One problem we were facing was that an attacker could spawn a bunch of malicious Nodes and pick their IDs strategically (due to lack of central control) so that they would take over a certain key-space and make the affected section of the DHT essentially unusable or let's say not trustworthy.
The simple idea I had to address this problem was to limit the number of hosts coming from the same Class-C Network per bucket. Once a certain threshold was reached the routing table would refuse to add a new host from the affected subnet and an attacker would have to spread among many subnets to pull this off.
It's great to see that this simple idea is living on in gtk-gnutella and I've generalized it since then and implemented it as a standalone class in my ardverk-base library.