Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China 1.

Similar presentations


Presentation on theme: "Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China 1."— Presentation transcript:

1 Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China 1

2 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 2/36

3 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 3/36

4 Background of NDN Newly proposed clean-slate network architecture; Embraces Internet’s function transition from host-to-host communication to content dissemination; Routes and forwards packets by content names; Request-driven communication model (pull): – Request: Interest packet – Response: Data packet 4/36

5 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 5/36

6 Pending Interest Table (PIT) A special table in NDN and no equivalent in IP; Keeps track of the Interest packets that are received but yet un-responded; NDN router inserts every Interest packet into PIT, removes each Data packet from PIT; Brings NDN significant features: – communication without the knowledge of host locations; – loop and packet loss detection; – multipath routing support; etc. [foreshadowing] PIT – victim of DDoS attack. 6/36

7 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 7/36

8 DDoS in IP Multiple compromised systems send out numerous packets targeting a single system; Spoofed source IP addresses; Consume the resources of a remote host or network; Easy to launch, hard to prevent, and difficult to trace back. 8/36

9 DDoS in NDN (1/2) Is DDoS attack possible in NDN? – YES How to launch? – Compromised systems, – Numerous Interest packets with spoofed names, – Make evil use of forwarding rule. 9/36

10 DDoS in NDN (2/2) Results: – Interest packets solicit inexistent content; – Therefore, cannot be satisfied; – Stay in PIT forever or expire; – Exhaust the router’s computing and memory resources – like DDoS in IP does; – Two categories of NDN DDoS attack: Single-target DDoS Attacks Interest Flooding Attack 10/36

11 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Two Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 11/36

12 Single-target DDoS Attacks (1/4) Resembles IP DDoS – can be viewed as replay of IP DDoS in NDN; make use of the Longest Prefix Match rule while looking up Interest names in the FIB; Spoofed name composition: existing prefix + forged suffix; Encapsulate spoofed name in Interest packets; Interest packets forwarded to the destination content provider corresponding to the name prefix. No corresponding content returned. 12/36

13 Single-target DDoS Attacks (2/4) Interest packet with spoofed name. Existing Prefix Forged Suffix 13/36

14 Single-target DDoS Attacks (3/4) The attacking process. Victims Spoofed Interest packet No content returned! 14/36

15 Single-target DDoS Attacks (4/4) Victims: Content Provider (CP), Routers. Content Provider: – DDoS may “lock” its memory and computing resource; – Can block attacks by using Bloom filters. Routers: – The unsatisfiable Interest packets stay in PIT; – A PIT with huge size and high CPU utilization; – “lock” and even exhaust memory and computing resources on routers. Incurs extra load on both end hosts and routers, but the routers suffer much more! 15/36

16 Interest Flooding Attack (1/2) Flooding Interest packets with full forged names by distributed compromised systems; Interest packets cannot match any FIB entry in routers – broadcast or discarded; Assume that the un-matched packets will be broadcast (special bit to indicate); Forged Interest packets: – duplicated and propagated throughout the network; – reach the hosts at the edge of the network. No corresponding content returned. 16/36

17 Interest Flooding Attack (2/2) The attacking process. Broadcast point Spoofed Interest packet Broadcast point 17/36

18 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 18/36

19 Counter Measures to NDN DDoS First look at counter measures against IP DDoS: – Resource management: helpful for hosts in NDN, but a simple filter can help to block the attacks; – IP filtering: not applicable, Interest packets have no information about the source; – Packet traceback: difficult in IP, easy in NDN. NDN Interest traceback: – PIT keeps track of unresponded Interest packets – “bread crumb”; – Use “bread crumb” to trace back to the attackers. 19/36

20 NDN Interest traceback (1/4) Step1: Trigger Interest traceback process while PIT size increases at an alarming rate or exceeds a threshold; Step2: Router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT; Step3: Spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers; Step4: Dampen the originator (e.g. rate limiting). 20/36

21 NDN Interest traceback (2/4) Spoofed Data packets are filled with the same forged names as in the Interest packets; Match the Un-responded Interest packet in the PIT, i.e. trace back along the “bread crumb”. Existing Prefix Forged Suffix 21/36

22 NDN Interest traceback (3/4) Against Single-target DDoS Attacks spoofed Data packet 22/36

23 NDN Interest traceback (4/4) Against Interest Flooding Attack spoofed Data packet 23/36

24 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 24/36

25 Evaluation (1/7) Two parts: – Harmful consequences of the DDoS attacks; – Effects of the counter measure. Platform – Xeon E5500 CPU, 2.27GHz, 15.9G RAM. Topology – sub-topology from EBONE – the Rocketfuel topology for EBONE (AS1755), consisting of 172 routers and 763 edges. (Randomly chosen.) 25/36

26 Evaluation (2/7) Single-target DDoS Attacks – 100 attackers; – Interest packets sending rate: 1,000 per second. – Spoofed names = existing prefix + forged suffixes, around 1,000 bytes. Evaluation Goals (on edge routers) – Number of PIT entries; – Memory consumption of PIT; – CPU cycles on the edge router due to DDoS attack. 26/36

27 Evaluation (3/7) Figure: Increased # of PIT entries due to DDoS attacks. Figure: Increased memory consumption of PIT due to DDoS attacks. 27/36

28 Evaluation (4/7) Figure: Router’s CPU cycles consumed per second under DDoS attacks. 28/36

29 Evaluation (5/7) Interest Flooding Attack – Similar results as Single-target DDoS on each router. Effect of Interest Traceback, goals: – Number of identified attackers; – Extra # of PIT entries due to DDoS attacks after Interest traceback begins; – CPU cycles consumed per second decline after Interest traceback begins. 29/36

30 Evaluation (6/7) Figure: number of identified attackers over time 30/36

31 Evaluation (7/7) Figure: number of PIT entries decreases as more and more attackers are detected. Figure: consumed CPU cycles decrease as more and more attackers are detected. 31/36

32 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 32/36

33 Related Work (1/2) [1] T. Lauinger, Security & scalability of content- centric networking, Master’s Thesis, Technischeat Universit Darmstadt, – Come up with the idea that DoS can use PIT to fill up available memory in a router; – Some preliminary ideas of counter measures. [2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR, – Identify that broadcasting Interest packets can overfill the PIT in a router; – No counter measure proposed. 33/36

34 Related Work (2/2) [3] [Technical Report] M. Wahlisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking, – massive requests for locally unavailable content; – No counter measure proposed. [4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, Dos & ddos in named-data networking, – Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper) as we do; – a Tentative Countermeasure – Push-back Mechanism, different from out Traceback method; – no assessment or evaluation. 34/36

35 Outline Background of Named Data Networking (NDN) Pending Interest Table (PIT) DDoS in IP & NDN Concrete Scenarios of DDoS attack Counter Measures to NDN DDoS attack Evaluation Related Work Conclusion 35/36

36 Conclusion Present a specific and concrete scenario of DDoS attacks in NDN; Demonstrate the possibility of NDN DDoS attacks; Identify the Pending Interest Table as the largest victim of NDN DDoS; Propose a counter measures called Interest traceback against NDN DDoS; Verify the effectiveness of Interest traceback. 36/36

37 THANK YOU! QUESTIONS PLEASE 36/37


Download ppt "Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China 1."

Similar presentations


Ads by Google