
• Transparent rating system: TrustedKad ensures that nodes cannot give unauthorized ratings and that trust management cannot fake ratings. Every node that gives a rating must prove that an interaction has taken place, and every trust management node must maintain the original rating messages to prove the validity of the ratings.

• Identification of inoffensive and malicious behavior: The rules for identifying whether a node behaves inoffensively or maliciously are defined. For routing, the nodes that help to identify the responsible nodes receive a positive rating; all other nodes receive a negative rating. For storage, the nodes that deliver the chosen version of the content item receive a positive rating. Nodes that deliver another version of the content item or respond with “unknown item” receive a negative rating.

• Concealment of the content item ID: TrustedKad conceals the target ID to protect against nodes that attempt to attack all requests they receive by simply claiming responsibility for the queried content item.

• Unchoking mechanism: Unchoking is introduced to give nodes that have received too many negative ratings the possibility to regain trustworthiness without having to create a new identity.

4.17 How TrustedKad Protects Against Common Attacks

TrustedKad takes existing knowledge about the possible attacks on P2P systems and on trust systems into account and uses appropriate countermeasures that have proven themselves in other contexts and independently of each other. It combines these countermeasures and makes adaptations where necessary to harmonize the different measures and create a consistent system. In addition, Kademlia-specific rules are defined by which inoffensive and malicious behavior is recognized, and the unchoking feature is introduced, which allows a node to recover from too many false negative ratings.

The components of TrustedKad counter the basic attacks against P2P and trust systems that are described in Section 2.5. Table 3 lists these attacks and the respective countermeasures of TrustedKad. Identity theft and impersonation attacks are countered via the certificates and the asymmetric key pairs, so an attacker cannot abuse another node’s certificate for himself. The Sybil attack is mitigated using a modular approach that depends on the operational environment in which TrustedKad is deployed. The Eclipse attack and attacks on routing and storage are countered using the routing and storage trust values: Only trustworthy nodes are used during routing and storage operations, so malicious nodes are avoided. The Eclipse attack is also mitigated by denying the nodes the free choice of their node ID. To prevent a malicious node from claiming that it stores every content item it is queried for, the content item ID is concealed during Get operations. The self-promoting and slandering attacks aim to manipulate the ratings of the attacker’s nodes or inoffensive nodes, respectively. Both attacks are countered by the fact that TrustedKad allows only one routing rating and one storage rating per node for one node. In combination with the Sybil attack countermeasure, which prevents an attacker from creating an unlimited number of identities, this countermeasure mitigates the two attacks on the trust values. The Sybil attack countermeasure also prevents whitewashing and orchestrated attacks. The unchoking mechanism spares inoffensive nodes from having to act as if they were performing a whitewashing attack in order to recover from too many negative ratings. Routing and storage trust values also help against orchestrated attacks: In Chapter 6, several configurations show that TrustedKad is able to identify nodes that change their behavior from inoffensive to malicious.

Table 3: Overview of common attacks and TrustedKad's respective countermeasures

| Attack | TrustedKad’s countermeasure |
| --- | --- |
| Impersonation attack, identity theft | Sender authentication |
| Sybil attack | Modular approach based on the operational environment. Examples: Certification authority, crypto puzzles |
| Eclipse attack | No free choice of the node ID, routing and storage trust values |
| Attacks on routing and storage | Routing and storage trust values, concealment of content item ID |
| Self-promoting attack | Only one rating per node for one node |
| Slandering attack | Only one rating per node for one node |
| Whitewashing attack | Sybil attack countermeasure, unchoking mechanism |
| Orchestrated attack | Sybil attack countermeasure, routing and storage trust values |
| Denial of service attack | Distributed storage of trust information |

Denial of service attacks against a central entity that stores trust values are impossible because TrustedKad uses a distributed storage scheme for the trust information. The nodes that store it are located at different positions in the logical address space and most probably are also widely distributed physically. Hence, a denial of service attack against the distributed storage system cannot be concentrated on one physical network location, but needs to be spread across multiple physical locations. The transparent rating system enables nodes to verify that the trust management nodes do not create fake ratings.
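The storage rating rule and the rule of one rating per node for one node, as an added example that is not code from the thesis or from OverSim. Choosing the most frequently delivered version, replacing a repeated rating, and computing the trust value as the share of positive ratings are assumptions; the text does not specify them.

```python
from collections import Counter

UNKNOWN = None  # stands for an "unknown item" response


def storage_ratings(responses):
    """Rate the storage nodes of one Get operation.

    responses: node id -> delivered version, or UNKNOWN.
    Assumption: the chosen version is the one delivered most often.
    """
    versions = Counter(v for v in responses.values() if v is not UNKNOWN)
    chosen = versions.most_common(1)[0][0] if versions else UNKNOWN
    ratings = {}
    for node, version in responses.items():
        delivered = version is not UNKNOWN and version == chosen
        ratings[node] = 1 if delivered else -1
    return ratings


class RatingStore:
    """Trust management side: at most one rating per (rater, target, kind)."""

    def __init__(self):
        self._ratings = {}

    def submit(self, rater, target, kind, value):
        # Assumption: a repeated rating replaces the earlier one.
        self._ratings[(rater, target, kind)] = value

    def trust(self, target, kind):
        # Assumption: trust value = share of positive ratings received.
        values = [v for (_, t, k), v in self._ratings.items()
                  if t == target and k == kind]
        return sum(v > 0 for v in values) / len(values) if values else None


def demo():
    store = RatingStore()
    responses = {"n1": "v2", "n2": "v2", "n3": "v1", "n4": UNKNOWN}  # constructed
    for node, value in storage_ratings(responses).items():
        store.submit("client", node, "storage", value)
    for rater in ("a", "b", "c"):          # three more positive ratings for n1
        store.submit(rater, "n1", "storage", 1)
    for _ in range(50):                    # one identity repeating a slander
        store.submit("m", "n1", "storage", -1)
    single = store.trust("n1", "storage")  # the 50 repeats count once
    for i in range(50):                    # 50 distinct identities count 50 times
        store.submit(f"s{i}", "n1", "storage", -1)
    return single, store.trust("n1", "storage")
```

The second value returned by `demo()` shows why the rule only mitigates slandering in combination with the Sybil attack countermeasure.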


5 Implementation

Simulations are performed to evaluate whether TrustedKad is able to identify inoffensive and malicious nodes correctly and whether this classification increases the success rates of the operations in the network. The simulations are conducted using the OverSim framework, first presented by Baumgart et al. in [39] and later by Baumgart in his dissertation [48].

OverSim is based on OMNeT++ [40], an event-based simulation environment. It is written in C++ and its source code is freely available. The details of OverSim’s functioning had to be reconstructed from the source code because, regrettably, the documentation only consists of a brief introduction on the project website, a few comments in the source code itself and the overviews given by [39] and [48].

The framework is designed in a modular way and already includes modules for several DHT algorithms, with Kademlia being one of them. As S/Kademlia [53] has also been presented by Baumgart et al., OverSim includes its improvements as well. OverSim has been chosen because its basis OMNeT++ is widely accepted as a valid simulation environment in the scientific community [40].

In the following, the intention of the simulations is explained. The components of OverSim that are relevant for the evaluation of TrustedKad and the attacks that are performed in the simulations are introduced. For the evaluation, several of the existing components have been changed and extended; these extensions are also presented. Finally, the behavior of the simulated nodes and the management of the trust information are explained in detail.