In other words, opennet sucks. We know this. :) An attacker is unlikely to be able to control a large fraction of nodes on a darknet (he can have many nodes but they won't receive much traffic unless they have many connections).
However, hops may well be more than 8.

On Thu, Jul 06, 2006 at 11:35:32AM +0100, Michael Rogers wrote:
> Imagine the following attack: for each word or phrase in a dictionary,
> the attacker generates the corresponding KSK keypair and creates a KSK
> pointing to an attacker-controlled site. The attacker doesn't insert the
> fake KSK, but if it ever receives a request for the KSK, it returns the
> fake version instead of forwarding the request.
>
> The important thing to note is that the attacker doesn't have to control
> the node at the KSK's location: it can opportunistically spoof any
> requests that pass through its node. To work out how dangerous this
> attack is, we need to work out the probability that a given request
> passes through a malicious node.
>
> If we assume the attackers are uniformly distributed around the circle,
> the probability of a request hitting at least one malicious node in h
> hops is 1-(1-c/n)^h, where c is the number of malicious nodes and n is
> the number of nodes. Here are the probabilities:
>
>                attackers
>            1%     5%     10%
>
>      1    0.01   0.05   0.1
>      2    0.02   0.10   0.19
> h    3    0.03   0.14   0.27
> o    4    0.04   0.19   0.34
> p    5    0.05   0.23   0.41
> s    6    0.06   0.26   0.47
>      7    0.07   0.30   0.52
>      8    0.08   0.34   0.57
>
> In other words an attacker that controls 5% of the nodes can spoof a
> significant fraction of KSK requests.
>
> Cheers,
> Michael

--
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
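
Added example, not part of either message: the quoted model 1-(1-c/n)^h extended past 8 hops, inverted to give the hop count at which a request is more likely than not to meet a malicious node, and checked by simulation. The function names and the simulation's assumption that each hop lands on an independently, uniformly chosen node are illustrative choices, not Freenet code.

```python
import math
import random

def spoof_probability(frac, hops):
    """P(at least one malicious node in `hops` hops) = 1 - (1 - c/n)^h, frac = c/n."""
    return 1.0 - (1.0 - frac) ** hops

def hops_for_probability(frac, target):
    """Smallest hop count at which the exposure probability reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - frac))

def simulate(n, c, hops, trials, seed=1):
    """Monte Carlo check of the model.

    Assumption: nodes 0..c-1 are malicious and every hop lands on a node
    chosen uniformly and independently, which is what the formula implies.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if any(rng.randrange(n) < c for _ in range(hops)):
            hits += 1
    return hits / trials

def table(fracs=(0.01, 0.05, 0.10), hop_counts=(1, 2, 4, 8, 12, 16, 20)):
    """Rows of (hops, [probability per attacker fraction]), rounded to 2 places."""
    return [(h, [round(spoof_probability(f, h), 2) for f in fracs])
            for h in hop_counts]

if __name__ == "__main__":
    print("hops    1%    5%   10%")
    for h, row in table():
        print(f"{h:4d}  " + "  ".join(f"{p:.2f}" for p in row))
    for f in (0.01, 0.05, 0.10):
        print(f"{f:.0%} malicious: 50% exposure at {hops_for_probability(f, 0.5)} hops")
    print("simulated, 5% malicious, 8 hops:", simulate(1000, 50, 8, 20000))
```

The model counts nodes, not traffic share, so it does not capture the darknet point in the reply above, where an attacker's nodes see little traffic unless they have many connections.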
