Authors: Alexander Afanasyev, Priya Mahadevany, Ilya Moiseenko, Ersin Uzuny, Lixia Zhang Publisher: IFIP Networking, 2013 (International Federation for.

Slides:

Advertisements

Similar presentations

Network II.5 simulator ..

Advertisements

Martin Suchara, Ryan Witt, Bartek Wydrowski California Institute of Technology Pasadena, U.S.A. TCP MaxNet Implementation and Experiments on the WAN in.

Quality-of-Service Routing in IP Networks Donna Ghosh, Venkatesh Sarangan, and Raj Acharya IEEE TRANSACTIONS ON MULTIMEDIA JUNE 2001.

University of Calgary – CPSC 441.  We need to break down big networks to sub-LANs  Limited amount of supportable traffic: on single LAN, all stations.

Packet Switching COM1337/3501 Textbook: Computer Networks: A Systems Approach, L. Peterson, B. Davie, Morgan Kaufmann Chapter 3.

24-1 Chapter 24. Congestion Control and Quality of Service (part 1) 23.1 Data Traffic 23.2 Congestion 23.3 Congestion Control 23.4 Two Examples.

Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China 1.

CISCO NETWORKING ACADEMY PROGRAM (CNAP)

1.  Congestion Control Congestion Control  Factors that Cause Congestion Factors that Cause Congestion  Congestion Control vs Flow Control Congestion.

Robust Packet Delivery in Named Data Networking

Bridging. Bridge Functions To extend size of LANs either geographically or in terms number of users. − Protocols that include collisions can be performed.

Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.

1 Complexity of Network Synchronization Raeda Naamnieh.

Copyright: RSVP The ReSerVation Protocol by Sujay koduri.

Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.

Efficient IP-Address Lookup with a Shared Forwarding Table for Multiple Virtual Routers Author: Jing Fu, Jennifer Rexford Publisher: ACM CoNEXT 2008 Presenter:

Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.

Peer-to-Peer Based Multimedia Distribution Service Zhe Xiang, Qian Zhang, Wenwu Zhu, Zhensheng Zhang IEEE Transactions on Multimedia, Vol. 6, No. 2, April.

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Muhammad Mahmudul Islam Ronald Pose Carlo Kopp School of Computer Science & Software Engineering Monash University, Australia.

Dissemination protocols for large sensor networks Fan Ye, Haiyun Luo, Songwu Lu and Lixia Zhang Department of Computer Science UCLA Chien Kang Wu.

A simulation-based comparative evaluation of transport protocols for SIP Authors: M.Lulling*, J.Vaughan Department of Computer science, University college.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

1 Emulating AQM from End Hosts Presenters: Syed Zaidi Ivor Rodrigues.

Adaptive Self-Configuring Sensor Network Topologies ns-2 simulation & performance analysis Zhenghua Fu Ben Greenstein Petros Zerfos.

5/12/05CS118/Spring051 A Day in the Life of an HTTP Query 1.HTTP Brower application Socket interface 3.TCP 4.IP 5.Ethernet 2.DNS query 6.IP router 7.Running.

Power saving technique for multi-hop ad hoc wireless networks.

NFS. The Sun Network File System (NFS) An implementation and a specification of a software system for accessing remote files across LANs. The implementation.

 Structured peer to peer overlay networks are resilient – but not secure.  Even a small fraction of malicious nodes may result in failure of correct.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Receiver-driven Layered Multicast Paper by- Steven McCanne, Van Jacobson and Martin Vetterli – ACM SIGCOMM 1996 Presented By – Manoj Sivakumar.

Network Simulation Internet Technologies and Applications.

Distributed Denial of Service Attack and Prevention Andrew Barkley Quoc Thong Le Gia Matt Dingfield Yashodhan Gokhale.

Proxy-assisted Content Sharing Using Content Centric Networking (CCN) for Resource-limited Mobile Consumer Devices Jihoon Lee, Dae Youb Kim IEEE Transactions.

Ad Hoc Networking via Named Data Michael Meisel, Vasileios Pappas, and Lixia Zhang UCLA, IBM Research MobiArch’10, September 24, Shinhaeng.

Routing and Routing Protocols Dynamic Routing Overview.

1 Highly Secure and Efficient Routing Ioannis Avramopulos, Hisashi Kobayashi Randolph Wang Arvind Krishamurthy Dept. of EE Dept. of CS Dept. of CS Dept.

DNS (Domain Name System) Protocol On the Internet, the DNS associates various sorts of information with domain names. A domain name is a meaningful and.

