
1 Content-oriented Networking Platform: A Focus on DDoS Countermeasure (in an incremental deployment perspective)
Authors: Junho Suh, Hoon-gyu Choi, Wonjun Yoon @ Seoul National University

2 Outline
Introduction
Content-oriented Networking Architecture
– Communication Procedure
– Main components
– Scenario
Summary

3 Change in Communication Paradigm
Move to Content-oriented Network
– Internet traffic is already content-oriented: CDN, multimedia, P2P…
– Users/applications care "what to receive"; they don't care "from whom"
Host-based communication model is outdated

4 IP networking vs. Content networking
IP networking
– Lookup-by-name: indirection (from name to locator)
– Availability concerned
– Locators can be aggregated: achieving routing scalability
Content-oriented networking
– Route-by-name: no indirection
– Better availability
– Scalability issue: content name is flat
– No backward compatibility

5 Content networking under IP network
Observations
– Current IP networking leverages network prefixes in routing: routing scalability is good
– Content-oriented networking is not good for routing, but good for availability: huge scaling burden
– No backward compatibility in content-oriented networking: content routing and IP routing should be combined
We propose a grassroots approach
– Some popular contents will be cached
– Routing info. for those contents can be propagated in a local and best-effort manner

6 Content-oriented networking platform
Objectives
– Exploit content networking to adopt the current Internet
New entities
– Content-aware Agent: interacts between the content-based network and the IP network
Achievements
– Security, accountability, incremental deployment to the current Internet

7 Content Request
IP-less communication
Assumption
– Lookup "Content Name" by web search
– Content Name in URI form, e.g. http://youtube.com/south-afreeca-worldcup-2010.avi
Communication inside domain
– Requests are relayed to the CAA by L2 forwarding
– CAA contacts DNS
– Consumer cannot contact the server directly
Figure: consumer → CAA → internet; 1: "I want a particular content (e.g. HTTP URI)", 2: "Here you are"

8 Content Distribution
Registers its domain name in DNS
– Agent's IP address (of the egress link)
Figure: publisher ↔ CAA ↔ internet; 1: "a request for your content", 2: "here you are"

9 Content-Aware Agent (CAA)
Proxy for interacting with the IP network
– Handles content requests/responses: FQDN lookup to obtain the IP address of the publisher's CAA (the authority content server's CAA)
– Caches the requested contents
Gateway for heterogeneous networks
– Protocol translation or tunneling
– Relays contents in an inter-domain environment
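The request path of slides 7 to 9 (consumer → CAA → DNS → publisher's CAA, with caching at the consumer-side agent), written out as an added Python model. This is illustration code, not the presentation's or the authors' implementation: the DNS table, the publisher's content and the `PublisherCAA`/`ContentAwareAgent`/`Consumer` classes are all constructed here, and IP reachability is stood in for by a dictionary keyed on address.

```python
"""Added example (not from the presentation): a minimal model of the
Content-Aware Agent request path from slides 7-9.
Assumptions (mine, not the slides'): content names are HTTP URIs, the DNS
lookup is a constructed in-memory table, and the IP network is a dict that
maps an address to the publisher's authority CAA."""
from urllib.parse import urlparse

# Constructed DNS table: publisher domain -> IP of its CAA's egress link (slide 8).
# 198.51.100.0/24 is an RFC 5737 documentation range, used here as a placeholder.
DNS_TABLE = {"youtube.com": "198.51.100.10"}


class PublisherCAA:
    """Authority content server's CAA: holds the publisher's content and serves it."""

    def __init__(self, domain, contents):
        self.domain = domain
        self.contents = dict(contents)
        self.served = 0  # how many requests actually reached the publisher

    def fetch(self, path):
        self.served += 1
        return self.contents.get(path)


class ContentAwareAgent:
    """Consumer-side CAA: the only entity that resolves names and talks to the
    IP network; caches what it fetched so popular content is served locally."""

    def __init__(self, dns, ip_network):
        self.dns = dns                # FQDN -> IP (slide 9: FQDN lookup)
        self.ip_network = ip_network  # IP -> PublisherCAA (stand-in for reachability)
        self.cache = {}
        self.stats = {"hit": 0, "miss": 0, "unresolved": 0}

    def request(self, uri):
        if uri in self.cache:         # route-by-name: the URI itself is the key
            self.stats["hit"] += 1
            return self.cache[uri]
        parsed = urlparse(uri)
        ip = self.dns.get(parsed.hostname)
        if ip is None or ip not in self.ip_network:
            self.stats["unresolved"] += 1
            return None
        self.stats["miss"] += 1
        data = self.ip_network[ip].fetch(parsed.path)
        if data is not None:
            self.cache[uri] = data    # slide 5: popular content gets cached
        return data


class Consumer:
    """A host inside the domain. Its requests are relayed to the CAA (L2
    forwarding on slide 7), so it never resolves names or contacts the server."""

    def __init__(self, caa):
        self.caa = caa

    def get(self, uri):
        return self.caa.request(uri)


def demo():
    """Three consumers ask for the same content; only the first fetch leaves the domain."""
    publisher = PublisherCAA("youtube.com",
                             {"/south-afreeca-worldcup-2010.avi": b"<video bytes>"})
    ip_network = {DNS_TABLE["youtube.com"]: publisher}
    caa = ContentAwareAgent(DNS_TABLE, ip_network)
    consumers = [Consumer(caa) for _ in range(3)]
    uri = "http://youtube.com/south-afreeca-worldcup-2010.avi"
    results = [c.get(uri) for c in consumers]
    missing = consumers[0].get("http://example.invalid/nothing.avi")  # unresolvable name
    return {
        "all_received": all(r == b"<video bytes>" for r in results),
        "publisher_served": publisher.served,
        "stats": dict(caa.stats),
        "missing": missing,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the indirection boundary: the consumer holds only a content name, the agent is where name becomes locator, and after the first miss the publisher's CAA is not contacted again for that content.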

10 General Architecture
Figure: components are host, Content-Aware Agent (CAA), Content-Aware Router (CAR), Gateway A, Gateway B, Publisher and the Domain Name System (DNS); labelled flows are "Content request", "Agent's IP address" and "Content distribution"; the legend distinguishes content-based communication from IP-based communication.

11 Scenario
DDoS can happen by requesting content (using HTTP URIs)
– Many hosts across multiple ISPs
Agent of the publisher detects first
– Informs all the gateways of this event
– To request a countermeasure
A gateway solicits other gateways to reduce the content request rate to the publisher under attack
* DDoS might not be activated by some admission control

12 Implementation
Figure: NetFPGA-OpenFlow data path (software, PCI bus, per-port CPU RxQ/TxQ, interfaces nf2c0–nf2c3, nf2_reg_grp, user data path, ioctl, MAC RxQ/TxQ, Ethernet).
1. Capture URI/URL
2. Monitoring requested contents
3. Accounting flow
4. Make decision whether DDoS or not

13 Implementation
– In the header parser, http_get messages are captured and then forwarded to nf2c0
– Otherwise, the module bypasses normal packets

14 Implementation
Controller
– Each agent solicits other agents, via the controller, to reduce the content request rate to the publisher under attack (sent to all connected agents)
Agent
– Checks and limits the rate (if # of requests > threshold)
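The four steps of slide 12 and the controller/agent roles of slides 13 and 14, as an added Python simulation. This is not the NetFPGA or controller code from the presentation: the capture lines are constructed text records standing in for captured http_get messages, the threshold, window and limited rate are demo values rather than anything the slides state, and `Controller`, `Agent` and `parse_capture` are names chosen here.

```python
"""Added example (not the presentation's own code): the agent-side accounting
and decision logic of slides 12-14, plus a controller that relays the
'reduce the request rate to this publisher' countermeasure to every agent.
Assumptions (mine): captured http_get messages arrive as constructed lines
'<timestamp> <src_ip> <method> <uri>'; THRESHOLD, WINDOW and LIMIT_RATE are
demo values, not values from the slides."""
from collections import defaultdict, deque
from urllib.parse import urlparse

THRESHOLD = 20     # requests to one publisher inside WINDOW that mark an attack (constructed)
WINDOW = 10.0      # seconds of history kept per publisher (constructed)
LIMIT_RATE = 5     # requests per WINDOW an agent still forwards once limiting (constructed)


def parse_capture(line):
    """Step 1: extract the URI from a captured message; None for non-GET traffic."""
    ts, src, method, uri = line.split()
    if method != "GET":
        return None
    return float(ts), src, urlparse(uri).hostname, uri


class Controller:
    """Relays one agent's countermeasure request to all connected agents (slide 14)."""

    def __init__(self):
        self.agents = []
        self.log = []  # (soliciting agent, publisher) pairs, for inspection

    def connect(self, agent):
        self.agents.append(agent)
        agent.controller = self

    def solicit(self, origin, publisher):
        self.log.append((origin.name, publisher))
        for agent in self.agents:
            agent.limit(publisher)


class Agent:
    def __init__(self, name):
        self.name = name
        self.controller = None
        self.requests = defaultdict(deque)  # step 3: publisher -> request timestamps in window
        self.sources = defaultdict(set)     # step 2: publisher -> distinct requesting hosts
        self.limited = {}                   # publisher -> timestamps this agent forwarded
        self.flagged = set()
        self.forwarded = 0
        self.dropped = 0

    @staticmethod
    def _trim(dq, now):
        while dq and now - dq[0] > WINDOW:
            dq.popleft()

    def limit(self, publisher):
        self.limited.setdefault(publisher, deque())

    def on_capture(self, line):
        """Steps 2-4: account the request, decide on DDoS, then forward or limit it."""
        parsed = parse_capture(line)
        if parsed is None:
            return "bypass"                 # slide 13: normal packets are passed through
        ts, src, publisher, _uri = parsed
        dq = self.requests[publisher]
        self._trim(dq, ts)
        dq.append(ts)
        self.sources[publisher].add(src)
        # Step 4: more than THRESHOLD requests in the window -> treat as attack, once
        if len(dq) > THRESHOLD and publisher not in self.flagged:
            self.flagged.add(publisher)
            if self.controller is not None:
                self.controller.solicit(self, publisher)
        if publisher in self.limited:       # rate limit requested by any agent
            fwd = self.limited[publisher]
            self._trim(fwd, ts)
            if len(fwd) >= LIMIT_RATE:
                self.dropped += 1
                return "dropped"
            fwd.append(ts)
        self.forwarded += 1
        return "forwarded"


def demo():
    """Agent A sees the attack and raises it; agent B, behind which only a regular
    host sits, is told to limit too. Both sets of capture lines are constructed."""
    ctrl = Controller()
    a, b = Agent("agent-A"), Agent("agent-B")
    ctrl.connect(a)
    ctrl.connect(b)
    target = "http://publisher.example/popular.avi"
    attack = [f"{i * 0.1:.1f} 203.0.113.{i} GET {target}" for i in range(1, 31)]
    for line in attack:
        a.on_capture(line)
    regular = [f"{5 + i * 0.5:.1f} 192.0.2.7 GET {target}" for i in range(8)]
    for line in regular:
        b.on_capture(line)
    bypass = b.on_capture("9.0 192.0.2.7 POST http://publisher.example/upload")
    return {
        "controller_log": ctrl.log,
        "a_forwarded": a.forwarded, "a_dropped": a.dropped,
        "b_forwarded": b.forwarded, "b_dropped": b.dropped,
        "bypass": bypass,
        "flagged_by": [ag.name for ag in (a, b) if "publisher.example" in ag.flagged],
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting for a defender: the decision is per publisher, not per source, so the thirty one-request hosts on slide 11 still trip the threshold, and the limiter is applied by every agent once any one of them has raised the alarm, which is what keeps the regular host's excess requests from reaching the publisher during the attack.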

15 Scenario Example
Figure: attacker, regular host, agent, controller and content server; legend distinguishes HTTP GET, TCP flow and control flow.

16 Summary
– Grassroots approach
– Content-oriented Networking Platform
– Content-Aware Agent (CAA)

