DHT: Attacks and Defenses

Is DHT secure enough?

Juin Chiu
Unitychain

--

Foreword

Being so fit for permissionless and decentralized settings, DHT has been popular since blockchain’s early days. But as it is common knowledge that there is no such thing as a flawless protocol, DHT has some design flaws. In this article, we will extend the previous article to illustrate some of the weaknesses of DHT and possible countermeasures.

Note-Passing Protocol

Let’s go back to our note-passing protocol:

Note-Passing Protocol

  1. The front of the strip must be marked with the target T, and the back of the strip must be marked with the request.
  2. The distance between S and T is the straight-line distance between the two seats.
  3. The neighbors of T know the score of T.
  4. S can only pass the paper to an R in the list of S's neighbors, and the distance between R and T must be less than the distance between S and T.

Request: In the class, pass the note to student X and ask him the score of the test.

However, the above description does not explain a key part: How do people who initiate a request know the seat number (key) of the target? Here, i.e. in the note-passing protocol, we must use the seats table to know the seat number of the target:

Seats Table

  1. The seats table is a comparison table between the seat number and the position of the students sitting in the class.
  2. The seats table is the only way to know the seat number.
  3. It needs to be kept among the people in the class.
  4. There is only one seats table in the whole class.

The seats table is the equivalent of the index in DHT. The index is a list of keys that tells a node which content in the DHT can be queried. Why is an index needed? When a lookup starts, only the node that wrote the content into the DHT knows the content's key; other nodes can only obtain a global overview of the DHT through the index. This is especially important for file sharing applications (such as BitTorrent).

Attacks on DHT

We will now cover the possible attack strategies on a DHT. There is much literature on the topic, and we agree with the view that attacks on a DHT can be summarized into seven types. It is important to state our assumption about the attacker: a malicious individual with destructive intent. For the rest of the article, we will refer to the attacker as E and the victim of the attack as V.

1. Sybil Attacks

A Sybil attack is a situation in which many associates (fake identities) of E join the network and allow E to dominate it. In a DHT, the node ID is the only way to identify a node. This identity is very thin and easy to change, so it is fairly easy for an attacker to mass-produce fake identities and come to dominate the entire network.

Identity is quite a difficult topic in general. In today’s network protocols, we can only rely on a small number of authorities (such as governments or Internet service providers) to provide identity authentication. However, this is obviously not a decentralized and privacy-oriented approach.

2. Eclipse Attacks

In an eclipse attack, E colludes with the neighbors of V in order to isolate V and gain access over all the content broadcast by V.

Since a node's ID can be changed quite easily, the attacker can select a specific victim and set the IDs of the attacking nodes to be close to the victim's, so that the victim's routing table is filled with the attacker's nodes. Once the victim is isolated inside the attacker's network, the attacker can block, monitor, and even tamper with the victim's query messages.

3. Churn Attacks

Since joining and leaving a DHT requires almost no effort or resources, an attacker can repeatedly join and leave the network, forcing neighboring nodes to keep updating their routing tables. This translates into network congestion and into resources held by offline nodes becoming unavailable. This is especially relevant for Chord: because Chord lacks redundancy (each interval of the routing table corresponds to only one node) and its routing update process is quite cumbersome (it requires 4 steps), it is even more exposed to this type of attack.
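The churn attack above leaves a simple trace at each neighbor: the same node ID joins and leaves far more often than any honest peer. The following is an added detection example (not code from the original article or from any DHT implementation): a neighbor keeps a sliding window of membership events per node ID and stops spending routing-table updates on a node that flaps more than a threshold number of times within the window. The window size, threshold and the log lines are constructed for the example.

```python
from collections import defaultdict, deque

# Hypothetical thresholds: more than MAX_EVENTS join/leave events from one
# node ID within WINDOW_SECONDS is treated as churn abuse.
WINDOW_SECONDS = 600
MAX_EVENTS = 4


class ChurnMonitor:
    """Per-neighbor record of join/leave events, used to quarantine flapping IDs."""

    def __init__(self, window=WINDOW_SECONDS, max_events=MAX_EVENTS):
        self.window = window
        self.max_events = max_events
        self.recent = defaultdict(deque)   # node id -> event timestamps inside the window
        self.quarantined = set()

    def observe(self, ts: int, node_id: str, event: str) -> bool:
        """Record one membership event.

        Returns True if the neighbor should still update its routing table for
        this node, False if the node is (now) quarantined and the update is skipped.
        """
        if event not in ("join", "leave"):
            raise ValueError(f"unknown event {event!r}")
        q = self.recent[node_id]
        q.append(ts)
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_events:
            self.quarantined.add(node_id)
        return node_id not in self.quarantined


def replay(log_lines):
    """Parse constructed 'timestamp node_id event' lines.

    Returns the set of quarantined node IDs and the number of routing-table
    updates that were skipped because of quarantine.
    """
    monitor = ChurnMonitor()
    skipped = 0
    for line in log_lines:
        ts, node_id, event = line.split()
        if not monitor.observe(int(ts), node_id, event):
            skipped += 1
    return monitor.quarantined, skipped


# Constructed sample log: one stable peer and one peer that flaps every 20 s.
SAMPLE_LOG = [
    "1000 n-stable join",
    "1010 n-flap join",
    "1030 n-flap leave",
    "1050 n-flap join",
    "1070 n-flap leave",
    "1090 n-flap join",    # fifth event within 80 s -> quarantined
    "1110 n-flap leave",   # update skipped
    "1700 n-stable leave",  # 700 s after its join: outside the window, stays clean
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

A real deployment would also want a decay or expiry for the quarantine set, otherwise an honest node that had a bad network day stays banned forever; the point here is only that the neighbor, not the attacker, decides how much routing-table work each ID is allowed to cause.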

4. Adversarial Routing

In permissionless environments, the behavior of nodes is unpredictable. Regardless of what its routing table says, an attacker can relay a message into the attacker's isolated network or simply refuse to process it. A well-designed permissionless, decentralized system must ensure that the system keeps working, meaning that it rewards normal behavior and punishes, or at least constrains, arbitrary behavior. By this definition, since DHT lacks any method for rewarding and punishing nodes' behavior, it is not a well-designed system for permissionless and decentralized environments.

5. Pollution Attacks

In a pollution attack, the attacker E tampers with the message it relays so that V receives a wrong message. Pollution attacks are as simple as adversarial routing: E returns a wrong result to the query and the lookup fails. Although checking that the hash of the returned content matches its key is enough to detect whether the content is polluted, a pollution attack of sufficient scale is still capable of degrading the entire network.
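The check mentioned above, that the hash of the content must match the key, is what makes pollution detectable in a content-addressed DHT. The following is an added example, not code from the original article: a lookup that queries several peers, accepts only an answer whose SHA-256 digest equals the key, and records which peers returned polluted data so the caller can stop asking them. The peer classes and the sample content are constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field


def content_key(value: bytes) -> bytes:
    """Content-addressed key: the DHT key of a value is its SHA-256 digest."""
    return hashlib.sha256(value).digest()


@dataclass
class Peer:
    """Minimal honest peer: stores values under keys and returns them on request."""
    name: str
    store: dict = field(default_factory=dict)

    def put(self, key: bytes, value: bytes) -> None:
        self.store[key] = value

    def get(self, key: bytes):
        return self.store.get(key)


class PollutingPeer(Peer):
    """Constructed misbehaving peer (E): answers every query with a wrong value."""

    def get(self, key: bytes):
        return b"POLLUTED:" + key[:4]


def verified_lookup(key: bytes, peers):
    """Ask peers in order and accept only a value whose digest equals the key.

    Returns (value or None, names of peers whose answer failed verification).
    The rejected list is what a node would feed into its peer scoring.
    """
    rejected = []
    for peer in peers:
        value = peer.get(key)
        if value is None:
            continue          # peer does not hold the key; not evidence of pollution
        if content_key(value) == key:
            return value, rejected
        rejected.append(peer.name)
    return None, rejected


def demo():
    """Two polluting peers answer first; the honest peer's value still wins."""
    value = b"test score of student X: 87"   # constructed sample content
    key = content_key(value)
    honest = Peer("honest-1")
    honest.put(key, value)
    peers = [PollutingPeer("e-1"), PollutingPeer("e-2"), honest]
    return verified_lookup(key, peers)


if __name__ == "__main__":
    print(demo())
```

This only works because the key is derived from the content. For mutable keys (a name that maps to changing content) the digest check says nothing, and the lookup must instead verify a signature from the content's publisher, which is where the decentralized identity work mentioned later in this article comes in.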

6. Index Poisoning

The global overview of a DHT is provided by the index, which is usually managed by third-party services (such as BitTorrent's seed sites) that are essential for file sharing applications. However, these third-party services cannot prevent an attacker from injecting large numbers of resources such as Trojans into the DHT to contaminate the index. These harmful resources are disguised as meaningful resources to persuade users to download them, and the attacker bears no cost and uses no bandwidth of its own.

7. Denial of Service Attacks

In a denial of service attack, E keeps sending queries to V, so that V's resources are exhausted and V can no longer perform any further lookup. In other words, DoS exhausts the limited resources of the service provider by various means, so that the honest node can no longer provide any service. Since every node is constrained by network bandwidth and computing resources, it takes a large number of queries to exhaust the nodes of a DHT, so DHT is relatively scalable and fit for decentralization. However, a denial of service attack of sufficient scale may still block a DHT-based service.

Solutions to each problem

The above attack scenarios summarize several major weaknesses:

  1. Nodes are free to enter and exit the network as related costs are extremely low.
  2. Costs associated with repeating a query and therefore flooding the network are very low.
  3. The absence of a rewards and punishments mechanism for nodes translates into a lack of motivation to behave well.
  4. The absence of a consensus mechanism similarly causes lack of constraints on random behavior.
  5. The fact that identities of the nodes are so volatile and easy to tamper with makes it extremely easy for attackers to create majorities from fake identities.

It is however important to underline that the above features are not exclusively relevant to DHT. They are instead typical of any permissionless, decentralized system.

In the case of DHT, though, solutions are relatively easy to find.

  1. Sybil attacks: In order to fight Sybil attacks, it may be enough to increase the cost of entering and leaving the network. S/Kademlia provides a great example of this.
  2. Eclipse Attacks: Eclipse attacks can be prevented by having network users stake some money in the network. This money may come, for example, in the form of transaction fees.
  3. Churn attacks: Recording good and poor performance of users in the network and eliminating nodes that may have accumulated a too high amount of poor performances.
  4. Adversarial Routing: Measures here consist of subjecting everyone's actions to a vote before an action is committed; voters can verify that individual behavior complies with the rules, and the action taken by the majority is considered the fair and correct one.
  5. Pollution Attacks: Decentralized identity is increasingly being studied as a useful countermeasure against pollution attacks.
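Items 1 and 2 above both come down to making a node ID cost something, so that mass-producing identities (Sybil) or choosing IDs next to a victim (eclipse) is no longer free. S/Kademlia does this with two hash puzzles: a static puzzle that ties the node ID to a key pair whose hash has a required number of leading zero bits, and a dynamic puzzle that must be re-solved for each ID. The following is an added example written for this article, not S/Kademlia's own code: it implements both puzzles in simplified form and a routing table that admits only peers presenting valid solutions. A random 32-byte string stands in for a real public key, IDs are 256-bit, and the difficulty values are assumptions chosen to be small enough to run instantly.

```python
import hashlib
import secrets

ID_BYTES = 32   # assumption: 256-bit IDs (Kademlia proper uses 160-bit IDs)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def xor_distance(a: bytes, b: bytes) -> int:
    """Kademlia XOR metric between two IDs."""
    return int.from_bytes(a, "big") ^ int.from_bytes(b, "big")


def solve_static(c1: int, new_pubkey=lambda: secrets.token_bytes(32)):
    """Static puzzle: generate keys until H(H(pk)) has c1 leading zero bits.

    Returns (pubkey, node_id) with node_id = H(pk). Because the ID is a hash of
    the key, the joining node cannot pick its ID; it can only keep trying.
    """
    while True:
        pk = new_pubkey()            # stand-in for real key generation (assumption)
        node_id = H(pk)
        if leading_zero_bits(H(node_id)) >= c1:
            return pk, node_id


def verify_static(pk: bytes, node_id: bytes, c1: int) -> bool:
    return H(pk) == node_id and leading_zero_bits(H(node_id)) >= c1


def solve_dynamic(node_id: bytes, c2: int) -> bytes:
    """Dynamic puzzle: find X such that H(node_id XOR X) has c2 leading zero bits."""
    x = 0
    while True:
        xb = x.to_bytes(ID_BYTES, "big")
        if leading_zero_bits(H(xor_bytes(node_id, xb))) >= c2:
            return xb
        x += 1


def verify_dynamic(node_id: bytes, x: bytes, c2: int) -> bool:
    return leading_zero_bits(H(xor_bytes(node_id, x))) >= c2


class RoutingTable:
    """Admits a peer only if it proves both puzzles for the ID it claims."""

    def __init__(self, own_id: bytes, c1: int, c2: int):
        self.own_id, self.c1, self.c2 = own_id, c1, c2
        self.peers = {}   # node_id -> XOR distance from us

    def admit(self, pk: bytes, node_id: bytes, x: bytes) -> bool:
        if not (verify_static(pk, node_id, self.c1) and verify_dynamic(node_id, x, self.c2)):
            return False   # forged or unpaid-for ID: never enters the table
        self.peers[node_id] = xor_distance(self.own_id, node_id)
        return True


def expected_attempts(prefix_bits: int, c1: int) -> int:
    """Rough estimate of key generations needed to land an ID that passes the
    static puzzle AND shares a chosen prefix_bits-bit prefix with a target: each
    candidate matches the prefix with probability 2^-prefix_bits and passes the
    puzzle with probability 2^-c1, independently."""
    return 2 ** (prefix_bits + c1)


if __name__ == "__main__":
    pk, nid = solve_static(c1=8)
    x = solve_dynamic(nid, c2=8)
    table = RoutingTable(H(b"our-node"), c1=8, c2=8)
    print("admitted:", table.admit(pk, nid, x))
    print("attempts to sit in a 20-bit bucket around a victim:", expected_attempts(20, 8))
```

The point of `expected_attempts` is the eclipse case: with free IDs an attacker needs roughly `2**20` candidates to populate one 20-bit-prefix bucket around a victim, and that is just hashing; with a static puzzle of `c1` bits the cost multiplies by `2**c1` per candidate and each one also needs a key pair, which is what turns a cheap attack into a budget.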

Can I issue a currency on DHT?

Of course, but the security of this currency is debatable, as one of the major properties of a stable and reliable currency is its resistance to arbitrary behavior, i.e. Byzantine Fault Tolerance.

A DHT with a consensus mechanism is an improvement worth exploring. Interestingly, this improvement is recently being witnessed in the form of blockchain sharding: each shard maintains its own consensus, and the shards are partitioned by key-based routing, so dependence on the main chain is lost.

Holochain is an interesting example to quote here. Holochain is a DHT-based decentralized application platform (Dapp platform) that holds a different view on currency: money can also be a mutual credit that exists only between the parties of a transaction. This is a very interesting point of view; however, it does not address the fundamental flaws of DHT.

Conclusion

In addition to being gradually regarded as a blockchain segmentation idea, DHT has also become the infrastructure responsible for data storage in some blockchain projects. This article summarizes the weaknesses of DHT and possible countermeasures. Hopefully, readers can have a clearer understanding of DHT’s strengths and weaknesses.

Juin Chiu (Unitychain): blockchain researcher, dev, co-organizer of Taipei Ethereum Meetup, focusing on consensus protocol, self-sovereign identity and anonymity network.