Mitigate DDoS Attacks in NDN by Interest Traceback (PowerPoint presentation transcript)
Mitigate DDoS Attacks in NDN by Interest Traceback
Huichen Dai, Yi Wang, Jindou Fan, Bin Liu. Tsinghua University, China.
Outline
• Background of Named Data Networking (NDN)
• Pending Interest Table (PIT)
• DDoS in IP & NDN
• Concrete Scenarios of DDoS attack
• Counter Measures to NDN DDoS attack
• Evaluation
• Related Work
• Conclusion
Background of NDN
• Newly proposed clean-slate network architecture;
• Embraces the Internet’s function transition from host-to-host communication to content dissemination;
• Routes and forwards packets by content names;
• Request-driven communication model (pull):
– Request: Interest packet
– Response: Data packet
Pending Interest Table (PIT)
• A special table in NDN with no equivalent in IP;
• Keeps track of the Interest packets that have been received but not yet responded to;
• An NDN router inserts every Interest packet into the PIT and removes the matching entry when the corresponding Data packet arrives;
• Brings NDN significant features:
– communication without the knowledge of host locations;
– loop and packet loss detection;
– multipath routing support; etc.
[foreshadowing] PIT – victim of DDoS attack.
DDoS in IP
• Multiple compromised systems send out numerous packets targeting a single system;
• Spoofed source IP addresses;
• Consume the resources of a remote host or network;
• Easy to launch, hard to prevent, and difficult to trace back.
DDoS in NDN (1/2)
• Is DDoS attack possible in NDN?
– YES
• How to launch?
– Compromised systems,
– Numerous Interest packets with spoofed names,
– Make evil use of the forwarding rule.
DDoS in NDN (2/2)
• Results:
– Interest packets solicit non-existent content;
– Therefore, they cannot be satisfied;
– They stay in the PIT forever or until they expire;
– They exhaust the router’s computing and memory resources – like DDoS in IP does;
– Two categories of NDN DDoS attack:
• Single-target DDoS Attacks
• Interest Flooding Attack
Single-target DDoS Attacks (1/4)
• Resembles IP DDoS – can be viewed as a replay of IP DDoS in NDN;
• Makes use of the Longest Prefix Match rule applied while looking up Interest names in the FIB;
• Spoofed name composition: existing prefix + forged suffix;
• The spoofed name is encapsulated in Interest packets;
• Interest packets are forwarded to the destination content provider corresponding to the name prefix;
• No corresponding content is returned.
Single-target DDoS Attacks (2/4)
• Interest packet with spoofed name.
Figure: structure of a spoofed name – Existing Prefix | Forged Suffix.
Single-target DDoS Attacks (3/4)
• The attacking process.
Figure: attack topology with the labels “Victims”, “Spoofed Interest packet” and “No content returned!”.
Single-target DDoS Attacks (4/4)
• Victims: Content Provider (CP), Routers.
• Content Provider:
– DDoS may “lock” its memory and computing resources;
– Can block attacks by using Bloom filters.
• Routers:
– The unsatisfiable Interest packets stay in the PIT;
– A PIT with huge size and high CPU utilization;
– “lock” and even exhaust memory and computing resources on routers.
• Incurs extra load on both end hosts and routers, but the routers suffer much more!
Interest Flooding Attack (1/2)
• Flooding Interest packets with fully forged names from distributed compromised systems;
• Interest packets cannot match any FIB entry in routers – they are broadcast or discarded;
• Assume that the unmatched packets will be broadcast (a special bit indicates this);
• Forged Interest packets:
– are duplicated and propagated throughout the network;
– reach the hosts at the edge of the network.
• No corresponding content is returned.
Interest Flooding Attack (2/2)
• The attacking process.
Figure: attack topology with the labels “Broadcast point” (three times) and “Spoofed Interest packet”.
Counter Measures to NDN DDoS
• First look at counter measures against IP DDoS:
– Resource management: helpful for hosts in NDN, but a simple filter can help to block the attacks;
– IP filtering: not applicable, Interest packets carry no information about the source;
– Packet traceback: difficult in IP, easy in NDN.
• NDN Interest traceback:
– The PIT keeps track of unresponded Interest packets – the “bread crumb”;
– Use the “bread crumb” to trace back to the attackers.
NDN Interest traceback (1/4)
• Step 1: Trigger the Interest traceback process when the PIT size increases at an alarming rate or exceeds a threshold;
• Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT;
• Step 3: Spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers;
• Step 4: Dampen the originator (e.g. rate limiting).
NDN Interest traceback (2/4)
• Spoofed Data packets are filled with the same forged names as in the Interest packets;
• They match the unresponded Interest packet in the PIT, i.e. trace back along the “bread crumb”.
Figure: name carried by the spoofed Data packet – Existing Prefix | Forged Suffix.
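The four traceback steps and the name-matching rule on this slide, together with the longest-prefix forwarding of "existing prefix + forged suffix" names on slide 12, as an added toy model in Python (not the authors' code or simulator). It assumes a constructed topology of two end hosts behind edge -> core -> cp (the content provider's router), component-wise longest-prefix FIB lookup, a PIT keyed by name, the PIT_THRESHOLD value, and dropping all Interests from a traced face as the dampening action; none of these values come from the slides.

```python
from collections import defaultdict
PIT_THRESHOLD = 5  # assumed alarm threshold for Step 1; the slides leave the value open

class Router:
    def __init__(self, name, content=()):
        self.name, self.content = name, set(content)  # names the local content provider can serve
        self.fib, self.pit, self.limited = {}, defaultdict(list), set()

    def longest_prefix_match(self, name):
        comps = name.strip("/").split("/")
        for i in range(len(comps), 0, -1):  # longest name prefix with a FIB entry wins
            prefix = "/" + "/".join(comps[:i])
            if prefix in self.fib: return self.fib[prefix]
        return None  # no route: discarded here (the broadcast variant is not modelled)

    def receive_interest(self, name, face):
        if face in self.limited: return  # Step 4 in effect: traced originator is dropped
        fresh = name not in self.pit
        self.pit[name].append(face)  # bread crumb: remember which face asked
        if not fresh: return  # aggregated with a pending entry already forwarded upstream
        nxt = self.longest_prefix_match(name)
        if name in self.content:
            self.receive_data(name)  # genuine content: real Data flows back along the PIT
        elif nxt:
            nxt.receive_interest(name, self)  # forged names get no Data; entry lingers until expiry

    def receive_data(self, name, spoofed=False):
        for face in self.pit.pop(name, []):  # Step 3: consume the entry, follow the bread crumb
            if isinstance(face, Router):
                face.receive_data(name, spoofed)
            elif spoofed:
                self.limited.add(face)  # Step 4: edge router dampens the originating host

    def traceback(self):
        if len(self.pit) < PIT_THRESHOLD: return 0  # Step 1: PIT size not alarming yet
        names = list(self.pit)
        for n in names:  # Step 2: spoofed Data carrying the very same forged names
            self.receive_data(n, spoofed=True)
        return len(names)

def run_scenario():
    edge, core, cp = Router("edge"), Router("core"), Router("cp", content={"/cp/video/1"})
    edge.fib["/cp"], core.fib["/cp"] = core, cp
    edge.receive_interest("/cp/video/1", "client")  # legitimate request, satisfied by cp
    for i in range(5):  # constructed attack traffic: existing prefix + forged suffix
        edge.receive_interest(f"/cp/forged-{i}", "attacker")
    before, spoofed = len(cp.pit), cp.traceback()
    edge.receive_interest("/cp/forged-99", "attacker")  # now dropped at the edge
    return {"pit_before": before, "spoofed": spoofed, "pit_after": len(cp.pit),
            "limited": sorted(edge.limited), "edge_pit": len(edge.pit)}
```

Running run_scenario() shows the provider-side PIT filling with the five forged names, emptying once spoofed Data walks them back, and the edge router then discarding further Interests from the traced face while the legitimate client is untouched.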
NDN Interest traceback (3/4)
• Against Single-target DDoS Attacks
Figure: traceback against a Single-target DDoS attack (label: “spoofed Data packet”).
NDN Interest traceback (4/4)
• Against Interest Flooding Attack
Figure: traceback against an Interest Flooding Attack (label: “spoofed Data packet”).
Evaluation (1/7)
• Two parts:
– Harmful consequences of the DDoS attacks;
– Effects of the counter measure.
• Platform
– Xeon E5500 CPU, 2.27GHz, 15.9G RAM.
• Topology
– sub-topology from EBONE – the Rocketfuel topology for EBONE (AS1755), consisting of 172 routers and 763 edges. (Randomly chosen.)
Evaluation (2/7)
• Single-target DDoS Attacks
– 100 attackers;
– Interest packet sending rate: 1,000 per second;
– Spoofed names = existing prefix + forged suffixes, around 1,000 bytes.
• Evaluation Goals (on edge routers)
– Number of PIT entries;
– Memory consumption of PIT;
– CPU cycles on the edge router due to DDoS attack.
Evaluation (3/7)
Figure: Increased # of PIT entries due to DDoS attacks.
Figure: Increased memory consumption of PIT due to DDoS attacks.
Evaluation (4/7)
Figure: Router’s CPU cycles consumed per second under DDoS attacks.
Evaluation (5/7)
• Interest Flooding Attack
– Similar results as Single-target DDoS on each router.
• Effect of Interest Traceback, goals:
– Number of identified attackers;
– Extra # of PIT entries due to DDoS attacks after Interest traceback begins;
– CPU cycles consumed per second decline after Interest traceback begins.
Evaluation (6/7)
Figure: number of identified attackers over time.
Evaluation (7/7)
Figure: number of PIT entries decreases as more and more attackers are detected (x axis: simulated time (s), 0 to 28; y axis: increased # of PIT entries after attacker detection, 0 to 5x10^5; series: timeout = 1s, 2s, 4s; marker: “Traceback begins”).
Figure: consumed CPU cycles decrease as more and more attackers are detected (x axis: simulated time (s), 0 to 28; y axis: CPU cycles, 0 to 7x10^9; series: timeout = 1s, 2s, 4s; marker: “Traceback begins”).
Related Work (1/2)
• [1] T. Lauinger, Security & scalability of content-centric networking, Master’s Thesis, Technische Universität Darmstadt, 2010.
– Came up with the idea that DoS can use the PIT to fill up the available memory in a router;
– Some preliminary ideas of counter measures.
• [2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR, 2012.
– Identifies that broadcasting Interest packets can overfill the PIT in a router;
– No counter measure proposed.
Related Work (2/2)
• [3] [Technical Report] M. Wahlisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking, 2012.
– Massive requests for locally unavailable content;
– No counter measure proposed.
• [4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, DoS & DDoS in named-data networking, 2012.
– Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper), as we are;
– A tentative countermeasure – a push-back mechanism, different from our Traceback method;
– No assessment or evaluation.
Conclusion
• Present a specific and concrete scenario of DDoS attacks in NDN;
• Demonstrate the possibility of NDN DDoS attacks;
• Identify the Pending Interest Table as the largest victim of NDN DDoS;
• Propose a counter measure called Interest traceback against NDN DDoS;
• Verify the effectiveness of Interest traceback.
THANK YOU!
QUESTIONS PLEASE