1 / 16

Authors: Junho Suh, Hoon-gyu Choi, Wonjun Yoon @Seoul National University

Content-oriented Networking Platform: A Focus on DDoS Countermeasure ( In incremental deployment perspective). Authors: Junho Suh, Hoon-gyu Choi, Wonjun Yoon @Seoul National University. Outline. Introduction Content-oriented Networking Architecture Communication Procedure Main components

gcook
Download Presentation

Authors: Junho Suh, Hoon-gyu Choi, Wonjun Yoon @Seoul National University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Content-oriented Networking Platform:A Focus on DDoS Countermeasure(In incremental deployment perspective) Authors: Junho Suh, Hoon-gyu Choi, Wonjun Yoon @Seoul National University

  2. Outline • Introduction • Content-oriented Networking Architecture • Communication Procedure • Main components • Scenario • Summary

  3. Change in Communication Paradigm • Move to Content-oriented Network • Internet traffic is already content-oriented • CDN, multimedia, P2P… • Users/applications care “what to receive” • They don’t care “from whom” • Host based communication model is outdated

  4. IP networking vs. Content networking • IP networking • Lookup-by-name • Indirection (from name to locator) • Availability concerned • Locators can be aggregated • Achieving routing scalability • Content-oriented networking • Route-by-name • No indirection • Better availability • Scalability issue • Content name is flat • No backward compatibility

  5. Content networking under IP network • Observations • Current IP networking leverages network prefixes in routing • Routing scalability is good • Content-oriented networking is not good for routing, but good for availability • Huge scaling burden • No backward compatibility in content-oriented networking • Content routing and IP routing should be combined • We propose a grassroots approach • Some popular contents will be cached • Routing info. for those contents can be propagated in local and best-effort manner

  6. Content-oriented networking platform • Objectives • Exploit content networking to adopt current Internet • New entities • Content-aware Agent • Interact content based network and IP network • Achievements • Security, accountability, incremental deployment to the current Internet

  7. Content Request • IP-less communication • Assumption • Lookup “Content Name” by web search • Content Name • URI form • http://youtube.com/south-afreeca-worldcup-2010.avi • Communication inside domain • Requests are relayed to CAA by L2 forwarding • CAA contacts DNS • Consumer cannot contact server directly 1: I want a particular content (e.g. HTTP URI) internet CAA consumer 2: Here you are

  8. Content Distribution • Registers its domain name in DNS • Agent’s IP address (of the egress link) 1: a request for your content internet CAA publisher 2: here you are

  9. Content-Aware Agent (CAA) • Proxy for interacting with IP network • Handle content requests/response • FQDN to obtain IP address for publisher’s CAA • Authority content server’s CAA • Caching the requested contents • Gateway for heterogeneous networks • Protocol translate or Tunneling • Relay contents in inter-domain environment

  10. General Architecture Content based Communication Content Distribution IP based Communication DNS Content distribution Agent’s IP address Gateway A Content request Agent Publisher Agent host Gateway B Domain Name System Content-Aware Agent (CAA) Content-Aware Router (CAR)

  11. Scenario • DDoS can happen by requesting content (using HTTP URIs) • Many hosts across multiple ISPs • Agent of the publisher detects first • Informs the all the gateways of this event • To request countermeasure • A gateway solicits other gateway to reduce the content request rate to the publisher under attack * DDoS might not be activated by some admission control

  12. Implementation 4. Make decision whether DDoS or not CPU RxQ CPU RxQ CPU RxQ CPU RxQ MAC TxQ MAC TxQ MAC TxQ MAC TxQ 3. Accounting flow 2. Monitoring Requested contents Software Openflowdatapath Agent Driver nf2c0 nf2c1 nf2c2 nf2c3 ioctl PCI Bus DMA Registers CPU TxQ CPU TxQ CPU TxQ CPU TxQ nf2_reg_grp NetFPGA-Openflow 1. Capture URI/URL user data path MAC RxQ MAC RxQ MAC RxQ MAC RxQ Ethernet

  13. Implementation • In the header parser http_get messages are captured, and then forwarded to the nc2c0 • Otherwise, the module bypasses normal packets

  14. Implementation • Controller • Each agent solicits other agents to reduce the content request rate to the publisher under attack via controller • To all connected Agent • Agent • Checks and limits the rate (if # of request > threshold)

  15. Scenario Example HTTP GET TCP flow Control flow controller Attacker Attacker Content Server Agent Regular host

  16. Summary • Grassroots approach • Content-oriented Networking Platform • Content-Aware Agent (CAA)

More Related