> That is not my worry. Signing the data posted to the DHT can prevent
> querying it over a mix network or using a PIR protocol can prevent
> eavesdropping. I'm more worried about various sorts of denial of service
> attacks, or service being shut down by inadvertent behavior.

Of course the data can be signed, encrypted, etc. But the rule of the game
is that the adversary can manufacture as many peers as they want --
something known as the Sybil attack. They can then perform various forms of

For example, the connectivity of the DHT generally relies on connectivity
between nodes of similar indices. The attackers can research hashes that
fall very near the hash of the target node, add the corresponding nodes in
the DHT, and effectively place themselves in the path of DHT traffic meant
for the target node. This enables passive traffic analysis, and active
denial of service.

Another potential attack is to get node indices close to that of a popular
resource, effectively becoming the repository of record for that resource.
Again, that enables passive traffic analysis, e.g. finding who accesses a
specific resource, and also active denial of service attacks.

If the attackers can manufacture enough virtual nodes, they obtain control
of the network. They can use that passively for global traffic analysis.
They can also engineer selective disruption, inject traffic to DOS specific
nodes, and other fun games.

Bottom line, anonymous DHTs are fragile.

If we want something robust, we have to forgo the mathematical elegance of
the DHT, and adopt a network structure in which nodes only connect to peers
that they trust. You could call that "networks of friends." That removes the
nice O(log N) properties of the DHT, and it becomes hard to guarantee that
all queries will converge. But the network becomes much harder to penetrate.
The old Freenet had a structure like that.

-- Christian Huitema

The cryptography mailing list
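
A defender-side check for the ID crowding described in the message above (peers placing themselves very near a target node or a popular resource), added here as an example and not part of the original post. It assumes Kademlia-style 160-bit IDs compared by XOR; `dht_id`, the peer labels, the planted IDs and the `alpha` cutoff are constructed for illustration.

```python
import hashlib
import math
import random

BITS = 160  # assumption: Kademlia-style 160-bit IDs compared by XOR distance

def dht_id(label: str) -> int:
    """ID of a node or key as the SHA-1 of its label (hypothetical scheme)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def shared_prefix_bits(a: int, b: int) -> int:
    """Number of leading bits two IDs have in common."""
    return BITS - (a ^ b).bit_length()

def crowding_threshold(n: int, alpha: float) -> int:
    """Smallest prefix length b with n / 2**b <= alpha.

    With n uniformly distributed IDs, the chance that any of them shares
    at least b leading bits with a fixed target is at most n / 2**b.
    """
    return math.ceil(math.log2(n / alpha))

def suspicious_neighbours(target: int, ids: list[int], alpha: float = 1e-6):
    """Return (threshold, IDs whose closeness to target is implausible)."""
    b = crowding_threshold(len(ids), alpha)
    flagged = [i for i in ids if i != target and shared_prefix_bits(target, i) >= b]
    return b, sorted(flagged, key=lambda i: i ^ target)

def constructed_population(seed: int = 1):
    """Constructed sample: 2000 hashed IDs plus 8 IDs planted near the target."""
    rng = random.Random(seed)
    target = dht_id("popular-resource")
    honest = [dht_id(f"peer-{k}") for k in range(2000)]
    low = BITS - 48  # planted IDs copy the target's top 48 bits
    planted = [((target >> low) << low) | rng.getrandbits(low) for _ in range(8)]
    return target, honest, planted

if __name__ == "__main__":
    target, honest, planted = constructed_population()
    b, flagged = suspicious_neighbours(target, honest + planted)
    closest_honest = max(shared_prefix_bits(target, i) for i in honest)
    print(f"threshold: {b} bits, closest honest peer shares {closest_honest} bits")
    for i in flagged:
        print(f"  flagged {i:040x} ({shared_prefix_bits(target, i)} bits shared)")
```

The check only catches IDs that sit closer than uniform hashing makes plausible; peers that crowd a target less tightly than the threshold pass it.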
