Mitigate DDoS Attacks in NDN by Interest Traceback
Huichen Dai, Yi Wang, Jindou Fan, Bin Liu
Tsinghua University, China

Outline
• Background of Named Data Networking (NDN)
• Pending Interest Table (PIT)
• DDoS in IP & NDN
• Concrete Scenarios of DDoS Attack
• Countermeasures to NDN DDoS Attack
• Evaluation
• Related Work
• Conclusion

Background of NDN
• Newly proposed clean-slate network architecture;
• Embraces the Internet's function transition from host-to-host communication to content dissemination;
• Routes and forwards packets by content names;
• Request-driven (pull) communication model:
  – Request: Interest packet
  – Response: Data packet

Pending Interest Table (PIT)
• A table specific to NDN, with no equivalent in IP;
• Keeps track of Interest packets that have been received but not yet responded to;
• An NDN router inserts every forwarded Interest packet into the PIT and removes the matching entry when the Data packet arrives;
• Gives NDN several significant features:
  – communication without knowledge of host locations;
  – loop and packet loss detection;
  – multipath routing support; etc.
• Foreshadowing: the PIT is the victim of the DDoS attacks described later.
DDoS in IP
• Multiple compromised systems send numerous packets targeting a single system;
• Spoofed source IP addresses;
• Consume the resources of a remote host or network;
• Easy to launch, hard to prevent, and difficult to trace back.

DDoS in NDN (1/2)
• Is a DDoS attack possible in NDN? YES.
• How to launch it?
  – Compromised systems;
  – Numerous Interest packets with spoofed names;
  – Abuse of the forwarding rules.

DDoS in NDN (2/2)
• Results:
  – Interest packets solicit nonexistent content;
  – Therefore they cannot be satisfied;
  – They stay in the PIT forever, or until they expire;
  – They exhaust the router's computing and memory resources, as DDoS in IP does.
• Two categories of NDN DDoS attack:
  – Single-target DDoS Attacks
  – Interest Flooding Attack

Single-target DDoS Attacks (1/4)
• Resembles IP DDoS; can be viewed as a replay of IP DDoS in NDN;
• Exploits the Longest Prefix Match rule used to look up Interest names in the FIB;
• Spoofed name composition: existing prefix + forged suffix;
• The spoofed name is encapsulated in Interest packets;
• The Interest packets are forwarded to the content provider corresponding to the name prefix;
• No corresponding content is returned.

Single-target DDoS Attacks (2/4)
[Figure: Interest packet with spoofed name = Existing Prefix + Forged Suffix.]

Single-target DDoS Attacks (3/4)
[Figure: the attacking process; spoofed Interest packets converge on the victims, and no content is returned.]

Single-target DDoS Attacks (4/4)
• Victims: Content Provider (CP), Routers.
• Content Provider:
  – DDoS may "lock" its memory and computing resources;
  – Can block the attacks by using Bloom filters.
• Routers:
  – The unsatisfiable Interest packets stay in the PIT;
  – The PIT grows huge and CPU utilization rises;
  – Memory and computing resources on routers are "locked" and may even be exhausted.
• Both end hosts and routers bear extra load, but the routers suffer much more!

Interest Flooding Attack (1/2)
• Distributed compromised systems flood Interest packets whose names are entirely forged;
• The Interest packets cannot match any FIB entry in routers, so they are either broadcast or discarded;
• Assume the unmatched packets are broadcast (a special bit indicates this);
• The forged Interest packets are:
  – duplicated and propagated throughout the network;
  – delivered to the hosts at the edge of the network.
• No corresponding content is returned.

Interest Flooding Attack (2/2)
[Figure: the attacking process; spoofed Interest packets are replicated at each broadcast point.]

Countermeasures to NDN DDoS
• First look at countermeasures against IP DDoS:
  – Resource management: helpful for hosts in NDN, where a simple filter can already block the attacks;
  – IP filtering: not applicable, because Interest packets carry no information about their source;
  – Packet traceback: difficult in IP, easy in NDN.
• NDN Interest traceback:
  – The PIT keeps track of unresponded Interest packets, leaving a "bread crumb" trail;
  – Use the "bread crumbs" to trace back to the attackers.
NDN Interest Traceback (1/4)
• Step 1: Trigger the Interest traceback process when the PIT size increases at an alarming rate or exceeds a threshold;
• Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT;
• Step 3: The spoofed Data packets are forwarded back to the originator by looking up the PIT in each intermediate router;
• Step 4: Dampen the originator (e.g., rate limiting).

NDN Interest Traceback (2/4)
• Spoofed Data packets carry the same forged names as the Interest packets;
• They match the unresponded Interest packets in the PIT, i.e., they trace back along the "bread crumbs".
[Figure: spoofed Data packet named Existing Prefix + Forged Suffix.]

NDN Interest Traceback (3/4)
[Figure: traceback against Single-target DDoS Attacks; spoofed Data packets travel back to the attackers.]

NDN Interest Traceback (4/4)
[Figure: traceback against the Interest Flooding Attack; spoofed Data packets travel back to the attackers.]

Evaluation (1/7)
• Two parts:
  – Harmful consequences of the DDoS attacks;
  – Effects of the countermeasure.
• Platform: Xeon E5500 CPU, 2.27 GHz, 15.9 GB RAM.
• Topology: a randomly chosen sub-topology of EBONE, the Rocketfuel topology for AS1755, consisting of 172 routers and 763 edges.

Evaluation (2/7)
• Single-target DDoS Attacks:
  – 100 attackers;
  – Interest packet sending rate: 1,000 per second;
  – Spoofed names = existing prefix + forged suffix, around 1,000 bytes.
• Evaluation goals (on edge routers):
  – Number of PIT entries;
  – Memory consumption of the PIT;
  – CPU cycles consumed on the edge router due to the DDoS attack.

Evaluation (3/7)
[Figure: increased number of PIT entries due to DDoS attacks.]
[Figure: increased memory consumption of the PIT due to DDoS attacks.]

Evaluation (4/7)
[Figure: router's CPU cycles consumed per second under DDoS attacks.]
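The four traceback steps and the PIT behaviour under the two attack scenarios, as an added example that is not part of the original slides or the authors' simulator. The topology (one edge router, one core router, one provider), the content names, the PIT alarm threshold of 50 entries, the `spoofed` flag on Data packets and modelling "dampening" as dropping the originator's Interests are all assumptions of this illustration; the real evaluation used the 172-router EBONE topology.

```python
"""Toy NDN forwarding plane: PIT growth under forged-name Interests, then the
four-step Interest traceback with spoofed Data. Added example, not the authors'
code; topology, names, threshold and the 'spoofed' flag are assumptions."""
from dataclasses import dataclass

@dataclass
class Data:
    name: str
    spoofed: bool = False  # set by the router running traceback (assumption)

class Host:
    """End host (consumer, content provider or attacker) attached to one edge router."""
    def __init__(self, hid, catalogue=()):
        self.hid, self.catalogue = hid, set(catalogue)  # names this host can serve
        self.received, self.link = [], None             # Data seen; attached router

    def send_interest(self, name):
        self.link.on_interest(name, self)

    def on_interest(self, name, _in_face):
        if name in self.catalogue:          # a provider answers only real content
            self.link.on_data(Data(name), self)

    def on_data(self, pkt, _in_face):
        self.received.append(pkt)

class Router:
    def __init__(self, pit_threshold=float('inf')):
        self.fib = {}              # name prefix -> next hop (Router or Host)
        self.pit = {}              # full name -> set of incoming faces ("bread crumbs")
        self.pit_threshold, self.peak_pit, self.traceback_runs = pit_threshold, 0, 0
        self.no_route = 0          # Interests matching no FIB entry (discarded here)
        self.dampened = set()      # faces rate-limited after traceback (modelled as drop)

    def lpm(self, name):
        """Longest Prefix Match: '/cp/video/x' tries '/cp/video/x', '/cp/video', '/cp',
        so an existing prefix plus a forged suffix still reaches the provider."""
        comps = name.split('/')
        for i in range(len(comps), 1, -1):
            hit = self.fib.get('/'.join(comps[:i]))
            if hit is not None:
                return hit
        return None

    def on_interest(self, name, in_face):
        if in_face in self.dampened:
            return                              # step 4 in effect: originator rate-limited
        if name in self.pit:
            self.pit[name].add(in_face)         # same name already pending: aggregate
            return
        nh = self.lpm(name)
        if nh is None:
            self.no_route += 1                  # fully forged name: no FIB match, dropped
            return
        self.pit[name] = {in_face}
        self.peak_pit = max(self.peak_pit, len(self.pit))
        nh.on_interest(name, self)              # a genuine Data reply removes the entry
        if len(self.pit) > self.pit_threshold:
            self.traceback()                    # step 1: PIT size past the alarm threshold

    def on_data(self, pkt, _in_face):
        faces = self.pit.pop(pkt.name, None)
        if faces is None:
            return                              # unsolicited Data: discard
        for f in faces:                         # step 3: follow the PIT back to the source
            if pkt.spoofed and isinstance(f, Host):
                self.dampened.add(f)            # step 4: edge router dampens the originator
            f.on_data(pkt, self)

    def traceback(self):
        """Step 2: answer each pending Interest with a spoofed Data of the same forged name.
        Simplification: the paper targets long-unsatisfied entries; this toy has no clock."""
        self.traceback_runs += 1
        for name in list(self.pit):
            self.on_data(Data(name, spoofed=True), self)

def run_scenario():
    """Constructed topology: consumer + 5 bots -> edge R1 -> core R2 -> provider CP."""
    cp = Host('cp', catalogue={'/cp/video/1', '/cp/video/2'})
    r1, r2 = Router(), Router(pit_threshold=50)
    r1.fib['/cp'], r2.fib['/cp'], cp.link = r2, cp, r2
    alice, bots = Host('alice'), [Host(f'bot{i}') for i in range(5)]
    for h in [alice] + bots:
        h.link = r1
    alice.send_interest('/cp/video/1')       # legitimate: satisfied, PIT entry removed
    bots[0].send_interest('/nowhere/abc')     # flooding-style fully forged name: no FIB match
    for i in range(20):                      # single-target style: existing prefix + forged suffix
        for b in bots:
            b.send_interest(f'/cp/video/forged-{b.hid}-{i}')
    alice.send_interest('/cp/video/2')       # legitimate traffic still flows after traceback
    return {
        'peak_pit_r2': r2.peak_pit,                  # 51: one past the threshold
        'pit_after': (len(r1.pit), len(r2.pit)),     # traceback drained both PITs
        'no_route_r1': r1.no_route,
        'traceback_runs': r2.traceback_runs,
        'dampened_at_edge': sorted(h.hid for h in r1.dampened),
        'spoofed_data_to_bots': sum(len(b.received) for b in bots),
        'alice_data': [(d.name, d.spoofed) for d in alice.received],
    }

if __name__ == '__main__':
    for k, v in run_scenario().items():
        print(f'{k}: {v}')
```

Running it shows the two effects the slides separate: the fully forged name is discarded at the edge router because nothing in the FIB matches it, while the 100 "existing prefix + forged suffix" Interests sail through LPM and pile up in both PITs until the core router's alarm fires after the 51st. The spoofed Data then drain every entry on the way back, and the edge router dampens all five bot faces, so the remaining 49 Interests never enter a PIT; the legitimate consumer is untouched. The caveat a deployment must handle: this toy traces back every pending entry, so a legitimate Interest still waiting when the alarm fires would also be answered with spoofed Data and its face dampened. The age check of step 2 (long-unsatisfied entries only) is what keeps slow but genuine consumers out of the dampened set.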
Evaluation (5/7)
• Interest Flooding Attack: similar results to Single-target DDoS on each router.
• Effect of Interest traceback, goals:
  – Number of identified attackers;
  – Extra number of PIT entries due to DDoS attacks after Interest traceback begins;
  – Decline in CPU cycles consumed per second after Interest traceback begins.

Evaluation (6/7)
[Figure: number of identified attackers over time.]

Evaluation (7/7)
[Figure: increased number of PIT entries after attacker detection vs. simulated time (s), for timeout = 1 s, 2 s, 4 s; the number of PIT entries decreases as more and more attackers are detected once traceback begins.]
[Figure: CPU cycles vs. simulated time (s), for timeout = 1 s, 2 s, 4 s; consumed CPU cycles decrease as more and more attackers are detected once traceback begins.]

Related Work (1/2)
• [1] T. Lauinger, "Security & Scalability of Content-Centric Networking", Master's Thesis, Technische Universität Darmstadt, 2010.
  – Comes up with the idea that DoS can use the PIT to fill up the available memory in a router;
  – Some preliminary ideas for countermeasures.
• [2] Y. Chung, "Distributed Denial of Service is a Scalability Problem", ACM SIGCOMM CCR, 2012.
  – Identifies that broadcasting Interest packets can overfill the PIT in a router;
  – No countermeasure proposed.

Related Work (2/2)
• [3] M. Wählisch, T. C. Schmidt, and M. Vahlenkamp, "Backscatter from the Data Plane: Threats to Stability and Security in Information-Centric Networking", Technical Report, 2012.
  – Massive requests for locally unavailable content;
  – No countermeasure proposed.
• [4] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, "DoS & DDoS in Named-Data Networking", Technical Report, 2012.
  – Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper), as we are;
  – A tentative countermeasure, a push-back mechanism, different from our traceback method;
  – No assessment or evaluation.

Conclusion
• Present a specific and concrete scenario of DDoS attacks in NDN;
• Demonstrate the possibility of NDN DDoS attacks;
• Identify the Pending Interest Table as the largest victim of NDN DDoS;
• Propose a countermeasure called Interest traceback against NDN DDoS;
• Verify the effectiveness of Interest traceback.

THANK YOU! QUESTIONS PLEASE