Routing Information Protocol (RIP). Intra-and Interdomain Routing An internet is divided into autonomous systems. An autonomous system (AS) is a group.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.

FiWi Integrated Fiber-Wireless Access Networks

“Intra-Network Routing Scheme using Mobile Agents” by Ajay L. Thakur.

Design and Implementation of a Multi-Channel Multi-Interface Network Chandrakanth Chereddi Pradeep Kyasanur Nitin H. Vaidya University of Illinois at Urbana-Champaign.

Let’s ChronoSync: Decentralized Dataset State Synchronization in Named Data Networking Zhenkai Zhu Alexander Afanasyev (presenter) Tuesday, October 8,

Authors: Haowei Yuan, Tian Song, and Patrick Crowley Publisher: ICCCN 2012 Presenter: Chai-Yi Chu Date: 2013/05/22 1.

Review of the literature : DMND:Collecting Data from Mobiles Using Named Data Takashima Daiki Park Lab, Waseda University, Japan 1/15.

1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies

Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols ► Acts as denial of service by disrupting the flow of data between a source and.

TCP Trunking: Design, Implementation and Performance H.T. Kung and S. Y. Wang.

Simulation of the OLSRv2 Protocol First Report Presentation.

Authors: Haowei Yuan and Patrick Crowley Publisher: 2013 Proceedings IEEE INFOCOM Presenter: Chia-Yi Chu Date: 2013/08/14 1.

Packet switching network Data is divided into packets. Transfer of information as payload in data packets Packets undergo random delays & possible loss.

Multimedia & Mobile Communications Lab.

Rate-Based Channel Assignment Algorithm for Multi-Channel Multi- Rate Wireless Mesh Networks Sok-Hyong Kim and Young-Joo Suh Department of Computer Science.

Deadline-based Resource Management for Information- Centric Networks Somaya Arianfar, Pasi Sarolahti, Jörg Ott Aalto University, Department of Communications.

Measuring the Capacity of a Web Server USENIX Sympo. on Internet Tech. and Sys. ‘ Koo-Min Ahn.

An Energy Efficient MAC Protocol for Wireless LANs, E.-S. Jung and N.H. Vaidya, INFOCOM 2002, June 2002 吳豐州.

We used ns-2 network simulator [5] to evaluate RED-DT and compare its performance to RED [1], FRED [2], LQD [3], and CHOKe [4]. All simulation scenarios.

1 An Arc-Path Model for OSPF Weight Setting Problem Dr.Jeffery Kennington Anusha Madhavan.

Routing in the Inernet Outcomes: –What are routing protocols used for Intra-ASs Routing in the Internet? –The Working Principle of RIP and OSPF –What is.

Link Layer Support for Unified Radio Power Management in Wireless Sensor Networks IPSN 2007 Kevin Klues, Guoliang Xing and Chenyang Lu Database Lab.

CCNA3 Module 4 Brierley Module 4. CCNA3 Module 4 Brierley Topics LAN congestion and its effect on network performance Advantages of LAN segmentation in.

Topics discussed in this section:

MZR: A Multicast Protocol based on Zone Routing

Routing Information Protocol (RIP)

ARP and RARP Objectives Chapter 7 Upon completion you will be able to:

Fuzzy Interest Forwarding

Dynamic Routing Protocols part3 B

Chapter 2 from ``Introduction to Parallel Computing'',

Presentation transcript:

Authors: Alexander Afanasyev, Priya Mahadevany, Ilya Moiseenko, Ersin Uzuny, Lixia Zhang Publisher: IFIP Networking, 2013 (International Federation for Information Processing) Presenter: Chia-Yi, Chu Date: 2013/11/27 1

 Introduction  NDN Overview  Interest Flooding Attacks in NDN  Interest Flooding Mitigation Methods  Evaluation of Interest Flooding Mitigation Methods 2

 Provides 3 mitigation algorithms to mitigate Interest flooding  Interest flooding ◦ malicious users can attack the network by sending an excessive number of Interests. Since each Interest consumes resources at intermediate routers as it is routed through the network, an excessive number of Interests can congest the network and exhaust a router’s memory. 3

 A receiver-driven, data-centric communication protocol  Communications in NDN are performed using two distinct types of packets ◦ Interest and Data.  Both types of packets carry a name ◦ which uniquely identifies a piece of content that can be carried in one Data packet.  content name is composed of one or more variable- length components and be delimited by “/”. ◦ youtube video would look like: “/youtube/videos/0F8YdlkKO9A/0 ”. 4

