Content-oriented Networking Platform


Content-oriented Networking Platform:

A Focus on DDoS Countermeasure

(From an incremental deployment perspective)

Authors:

Junho Suh, Hoon-gyu Choi,

Wonjun Yoon

@Seoul National University

Outline

• Introduction

• Content-oriented Networking Architecture

– Communication Procedure

– Main components

– Scenario

• Summary

2

Change in Communication Paradigm

• Move to Content-oriented Network

– Internet traffic is already content-oriented

• CDN, multimedia, P2P…

– Users/applications care “what to receive”

• They don’t care “from whom”

• The host-based communication model is outdated

3

IP networking vs. Content networking

• IP networking

– Lookup-by-name

• Indirection (from name to locator)

– Availability concerned

• Locators can be aggregated

– Achieving routing scalability

• Content-oriented networking

– Route-by-name

• No indirection

– Better availability

• Scalability issue

– Content name is flat

• No backward compatibility

4

Content networking under IP network

• Observations

– Current IP networking leverages network prefixes in routing

• Routing scalability is good

– Content-oriented networking is not good for routing, but good for availability

• Huge scaling burden

– No backward compatibility in content-oriented networking

• Content routing and IP routing should be combined

• We propose a grassroots approach

– Some popular contents will be cached

– Routing info. for those contents can be propagated in local and best-effort manner

5

Content-oriented networking platform

• Objectives

– Exploit content networking in a form the current Internet can adopt

• New entities

– Content-aware Agent

• Interfaces between the content-based network and the IP network

• Achievements

– Security, accountability, incremental deployment to the current Internet

6

Content Request

• IP-less communication

• Assumption

– Look up the “Content Name” by web search

– Content Name

• URI form

• http://youtube.com/south-afreeca-worldcup-2010.avi

• Communication inside domain

– Requests are relayed to CAA by L2 forwarding

– CAA contacts DNS

– Consumer cannot contact server directly

[Figure: a consumer sends “1: I want a particular content (e.g. HTTP URI)” to its CAA; the CAA fetches it from the Internet and answers “2: Here you are”]

7

Content Distribution

• The publisher registers its domain name in DNS

– Agent’s IP address (of the egress link)

[Figure: a request arrives from the Internet at the publisher’s CAA (“1: a request for your content”); the publisher answers through the CAA (“2: here you are”)]

8

Content-Aware Agent (CAA)

• Proxy for interacting with the IP network

– Handles content requests/responses

• Resolves the FQDN to obtain the IP address of the publisher’s CAA

– The authoritative content server’s CAA

– Caches the requested contents

• Gateway for heterogeneous networks

– Protocol translation or tunneling

– Relays contents in an inter-domain environment

9

General Architecture

[Figure: General Architecture. Labels: Content based Communication; IP based Communication; DNS; Agent’s IP address; Gateway A; Content request host; Agent; Gateway B; Content Distribution; Publisher. Legend: Domain Name System, Content-Aware Agent (CAA), Content-Aware Router (CAR)]

10

Scenario

• A DDoS can be mounted by requesting content (using HTTP URIs)

– Many hosts across multiple ISPs

• The agent of the publisher detects it first

– Informs all the gateways of this event

– To request a countermeasure

• A gateway solicits the other gateways to reduce the content request rate to the publisher under attack

* A DDoS might not take effect at all under some admission control

11

Implementation

[Figure: Implementation on the NetFPGA platform (nf2c0–nf2c3 are the NetFPGA interfaces). Software side, over the PCI bus: “2. Monitoring requested contents”, “3. Accounting flow”, “4. Make decision whether DDoS or not” (via ioctl). Hardware side: per-port CPU RxQ/TxQ and MAC RxQ/TxQ, the user data path, the nf2_reg_grp register group, Ethernet.]

12

Implementation

– In the header parser, http_get messages are captured and then forwarded to nf2c0

– Otherwise, the module bypasses normal packets unchanged

13

Implementation

• Controller

– Each agent solicits the other agents, via the controller, to reduce the content request rate to the publisher under attack

• Sent to all connected agents

• Agent

– Checks and limits the rate (if # of requests > threshold)

14
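The monitoring, accounting, decision and controller steps of slides 12 to 14, written out as one runnable Python sketch. This is an added example, not the project's code: on the real platform the header parser runs in NetFPGA hardware and hands captured http_get messages to nf2c0, while here a regex plays that role. The packet payloads, the hostname publisher.example, the per-content threshold of 3 and the reduced rate of 2 are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# --- Header parser (a hardware module on the slides; plain Python here) ------
GET_LINE = re.compile(rb"^GET (\S+) HTTP/1\.[01]\r\n")
HOST_HDR = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.IGNORECASE)

def parse_http_get(payload: bytes):
    """Return the requested content name in URI form for an HTTP GET,
    or None for any other packet (which the module bypasses unchanged)."""
    m = GET_LINE.match(payload)
    if m is None:
        return None
    target = m.group(1).decode("ascii", errors="replace")
    if target.startswith("http://"):          # absolute-form request target
        return target
    h = HOST_HDR.search(payload)
    if h is None:                              # GET without Host: no usable name
        return None
    return "http://" + h.group(1).decode("ascii", errors="replace").strip() + target

# --- Controller: relays one agent's report to every connected agent ----------
class Controller:
    def __init__(self, reduced_rate: int):
        self.reduced_rate = reduced_rate       # GETs per window allowed during an attack
        self.agents = []
        self.under_attack = set()

    def connect(self, agent):
        self.agents.append(agent)
        agent.controller = self

    def report(self, publisher: str):
        if publisher in self.under_attack:     # already solicited for this publisher
            return
        self.under_attack.add(publisher)
        for agent in self.agents:              # solicit all connected agents
            agent.apply_limit(publisher, self.reduced_rate)

# --- Agent: monitor, account, decide, and enforce the solicited limit --------
class Agent:
    def __init__(self, name: str, threshold: int):
        self.name = name
        self.threshold = threshold             # GETs per content before a DDoS verdict
        self.controller = None
        self.counts = Counter()                # accounting flow: content name -> GETs seen
        self.limits = {}                       # publisher -> permitted GETs while under attack
        self.sent = Counter()                  # publisher -> GETs forwarded under a limit

    def apply_limit(self, publisher: str, limit: int):
        self.limits[publisher] = limit
        self.sent[publisher] = 0

    def receive(self, payload: bytes) -> str:
        content = parse_http_get(payload)      # step 2: monitoring
        if content is None:
            return "bypass"
        publisher = urlsplit(content).hostname
        self.counts[content] += 1              # step 3: accounting
        if self.counts[content] > self.threshold and self.controller is not None:
            self.controller.report(publisher)  # step 4: decision -> controller
        limit = self.limits.get(publisher)
        if limit is not None:                  # rate limit solicited by the controller
            if self.sent[publisher] >= limit:
                return "dropped"
            self.sent[publisher] += 1
        return "forwarded"

def get(host: str, path: str) -> bytes:
    """Constructed HTTP GET payload for the scenario."""
    return b"GET " + path.encode() + b" HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n"

def run_scenario():
    """Attack-side agent A sees 6 GETs for one content; agent B serves a regular host."""
    ctrl = Controller(reduced_rate=2)
    agent_a, agent_b = Agent("A", threshold=3), Agent("B", threshold=3)
    ctrl.connect(agent_a)
    ctrl.connect(agent_b)
    results = {"A": Counter(), "B": Counter()}
    for _ in range(6):
        results["A"][agent_a.receive(get("publisher.example", "/big.avi"))] += 1
    results["B"][agent_b.receive(get("publisher.example", "/index.html"))] += 1
    results["B"][agent_b.receive(b"\x16\x03\x01\x00\x05hello")] += 1   # non-HTTP: bypassed
    return {k: dict(v) for k, v in results.items()}, sorted(ctrl.under_attack)

if __name__ == "__main__":
    print(run_scenario())
```

Two points worth noticing when running it: the fourth GET through agent A trips the threshold, so the controller puts the same per-publisher limit on agent B as well, and the regular host behind B is throttled along with the attackers because the limit is keyed on the publisher, not on the requesting client. Also, the counters here never reset; a deployable agent would account per time window, as the slides' "rate" wording implies.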

Scenario Example

[Figure: Scenario Example. Legend: HTTP GET, TCP flow, Control flow. Nodes: controller, Attacker, Regular host, Agent, Content Server, Attacker.]

15

Summary

• Grassroots approach

• Content-oriented Networking Platform

– Content-Aware Agent (CAA)

16
