In this talk, we will first briefly introduce the Network-based Intrusion Detection, Prevention and Forensics System currently being developed in the Northwestern Lab of Internet and Security Technology (LIST) (http://list.cs.northwestern.edu), and then focus on one of its components, P2P Doctor, as described below.
P2P misconfiguration---the phenomenon in which thousands of peers send P2P file downloading requests to a "random" target on the Internet---possibly triggered by bugs or by malicious intent, generates large amounts of unwanted traffic. By analyzing three honeynet datasets spanning four years and five different /8 networks, we found that P2P misconfiguration events are remarkably prevalent: on average they contribute about 30% of Internet background radiation. Surprisingly, this phenomenon is not confined to a single type of P2P system but includes both globally popular ones like BitTorrent and eMule and some regionally popular protocols from Korea and China.
In this talk, we design "P2P Doctor", a system that diagnoses the root causes of such events by melding passive monitoring with automatic real-time active backtracking. We analyzed hundreds of events, both logged historical events and real-time ones. Some of our major findings are as follows. For all the P2P systems studied, misconfiguration is caused by unclean resource mapping, i.e., the sources returned for a given file ID through P2P indexing are bogus. Different P2P systems have different reasons for such uncleanness. For eMule, we found that it is mainly caused by a network byte ordering problem in the eMule Source Exchange protocol: the protocol switches the byte order for about 12.7% to 25% of peers. BitTorrent misconfigurations are prevalent among both peers of anti-P2P companies (e.g., Media Defender) and normal peers, with diametrically different sets of characteristics.
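To make the eMule byte-ordering root cause concrete, here is an added illustration (not P2P Doctor's code, and not the real eMule Source Exchange packet layout): it assumes a simplified 6-byte source record (IPv4 address plus TCP port) and shows how a peer that decodes a network-order record as little-endian ends up contacting a "random" address, plus the kind of check a diagnoser can run over observed honeynet targets to test whether byte reversal explains them.

```python
import ipaddress
import struct

# Simplified source record: 4-byte IPv4 address followed by a 2-byte port.
# This layout is an assumption for illustration, not the real eMule format.
NET_FMT = ">IH"   # network byte order (big-endian)
HOST_FMT = "<IH"  # little-endian, as a misbehaving peer might read it


def encode_source(ip: str, port: int) -> bytes:
    """Encode a peer's address and port in network byte order."""
    return struct.pack(NET_FMT, int(ipaddress.IPv4Address(ip)), port)


def decode_source(record: bytes, network_order: bool = True) -> tuple:
    """Decode a record; network_order=False mimics the byte-swapping bug."""
    ip_int, port = struct.unpack(NET_FMT if network_order else HOST_FMT, record)
    return str(ipaddress.IPv4Address(ip_int)), port


def byte_swapped_ip(ip: str) -> str:
    """Address a buggy peer targets after misreading a correct record."""
    raw = int(ipaddress.IPv4Address(ip)).to_bytes(4, "big")
    return str(ipaddress.IPv4Address(int.from_bytes(raw, "little")))


def explained_by_byte_swap(observed_target: str, known_sources: set) -> bool:
    """Diagnostic check: reversing the bogus target's bytes hits a real source."""
    return byte_swapped_ip(observed_target) in known_sources


def diagnose(observed_targets: list, known_sources: set) -> dict:
    """Split honeynet-observed targets into byte-swap-explained and unexplained."""
    explained = [t for t in observed_targets if explained_by_byte_swap(t, known_sources)]
    unexplained = [t for t in observed_targets if t not in explained]
    return {"explained": explained, "unexplained": unexplained}


if __name__ == "__main__":
    # Constructed sample: one legitimate peer and the record it is advertised in.
    record = encode_source("10.1.2.3", 4662)
    print("correct decode:", decode_source(record))               # ('10.1.2.3', 4662)
    print("byte-swapped decode:", decode_source(record, False))   # ('3.2.1.10', 13842)
    # Constructed sample of targets seen in honeynet traffic.
    print(diagnose(["3.2.1.10", "8.8.8.8"], {"10.1.2.3"}))
```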
Dr. Yan Chen is an Assistant Professor in the Department of Electrical Engineering and Computer Science at Northwestern University, Evanston, IL. He received his Ph.D. in Computer Science from the University of California at Berkeley in 2003. His research interests include network security, network measurement, P2P systems, and wireless and ad hoc networks. He won the Department of Energy (DOE) Early CAREER award in 2005, the Air Force Office of Scientific Research (AFOSR) Young Investigator Award in 2007, and the Microsoft Trustworthy Computing Awards in 2004 and 2005 with his colleagues.