
Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China 1.


1 Mitigate DDoS Attacks in NDN by Interest Traceback
Huichen Dai, Yi Wang, Jindou Fan, Bin Liu
Tsinghua University, China

2 Outline
Background of Named Data Networking (NDN)
Pending Interest Table (PIT)
DDoS in IP & NDN
Concrete Scenarios of DDoS attack
Counter Measures to NDN DDoS attack
Evaluation
Related Work
Conclusion


4 Background of NDN
Newly proposed clean-slate network architecture;
Embraces the Internet’s function transition from host-to-host communication to content dissemination;
Routes and forwards packets by content names;
Request-driven communication model (pull):
– Request: Interest packet
– Response: Data packet


6 Pending Interest Table (PIT)
A special table in NDN with no equivalent in IP;
Keeps track of the Interest packets that have been received but not yet responded to;
An NDN router inserts every Interest packet into the PIT and removes the matching entry when the Data packet arrives;
Brings NDN significant features:
– communication without the knowledge of host locations;
– loop and packet loss detection;
– multipath routing support; etc.
[foreshadowing] PIT – victim of DDoS attack.


8 DDoS in IP
Multiple compromised systems send out numerous packets targeting a single system;
Spoofed source IP addresses;
Consume the resources of a remote host or network;
Easy to launch, hard to prevent, and difficult to trace back.

9 DDoS in NDN (1/2)
Is DDoS attack possible in NDN? – YES
How to launch?
– Compromised systems,
– Numerous Interest packets with spoofed names,
– Make evil use of the forwarding rule.

10 DDoS in NDN (2/2)
Results:
– Interest packets solicit nonexistent content;
– Therefore, they cannot be satisfied;
– Stay in the PIT forever or until they expire;
– Exhaust the router’s computing and memory resources – like DDoS in IP does.
Two categories of NDN DDoS attack:
– Single-target DDoS Attacks
– Interest Flooding Attack


12 Single-target DDoS Attacks (1/4)
Resembles IP DDoS – can be viewed as a replay of IP DDoS in NDN; makes use of the Longest Prefix Match rule while looking up Interest names in the FIB;
Spoofed name composition: existing prefix + forged suffix;
Encapsulate the spoofed name in Interest packets;
Interest packets are forwarded to the destination content provider corresponding to the name prefix. No corresponding content is returned.

13 Single-target DDoS Attacks (2/4)
Figure: Interest packet with spoofed name (Existing Prefix | Forged Suffix).

14 Single-target DDoS Attacks (3/4)
Figure: The attacking process (labels: Victims; Spoofed Interest packet; No content returned!).

15 Single-target DDoS Attacks (4/4)
Victims: Content Provider (CP), Routers.
Content Provider:
– DDoS may “lock” its memory and computing resource;
– Can block attacks by using Bloom filters.
Routers:
– The unsatisfiable Interest packets stay in the PIT;
– A PIT with huge size and high CPU utilization;
– “lock” and even exhaust memory and computing resources on routers.
Incurs extra load on both end hosts and routers, but the routers suffer much more!

16 Interest Flooding Attack (1/2)
Flooding Interest packets with fully forged names from distributed compromised systems;
Interest packets cannot match any FIB entry in routers – broadcast or discarded;
Assume that the unmatched packets will be broadcast (a special bit indicates this);
Forged Interest packets:
– duplicated and propagated throughout the network;
– reach the hosts at the edge of the network.
No corresponding content returned.

17 Interest Flooding Attack (2/2)
Figure: The attacking process (labels: Broadcast point; Spoofed Interest packet; Broadcast point).


19 Counter Measures to NDN DDoS
First look at counter measures against IP DDoS:
– Resource management: helpful for hosts in NDN, but a simple filter can help to block the attacks;
– IP filtering: not applicable, Interest packets have no information about the source;
– Packet traceback: difficult in IP, easy in NDN.
NDN Interest traceback:
– PIT keeps track of unresponded Interest packets – “bread crumb”;
– Use the “bread crumb” to trace back to the attackers.

20 NDN Interest traceback (1/4)
Step 1: Trigger the Interest traceback process when the PIT size increases at an alarming rate or exceeds a threshold;
Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT;
Step 3: Spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers;
Step 4: Dampen the originator (e.g. rate limiting).

21 NDN Interest traceback (2/4)
Spoofed Data packets are filled with the same forged names as in the Interest packets;
They match the unresponded Interest packets in the PIT, i.e. trace back along the “bread crumb”.
Figure: spoofed name layout (Existing Prefix | Forged Suffix).

22 NDN Interest traceback (3/4)
Figure: traceback against Single-target DDoS Attacks (label: spoofed Data packet).

23 NDN Interest traceback (4/4)
Figure: traceback against Interest Flooding Attack (label: spoofed Data packet).


25 Evaluation (1/7)
Two parts:
– Harmful consequences of the DDoS attacks;
– Effects of the counter measure.
Platform – Xeon E5500 CPU, 2.27GHz, 15.9G RAM.
Topology – sub-topology from EBONE – the Rocketfuel topology for EBONE (AS1755), consisting of 172 routers and 763 edges. (Randomly chosen.)

26 Evaluation (2/7)
Single-target DDoS Attacks
– 100 attackers;
– Interest packet sending rate: 1,000 per second;
– Spoofed names = existing prefix + forged suffixes, around 1,000 bytes.
Evaluation Goals (on edge routers)
– Number of PIT entries;
– Memory consumption of PIT;
– CPU cycles on the edge router due to DDoS attack.

27 Evaluation (3/7)
Figure: Increased # of PIT entries due to DDoS attacks.
Figure: Increased memory consumption of PIT due to DDoS attacks.

28 Evaluation (4/7)
Figure: Router’s CPU cycles consumed per second under DDoS attacks.

29 Evaluation (5/7)
Interest Flooding Attack – similar results to Single-target DDoS on each router.
Effect of Interest Traceback, goals:
– Number of identified attackers;
– Extra # of PIT entries due to DDoS attacks after Interest traceback begins;
– CPU cycles consumed per second decline after Interest traceback begins.

30 Evaluation (6/7)
Figure: number of identified attackers over time.

31 Evaluation (7/7)
Figure: number of PIT entries decreases as more and more attackers are detected.
Figure: consumed CPU cycles decrease as more and more attackers are detected.


33 Related Work (1/2)
[1] T. Lauinger, Security & scalability of content-centric networking, Master’s Thesis, Technische Universität Darmstadt, 2010.
– Comes up with the idea that DoS can use the PIT to fill up available memory in a router;
– Some preliminary ideas of counter measures.
[2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR, 2012.
– Identifies that broadcasting Interest packets can overfill the PIT in a router;
– No counter measure proposed.

34 Related Work (2/2)
[3] [Technical Report] M. Wählisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking, 2012.
– Massive requests for locally unavailable content;
– No counter measure proposed.
[4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, DoS & DDoS in Named-Data Networking, 2012.
– Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper), as we are;
– A tentative countermeasure – push-back mechanism, different from our Traceback method;
– No assessment or evaluation.


36 Conclusion
Present a specific and concrete scenario of DDoS attacks in NDN;
Demonstrate the possibility of NDN DDoS attacks;
Identify the Pending Interest Table as the largest victim of NDN DDoS;
Propose a counter measure called Interest traceback against NDN DDoS;
Verify the effectiveness of Interest traceback.

37 THANK YOU! QUESTIONS PLEASE

