they are especially vulnerable to widespread small-scale attacks. Nevertheless, they are used by the Advogato Trust Metric and SybilGuard. [12]
Gate Keeper
Nguyen Tran [13] proposed the decentralized Gate Keeper protocol, which performs Sybil-resilient node admission based on the social network mechanism. The protocol allows honest nodes to limit the number of nodes capable of attacking. [11] The author of the protocol starts from the assumption that alias nodes are located close to one another. Then, if voting rights are distributed among remote nodes, it is very unlikely that the attacker controls most of the nodes confirming the validation. The protocol uses the concept of a 'level' based on the distance between nodes. A limited number of votes is distributed evenly among the nodes of the same level; each node keeps one vote for itself and passes the rest on to the next level. This continues until either the votes or the levels run out (that is, until the next level contains no nodes without a vote). At first glance, such a distribution does not spread the votes easily among honest nodes (a more detailed analysis shows that only about 60% of them receive one). There is also the possibility that a large share of the votes in the first iterations ends up with the attacker, who uses them to his advantage. Therefore, the protocol randomly selects several remote nodes as the primary sources of votes. [14]
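A simulation of the level-by-level vote distribution just described, added here as an illustration (it is not Gate Keeper's own code and simplifies the protocol: the graph is a constructed toy topology, the ticket count and admission threshold are chosen by hand, and the source nodes are picked explicitly instead of at random):

```python
# Added illustration of Gate Keeper-style ticket distribution (not the protocol's reference code).
from collections import deque

def bfs_levels(graph, source):
    level, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        for nbr in graph[node]:
            if nbr not in level:
                level[nbr] = level[node] + 1
                queue.append(nbr)
    return level

def distribute_tickets(graph, source, tickets):
    # each node keeps one ticket and splits the rest among next-level neighbours; undeliverable tickets are lost
    level, held, reached = bfs_levels(graph, source), {source: tickets}, set()
    while held:
        nxt = {}
        for node, t in held.items():
            if t <= 0:
                continue
            reached.add(node)
            forward = [n for n in graph[node] if level[n] == level[node] + 1]
            if t == 1 or not forward:
                continue
            share, rem = divmod(t - 1, len(forward))
            for i, n in enumerate(forward):
                nxt[n] = nxt.get(n, 0) + share + (1 if i < rem else 0)
        held = nxt
    return reached

def admit(graph, sources, tickets, threshold):
    # a node is admitted if it holds a ticket from at least `threshold` sources
    votes = {}
    for s in sources:
        for n in distribute_tickets(graph, s, tickets):
            votes[n] = votes.get(n, 0) + 1
    return {n for n, v in votes.items() if v >= threshold}

def example_graph():
    # constructed topology: honest ring h0..h7 with opposite chords and a Sybil
    # clique s0..s7, joined only by the single attack edge h0-s0
    edges = [(f"h{i}", f"h{(i + d) % 8}") for i in range(8) for d in (1, 4)]
    edges += [(f"s{i}", f"s{j}") for i in range(8) for j in range(i + 1, 8)]
    edges.append(("h0", "s0"))
    g = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return {n: sorted(nb) for n, nb in g.items()}
```

On this graph, `admit(example_graph(), ["h2", "h5", "h7"], 12, 2)` admits all eight honest nodes and only s0, the Sybil node at the attack edge, although single sources differ in how many tickets they push across that edge (h5 reaches s0, s1 and s2; h2 only s0).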
Proof of Work
It is believed that Nakamoto consensus, by binding an identifier to real computing power, completely negates the possibility of the attack. However, such a scheme also has its drawbacks, primarily the unjustified energy costs. [15] It has been proposed to use random identifiers for which network participants compete for the right to use. The identifier obtained can only be used for a limited time, after which the participant has to seek a new one. [16]
Notes
- Lynn Neary (October 20, 2011). Real 'Sybil' Admits Multiple Personalities Were Fake. NPR.
- Oram, Andrew. Peer-to-peer: harnessing the benefits of a disruptive technology.
- Douceur, John R. The Sybil Attack // International Workshop on Peer-To-Peer Systems. 2002.
- Wang, Liang; Kangasharju, Jussi. Real-world Sybil attacks in BitTorrent Mainline DHT // IEEE GLOBECOM. 2012.
- Wang, Liang; Kangasharju, Jussi. Measuring Large-Scale Distributed Systems: Case of BitTorrent Mainline DHT // IEEE Peer-to-Peer. 2013.
- Muhammad Saad Naveed, M. Hasan Islam (2015). Detection of Sybil Attacks in Vehicular Ad Hoc Networks.
- (July 30, 2014). Tor security advisory: "relay early" traffic confirmation attack.
- Dan Goodin (July 31, 2014). Active attack on Tor network tried to decloak users for five months.
- (February 29, 2016). Tor developers intend to deal with malicious nodes on the network.
- Banerjee, Chayan. Sybil node detection in peer-to-peer networks using indirect validation // IEEE INDICON. 2014.
- Aksah Wanjari (2015). A Survey and Analysis of Sybil Attack in Peer to Peer Network.
- Tran, Nguyen; Li, Jinyang. Brief Announcement: Improving Social-Network-based Sybil-resilient Node Admission Control // PODC'10. 2010.
- Alina Testova (April 27, 2017). Consensus Algorithms: Proof of stake and proof of work.
- Corentin Wallez (2012). Protection against Sybil attacks using proof of work and randomized identifiers. Archived December 23, 2017 on the Wayback Machine.