© IFIP, 2013. This is the author's version of this work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in the proceedings of IFIP Networking 2013.

Interest Flooding Attack and Countermeasures in Named Data Networking

Alexander Afanasyev*, Priya Mahadevan†, Ilya Moiseenko*, Ersin Uzun†, Lixia Zhang*
*University of California, Los Angeles, {afanasev, iliamo, lixia}@cs.ucla.edu
†Palo Alto Research Center, {ersin.uzun, priya.mahadevan}@parc.com

Abstract—Distributed Denial of Service (DDoS) attacks are an ongoing problem in today's Internet, where packets from a large number of compromised hosts thwart the paths to the victim site and/or overload the victim machines. In a newly proposed future Internet architecture, Named Data Networking (NDN), end users request desired data by sending Interest packets, and the network delivers Data packets upon request only, effectively eliminating many existing DDoS attacks. However, an NDN network can be subject to a new type of DDoS attack, namely Interest packet flooding. In this paper we investigate effective solutions to mitigate Interest flooding. We show that NDN's inherent properties of storing per-packet state on each router and maintaining flow balance (i.e., one Interest packet retrieves at most one Data packet) provide the basis for effective DDoS mitigation algorithms. Our evaluation through simulations shows that the solution can quickly and effectively respond to and mitigate Interest flooding.

Index Terms—Information-centric networks, named-data networking, denial-of-service

I. INTRODUCTION

Named Data Networking (NDN) [1], [2] is an ongoing research effort that aims to move the Internet into the future with a content-centric design that is capable of efficient content distribution and seamless mobility support. In contrast to today's Internet, a key goal of the NDN project is "security by design." In fact, it goes a long way by guaranteeing the integrity and provenance of every Data packet with digital signatures and protecting user privacy with no source addresses carried in the packets. However, one big question that is yet to be answered is: how does the NDN architecture fare in terms of its resilience against DDoS attacks? Especially since various forms of DDoS attacks pose a significant threat to the existing Internet infrastructure [3], it is crucial to ensure that the new design is free of similar vulnerabilities.

NDN eliminates host-based addressing and makes data the first-class network entity. Instead of sending packets to a given IP address, NDN nodes request desired data by sending Interest packets carrying application-level data names, and the network returns the requested Data packets following the path of the Interests. Such a shift automatically eliminates several long-standing DDoS attacks, including direct flooding and reflector attacks through source address spoofing [4]. However, malicious users can attack the network by sending an excessive number of Interests. Since each Interest consumes resources at intermediate routers as it is routed through the network, an excessive number of Interests can congest the network and exhaust a router's memory. We coin the term Interest flooding to refer to such an attack, and this paper exclusively investigates the problem and the solution space for it.

Our effort is an important first step towards a complete investigation of DDoS attacks in NDN. We experiment with three algorithms that allow routers to exploit their state information to thwart these attacks. Through extensive simulations, we show how one of our mitigation methodologies effectively shuts down malicious users while protecting legitimate users from service degradation.

The rest of the paper is organized as follows. We provide an overview of the NDN architecture in Section II and describe Interest flooding attacks in Section III. In Sections IV and V we introduce techniques to mitigate these attacks, evaluate their effectiveness, and discuss their limitations. We summarize related work in Section VI. We discuss future work and conclude in Section VII.

II. NDN OVERVIEW

In this section we briefly introduce NDN with a focus on its stateful forwarding plane (refer to [1], [2], [5], [6] for more details). NDN is a receiver-driven, data-centric communication protocol. All communications in NDN are performed using two distinct types of packets: Interest and Data. Both types of packets carry a name, which uniquely identifies a piece of content that can be carried in one Data packet. Data names in NDN are hierarchically structured, and an example name for the first segment of a YouTube video would look like "/youtube/videos/0F8YdlkKO9A/0".

To retrieve data, a consumer requests it by sending an Interest packet with the name of the desired content in it. Routers use this name to route the Interest towards data sources, and a Data packet whose name matches the name in the Interest is returned to the consumer by following the reverse path of the Interest. Similar to IP, Interest forwarding is based on longest name prefix match, but, unlike IP, an Interest packet and its matching Data packet always take symmetric paths.

Each NDN router maintains three major data structures:

• Pending Interest Table (PIT) holds all "not yet satisfied" Interests that have been sent upstream towards potential data sources. Each PIT entry contains one or multiple incoming and outgoing physical interfaces; multiple
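The forwarding behaviour described above (longest name prefix match, a PIT entry per forwarded Interest, Data returned along the reverse path and consuming that entry) is what makes the Interest flooding attack possible: every unanswered Interest occupies router memory until it is satisfied. The following model, added here as an illustration and not code from the paper or the NDN project, simulates a single router's stateful forwarding plane. It assumes a FIB that maps name prefixes to a single next-hop face, omits the content store, and uses constructed face names and Interest names; the flood of never-answered Interests in `demo()` is a constructed scenario, not an attack described on this page.

```python
"""Minimal model of an NDN router's stateful forwarding plane (added example).

Assumptions beyond the paper's text: names are '/'-separated components; a
FIB maps name prefixes to one next-hop face; no content store; no Interest
lifetime, so an unsatisfied PIT entry is never removed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def name_components(name: str) -> list[str]:
    """Split '/youtube/videos/0F8YdlkKO9A/0' into its hierarchical components."""
    return [c for c in name.split("/") if c]


@dataclass
class PitEntry:
    """A 'not yet satisfied' Interest: the faces it arrived on and was sent out on."""
    in_faces: set[str] = field(default_factory=set)
    out_faces: set[str] = field(default_factory=set)


class NdnRouter:
    def __init__(self, fib: dict[str, str]):
        # FIB: name prefix -> next-hop face (assumption: one next hop per prefix).
        self.fib = {tuple(name_components(p)): face for p, face in fib.items()}
        self.pit: dict[str, PitEntry] = {}
        self.sent: list[tuple[str, str, str]] = []  # (kind, name, face) log

    def longest_prefix_match(self, name: str) -> str | None:
        """Longest name prefix match over the FIB, like IP but on name components."""
        comps = name_components(name)
        for n in range(len(comps), -1, -1):
            face = self.fib.get(tuple(comps[:n]))
            if face is not None:
                return face
        return None

    def receive_interest(self, name: str, in_face: str) -> str:
        """Returns what the router did: 'forwarded', 'aggregated' or 'dropped'."""
        entry = self.pit.get(name)
        if entry is not None:
            # Same name already pending: remember the extra downstream face,
            # but do not send a second Interest upstream.
            entry.in_faces.add(in_face)
            return "aggregated"
        out_face = self.longest_prefix_match(name)
        if out_face is None or out_face == in_face:
            return "dropped"
        # Each forwarded Interest costs PIT memory until matching Data returns.
        self.pit[name] = PitEntry(in_faces={in_face}, out_faces={out_face})
        self.sent.append(("Interest", name, out_face))
        return "forwarded"

    def receive_data(self, name: str, in_face: str) -> list[str]:
        """Data follows the Interest's reverse path; returns the faces it went to."""
        entry = self.pit.get(name)
        if entry is None or in_face not in entry.out_faces:
            return []  # unsolicited Data (nobody asked for it) is discarded
        del self.pit[name]  # flow balance: one Interest retrieves at most one Data
        for face in sorted(entry.in_faces):
            self.sent.append(("Data", name, face))
        return sorted(entry.in_faces)

    def pit_size(self) -> int:
        return len(self.pit)


def demo() -> dict:
    """Constructed scenario: two consumers fetch the same segment, then a
    third face sends 1000 Interests for names that are never answered."""
    video = "/youtube/videos/0F8YdlkKO9A/0"
    r = NdnRouter({"/youtube": "face-upstream", "/": "face-default"})
    first = r.receive_interest(video, "face-c1")
    second = r.receive_interest(video, "face-c2")   # aggregated into the same PIT entry
    delivered = r.receive_data(video, "face-upstream")
    unsolicited = r.receive_data("/youtube/videos/0F8YdlkKO9A/1", "face-upstream")
    for i in range(1000):
        r.receive_interest(f"/youtube/videos/never-answered/{i}", "face-c3")
    upstream_for_video = sum(1 for k, n, _ in r.sent if k == "Interest" and n == video)
    return {
        "first": first,
        "second": second,
        "delivered": delivered,
        "unsolicited": unsolicited,
        "upstream_for_video": upstream_for_video,
        "pit_size": r.pit_size(),
    }


if __name__ == "__main__":
    print(demo())
```

The two consumer Interests for the same name result in exactly one Interest going upstream and one Data packet fanning out to both downstream faces, which is the flow balance the paper relies on. The final PIT size shows the other side of that design: the 1000 Interests that never receive Data remain in the table, which is the router-memory cost the introduction identifies as the basis of Interest flooding.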