TRANSCRIPT
Content-oriented Networking Platform:
A Focus on DDoS Countermeasure
(In incremental deployment perspective)
Authors: Junho Suh, Hoon-gyu Choi, Wonjun Yoon (Seoul National University)
Outline
• Introduction
• Content-oriented Networking Architecture
  – Communication Procedure
  – Main components
  – Scenario
• Summary
Change in Communication Paradigm
• Move to Content-oriented Network
  – Internet traffic is already content-oriented
    • CDN, multimedia, P2P…
  – Users/applications care “what to receive”
    • They don’t care “from whom”
    • Host-based communication model is outdated
IP networking vs. Content networking
• IP networking
  – Lookup-by-name
    • Indirection (from name to locator)
  – Availability concerned
    • Locators can be aggregated
  – Achieving routing scalability
• Content-oriented networking
  – Route-by-name
    • No indirection
  – Better availability
  – Scalability issue
    • Content name is flat
  – No backward compatibility
Content networking under IP network
• Observations
  – Current IP networking leverages network prefixes in routing
    • Routing scalability is good
  – Content-oriented networking is not good for routing, but good for availability
    • Huge scaling burden
  – No backward compatibility in content-oriented networking
• Content routing and IP routing should be combined
• We propose a grassroots approach
  – Some popular contents will be cached
  – Routing info. for those contents can be propagated in a local and best-effort manner
Content-oriented networking platform
• Objectives
  – Exploit content networking to adopt the current Internet
• New entities
  – Content-aware Agent
    • Interacts between the content-based network and the IP network
• Achievements
  – Security, accountability, incremental deployment to the current Internet
Content Request
• IP-less communication
• Assumption
  – Lookup “Content Name” by web search
  – Content Name
    • URI form
    • http://youtube.com/south-afreeca-worldcup-2010.avi
• Communication inside domain
  – Requests are relayed to CAA by L2 forwarding
  – CAA contacts DNS
  – Consumer cannot contact server directly
[Figure: consumer – CAA – internet. 1: I want a particular content (e.g. HTTP URI); 2: Here you are]
Content Distribution
• Registers its domain name in DNS
  – Agent’s IP address (of the egress link)
[Figure: publisher – CAA – internet. 1: a request for your content; 2: here you are]
Content-Aware Agent (CAA)
• Proxy for interacting with IP network
  – Handles content requests/responses
• FQDN to obtain IP address for publisher’s CAA
  – Authoritative content server’s CAA
  – Caching the requested contents
• Gateway for heterogeneous networks
  – Protocol translation or tunneling
  – Relays contents in an inter-domain environment
General Architecture
[Figure: general architecture. Components: host, Agent, Gateway A, Gateway B, Publisher, DNS (Domain Name System), Content-Aware Agent (CAA), Content-Aware Router (CAR). Flows shown: content request, Agent’s IP address, content distribution. Left half labelled “Content based Communication”, right half “IP based Communication”.]
Scenario
• DDoS can happen by requesting content (using HTTP URIs)
  – Many hosts across multiple ISPs
• Agent of the publisher detects first
  – Informs all the gateways of this event
  – To request countermeasure
• A gateway solicits other gateways to reduce the content request rate to the publisher under attack
* DDoS might not be activated by some admission control
Implementation
[Figure: NetFPGA-OpenFlow software data path. Software (nf2c0, nf2c1, nf2c2, nf2c3, ioctl, nf2_reg_grp, user data path, per-port CPU RxQ/TxQ) connected over the PCI bus to four Ethernet ports, each with MAC RxQ/TxQ.]
1. Capture URI/URL
2. Monitor requested contents
3. Account flow
4. Decide whether DDoS or not
Implementation
– In the header parser, http_get messages are captured and then forwarded to nf2c0
– Otherwise, the module bypasses normal packets
Implementation
• Controller
  – Each agent solicits other agents, via the controller, to reduce the content request rate to the publisher under attack
    • To all connected Agents
• Agent
  – Checks and limits the rate (if # of requests > threshold)
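As an added example (not the authors' code) of the controller/agent loop described on this slide, in Python: each agent accounts HTTP GETs per content name in a sliding window, reports the publisher to the controller once a name passes the threshold, and the controller tells every connected agent to cap requests to that publisher. The threshold, window length, log-line format and class names are assumptions.

```python
from collections import defaultdict, deque

class Controller:
    """Relays one agent's DDoS report to every connected agent."""
    def __init__(self):
        self.agents = []

    def report_attack(self, publisher, allowed_per_window):
        for agent in self.agents:
            agent.limits[publisher] = allowed_per_window

class ContentAgent:
    """CAA model: counts HTTP GETs per content name in a sliding window, reports
    the publisher when a name exceeds the threshold (step 4 in the slides) and
    enforces the per-publisher limit the controller hands down. Threshold,
    window and log format are assumptions, not the authors' values."""
    def __init__(self, controller, threshold, window_s):
        self.controller = controller
        controller.agents.append(self)
        self.threshold = threshold       # GETs per window before DDoS is assumed
        self.window_s = window_s
        self.seen = defaultdict(deque)   # content name -> arrival timestamps
        self.limits = {}                 # publisher -> allowed GETs per window

    def _count(self, ts, uri):
        q = self.seen[uri]
        q.append(ts)
        while q[0] <= ts - self.window_s:   # evict arrivals outside the window
            q.popleft()
        return len(q)

    def handle_get(self, ts, uri):
        """Return True if this GET may be relayed toward the publisher."""
        publisher = uri.split("/")[2]          # host part of the HTTP URI
        n = self._count(ts, uri)
        if n > self.threshold:                 # decide DDoS, solicit countermeasure
            self.controller.report_attack(publisher, self.threshold)
        limit = self.limits.get(publisher)
        return limit is None or n <= limit

def replay(agent, log_lines):
    """Feed constructed 'ts GET uri' lines to an agent; return (relayed, dropped)."""
    verdicts = [agent.handle_get(float(ts), uri) for ts, _, uri in map(str.split, log_lines)]
    return verdicts.count(True), verdicts.count(False)

# Constructed sample: 12 GETs for one video within 1.1 s, then one unrelated GET.
VIDEO = "http://youtube.com/south-afreeca-worldcup-2010.avi"
SAMPLE_LOG = [f"{i / 10:.1f} GET {VIDEO}" for i in range(12)]
SAMPLE_LOG.append("1.5 GET http://example.org/index.html")
```

With a threshold of 10, the agent relays the first ten GETs for the video, reports the publisher on the eleventh, and drops the rest of the burst while a second agent on the same controller inherits the limit.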
Scenario Example
[Figure: two Attackers and a Regular host send HTTP GET requests toward the Content Server through an Agent; the Agent exchanges control flow with the controller. Legend: TCP flow, Control flow.]
Summary
• Grassroots approach
• Content-oriented Networking Platform
  – Content-Aware Agent (CAA)