A Focus on DDoS Countermeasure
( In incremental deployment perspective)
Authors:
Junho Suh, Hoon-gyu Choi,
Wonjun Yoon
@Seoul National University

• Introduction
• Content-oriented Networking
Architecture
– Communication Procedure
– Main components
– Scenario
• Summary
2

• Move to Content-oriented Network
– Internet traffic is already content-oriented
• CDN, multimedia, P2P…
– Users/applications care “what to receive”
• They don’t care “from whom”
• Host based communication model is outdated
3

• IP networking
– Lookup-by-name
• Indirection (from name to locator)
– Availability concerned
• Locators can be aggregated
– Achieving routing scalability
• Content-oriented networking
– Route-by-name
• No indirection
– Better availability
• Scalability issue
– Content name is flat
• No backward compatibility
4

• Observations
– Current IP networking leverages network prefixes in routing
• Routing scalability is good
– Content-oriented networking is not good for routing, but good for availability
• Huge scaling burden
– No backward compatibility in content-oriented networking
• Content routing and IP routing should be combined
• We propose a grassroots approach
– Some popular contents will be cached
– Routing info. for those contents can be propagated in local and best-effort manner
5

• Objectives
– Exploit content networking current Internet to adopt
• New entities
– Content-aware Agent
• Interact content based network and IP network
• Achievements
– Security, accountability, incremental deployment to the current Internet
6

• IP-less communication
• Assumption
– Lookup “Content Name” by web search
– Content Name
• URI form
• http://youtube.com/south-afreeca-worldcup-2010.avi
• Communication inside domain
– Requests are relayed to CAA by L2 forwarding
– CAA contacts DNS
– Consumer cannot contact server directly
1: I want a particular content (e.g. HTTP URI) internet consumer
2: Here you are
CAA
7

• Registers its domain name in DNS
– Agent’s IP address (of the egress link) publisher
1: a request for your content
2: here you are
CAA internet
8

• Proxy for interacting with IP network
– Handle content requests/response
• FQDN to obtain IP address for publisher’s CAA
– Authority content server’s CAA
– Caching the requested contents
• Gateway for heterogeneous networks
– Protocol translate or Tunneling
– Relay contents in inter-domain environment
9

Content based Communication
IP based Communication
DNS
Agent’s IP address
Gateway A
Content request host Agent
Gateway B
Content Distribution
Content distribution
Agent
Publisher
Domain Name System
Content-Aware Agent (CAA)
Content-Aware Router (CAR)
10

• DDoS can happen by requesting content
(using HTTP URIs)
– Many hosts across multiple ISPs
• Agent of the publisher detects first
– Informs the all the gateways of this event
– To request countermeasure
• A gateway solicits other gateway to reduce the content request rate to the publisher under attack
* DDoS might not be activated by some admission control
11

2. Monitoring
Requested contents
3. Accounting flow
Software nf2c0 nf2c1 nf2c2 nf2c3
4. Make decision whether DDoS or not ioctl
PCI Bus
CPU
RxQ
CPU
TxQ
CPU
RxQ
CPU
TxQ
CPU
RxQ
CPU
TxQ
CPU
RxQ user data path
CPU
TxQ nf2_reg_grp
MAC
TxQ
MAC
RxQ
MAC
TxQ
MAC
RxQ
MAC
TxQ
MAC
RxQ
MAC
TxQ
MAC
RxQ
Ethernet
12

– In the header parser http_get messages are captured, and then forwarded to the nc2c0
– Otherwise, the module bypasses normal packets
13

• Controller
– Each agent solicits other agents to reduce the content request rate to the publisher under attack via controller
• To all connected Agent
• Agent
– Checks and limits the rate (if # of request > threshold)
14

controller
HTTP GET
TCP flow
Control flow
Attacker
Regular host
Agent
Content
Server
Attacker
15

• Grassroots approach
• Content-oriented Networking Platform
– Content-Aware Agent (CAA)
16