Research Paper Undergraduate 3,923 words

Frog-Boiling Attack Studied and Carried

Last reviewed: April 29, 2012
Abstract

There are many computer network systems in existence today, but they all have their flaws, including the ability to be hacked. Even those that are said to be protected from hacks can be shown to be easily broken into in many cases. The paper presents information on the frog-boiling attack and how it can get past any of the protection mechanisms that are currently used to protect computer networks.

… frog-boiling attack studied and carried out by Chan-Tin, et al. (2011). The goal of the attack is to infiltrate a network coordinate system without knowledge of the system and without disrupting the system to the point that the attack will fail. The "frog-boiling" attack is named after a theory that a frog placed in cold water will not jump out of the water as the temperature is slowly raised. Eventually, the frog will be boiled to death without noticing the temperature change, because it is so gradual. In theory, the same general rule can be applied to the network coordinate system. If a change is gradual enough to go undetected by the failsafes in place to catch attacks and malfunctions, the entire system can be attacked, taken over, or badly damaged, because the change is too slow to be noticed until it is too late. Chan-Tin, et al. (2011) noticed that this could be done on all network coordinate systems with three different types of attacks. Even with other filters in place to prevent the danger, nothing could be done to stop the slow, gradual attacks. This led the researchers to determine that the frog-boiling attack was one way in which a network coordinate system could be overtaken, and that these systems are not safe to use until this is corrected. Possible solutions include filters that pick up anomalies, but so far even these types of filters have not been successful on prolonged, serious, and strategic attacks.

A Review of the Frog-Boiling Attack: Limitations of Secure Network Coordinate Systems

Introduction

There is a theory about frogs that says if one places a frog into a pot of boiling water, that frog will immediately jump out because of the heat. That same theory also says that a frog can be placed into cold water and the temperature can be gradually raised. Because the frog will not, allegedly, notice the minor increases in temperature, it is possible for the frog to be boiled to death that way. While this sounds more like something out of an unpleasant science experiment, the same analogy has been used by Chan-Tin, et al. (2011) to show that secure network coordinate systems may not be so secure after all.

The theory is that these networks will notice large-scale or significant attacks, but that they will not notice attacks on a much smaller and more incremental scale (Barreno, et al., 2006; Shavitt & Tankel, 2003; Sherr, Blaze, & Loo, 2009). With that being the case, anyone who uses a slow, simple, nearly gentle attack on a network system can change the nodes enough over time to make them significantly different from what they were originally. Because the attack is so gradual, the differences in the nodes are not great enough each time they are changed to send up any red flags about what is taking place (Bavier, et al., 2004; Kaafar, et al., 2007). The end result is far different from what is seen in the beginning, but there is no evidence of attack (Chan-Tin, et al., 2011).

Naturally, this is a highly ingenious way of attacking a network and skirting its security systems. It has been termed the frog-boiling attack for the way it starts out safe and slowly changes to something dangerous without the notice of the affected (injured) party (Chan-Tin, et al., 2011). Think of the gradual changes in nodes as the slowly-rising temperature of the water. The network is the frog. Chan-Tin, et al. (2011) have studied this extensively and shown how this particular attack can be used to thwart the security of three systems thought to be the most reputable and safe due to their high-level and very carefully designed security measures.

These three systems are Veracity, Vivaldi, and Vuze BitTorrent. There will be three different kinds of attacks used, and it will be shown how they can be highly effective when they are used properly, even against "secure" systems that are carefully designed to avoid problems. The issue is with the variance required to trigger a flag that there is a problem. Remaining under that variance level triggers nothing, but still changes the node (Chan-Tin, et al., 2011). Lying to the node too much will flag a problem. Lying to the node too little will not make the desired changes. By lying just the right amount to all the nodes continuously, the frog-boiling attack can be implemented on any secure system, as will be shown here.

Basic-Targeted Attack

The basic-targeted attack is one that targets a particular node and singles it out. Once the node has been chosen the attack is launched and the goal is to slowly change the coordinates of that node (Chan-Tin, et al., 2011). This must be done carefully, and in very small steps, or it will not be successful. In order to determine how to do this properly, a clear understanding is needed of the node and of how the system in which that node is located works. Pyxida, for example, only updates node coordinates when it is pinged. That means that the node that is the victim of the attack must contact the nodes that are attacking in order for the attack to be successful. If there are 10% attackers in the network, the node being attacked will contact an attacker 10% of the time (Chan-Tin, et al., 2011). A node that is the neighbor of a "victim node" will remain there for 32 iterations, which will allow others to contact it and spread the attack (Chan-Tin, et al., 2011).

All the node that is attacking needs is just enough time to "touch base" with other nodes, and then the node can spread the attack to more and more nodes as they all contact one another over time. What seems like a long process really is not, because nodes contact one another very rapidly in order to move information through the network. With the rapid contact they have, nodes spread attacks such as the frog-boiling attack much more quickly than most would easily assume (Chan-Tin, et al., 2011).

After 32 iterations, there is a very high probability (more than 96%) that an attacker node will be a "neighbor" of a victim node (Chan-Tin, et al., 2011). When there is at least one attacker node in the neighbor "list" of a victim node, that victim node can be targeted quite easily. In Pyxida, there is a neighbor list update every 10 seconds so the current force can be calculated (Chan-Tin, et al., 2011). Every time this is updated, the victim node adjusts its coordinates to move a little bit closer to the target coordinates it needs for the attack to be effective. The nodes that are attacking only focus on the victim node. They do not respond to other nodes, and so they are not noticed by the system in any way (Chan-Tin, et al., 2011).

The variance changes in the victim node are so small that they, too, are not noticed. They fall within the tolerance levels required for that particular node each time they change, so there is no alert that a problem is brewing (Chan-Tin, et al., 2011). Because other nodes are not aware of the attacker nodes, and because the victim node is changing so incrementally as to avoid being out of tolerance or accepted variation, it is clear that the attack is effective when carried out correctly on the right type of system. Any kind of outlier system for detection, therefore, is not suitable for security when it comes to a network coordinate system (Chan-Tin, et al., 2011). It is simply too easy to attack the system and make changes to it.

The attack works because the victim is moved to a new location in small steps, instead of attempting to make a large move that would surely be detected by other nodes in the network. The new location for the node is insignificant for the purposes of showing that there can be an effective attack that will change node coordinates and that will not be noticed by the other nodes or by the system itself. By varying the number of attackers and the change in coordinates, an attack on a victim node and its network can be slowed down or sped up at will (Chan-Tin, et al., 2011). The only requirement is that the change in coordinates be small enough each time so as to go undetected. Other than that, there is little else that needs to be done and that can allow for large attacks over significant areas of the network, even when the network is designed to be secure and has been tested to have a very low tolerance level when it comes to changes that can be made to it internally or externally (Chan-Tin, et al., 2011).

The number of attack nodes and the level of variance the victim node can tolerate can affect how quickly the network is disrupted. For example, increasing the variance to a higher level and/or adding more attack nodes can change an expected four hour attack timeframe to two hours or less. That only requires 36 contacts between the victim nodes and the attack nodes, with 720 intervals for updates (Chan-Tin, et al., 2011). At that point, disruptions in the network would begin to be seen. The attacker can continue to increase the variance, but there will eventually be a point reached at which the variance is no longer successful because the frog-boiling attack fails (Chan-Tin, et al., 2011). This usually comes about due to a too-rapid increase in the changing victim node coordinates, which stops the attack because the system flags the changes in the node as something that may be problematic. Naturally, in order for the attack to be successful the node changes must be gradual enough to avoid a flag by the system.

Network-Partition Attack

The second kind of attack discussed by Chan-Tin, et al. (2011) is the network-partition attack. This attack is similar to the basic-targeted attack, but there is a distinct difference to be considered. In the basic-targeted attack, the victim nodes are gradually moved until they reach far-away coordinates. In the network-partition attack, the rest of the network to which the nodes belong is also moved. By partitioning off part of the network, the attack is able to isolate only the area it needs or wants to attack or infect (Chan-Tin, et al., 2011). A section of the network can be taken over instead of only adjusting selected nodes or trying to take over an entire network. It takes nearly 500 minutes for the network-partition attack to have an effect, but at that time the network will start to separate off into two parts. There is a pull between the two networks, so the coordinates that were intended by Chan-Tin, et al. (2011) were not reached. Despite that, the networks were partitioned effectively, which was the ultimate goal of the attack (Chan-Tin, et al., 2011).

There is a ratio reached between the intracluster distance and the intercluster distance, as well (Chan-Tin, et al., 2011). Over time, the intracluster distance remains the same or gets smaller, but the intercluster distance gets larger and larger. That effectively indicates that the network has been partitioned into two separate entities, and both of them (now two separate networks, essentially) continue to move away from one another. If this can be done (which has been clearly demonstrated), then a network-partition attack will work on a network that is deemed to be secure (Chan-Tin, et al., 2011). There is also no reason one could not expand the attack and make more than two clusters and one partition. Theoretically, it would be possible to move the attack to something that was creating multiple partitions and clusters, all of which were moving away from one another. That would dissolve the network to some degree, and would be a significant way in which an individual could attack a network and "divide and conquer" it in such a way that it would be difficult to detect until it was too late. It would also be hard to correct.
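The ratio described above can be tracked as a monitoring signal over successive coordinate snapshots. This is an added example, not code from Chan-Tin, et al. (2011): the two-way split seeded by the farthest pair of nodes, the 0.5 alert fraction and the coordinate snapshots are all constructed assumptions.

```python
import math
from itertools import combinations, product

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def split_in_two(coords):
    """Assumed clustering step: seed two clusters with the farthest pair of
    nodes, then assign every node to the nearer seed."""
    s1, s2 = max(combinations(coords, 2), key=lambda pair: dist(*pair))
    a = [c for c in coords if dist(c, s1) <= dist(c, s2)]
    b = [c for c in coords if dist(c, s1) > dist(c, s2)]
    return a, b

def mean(values):
    values = list(values)
    return sum(values) / len(values)

def cluster_ratio(coords):
    """Mean intracluster distance divided by mean intercluster distance.
    Needs at least three nodes so that one cluster contains a pair."""
    a, b = split_in_two(coords)
    intra = mean(dist(p, q) for grp in (a, b) for p, q in combinations(grp, 2))
    inter = mean(dist(p, q) for p, q in product(a, b))
    return intra / inter

def first_partition_alert(snapshots, fraction=0.5):
    """Index of the first snapshot whose ratio has fallen below
    fraction * (ratio of the first snapshot), or None if none has."""
    baseline = cluster_ratio(snapshots[0])
    for i, snap in enumerate(snapshots):
        if cluster_ratio(snap) < fraction * baseline:
            return i
    return None

# Constructed snapshots: two groups of four nodes whose internal layout never
# changes while the gap between the groups widens from snapshot to snapshot.
SQUARE = [(0.0, 0.0), (0.0, 10.0), (10.0, 0.0), (10.0, 10.0)]

def snapshot(gap):
    return SQUARE + [(x + 20.0 + gap, y) for x, y in SQUARE]

SNAPSHOTS = [snapshot(g) for g in (0, 10, 20, 40, 80)]

if __name__ == "__main__":
    for i, snap in enumerate(SNAPSHOTS):
        print(i, round(cluster_ratio(snap), 3))
    print("alert at snapshot", first_partition_alert(SNAPSHOTS))
```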

Depending on the percentage of attackers, it is possible to show that there are many different ways to adjust this kind of attack. Regardless of how many partitions are created or how many nodes are used, however, it is clear that the attack is one in which anyone with the knowledge of how to create it can use it against common networks that are thought to be secure from attack (Chan-Tin, et al., 2011). With the low tolerances and minute changes that are made to the network in any kind of frog-boiling attack, there are all kinds of possibilities for how it can be used and what can be done with it. That makes it a significant and dangerous way to wage a kind of war on network systems.

Closest-Node Attack

In this attack it is the desire of the attacker to become the closest node to the victim (Chan-Tin, et al., 2011). In Vuze, for example, that would mean the node to which a file transfer would be initiated, and one for which the attacker can control what file to transmit (Chan-Tin, et al., 2011). By querying the victim node to get coordinates, and doing this on a constant basis, the victim node continually tells the attacker node where to find it. The attacker node does not respond to any of the other nodes within the network, just like in the basic-targeted attack (Chan-Tin, et al., 2011). If there are a large number of attacker nodes within the network, there is a higher likelihood that one of those attacker nodes will become the closest node to a victim node. Additionally, the constant querying of the victim node by the attacker node will show the attacker node when the coordinates of the victim node change (Chan-Tin, et al., 2011). When that takes place, the attacker node will update its replies to the victim node, so that it can continue to query that node successfully.

By checking every 10 minutes and allowing 500 minutes for the entire attack, Chan-Tin, et al. (2011) were able to determine how often attacker nodes were the closest node to a victim node. The more attackers there are, the higher chance one will be close to a victim node. This is normal and was to be expected. While there was not a 100% success rate, the updates as to what is the closest node only come every 10 minutes (Chan-Tin, et al., 2011). That means an attacker could have been the closest node for nine minutes, but then would have been discarded. Having 11% of the nodes as attackers returned a success rate of 41% based on the 10 minute updates (Chan-Tin, et al., 2011). If the experiment were to run for a longer period of time, the likelihood of the attacker nodes being the closest nodes would also greatly increase. Eventually, statistics show that all victim nodes and all attacker nodes would meet. On a one day experiment, the 41% chance of an attacker being the closest node to a victim node jumps to 60%, without making any changes to the number of attack nodes present (Chan-Tin, et al., 2011).

The Kalman Filter

There are more ways to secure a network coordinate system than are realized by most people. Because that is the case, it was necessary for Chan-Tin, et al. (2011) to consider other options and other ways of securing a network. One of those was the Kalman Filter (Kaafar, et al., 2007). This filter is designed to look for nodes that are lying, or that are not behaving as anticipated by the network. These are called outlier hosts. The filter works to find these by looking at the predicted error in the node and the actual error in the node, and then comparing the two when it comes to updating coordinates (Chan-Tin, et al., 2011). If the error actually found is larger than the error that was predicted, the update from the node is rejected and the coordinates are not considered to be valid for that node.

It is assumed that all nodes can be trusted until there is evidence that one or more of them cannot (Lehman & Lerman, 2004; Ng & Zhang, 2001). In short, when a node starts providing coordinates that are not within the expected (and accepted) parameters, that node is rejected as being a liar. Lying nodes are not wanted in the network, because they are either malfunctioning or they are being attacked. By rejecting their coordinates the goal is to keep the malfunction or the attack from spreading to other nodes and potentially infecting the entire network (Chan-Tin, et al., 2011). Assumptions in the past have indicated that this has been done with the current network systems that are available, but Chan-Tin, et al. (2011) have shown this not to be the case. If the changes are small enough they fall into the predictable error for the coordinates. It is there where an attack can begin and changes can be made that will go undetected until the problem is much larger.
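The behaviour described here and in the basic-targeted attack section, as an added example that is not code from Chan-Tin, et al. (2011) or from any of the systems discussed: a per-update check accepts every step of a slow drift while the accumulated displacement keeps growing. The `replay` function, its thresholds, the pinned-baseline `budget` check and all coordinates are constructed assumptions, and the per-update check is a simplified stand-in, not a Kalman filter.

```python
import math

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def replay(updates, start=(0.0, 0.0), expected=1.0, k=3.0, alpha=0.1, budget=50.0):
    """Replay proposed coordinates for one node through two checks.

    Per-update check (simplified stand-in, not a Kalman filter): reject a move
    larger than k times the running estimate of a normal move.
    Cumulative check (assumption, not from the paper): raise an alarm once the
    accepted coordinate is more than `budget` away from the pinned start.
    """
    coord, accepted, rejected, alarm_at = start, 0, 0, None
    for i, proposed in enumerate(updates):
        step = dist(coord, proposed)
        if step > k * expected:          # outlier: the update is discarded
            rejected += 1
            continue
        expected = (1 - alpha) * expected + alpha * step   # estimate adapts
        coord = proposed
        accepted += 1
        if alarm_at is None and dist(start, coord) > budget:
            alarm_at = i                 # first update past the drift budget
    return {"accepted": accepted, "rejected": rejected,
            "displacement": round(dist(start, coord), 3), "alarm_at": alarm_at}

# Constructed update streams (illustrative values only).
def honest(n):
    """Measurement jitter: points on a circle of radius 0.5 around the origin."""
    return [(0.5 * math.cos(i), 0.5 * math.sin(i)) for i in range(n)]

def abrupt(n):
    """Honest jitter followed by one large lie."""
    return honest(n - 1) + [(500.0, 0.0)]

def gradual(n, step=1.5):
    """Every reported coordinate is `step` further along the x axis."""
    return [(step * (i + 1), 0.0) for i in range(n)]

if __name__ == "__main__":
    for name, stream in [("honest", honest(500)), ("abrupt", abrupt(500)),
                         ("gradual", gradual(500)), ("too fast", gradual(500, 5.0))]:
        print(f"{name:9s}", replay(stream))
```

Only the check against a baseline that the update stream cannot move reacts to the gradual stream; it does not identify which neighbour is lying.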

In the Kalman Filter, there are trusted nodes. For the experiment conducted by Chan-Tin, et al. (2011), 8% of the nodes were set to a trusted state. The way the Filter works is that each of the trusted nodes contacts the other nodes until they stabilize. By stabilization, it is meant that the coordinates have stopped their fluctuation and the relative error they are reporting is a constant one (Chan-Tin, et al., 2011). Then they run a setup and allow the nodes that are not trusted to join in with the network. When normal nodes join in, they contact the trusted node that is closest to them in order to receive parameters and network latency (Lua, et al., 2005; Lumezanu, Levin, & Spring, 2007). Then normal nodes contact other normal nodes or trusted nodes so that the entire setup can be coordinated among all the nodes. Although the Kalman Filter sounds like a good way to protect a network coordinate system, the basic-targeted attack and the network-partition attack were both able to defeat it (Chan-Tin, et al., 2011). The closest-node attack was not run, since the Kalman Filter implementation does not have the understanding of "closest node."

Cite This Paper
PaperDue. (2012). Frog-Boiling Attack Studied and Carried. PaperDue. https://www.paperdue.com/essay/frog-boiling-attack-studied-and-carried-56969