The InterPlanetary File System (IPFS) is a decentralized peer-to-peer (P2P) storage built on Kademlia, a Distributed Hash Table (DHT) structure commonly used in P2P systems and known for its proved scalability. However, DHTs susceptible to Sybil attacks, where a single entity controls multiple malicious nodes. Recent studies have shown that IPFS is affected by a passive content eclipse attack, leveraging Sybils, in which adversarial nodes hide received indexed information from other peers, making the content appear unavailable. Fortunately, the latest mitigation strategy coupling an attack detection based on statistical tests and a wider publication strategy upon detection was able to circumvent it. In this work, we present a new active attack in which malicious nodes return semantically correct but intentionally false data. The attack leverages strategic Sybil placement to evade detection and exploits an early termination in the actual Kubo, the main IPFS implementation. It achieves to fully eclipse content on recent Kubo versions. When evaluated against the most recent known mitigation, it successfully denies access to the target content in approximately 80% of lookup attempts. To address this vulnerability, we propose a new mitigation called SR-DHT-Store, which enables efficient, Sybil-resistant content publication without relying on attack detection. Instead, it uses systematic and precise use of region-based queries based on a dynamically computed XOR distance to the target ID. SR-DHT-Store can be combined with other defense mechanisms, fully mitigating passive and active Sybil attacks at a lower overhead while supporting an incremental deployment.

翻译：星际文件系统（IPFS）是一种基于Kademlia的去中心化点对点（P2P）存储系统，Kademlia采用分布式哈希表（DHT）结构，因其可证明的可扩展性而广泛应用于P2P系统中。然而，DHT易受女巫攻击（Sybil attack）影响，即单个实体控制多个恶意节点。近期研究表明，IPFS受一种利用女巫节点的被动内容遮蔽攻击影响，在此攻击中，恶意节点向其他对等节点隐藏已接收的索引信息，使内容显示为不可用。幸运的是，最新结合基于统计检验的攻击检测与检测后更广泛的发布策略的缓解方法，能够绕过此类攻击。在本文中，我们提出一种新的主动攻击：恶意节点返回语义正确但故意错误的数据。该攻击利用策略性女巫节点布局以规避检测，并利用实际IPFS主要实现Kubo中的早期终止机制。该攻击能在最新Kubo版本上实现内容的完全遮蔽。当针对已知的最新型缓解方法进行评估时，它在约80%的查找尝试中成功拒绝目标内容的访问。为解决此漏洞，我们提出一种名为SR-DHT-Store的新型缓解方案，该方案无需依赖攻击检测即可实现高效、抗女巫的内容发布。取而代之的是，它基于动态计算的目标ID的XOR距离，系统且精确地使用区域查询。SR-DHT-Store可与其他防御机制结合使用，以较低开销完全缓解被动和主动女巫攻击，同时支持增量部署。