When it comes to our networks’ and communication’s security, firewalls, SIEM (Security Information and Event Management) systems or anti-virus softwares come to mind first, and, in the same way, regarding cyber attacks against said networks, we associate them to DDoS (Distributed Denial of Service) attacks, different exploits against TCP and UDP protocols and such. But there are other forms of owning a network; forms that aim for the structural and architectural weaknesses instead of well-known vulnerabilities. One of these, which we present in this post, is the so-called sybil attack.

A sybil attack is a type of attack that is carried out against a network to ruin its authority and trust. It is typically seen in reputation systems; these operate the way that users rate each other in order to be possible to tell if a user can be trusted or not. We may think of e-Commerce websites, such as Amazon or eBay. Malicious actors carry out this type of attack by operating with multiple identities on the same node (computer, network etc.). These endorse each other in ratings, so it may appear to other parties that these can be trusted, so the attacker can use them to gain big influence on the system.

The mechanism of Sybil attacks

Source: https://www.pp.io/docs/guide/Five_Kinds_of_Attacks.html

In the history of networks, we have seen many-many sybil attacks. For example an attack of this kind was carried out in 2014, when the Tor network was exploited in order to deanonymize the system’s users; in this scenario, attackers set up at least 155 fast non-exit relays acting as „entry guards”. But there were sybil attacks with even bigger influence, like against blockchain-based currencies or even politics. Many experts state that that the alleged Russian interference in the USA’s presidental election was a type of sybil attack, although the platform itself (Facebook) was not compromised. Some call these pseudo-sybil attacks, and unfortunately, if we observe close enough, we can see this every day in various platforms.

But since this is a blog mainly about PKI, the question arises – are cryptographic tools and methods safe from sybil attacks? Well, yes and no. If we take a close look of networks that are affected by this type of malicious act, we see that the vast majority operate in a peer-to-peer way, meaning the different nodes on the network can act as both servers and clients. We know that there are several P2P crypto solutions, including the famous PGP program. These are not exactly safe from such attacks, certainly not without different access control measures. But the case is different when we talk about (hierarchical) PKIs. These are not ad-hoc, but compensating that, they do not allow nodes to join without pre-distributing keys and that excludes the possibility of a sybil attack to be carried out. So if you use a public key infrastructure ran by a qualified trust service provider, do not worry, you are safe.

Sources:

https://arstechnica.com/information-technology/2014/07/active-attack-on-tor-network-tried-to-decloak-users-for-five-months/

http://tmu.ac.in/college-of-computing-sciences-and-it/wp-content/uploads/sites/17/2016/10/T418.pdf

https://www.freehaven.net/anonbib/cache/sybil.pdf

https://crypto.stackexchange.com/questions/35757/what-are-the-most-appropriate-pki-based-cryptographic-protocols-for-peer-to-peer