This paper reviews the frog-boiling attack as studied by Chan-Tin et al. (2011), analyzing how gradual, incremental manipulation of network coordinate systems can bypass security measures that would otherwise detect large-scale attacks. Drawing on experiments targeting three systems — Veracity, Vivaldi, and Vuze BitTorrent — the paper explains three attack variants: the basic-targeted attack, the network-partition attack, and the closest-node attack. It further examines the Kalman Filter as a proposed security mechanism and demonstrates why it fails to prevent these slow, iterative intrusions. The paper concludes by discussing potential solutions, including anomaly detection, while acknowledging that as long as nodes must trust peer-supplied coordinate updates within accepted margins of error, network coordinate systems remain fundamentally vulnerable.
There is a theory about frogs that says if one places a frog into a pot of boiling water, that frog will immediately jump out because of the heat. That same theory also says that a frog can be placed into cold water and the temperature can be gradually raised. Because the frog will not, allegedly, notice the minor increases in temperature, it is possible for the frog to be boiled to death that way. While this sounds more like something out of an unpleasant science experiment, the same analogy has been used by Chan-Tin et al. (2011) to show that secure network coordinate systems may not be so secure after all.
The theory is that these networks will notice large-scale or significant attacks, but that they will not notice attacks on a much smaller and more incremental scale (Barreno et al., 2006; Shavitt & Tankel, 2003; Sherr, Blaze, & Loo, 2009). With that being the case, anyone who uses a slow, simple, nearly gentle attack on a network system can change the nodes enough over time to make them significantly different from what they were originally. Because the attack is so gradual, the differences in the nodes are not great enough each time they are changed to send up any red flags about what is taking place (Bavier et al., 2004; Kaafar et al., 2007). The end result is far different from what is seen in the beginning, but there is no evidence of attack (Chan-Tin et al., 2011).
Naturally, this is a highly ingenious way of attacking a network and circumventing its security systems. It has been termed the frog-boiling attack for the way it starts out safe and slowly changes to something dangerous without the notice of the affected party (Chan-Tin et al., 2011). Think of the gradual changes in nodes as the slowly rising temperature of the water. The network is the frog. Chan-Tin et al. (2011) have studied this extensively and shown how this particular attack can be used to thwart the security of three systems thought to be the most reputable and safe due to their high-level and very carefully designed security measures.
These three systems are Veracity, Vivaldi, and Vuze BitTorrent. Three different kinds of attacks are examined, and it is shown how they can be highly effective when used properly — even against "secure" systems carefully designed to avoid problems. The issue lies with the variance required to trigger a flag indicating that a problem exists. Remaining under that variance level triggers nothing, yet still changes the node (Chan-Tin et al., 2011). Lying to the node too much will flag a problem; lying to it too little will not produce the desired changes. By lying just the right amount to all the nodes continuously, the frog-boiling attack can be implemented on any secure system, as demonstrated below.
The basic-targeted attack targets a particular node and singles it out. Once the node has been chosen, the attack is launched with the goal of slowly changing the coordinates of that node (Chan-Tin et al., 2011). This must be done carefully and in very small steps, or it will not be successful. In order to carry this out properly, a clear understanding of the node and how the system in which that node is located works is essential. Pyxida, for example, only updates node coordinates when it is pinged. That means the node that is the victim of the attack must contact the attacking nodes in order for the attack to be successful. If there are 10% attackers in the network, the victim node will contact one of them 10% of the time (Chan-Tin et al., 2011). A node that is the neighbor of a victim node will remain there for 32 iterations, which allows others to contact it and spread the attack (Chan-Tin et al., 2011).
All the attacking node needs is just enough time to make contact with other nodes. From there, the attack can spread to more and more nodes as they contact one another over time. What seems like a long process is not, because nodes contact one another very rapidly in order to move information through the network. With this rapid contact, nodes spread attacks such as the frog-boiling attack much more quickly than most people would assume (Chan-Tin et al., 2011).
After 32 iterations, there is a very high probability — more than 96% — that an attacker node will be a neighbor of a victim node (Chan-Tin et al., 2011). When at least one attacker node appears in the neighbor list of a victim node, that victim node can be targeted quite easily. In Pyxida, the neighbor list is updated every 10 seconds so that the current force can be calculated (Chan-Tin et al., 2011). Every time this is updated, the victim node adjusts its coordinates to move a little bit closer to the target coordinates needed for the attack to be effective. The attacking nodes focus solely on the victim node; they do not respond to other nodes, and so they are not noticed by the system in any way (Chan-Tin et al., 2011).
