Mitigate DDoS Attacks in NDN by Interest Traceback
Huichen Dai, Yi Wang, Jindou Fan, Bin Liu
Tsinghua University, China
Outline
– Background of Named Data Networking (NDN)
– Pending Interest Table (PIT)
– DDoS in IP & NDN
– Concrete Scenarios of DDoS attack
– Counter Measures to NDN DDoS attack
– Evaluation
– Related Work
– Conclusion
Background of NDN
– Newly proposed clean-slate network architecture;
– Embraces the Internet's function transition from host-to-host communication to content dissemination;
– Routes and forwards packets by content names;
– Request-driven (pull) communication model:
  – Request: Interest packet
  – Response: Data packet
Pending Interest Table (PIT)
– A special table in NDN with no equivalent in IP;
– Keeps track of Interest packets that have been received but not yet responded to;
– An NDN router inserts every Interest packet into the PIT and removes the matching entry when the corresponding Data packet arrives;
– Gives NDN significant features:
  – communication without knowledge of host locations;
  – loop and packet-loss detection;
  – multipath routing support; etc.
[foreshadowing] PIT: the victim of DDoS attack.
DDoS in IP
– Multiple compromised systems send out numerous packets targeting a single system;
– Spoofed source IP addresses;
– Consume the resources of a remote host or network;
– Easy to launch, hard to prevent, and difficult to trace back.
DDoS in NDN (1/2)
Is a DDoS attack possible in NDN? – YES
How to launch?
  – Compromised systems,
  – Numerous Interest packets with spoofed names,
  – Malicious use of the forwarding rule.
DDoS in NDN (2/2)
Results:
  – Interest packets solicit nonexistent content;
  – Therefore, they cannot be satisfied;
  – They stay in the PIT forever or until they expire;
  – They exhaust the router's computing and memory resources, as DDoS in IP does.
Two categories of NDN DDoS attack:
  – Single-target DDoS Attacks
  – Interest Flooding Attack
Single-target DDoS Attacks (1/4)
– Resembles IP DDoS; can be viewed as a replay of IP DDoS in NDN;
– Makes use of the Longest Prefix Match rule applied when looking up Interest names in the FIB;
– Spoofed name composition: existing prefix + forged suffix;
– The spoofed name is encapsulated in Interest packets;
– Interest packets are forwarded to the content provider corresponding to the name prefix;
– No corresponding content is returned.
Single-target DDoS Attacks (2/4)
Figure: Interest packet with spoofed name (Existing Prefix + Forged Suffix).
Single-target DDoS Attacks (3/4)
Figure: the attacking process (victims, spoofed Interest packet, no content returned).
Single-target DDoS Attacks (4/4)
Victims: Content Provider (CP), Routers.
Content Provider:
  – DDoS may "lock" its memory and computing resources;
  – Can block attacks by using Bloom filters.
Routers:
  – The unsatisfiable Interest packets stay in the PIT;
  – A PIT of huge size and high CPU utilization;
  – "Locks" and even exhausts memory and computing resources on routers.
Incurs extra load on both end hosts and routers, but the routers suffer much more!
Interest Flooding Attack (1/2)
– Distributed compromised systems flood Interest packets with fully forged names;
– The Interest packets cannot match any FIB entry in routers, so they are broadcast or discarded;
– Assume that unmatched packets are broadcast (indicated by a special bit);
– Forged Interest packets:
  – are duplicated and propagated throughout the network;
  – reach the hosts at the edge of the network.
– No corresponding content is returned.
Interest Flooding Attack (2/2)
Figure: the attacking process (spoofed Interest packet, broadcast points).
Counter Measures to NDN DDoS
First look at countermeasures against IP DDoS:
  – Resource management: helpful for hosts in NDN, but a simple filter can already block the attacks on hosts;
  – IP filtering: not applicable, since Interest packets carry no information about the source;
  – Packet traceback: difficult in IP, easy in NDN.
NDN Interest traceback:
  – The PIT keeps track of unresponded Interest packets: a "bread crumb";
  – Use the "bread crumb" to trace back to the attackers.
NDN Interest traceback (1/4)
– Step 1: Trigger the Interest traceback process when the PIT size increases at an alarming rate or exceeds a threshold;
– Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT;
– Step 3: The spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers;
– Step 4: Dampen the originator (e.g. rate limiting).
NDN Interest traceback (2/4)
– Spoofed Data packets are filled with the same forged names as in the Interest packets;
– They match the unresponded Interest packets in the PIT, i.e. they trace back along the "bread crumb".
Figure: spoofed Data packet name (Existing Prefix + Forged Suffix).
NDN Interest traceback (3/4)
Figure: traceback against Single-target DDoS Attacks (spoofed Data packet).
NDN Interest traceback (4/4)
Figure: traceback against Interest Flooding Attack (spoofed Data packet).
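As an added example (not the authors' code), a toy Python model of the PIT from the "Pending Interest Table" slide and of the four traceback steps above: each router records Interests with their incoming faces, real Data consumes the entry, and a core router whose PIT grows past a threshold answers long-pending names with spoofed Data that the PIT routes back hop by hop to the edge, where the originating host is identified for rate limiting. The threshold, pending limit, face ids, host labels and forged names are constructed assumptions.

```python
from collections import Counter

PIT_THRESHOLD = 4    # assumed: traceback triggers when the PIT holds more entries than this
PENDING_LIMIT = 2.0  # assumed: an Interest pending at least this long (s) is "long-unsatisfied"

class Router:
    def __init__(self, faces):
        self.faces = faces          # face id -> downstream Router or host label (str)
        self.pit = {}               # Interest name -> [first_seen, set of incoming faces]
        self.traced = Counter()     # host label -> spoofed Data packets returned to it

    def receive_interest(self, name, in_face, now):
        # NDN rule: every Interest enters the PIT; a repeated name aggregates faces
        self.pit.setdefault(name, [now, set()])[1].add(in_face)

    def receive_data(self, name, spoofed=False):
        """Step 3: pop the PIT entry and send the Data back along the bread crumb."""
        _, faces = self.pit.pop(name, (None, set()))
        for face in faces:
            nxt = self.faces[face]
            if isinstance(nxt, Router):
                nxt.receive_data(name, spoofed)
            elif spoofed:
                self.traced[nxt] += 1   # edge reached: this host sent the unsatisfiable Interest

    def traceback(self, now):
        """Steps 1-2: trigger on PIT size, then answer stale entries with spoofed Data."""
        if len(self.pit) <= PIT_THRESHOLD:
            return []
        stale = [n for n, (t, _) in self.pit.items() if now - t >= PENDING_LIMIT]
        for n in stale:
            self.receive_data(n, spoofed=True)
        return stale

    def dampened(self, limit=3):
        """Step 4: hosts that received at least `limit` spoofed Data packets (assumed policy)."""
        return {h for h, c in self.traced.items() if c >= limit}

def demo():
    edge = Router({"f_attacker": "attacker-host", "f_user": "user-host"})
    core = Router({"f_edge": edge})
    edge.receive_interest("/video/a", "f_user", 0.0)      # legitimate Interest
    core.receive_interest("/video/a", "f_edge", 0.0)
    core.receive_data("/video/a")                          # real content: normal PIT removal
    for i in range(6):                                     # constructed: existing prefix + forged suffix
        name = f"/video/forged-{i}"
        edge.receive_interest(name, "f_attacker", 1.0)
        core.receive_interest(name, "f_edge", 1.0)
    traced = core.traceback(now=4.0)
    return len(traced), dict(edge.traced), edge.dampened(), len(core.pit), len(edge.pit)
```

The legitimate user is never counted because only spoofed Data increments the edge router's trace counter, so rate limiting applies solely to the face whose pending Interests could not be satisfied.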
Evaluation (1/7)
Two parts:
  – Harmful consequences of the DDoS attacks;
  – Effects of the countermeasure.
Platform: Xeon E5500 CPU, 2.27 GHz, 15.9 GB RAM.
Topology: a randomly chosen sub-topology of EBONE, the Rocketfuel topology for EBONE (AS1755), consisting of 172 routers and 763 edges.
Evaluation (2/7)
Single-target DDoS Attacks:
  – 100 attackers;
  – Interest packet sending rate: 1,000 per second;
  – Spoofed names = existing prefix + forged suffixes, around 1,000 bytes.
Evaluation goals (on edge routers):
  – Number of PIT entries;
  – Memory consumption of the PIT;
  – CPU cycles spent on the edge router due to the DDoS attack.
Evaluation (3/7)
Figure: Increased number of PIT entries due to DDoS attacks.
Figure: Increased memory consumption of the PIT due to DDoS attacks.
Evaluation (4/7)
Figure: Router's CPU cycles consumed per second under DDoS attacks.
Evaluation (5/7)
Interest Flooding Attack:
  – Similar results to Single-target DDoS on each router.
Effect of Interest traceback, goals:
  – Number of identified attackers;
  – Extra number of PIT entries due to DDoS attacks after Interest traceback begins;
  – Decline in CPU cycles consumed per second after Interest traceback begins.
Evaluation (6/7)
Figure: number of identified attackers over time.
Evaluation (7/7)
Figure: number of PIT entries decreases as more and more attackers are detected.
Figure: consumed CPU cycles decrease as more and more attackers are detected.
Related Work (1/2)
[1] T. Lauinger, Security & scalability of content-centric networking, Master's Thesis, Technische Universität Darmstadt.
  – Comes up with the idea that DoS can use the PIT to fill up available memory in a router;
  – Some preliminary ideas for countermeasures.
[2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR.
  – Identifies that broadcasting Interest packets can overfill the PIT in a router;
  – No countermeasure proposed.
Related Work (2/2)
[3] [Technical Report] M. Wählisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking.
  – Massive requests for locally unavailable content;
  – No countermeasure proposed.
[4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, DoS & DDoS in Named-Data Networking.
  – Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper), as we are;
  – A tentative countermeasure, a push-back mechanism, different from our traceback method;
  – No assessment or evaluation.
Conclusion
– Present a specific and concrete scenario of DDoS attacks in NDN;
– Demonstrate the possibility of NDN DDoS attacks;
– Identify the Pending Interest Table as the largest victim of NDN DDoS;
– Propose a countermeasure called Interest traceback against NDN DDoS;
– Verify the effectiveness of Interest traceback.