 NDN routers maintains three major data structures: ◦ Pending Interest Table (PIT)  holds all “not yet satisfied” Interests that have been sent upstream towards potential data sources. ◦ Forwarding Interest Base (FIB)  maps name prefixes to one or multiple physical network interfaces, specifying directions where Interests can be forwarded.. ◦ Content Store (CS)  temporarily buffers Data packets 5

 Interest packets in NDN are routed through the network based on content name prefixes and consume memory resources at intermediate routers.  An attacker or a set of distributed attackers can inject excessive number of Interests in an attempt to overload the network and cause service disruptions for legitimate users  A large volume of such malicious Interests can disrupt service quality in NDN network in two ways: create network congestion and exhaust resources on routers. 6

7

 if the data producer is the exclusive owner of “/foo/bar” namespace, both router B and the data producer would receive all Interests for “/foo/bar/...” that cannot be otherwise satisfied from in-network caches.  An excessive amount of malicious Interests can lead to exhaustion of a router’s memory ◦ NDN routers maintain per-packet states for each forwarded Interes 8

 Naïve solution ◦ restrict the number of Interests forwarded through the network.  Simple implementation technique ◦ To limit the number of forwarded Interests out of each interface based on the physical capacity of the corresponding interface. ◦ a slight modification of the well-known Token Bucket algorithm 9

10

◦ Drawbacks  result in underutilization of the network  not all Interests will result in a Data packet  can nourish DDoS attacks  If a router has utilized all its tokens to forward malicious Interests, it can no longer forward incoming Interests from legitimate users till the pending malicious Interests start to expire ◦ Solution  impose a per interface fairness 11

 Token bucket with per interface fairness ◦ extend the Pending Interest Table ◦ to support flagging of Interests that cannot be immediately forwarded and implement hierarchical queues for each interface ◦ not actually store a packet, but merely a bi-directional pointer to the existing PIT entry. 12

13

14

 Token bucket with per interface fairness ◦ Drawback  still admits a relatively large number of Interests from malicious users  it drops both legitimate and malicious Interests  attempts to ensure that each interface does not forward more than its fair share of Interests ◦ Solution  be able to detect and differentiate to some extent malicious requests from legitimate ones. 15

16

17

18

19

20

 Satisfaction-based pushback ◦ enable and enforce explicit Interest limit for each incoming interface, where the value of the limit depends directly on the interface’s Interest satisfaction ratio. ◦ Announce these limits to their downstream neighbors  Any Interest forwarded from the downstream router is allowed to get through, resulting in genuine Interest satisfaction statistics. 21

22

23

 Use the open-source ndnSIM package ◦ implements NDN protocol stack for NS-3 network simulator  token bucket with per interface fairness  satisfaction-based Interest acceptance  satisfaction-based pushback  To quantify the effectiveness of algorithms ◦ percentage of satisfied Interests for legitimate users. ◦ A high percentage of user-expressed Interests are satisfied even while the network is under attack 24

 Simulations on two different network topologies ◦ Smaller binary tree topology ◦ Larger ISP-like topology  The percentage of attackers in the network ◦ Ranged from 6% attackers to over 50% attackers  Delay ◦ binary tree topology: 80ms ◦ ISP-like topology: 330ms  Data size ◦ 1100 bytes 25

 Small-scale evaluations ◦ There are 16 end users  both legitimate and attackers ◦ Each expressing Interests that are routed towards a single data producer  placed at the root of the tree. ◦ Bandwidth of 10 Mbps ◦ Randomized propagation delay ranging from 1 to 10 ms. 26

27

 Effectiveness of the three mitigation algorithms ◦ Perform 10 independent simulation runs ◦ 7 client nodes to represent adversaries, 9 client nodes represent legitimate users  where randomly choose ◦ 10-minute attack window  Total simulation time was 30 minutes 28

29

 Network reaction to varying number of attackers ◦ vary the percentage of attackers in the topology from 6% to over 50%. ◦ as the number of attackers increases, the number of legitimate users decreases ◦ All other parameters and experimental setup are consistent with the previous experiment 30

31

 Large scale simulations ◦ based on a modified version of Rocketfuel’s AT&T topology ◦ extracted the largest connected component  comprising of 562 nodes ◦ separated the nodes into three categories 1.Clients  Having degree less than four 2.Gateways  directly connected to clients 3.Backbones  the remaining nodes 32

33

◦ Assigned bandwidth and delay values to links based on their type 34

◦ placing the data producer at both a gateway node as well as backbone node ◦ fixed the number of malicious nodes at approximately 40%  140 out of 344 client nodes in the topology ◦ the attack duration spanning a 5-minute interval. 35

36