The variance changes in the victim node are so small that they, too, go unnoticed. They fall within the tolerance levels required for that particular node each time they change, so no alert is triggered that a problem is developing (Chan-Tin et al., 2011). Because other nodes are unaware of the attacker nodes, and because the victim node's changes are incremental enough to avoid falling outside accepted variation, the attack is clearly effective when carried out correctly on the right type of system. Any kind of outlier-detection system is therefore not adequate for security in a distributed network coordinate system (Chan-Tin et al., 2011).
The attack works because the victim is moved to a new location in small steps rather than in one large move that would surely be detected by other nodes in the network. By varying the number of attackers and the magnitude of coordinate changes, an attack on a victim node and its network can be slowed down or sped up at will (Chan-Tin et al., 2011). The only requirement is that the coordinate change each time be small enough to go undetected. Beyond that, there is little else required, and large attacks over significant portions of the network remain possible — even when the network is designed to be secure and has been tested to have very low tolerance for internal or external changes (Chan-Tin et al., 2011).
The number of attack nodes and the variance tolerance of the victim node can affect how quickly the network is disrupted. For example, increasing the variance to a higher level and adding more attack nodes can reduce an expected four-hour attack timeframe to two hours or less. That requires only 36 contacts between the victim nodes and the attack nodes, with 720 update intervals (Chan-Tin et al., 2011). At that point, disruptions in the network would begin to appear. The attacker can continue to increase the variance, but there will eventually come a point at which the variance is no longer effective because the frog-boiling attack fails (Chan-Tin et al., 2011). This typically occurs when the victim node's coordinates change too rapidly, causing the system to flag the changes as potentially problematic. To remain successful, the node changes must be gradual enough to avoid triggering such a flag.
The second kind of attack discussed by Chan-Tin et al. (2011) is the network-partition attack. This attack is similar to the basic-targeted attack but has one distinct difference. In the basic-targeted attack, victim nodes are gradually moved until they reach far-away coordinates. In the network-partition attack, the rest of the network to which those nodes belong is also moved. By partitioning off part of the network, the attack is able to isolate only the area it needs to attack or infect (Chan-Tin et al., 2011). A section of the network can thus be taken over instead of only adjusting selected nodes or attempting to take over the entire network. It takes nearly 500 minutes for the network-partition attack to have an effect, but at that point the network begins to separate into two parts. There is a pull between the two emerging networks, so the exact coordinates intended by Chan-Tin et al. (2011) were not reached. Despite that, the networks were partitioned effectively, which was the ultimate goal of the attack (Chan-Tin et al., 2011).
"Attacker nodes race to become nearest neighbor to victim"
"Kalman Filter security layer fails against gradual attacks"
"Anomaly detection proposed but still insufficient"
Beyond those parameters, there are no requirements. That makes it very easy to make small changes over time — such as those characteristic of the frog-boiling attack — that go undetected until a serious problem has already taken hold. By that time, whatever the attack is specifically designed to accomplish has already infiltrated the network and caused damage that is not easy to repair. It may not even be possible to contain the damage without shutting down the entire network. Depending on the network and its purpose, that could compromise everything from a few personal internet connections to the security of critical national infrastructure. With that in mind, attacks such as the frog-boiling attack must be taken seriously, and effective security measures that are not vulnerable to these incremental intrusions must be developed.
Chan-Tin et al. (2011) provide important points to consider in their work. If network coordinate systems thought to be safe can be attacked so easily and so successfully, the implications for network security as a whole are significant. More importantly, how can these issues be corrected so that frog-boiling attacks will no longer be effective against these systems? Even the Kalman Filter — an additional layer of protection — was not successful at detecting the attack and stopping it before serious problems occurred. Having a decentralized network coordinate system would be beneficial to a large number of internet applications, but only if it can be used safely and securely. The early versions of these systems do not provide the level of security needed to operate them properly. With one attacker and a degree of patience, the entire system can be compromised. This is a serious concern, because it does not require advanced techniques or large-scale attacks to cause significant damage.
You’re 56% through this paper. Sign up to read the remaining 3 sections.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.