Who can survive without p2p today? P2P has enabled an explosion of sharing music, movies, software, etc. The Recording Industry Association of America's overwhelming threats of copyright lawsuits and fines have not been able to stall the growth of file sharing; instead they have forced p2p to become more robust, stealthy, and sophisticated. Studies by Cachelogic and BigChampagne show that p2p file sharing continues to grow. Because decentralized p2p architectures scale well and tolerate failures, Vudu is developing a movie on-demand system based on p2p, and unlike file-sharing services, Vudu has many studios signed up. P2P is also moving into the enterprise with p2p-based collaboration tools and p2p-based storage systems. A recent study shows that the p2p-based Skype outperforms MSN’s centralized approach. One reason Skype does better than MSN is its ability to burrow through firewalls and NATs. On the other hand, that same resilience to firewalls and NATs can be a security nightmare.
In a p2p network there is no notion of a client or a server. Every node can perform both functions, and the aggregate of the end hosts forms the p2p network. To join this network, most p2p applications start up by scanning for other systems running the same application. A robust p2p application scans intensely and persistently, looking exactly like malware. State-of-the-art scan anomaly detectors rely on the evidence that scanners have no knowledge of the network topology or system configuration, so more of their connection attempts fail than succeed. By that criterion, these techniques flag p2p scans as malicious. The detectors need intelligence to distinguish benign application scans from malicious ones. Traditional detectors can suppress p2p false positives by tuning their thresholds, but p2p applications such as Skype can scan up to a few hundred hosts in a short time interval, and keeping thresholds high enough to accommodate that behavior will undoubtedly produce false negatives. The solution is to identify p2p application scans and treat them differently.
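The trade-off described above can be made concrete with a small failure-ratio scan detector of the Threshold Random Walk kind (a sequential likelihood-ratio test over first-contact connection attempts), run against a constructed connection log. This is an added illustration, not Nevis' detector or any code from the post: the records, the per-host `app` label (assumed to come from some host-side or flow-classification source, which the post does not specify), and the success probabilities `THETA_BENIGN` / `THETA_SCANNER` are all assumptions. It shows the three situations the paragraph describes: one tight threshold for everyone alarms on the p2p bootstrap, raising the threshold until the bootstrap passes also lets a quieter scanner through, and applying the relaxed threshold only to traffic identified as p2p keeps both properties.

```python
"""Simplified TRW-style scan detector over constructed connection records.

Example code added for illustration; it is not the detector the post refers to.
Simplifications: no lower (benign) decision boundary and no early stop, the
per-source score is just the final log-likelihood ratio over first contacts.
"""
import math
from collections import defaultdict

# Constructed connection log: (src, dst, outcome, app_label).
# app_label is an ASSUMED attribution of the flow to an application class;
# the post does not describe how p2p flows are identified.
RECORDS = (
    # 10.0.0.5 bootstraps a p2p client: many failed first contacts, then a peer answers
    [("10.0.0.5", f"198.51.100.{i}", "fail", "p2p") for i in range(1, 13)]
    + [("10.0.0.5", "198.51.100.13", "success", "p2p")]
    # 10.0.0.7 is an ordinary workstation: mostly successful connections
    + [("10.0.0.7", f"192.0.2.{i}", "success", "unknown") for i in range(1, 6)]
    + [("10.0.0.7", "192.0.2.6", "fail", "unknown")]
    # 10.0.0.9 tries eight hosts that never answer: the pattern scan detectors key on
    + [("10.0.0.9", f"192.0.2.{i}", "fail", "unknown") for i in range(10, 18)]
)

THETA_BENIGN = 0.8   # assumed P(first contact succeeds | benign host)
THETA_SCANNER = 0.2  # assumed P(first contact succeeds | scanner)


def likelihood_ratios(records):
    """Per-source log-likelihood ratio (scanner vs benign) over first-contact
    attempts, one observation per distinct destination. Also returns the app
    label last seen for each source."""
    seen = defaultdict(set)
    llr = defaultdict(float)
    label = {}
    for src, dst, outcome, app in records:
        if dst in seen[src]:
            continue  # repeat contacts to the same host carry no new evidence
        seen[src].add(dst)
        label[src] = app
        if outcome == "success":
            llr[src] += math.log(THETA_SCANNER / THETA_BENIGN)              # ln 0.25
        else:
            llr[src] += math.log((1 - THETA_SCANNER) / (1 - THETA_BENIGN))  # ln 4
    return dict(llr), label


def threshold(alpha, beta):
    """Upper decision boundary eta1 = (1 - beta) / alpha, in log space,
    for false-positive rate alpha and miss rate beta."""
    return math.log((1 - beta) / alpha)


def detect(records, eta_by_app):
    """Sources whose score crosses the threshold chosen for their application
    class; '*' is the default class used for unlabelled traffic."""
    llr, label = likelihood_ratios(records)
    return {src for src, score in llr.items()
            if score >= eta_by_app.get(label[src], eta_by_app["*"])}


TIGHT = threshold(alpha=0.01, beta=0.01)  # ln 99: roughly four failed first contacts
LOOSE = math.log(4) * 20                  # tolerates twenty failed first contacts


def naive(records):
    """One tight threshold for everybody."""
    return detect(records, {"*": TIGHT})


def tuned_up(records):
    """Threshold raised until the p2p bootstrap stops alarming."""
    return detect(records, {"*": LOOSE})


def p2p_aware(records):
    """Tight threshold by default, relaxed only for traffic identified as p2p."""
    return detect(records, {"*": TIGHT, "p2p": LOOSE})


if __name__ == "__main__":
    print("naive     :", sorted(naive(RECORDS)))      # p2p host and scanner both alarm
    print("tuned up  :", sorted(tuned_up(RECORDS)))   # nothing alarms: the scanner is missed
    print("p2p-aware :", sorted(p2p_aware(RECORDS)))  # only the scanner alarms
```

The p2p host accumulates twelve failed first contacts before a peer answers, so with the tight boundary it alarms alongside the real scanner; lifting the boundary far enough to excuse it also excuses an eight-failure scan. The per-class table in `p2p_aware` is the "treat them differently" step: it depends entirely on the quality of the application attribution, which is exactly why the identification problem is the hard part.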
Signature-based application recognition will not solve the scan detectors' false-positive problem. For applications such as Skype, the signature only matches once the host has successfully connected to another peer; that is, it can only be matched after the scan, by which point the alarm has already been raised (unless the detector is delayed, which dramatically limits its effectiveness). A well-designed p2p application encrypts all of its traffic, which further limits what signatures can match. To cope with changing access conditions (e.g., when the host is mobile), the p2p application tries a wide variety of ports and protocols, so port-protocol pairs are unreliable for detection as well. Despite these difficulties, Nevis has behavioral-anomaly-based solutions to address this problem.
P2P problems don’t stop with false-alarm mitigation. P2P networks may span millions of hosts, and enterprise p2p systems may span critical systems, so a worm that spreads over a p2p network could be highly effective. Stopping such worms is also possible with p2p-aware detectors: p2p is, after all, just another application, and once traffic is identified as p2p, anomaly detection can be applied to it the same way it is applied to any other application. A further problem is that botnets may pose as p2p networks, complicating their identification.
P2P is here to stay, but while it poses security challenges, solutions exist.
Khushboo Shah, Ph.D.



Thanks for your interest in specific solutions regarding these p2p threats. As I mentioned, there are three problems with p2p: 1) p2p scans, 2) zero-day p2p worm detection, and 3) botnets over p2p networks. The first problem is hard to recognize and solve. Nevis has addressed the p2p scan problem with a novel framework. Nevis also solves the second problem, as do other vendors such as IMLogic, Akonix Systems, and FaceTime. Regarding the third problem, today most of the security vendors, such as Arbor Networks, are focusing on IRC botnet detection. With the botnets transitioning over p2p networks, detection becomes harder. Nevis is studying this trend and is devising countermeasures in an upcoming release. We are not aware of a commercially available solution to this aspect of the problem today. -KS
Posted by: Khushboo Shah | May 29, 2007 at 02:04 PM
I am confused by the statement "...but while it poses security challenges, solutions exist."
Did you allude to any solutions in your post? I apologize, but I didn't see anything definitive in the post.
Thanks
Posted by: knujlla | May 25, 2007 at 02:40 PM