
Mitigate DDoS Attacks in NDN by Interest Traceback


Presentation Transcript


  1. Mitigate DDoS Attacks in NDN by Interest Traceback • Huichen Dai, Yi Wang, Jindou Fan, Bin Liu • Tsinghua University, China

  2. Outline • Background of Named Data Networking (NDN) • Pending Interest Table (PIT) • DDoS in IP & NDN • Concrete Scenarios of DDoS Attack • Countermeasures to NDN DDoS Attack • Evaluation • Related Work • Conclusion


  4. Background of NDN • A newly proposed clean-slate network architecture; • Embraces the Internet’s transition from host-to-host communication to content dissemination; • Routes and forwards packets by content name rather than by host address; • Request-driven (pull) communication model: • Request: Interest packet • Response: Data packet


  6. Pending Interest Table (PIT) • A table specific to NDN, with no equivalent in IP; • Keeps track of Interest packets that have been received but not yet satisfied; • An NDN router inserts every forwarded Interest into the PIT and removes the matching entry when the corresponding Data packet arrives; • Gives NDN several significant features: • communication without knowledge of host locations (Data follows the PIT entries back to the requester); • loop and packet-loss detection; • multipath routing support; etc. • [foreshadowing] PIT – the victim of the DDoS attack.


  8. DDoS in IP • Multiple compromised systems send numerous packets targeting a single system; • Spoofed source IP addresses; • Consume the resources of a remote host or network; • Easy to launch, hard to prevent, and difficult to trace back.

  9. DDoS in NDN (1/2) • Is a DDoS attack possible in NDN? • YES • How to launch it? • Compromised systems send • numerous Interest packets with spoofed (forged) names, • making evil use of the forwarding rule: every forwarded Interest is recorded in the PIT until Data returns.

  10. DDoS in NDN (2/2) • Results: • The Interest packets solicit nonexistent content; • therefore they can never be satisfied; • they stay in the PIT forever, or until they expire; • They exhaust the router’s computing and memory resources – as DDoS in IP does; • Two categories of NDN DDoS attack: • Single-target DDoS Attacks • Interest Flooding Attack


  12. Single-target DDoS Attacks (1/4) • Resembles IP DDoS – can be viewed as a replay of IP DDoS in NDN; • Exploits the Longest Prefix Match rule applied when looking up Interest names in the FIB; • Spoofed name composition: existing prefix + forged suffix; • The spoofed name is encapsulated in Interest packets; • The Interest packets are forwarded to the content provider that owns the existing prefix; • No corresponding content is returned, so the PIT entries along the path remain.

  13. Single-target DDoS Attacks (2/4) • Figure: Interest packet with a spoofed name, composed of an existing prefix followed by a forged suffix.

  14. Single-target DDoS Attacks (3/4) • Figure: the attacking process. Spoofed Interest packets converge on the victims; no content is returned.

  15. Single-target DDoS Attacks (4/4) • Victims: the Content Provider (CP) and the routers. • Content Provider: • DDoS may “lock” its memory and computing resources; • it can block the attack with a Bloom filter over the names it actually serves, dropping Interests for forged suffixes cheaply. • Routers: • The unsatisfiable Interest packets stay in the PIT; • the PIT grows huge and CPU utilization rises; • memory and computing resources on the routers are “locked” and may be exhausted. • The attack incurs extra load on both end hosts and routers, but the routers suffer much more!
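One way the content provider can do the blocking that slide 15 mentions, as an added example (not the paper's code or the authors' implementation): a Bloom filter built over the provider's own content names. An Interest whose forged suffix was never published is dropped before it touches real storage, and a genuine name is never dropped, since a Bloom filter has no false negatives. The names, the 1% false-positive target and the SHA-256 double-hashing scheme are constructed assumptions. Note that this only helps the host that knows its own catalogue; a router has no such list, which is why the routers remain the victims.

```python
"""Provider-side Bloom filter over served content names.
Added example, not from the paper; names and parameters are constructed."""
import hashlib
import math


class BloomFilter:
    def __init__(self, expected_items, fp_rate=0.01):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = max(8, int(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, int(round(self.m / expected_items * math.log(2))))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, name):
        # Double hashing: k bit positions derived from one SHA-256 digest.
        d = hashlib.sha256(name.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, name):
        for p in self._positions(name):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, name):
        # False only if some bit is clear, so a published name always passes.
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(name))


def build_filter(content_names, fp_rate=0.01):
    """Build the filter from the provider's catalogue of published names."""
    bf = BloomFilter(len(content_names), fp_rate)
    for name in content_names:
        bf.add(name)
    return bf


def filter_interests(bf, interest_names):
    """Split incoming Interests into (accepted, dropped) by catalogue membership."""
    accepted, dropped = [], []
    for name in interest_names:
        (accepted if bf.might_contain(name) else dropped).append(name)
    return accepted, dropped


def demo():
    """Constructed workload: 1,000 real names, 10,000 forged suffixes."""
    served = [f"/tsinghua/video/lecture{i}" for i in range(1000)]
    forged = [f"/tsinghua/video/forged-{i}" for i in range(10000)]
    bf = build_filter(served, fp_rate=0.01)
    passed, _ = filter_interests(bf, served)       # every real name passes
    _, dropped = filter_interests(bf, forged)      # ~99% of forged names dropped
    return {"served_passed": len(passed), "forged_dropped": len(dropped),
            "forged_total": len(forged)}


if __name__ == "__main__":
    print(demo())
```

The residual 1% of forged names that slip through are false positives; they still reach the provider's real lookup and miss there, so the filter reduces the load rather than eliminating it, and the false-positive rate is the knob traded against filter size.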

  16. Interest Flooding Attack (1/2) • Distributed compromised systems flood Interest packets whose names are entirely forged (no existing prefix); • Such Interests match no FIB entry in the routers, so they are either broadcast or discarded; • The paper assumes unmatched Interests are broadcast, signalled by a special bit in the packet; • The forged Interest packets are then • duplicated and propagated throughout the network, • reaching the hosts at the edge of the network. • No corresponding content is returned, so PIT entries accumulate at every router they cross.

  17. Interest Flooding Attack (2/2) • Figure: the attacking process. Spoofed Interest packets are replicated at each broadcast point and fan out across the network.


  19. Countermeasures to NDN DDoS • First consider the countermeasures used against IP DDoS: • Resource management: helps end hosts in NDN, but a simple filter at the host already blocks the attack there; it does not relieve the routers; • IP filtering: not applicable, an Interest packet carries no information about its source; • Packet traceback: difficult in IP, easy in NDN. • NDN Interest traceback: • The PIT keeps track of unsatisfied Interest packets – a “bread crumb” trail left hop by hop; • follow the bread crumbs back to the attackers.

  20. NDN Interest Traceback (1/4) • Step 1: Trigger the traceback process when the PIT size grows at an alarming rate or exceeds a threshold; • Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in its PIT; • Step 3: The spoofed Data packets are forwarded back towards the originator; each intermediate router looks up its own PIT and forwards to the recorded incoming face; • Step 4: Dampen the originator (e.g. rate limiting at the edge router).

  21. NDN Interest Traceback (2/4) • The spoofed Data packets carry the same forged names as the pending Interest packets; • so they match the unsatisfied Interest entries in each PIT, i.e. the trace follows the “bread crumb” trail. • Figure: spoofed Data packet named with the existing prefix and the forged suffix.

  22. NDN Interest Traceback (3/4) • Figure: traceback against Single-target DDoS Attacks; spoofed Data packets travel back along the PIT entries to the attackers.

  23. NDN Interest Traceback (4/4) • Figure: traceback against the Interest Flooding Attack; spoofed Data packets retrace each broadcast branch to its originator.
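The single-target attack of slides 12 to 15 and the four traceback steps of slides 20 and 21, as one added illustration (not the paper's code or the authors' implementation): a toy Python model of three routers and one content provider. Longest-prefix match in the FIB lets an Interest for an existing prefix plus a forged suffix reach the provider, every router on the path leaves a PIT entry that no Data ever consumes, and traceback at the overloaded router fabricates Data for the stale entries, follows the PIT bread crumbs back to the originating face, and dampens that face at the edge. The topology, the names, the 50-entry threshold and the hop-by-hop forwarding loop are constructed assumptions; real NDN forwarders also aggregate duplicate Interests onto several incoming faces and expire PIT entries, which this toy leaves out.

```python
"""Toy NDN forwarding model: FIB longest-prefix match, PIT growth under a
single-target DDoS with forged suffixes, and Interest traceback.
Added illustration, not the paper's code. Topology, names, threshold and
the hop-by-hop loop are constructed assumptions."""


class Router:
    def __init__(self, name, fib):
        self.name = name
        self.fib = fib          # name prefix -> next hop (neighbour name)
        self.pit = {}           # Interest name -> (incoming face, arrival time)
        self.dampened = set()   # faces whose Interests are dropped after traceback

    def lpm(self, name):
        """Longest Prefix Match: '/a/b/forged' still matches the FIB entry '/a'."""
        comps = name.strip("/").split("/")
        for n in range(len(comps), 0, -1):
            prefix = "/" + "/".join(comps[:n])
            if prefix in self.fib:
                return self.fib[prefix]
        return None             # no match: this toy discards (no broadcast bit)


class Net:
    def __init__(self, routers, providers):
        self.r = {rt.name: rt for rt in routers}
        self.providers = providers   # host name -> set of names it can serve
        self.now = 0                 # logical clock, advanced by the caller

    def send_interest(self, src, hop, name):
        """Forward one Interest hop by hop. Returns True if Data came back."""
        while hop in self.r:
            rt = self.r[hop]
            if src in rt.dampened or name in rt.pit:   # rate-limited, or aggregated
                return False
            nxt = rt.lpm(name)
            if nxt is None:
                return False
            rt.pit[name] = (src, self.now)            # leave a bread crumb
            src, hop = hop, nxt
        if name in self.providers.get(hop, ()):
            self.return_data(src, name)
            return True
        return False     # forged suffix: provider has nothing, PIT entries linger

    def return_data(self, hop, name):
        """Data (genuine or spoofed) follows the PIT bread crumbs back to the
        requester. Returns (edge router, face delivered to), or None when a
        router has no matching PIT entry (unsolicited Data is dropped)."""
        last = None
        while hop in self.r:
            entry = self.r[hop].pit.pop(name, None)
            if entry is None:
                return None
            last, hop = hop, entry[0]
        return last, hop

    def traceback(self, router_name, threshold, min_age):
        """Interest traceback: once the PIT is alarmingly large, satisfy every
        long-pending entry with a spoofed Data packet, follow it back to the
        originating face and dampen that face at the edge router."""
        rt = self.r[router_name]
        if len(rt.pit) < threshold:
            return set()
        stale = [n for n, (_, t) in rt.pit.items() if self.now - t >= min_age]
        identified = set()
        for name in stale:
            hit = self.return_data(router_name, name)
            if hit is not None:
                edge, face = hit
                self.r[edge].dampened.add(face)
                identified.add((edge, face))
        return identified


def run_demo():
    """Two attackers behind different edge routers, one legitimate client."""
    r1 = Router("R1", {"/tsinghua": "R2"})
    r2 = Router("R2", {"/tsinghua": "P"})
    r3 = Router("R3", {"/tsinghua": "R2"})
    net = Net([r1, r2, r3], {"P": {"/tsinghua/video/lecture1"}})

    # Attack wave: existing prefix + unique forged suffix, never satisfiable.
    for i in range(50):
        net.send_interest("A1", "R1", f"/tsinghua/video/a1-forged-{i}")
        net.send_interest("A2", "R3", f"/tsinghua/video/a2-forged-{i}")
    legit_before = net.send_interest("C", "R1", "/tsinghua/video/lecture1")
    pit_before = {n: len(rt.pit) for n, rt in net.r.items()}

    net.now += 5                                   # entries age, no Data arrives
    found = net.traceback("R2", threshold=50, min_age=1)
    pit_after = {n: len(rt.pit) for n, rt in net.r.items()}

    # Second wave: dampened faces are dropped at the edge, the client is still served.
    for i in range(50, 100):
        net.send_interest("A1", "R1", f"/tsinghua/video/a1-forged-{i}")
    legit_after = net.send_interest("C", "R1", "/tsinghua/video/lecture1")
    pit_final = {n: len(rt.pit) for n, rt in net.r.items()}
    return {"pit_before": pit_before, "identified": found, "pit_after": pit_after,
            "pit_final": pit_final, "legit": (legit_before, legit_after)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The run shows the shape of the evaluation figures on a small scale: the PIT at the core router R2 holds every forged name from both edges while the legitimate request is answered and cleaned up, the spoofed Data packets empty all three PITs and pin each attacker to the edge face it entered through, and after that the edge router drops the second wave before it can create a single PIT entry. The Interest Flooding variant differs only at the FIB lookup step (no match, then broadcast), so the same bread-crumb trail would lead back along every branch the broadcast took.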


  25. Evaluation (1/7) • Two parts: • Harmful consequences of the DDoS attacks; • Effect of the countermeasure. • Platform • Xeon E5500 CPU, 2.27 GHz, 15.9 GB RAM. • Topology • A randomly chosen sub-topology of EBONE (AS1755) from the Rocketfuel dataset, consisting of 172 routers and 763 edges.

  26. Evaluation (2/7) • Single-target DDoS Attacks • 100 attackers; • Interest packet sending rate: 1,000 per second; • Spoofed names = existing prefix + forged suffix, around 1,000 bytes each. • Evaluation goals (measured on edge routers) • Number of PIT entries; • Memory consumption of the PIT; • CPU cycles spent on the edge router due to the DDoS attack.

  27. Evaluation (3/7) • Figure: increase in the number of PIT entries due to DDoS attacks. • Figure: increase in PIT memory consumption due to DDoS attacks.

  28. Evaluation (4/7) • Figure: router CPU cycles consumed per second under DDoS attacks.

  29. Evaluation (5/7) • Interest Flooding Attack • Similar results to the Single-target DDoS on each router. • Effect of Interest traceback, goals: • Number of identified attackers; • Extra number of PIT entries due to the DDoS attacks after Interest traceback begins; • CPU cycles consumed per second after Interest traceback begins.

  30. Evaluation (6/7) • Figure: number of identified attackers over time.

  31. Evaluation (7/7) • Figure: the number of PIT entries decreases as more attackers are detected. • Figure: consumed CPU cycles decrease as more attackers are detected.


  33. Related Work (1/2) • [1] T. Lauinger, Security & Scalability of Content-Centric Networking, Master’s Thesis, Technische Universität Darmstadt, 2010. • First to point out that DoS can use the PIT to fill up the available memory in a router; • some preliminary ideas for countermeasures. • [2] Y. Chung, Distributed Denial of Service is a Scalability Problem, ACM SIGCOMM CCR, 2012. • Identifies that broadcasting Interest packets can overfill the PIT in a router; • no countermeasure proposed.

  34. Related Work (2/2) • [3] M. Wählisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the Data Plane – Threats to Stability and Security in Information-Centric Networking, Technical Report, 2012. • Massive requests for locally unavailable content; • no countermeasure proposed. • [4] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, DoS & DDoS in Named-Data Networking, Technical Report, 2012. • Aware of the Interest Flooding Attack (one of the two basic DDoS categories in our paper), as we are; • a tentative countermeasure – a push-back mechanism, different from our Traceback method; • no assessment or evaluation.


  36. Conclusion • Presented specific and concrete scenarios of DDoS attacks in NDN; • Demonstrated that NDN DDoS attacks are possible; • Identified the Pending Interest Table as the largest victim of NDN DDoS; • Proposed a countermeasure, Interest traceback, against NDN DDoS; • Verified the effectiveness of Interest traceback.

  37. Thank You! Questions please.
