Mitigate DDoS Attacks in NDN by Interest Traceback

Huichen Dai, Yi Wang, Jindou Fan, Bin Liu, Tsinghua University, China


Page 1: Mitigate DDoS Attacks in NDN by Interest Traceback

Mitigate DDoS Attacks in NDN by Interest Traceback

Huichen Dai, Yi Wang, Jindou Fan, Bin Liu, Tsinghua University, China

Page 2

Outline

• Background of Named Data Networking (NDN)
• Pending Interest Table (PIT)
• DDoS in IP & NDN
• Concrete Scenarios of DDoS attack
• Counter Measures to NDN DDoS attack
• Evaluation
• Related Work
• Conclusion


Page 4

Background of NDN

• Newly proposed clean-slate network architecture;
• Embraces the Internet's function transition from host-to-host communication to content dissemination;
• Routes and forwards packets by content names;
• Request-driven communication model (pull):
  – Request: Interest packet
  – Response: Data packet


Page 6

Pending Interest Table (PIT)

• A special table in NDN with no equivalent in IP;
• Keeps track of the Interest packets that have been received but not yet responded to;
• An NDN router inserts every Interest packet into the PIT and removes the entry when the matching Data packet arrives;
• Brings NDN significant features:
  – communication without knowledge of host locations;
  – loop and packet loss detection;
  – multipath routing support; etc.

[foreshadowing] PIT – victim of DDoS attack.


Page 8

DDoS in IP

• Multiple compromised systems send out numerous packets targeting a single system;
• Spoofed source IP addresses;
• Consume the resources of a remote host or network;
• Easy to launch, hard to prevent, and difficult to trace back.

Page 9

DDoS in NDN (1/2)

• Is a DDoS attack possible in NDN?
  – YES
• How is it launched?
  – Compromised systems,
  – Numerous Interest packets with spoofed names,
  – Make evil use of the forwarding rule.

Page 10

DDoS in NDN (2/2)

• Results:
  – Interest packets solicit nonexistent content;
  – Therefore, they cannot be satisfied;
  – Stay in the PIT forever or until they expire;
  – Exhaust the router's computing and memory resources – as DDoS in IP does.
• Two categories of NDN DDoS attack:
  – Single-target DDoS Attacks
  – Interest Flooding Attack


Page 12

Single-target DDoS Attacks (1/4)

• Resembles IP DDoS – can be viewed as a replay of IP DDoS in NDN;
• Makes use of the Longest Prefix Match rule while looking up Interest names in the FIB;
• Spoofed name composition: existing prefix + forged suffix;
• Encapsulate the spoofed name in Interest packets;
• Interest packets are forwarded to the destination content provider corresponding to the name prefix;
• No corresponding content is returned.

Page 13

Single-target DDoS Attacks (2/4)

• Interest packet with spoofed name.

[Figure: name layout of a spoofed Interest – Existing Prefix | Forged Suffix]

Page 14

Single-target DDoS Attacks (3/4)

• The attacking process.

[Figure: attack topology – spoofed Interest packets travel toward the victims; no content is returned]

Page 15

Single-target DDoS Attacks (4/4)

• Victims: Content Provider (CP), Routers.
• Content Provider:
  – DDoS may "lock" its memory and computing resources;
  – Can block attacks by using Bloom filters.
• Routers:
  – The unsatisfiable Interest packets stay in the PIT;
  – A PIT with huge size and high CPU utilization;
  – "lock" and even exhaust memory and computing resources on routers.
• Incurs extra load on both end hosts and routers, but the routers suffer much more!

Page 16

Interest Flooding Attack (1/2)

• Flooding Interest packets with fully forged names from distributed compromised systems;
• Interest packets cannot match any FIB entry in routers – broadcast or discarded;
• Assume that the unmatched packets will be broadcast (a special bit indicates this);
• Forged Interest packets:
  – are duplicated and propagated throughout the network;
  – reach the hosts at the edge of the network.
• No corresponding content is returned.

Page 17

Interest Flooding Attack (2/2)

• The attacking process.

[Figure: spoofed Interest packets duplicated at each broadcast point and propagated through the network]


Page 19

Counter Measures to NDN DDoS

• First look at counter measures against IP DDoS:
  – Resource management: helpful for hosts in NDN, but a simple filter can help to block the attacks;
  – IP filtering: not applicable, Interest packets carry no information about the source;
  – Packet traceback: difficult in IP, easy in NDN.
• NDN Interest traceback:
  – The PIT keeps track of unresponded Interest packets – a "bread crumb";
  – Use the "bread crumb" to trace back to the attackers.

Page 20

NDN Interest traceback (1/4)

• Step 1: Trigger the Interest traceback process when the PIT size increases at an alarming rate or exceeds a threshold;
• Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT;
• Step 3: Spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers;
• Step 4: Dampen the originator (e.g. rate limiting).

Page 21

NDN Interest traceback (2/4)

• Spoofed Data packets are filled with the same forged names as in the Interest packets;
• They match the unresponded Interest packets in the PIT, i.e. trace back along the "bread crumb".

[Figure: name layout of a spoofed Data packet – Existing Prefix | Forged Suffix]
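The PIT mechanics of Page 6, the "existing prefix + forged suffix" scenario of Pages 12–15 and the four traceback steps of Pages 20–21, as an added Python simulation. This is not the authors' code or their evaluation platform; the two-router topology, the host labels, the /tsinghua prefix, the timeout, the PIT threshold and the "dampen after three hits" rule are constructed assumptions for the example. It shows a legitimate Interest being answered and leaving no PIT residue, unsatisfiable Interests piling up in both PITs, spoofed Data walking back along the PIT bread crumbs to the edge face, and the edge router rate-limiting that face while the legitimate host is still served.

```python
"""Toy NDN forwarder: PIT + FIB longest-prefix match + Interest traceback.

Added illustration, not the authors' simulator. Topology, names, faces,
the timeout/threshold values and the 'dampen after K hits' rule are
constructed assumptions for this example.
"""
from collections import defaultdict


class Provider:
    """Content provider: only names it really holds get a Data packet back."""

    def __init__(self, contents):
        self.contents = set(contents)

    def receive_interest(self, name, in_face, now):
        if name in self.contents:
            in_face.receive_data(name, spoofed=False)
        # Forged suffix: no such content, nothing is returned, Interest hangs in PITs.


class Router:
    def __init__(self, label, timeout=2.0, pit_threshold=50, hits_to_limit=3):
        self.label = label
        self.fib = {}                 # name prefix -> next hop (Router or Provider)
        self.pit = {}                 # full name -> {"faces": set, "arrival": float}
        self.timeout = timeout        # how long an Interest may sit unanswered
        self.pit_threshold = pit_threshold
        self.hits_to_limit = hits_to_limit
        self.traceback_hits = defaultdict(int)  # edge face -> spoofed Data delivered
        self.rate_limited = set()     # faces dampened after traceback (Step 4)
        self.dropped = 0

    def lpm(self, name):
        """Longest-prefix match on the FIB; the rule the spoofed names exploit."""
        comps = name.strip("/").split("/")
        for i in range(len(comps), 0, -1):
            prefix = "/" + "/".join(comps[:i])
            if prefix in self.fib:
                return self.fib[prefix]
        return None

    def receive_interest(self, name, in_face, now):
        if in_face in self.rate_limited:
            self.dropped += 1
            return
        entry = self.pit.get(name)
        if entry:                     # same name pending: aggregate, do not re-forward
            entry["faces"].add(in_face)
            return
        self.pit[name] = {"faces": {in_face}, "arrival": now}  # the bread crumb
        next_hop = self.lpm(name)
        if next_hop is not None:
            next_hop.receive_interest(name, self, now)

    def receive_data(self, name, spoofed):
        """Data, real or spoofed, walks back along the PIT bread crumbs (Step 3)."""
        entry = self.pit.pop(name, None)
        if entry is None:
            return                    # unsolicited Data has no PIT entry: drop
        for face in entry["faces"]:
            if isinstance(face, Router):
                face.receive_data(name, spoofed)
            elif spoofed:
                # Edge face reached: the host behind it sent the unsatisfiable Interest.
                self.traceback_hits[face] += 1
                if self.traceback_hits[face] >= self.hits_to_limit:
                    self.rate_limited.add(face)
            # a real Data packet would be delivered to the host here

    def traceback_needed(self, prev_pit_size, growth_limit):
        """Step 1 trigger: PIT above threshold or growing at an alarming rate."""
        size = len(self.pit)
        return size > self.pit_threshold or size - prev_pit_size > growth_limit

    def run_traceback(self, now):
        """Step 2: spoof Data for long-unsatisfied entries; returns how many."""
        stale = [n for n, e in self.pit.items() if now - e["arrival"] >= self.timeout]
        for name in stale:
            self.receive_data(name, spoofed=True)
        return len(stale)


def simulate(n_forged=60):
    provider = Provider(["/tsinghua/index", "/tsinghua/papers/ndn-ddos"])
    core, edge = Router("R2"), Router("R1")
    core.fib["/tsinghua"] = provider
    edge.fib["/tsinghua"] = core
    attacker, legit = "hostA", "hostL"        # two hosts on the edge router (constructed)

    edge.receive_interest("/tsinghua/index", legit, now=0.0)   # satisfied, no residue
    for i in range(n_forged):                                 # existing prefix + forged suffix
        edge.receive_interest(f"/tsinghua/{i:04d}-forged", attacker, now=i / n_forged)
    pit_before = (len(edge.pit), len(core.pit))

    traced = core.run_traceback(now=3.0) if core.traceback_needed(0, 20) else 0
    pit_after = (len(edge.pit), len(core.pit))

    edge.receive_interest("/tsinghua/9999-forged", attacker, now=4.0)   # now dropped
    edge.receive_interest("/tsinghua/papers/ndn-ddos", legit, now=4.0)  # still served
    return {
        "pit_before": pit_before, "traced": traced, "pit_after": pit_after,
        "attacker_limited": attacker in edge.rate_limited,
        "legit_limited": legit in edge.rate_limited,
        "dropped_after": edge.dropped,
        "pit_final": (len(edge.pit), len(core.pit)),
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` reports 60 PIT entries on each router before traceback and none afterwards, the attacker face rate-limited after the first three spoofed Data packets reach it, and the legitimate host's later request still answered. The spoofed Data is injected at the core router, which only sees the downstream router as its face; it is the edge router, where the bread crumb ends at a host face, that can name the originator, which is why the deck measures identified attackers on edge routers.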

Page 22

NDN Interest traceback (3/4)

• Against Single-target DDoS Attacks

[Figure: spoofed Data packets flow back along the PIT toward the attackers]

Page 23

NDN Interest traceback (4/4)

• Against Interest Flooding Attack

[Figure: spoofed Data packets flow back through the broadcast points toward the attackers]


Page 25

Evaluation (1/7)

• Two parts:
  – Harmful consequences of the DDoS attacks;
  – Effects of the counter measure.
• Platform
  – Xeon E5500 CPU, 2.27 GHz, 15.9 GB RAM.
• Topology
  – A randomly chosen sub-topology from EBONE – the Rocketfuel topology for EBONE (AS1755), consisting of 172 routers and 763 edges.

Page 26

Evaluation (2/7)

• Single-target DDoS Attacks
  – 100 attackers;
  – Interest packet sending rate: 1,000 per second;
  – Spoofed names = existing prefix + forged suffixes, around 1,000 bytes.
• Evaluation Goals (on edge routers)
  – Number of PIT entries;
  – Memory consumption of the PIT;
  – CPU cycles on the edge router due to the DDoS attack.

Page 27

Evaluation (3/7)

Figure: Increased # of PIT entries due to DDoS attacks.

Figure: Increased memory consumption of PIT due to DDoS attacks.

Page 28

Evaluation (4/7)

Figure: Router's CPU cycles consumed per second under DDoS attacks.

Page 29

Evaluation (5/7)

• Interest Flooding Attack
  – Similar results as Single-target DDoS on each router.
• Effect of Interest Traceback, goals:
  – Number of identified attackers;
  – Extra # of PIT entries due to DDoS attacks after Interest traceback begins;
  – CPU cycles consumed per second decline after Interest traceback begins.

Page 30

Evaluation (6/7)

Figure: number of identified attackers over time.

Page 31

Evaluation (7/7)

[Figure: CPU cycles (0 to 7x10^9) vs simulated time (0–28 s), curves for timeout = 1s, 2s, 4s; marker "Traceback begins"]

[Figure: increased # of PIT entries after attacker detection (0 to 5x10^5) vs simulated time (0–28 s), curves for timeout = 1s, 2s, 4s; marker "Traceback begins"]

Figure: number of PIT entries decreases as more and more attackers are detected.

Figure: consumed CPU cycles decrease as more and more attackers are detected.


Page 33

Related Work (1/2)

• [1] T. Lauinger, Security & scalability of content-centric networking, Master's Thesis, Technische Universität Darmstadt, 2010.
  – Came up with the idea that DoS can use the PIT to fill up the available memory in a router;
  – Some preliminary ideas of counter measures.
• [2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR, 2012.
  – Identifies that broadcasting Interest packets can overfill the PIT in a router;
  – No counter measure proposed.

Page 34

Related Work (2/2)

• [3] [Technical Report] M. Wählisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking, 2012.
  – Massive requests for locally unavailable content;
  – No counter measure proposed.
• [4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, DoS & DDoS in named-data networking, 2012.
  – Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper), as we are;
  – A tentative countermeasure – a push-back mechanism, different from our Traceback method;
  – No assessment or evaluation.


Page 36

Conclusion

• Present a specific and concrete scenario of DDoS attacks in NDN;
• Demonstrate the possibility of NDN DDoS attacks;
• Identify the Pending Interest Table as the largest victim of NDN DDoS;
• Propose a counter measure called Interest traceback against NDN DDoS;
• Verify the effectiveness of Interest traceback.

Page 37

THANK YOU!

QUESTIONS PLEASE