Mitigate DDoS Attacks in NDN by Interest Traceback

Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China

Outline • Background of Named Data Networking (NDN) • Pending Interest Table (PIT) • DDoS in IP & NDN • Concrete Scenarios of DDoSattack • Counter Measures to NDN DDoSattack • Evaluation • Related Work • Conclusion

Background of NDN • Newly proposed clean-slate network architecture; • Embraces Internet’s function transition from host-to-host communication to content dissemination; • Routes and forwards packets by content names; • Request-driven communication model (pull): • Request: Interest packet • Response: Data packet

Pending Interest Table (PIT) • A special table in NDN and no equivalent in IP; • Keeps track of the Interest packets that are received but yet un-responded; • NDN router inserts every Interest packet into PIT, removes each Data packet from PIT; • Brings NDN significant features: • communication without the knowledge of host locations; • loop and packet loss detection; • multipath routing support; etc. • [foreshadowing] PIT – victim of DDoSattack.

DDoS in IP • Multiple compromised systems send out numerous packetstargeting a single system; • Spoofed source IP addresses; • Consume the resources of a remote host or network; • Easy to launch, hard to prevent, and difficult to trace back.

DDoS in NDN (1/2) • Is DDoSattack possible in NDN? • YES • How to launch? • Compromised systems, • Numerous Interest packets with spoofed names, • Make evil use of forwarding rule.

DDoS in NDN (2/2) • Results: • Interest packets solicit inexistent content; • Therefore, cannot be satisfied; • Stay in PIT forever or expire; • Exhaust the router’s computing and memory resources – like DDoS in IP does; • Two categories of NDN DDoS attack: • Single-target DDoSAttacks • Interest Flooding Attack

Outline • Background of Named Data Networking (NDN) • Pending Interest Table (PIT) • DDoS in IP & NDN • Two Concrete Scenarios of DDoSattack • Counter Measures to NDN DDoSattack • Evaluation • Related Work • Conclusion

Single-target DDoSAttacks (1/4) • Resembles IP DDoS– can be viewed as replay of IP DDoS in NDN; • make use of the Longest Prefix Match rule while looking up Interest names in the FIB; • Spoofed name composition: existing prefix + forged suffix; • Encapsulate spoofed name in Interest packets; • Interest packets forwarded to the destination content provider corresponding to the name prefix. • No corresponding content returned.

Single-target DDoSAttacks (2/4) • Interest packet with spoofed name. Forged Suffix Existing Prefix

Single-target DDoS Attacks (3/4) • The attacking process. Victims No content returned! Spoofed Interest packet

Single-target DDoS Attacks (4/4) • Victims: Content Provider (CP), Routers. • Content Provider: • DDoS may “lock” its memory and computing resource; • Can block attacks by using Bloom filters. • Routers: • The unsatisfiable Interest packets stay in PIT; • A PIT with huge size and high CPU utilization; • “lock” and even exhaust memory and computing resources on routers. • Incurs extra load on both end hosts and routers, but the routers suffer much more!

Interest Flooding Attack (1/2) • Flooding Interest packets with full forged names by distributed compromised systems; • Interest packets cannot match any FIB entry in routers – broadcast or discarded; • Assume that the un-matched packets will be broadcast (special bit to indicate); • Forged Interest packets: • duplicated and propagated throughout the network; • reach the hosts at the edge of the network. • No corresponding content returned.

Interest Flooding Attack (2/2) • The attacking process. Broadcast point Broadcast point Broadcast point Spoofed Interest packet

Counter Measures to NDN DDoS • First look at counter measures against IP DDoS: • Resource management: helpful for hosts in NDN, but a simple filter can help to block the attacks; • IP filtering: not applicable, Interest packets have no information about the source; • Packet traceback: difficult in IP, easy in NDN. • NDN Interest traceback: • PIT keeps track of unresponded Interest packets – “bread crumb”; • Use “bread crumb” to trace back to the attackers.

NDN Interest traceback (1/4) • Step1: Trigger Interest traceback process while PIT size increases at an alarming rate or exceeds a threshold; • Step2: Router generates spoofedData packets to satisfy the long-unsatisfied Interest packets in the PIT; • Step3: Spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers; • Step4: Dampen the originator (e.g. rate limiting).

NDN Interest traceback(2/4) • Spoofed Data packets are filled with the same forged names as in the Interest packets; • Match the Un-responded Interest packet in the PIT, i.e. trace back along the “bread crumb”. Existing Prefix Forged Suffix

NDN Interest traceback(3/4) • Against Single-target DDoSAttacks spoofedData packet

NDN Interest traceback(4/4) • Against Interest Flooding Attack spoofedData packet

Evaluation (1/7) • Two parts: • Harmful consequences of the DDoSattacks; • Effects of the counter measure. • Platform • Xeon E5500 CPU, 2.27GHz, 15.9G RAM. • Topology • sub-topology from EBONE – the Rocketfueltopology for EBONE (AS1755), consisting of 172 routers and 763 edges.(Randomly chosen.)

Evaluation (2/7) • Single-target DDoS Attacks • 100 attackers; • Interest packets sending rate: 1,000 per second. • Spoofed names = existing prefix + forged suffixes, around 1,000 bytes. • Evaluation Goals (on edge routers) • Number of PIT entries; • Memory consumption of PIT; • CPU cycles on the edge router due to DDoS attack.

Evaluation (3/7) Figure: Increased # of PIT entries due to DDoSattacks. Figure: Increased memory consumption of PIT due to DDoS attacks.

Evaluation (4/7) Figure: Router’s CPU cycles consumed per second under DDoS attacks.

Evaluation (5/7) • Interest Flooding Attack • Similar results as Single-target DDoSon each router. • Effect of Interest Traceback, goals: • Number of identified attackers; • Extra # of PIT entries due to DDoS attacks after Interest tracebackbegins; • CPU cycles consumed per second decline after Interest traceback begins.

Evaluation (6/7) • Figure: number of identified attackers over time

Evaluation (7/7) Figure: number of PIT entries decreases as more and more attackers are detected. Figure: consumed CPU cycles decrease as more and more attackers are detected.

Related Work (1/2) • [1] T. Lauinger, Security & scalability of content-centric networking, Master’s Thesis, TechnischeatUniversit Darmstadt, 2010. • Come up with the idea that DoS can use PIT to fill up available memory in a router; • Some preliminary ideas of counter measures. • [2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR, 2012. • Identify that broadcasting Interest packets can overfill the PIT in a router; • No counter measure proposed.

Related Work (2/2) • [3] [Technical Report] M. Wahlisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking, 2012. • massive requests for locally unavailable content; • No counter measure proposed. • [4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, Dos & ddos in named-data networking, 2012. • Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper) as we do; • a Tentative Countermeasure – Push-back Mechanism, different from out Traceback method; • no assessment or evaluation.

Conclusion • Present a specific and concrete scenario of DDoS attacks in NDN; • Demonstrate the possibility of NDN DDoS attacks; • Identify the Pending Interest Table as the largest victim of NDN DDoS; • Propose a counter measures called Interest traceback against NDN DDoS; • Verify the effectiveness of Interest traceback.

Thank You!Questions please 

Mitigate DDoS Attacks in NDN by Interest Traceback