Mitigate DDoS Attacks in NDN by Interest Traceback

Post on 24-Feb-2016


Mitigate DDoS Attacks in NDN by Interest Traceback

Huichen Dai, Yi Wang, Jindou Fan, Bin Liu
Tsinghua University, China

Outline

• Background of Named Data Networking (NDN)
• Pending Interest Table (PIT)
• DDoS in IP & NDN
• Concrete Scenarios of DDoS attack
• Counter Measures to NDN DDoS attack
• Evaluation
• Related Work
• Conclusion


Background of NDN

• Newly proposed clean-slate network architecture;

• Embraces Internet’s function transition from host-to-host communication to content dissemination;

• Routes and forwards packets by content names;
• Request-driven communication model (pull):
– Request: Interest packet
– Response: Data packet


Pending Interest Table (PIT)

• A special table in NDN with no equivalent in IP;
• Keeps track of the Interest packets that have been received but not yet responded to;
• An NDN router inserts every Interest packet into the PIT and removes the matching entry when the corresponding Data packet arrives;
• Brings NDN significant features:
– communication without knowledge of host locations;
– loop and packet loss detection;
– multipath routing support; etc.

[foreshadowing] PIT – victim of DDoS attack.


DDoS in IP

• Multiple compromised systems send out numerous packets targeting a single system;

• Spoofed source IP addresses;
• Consume the resources of a remote host or network;
• Easy to launch, hard to prevent, and difficult to trace back.


DDoS in NDN (1/2)

• Is a DDoS attack possible in NDN?
– YES
• How to launch?
– Compromised systems,
– Numerous Interest packets with spoofed names,
– Make evil use of the forwarding rule.


DDoS in NDN (2/2)

• Results:
– Interest packets solicit non-existent content;
– Therefore, they cannot be satisfied;
– Stay in the PIT forever or until they expire;
– Exhaust the router's computing and memory resources – like DDoS in IP does;
– Two categories of NDN DDoS attack:
• Single-target DDoS Attacks
• Interest Flooding Attack


Single-target DDoS Attacks (1/4)

• Resembles IP DDoS – can be viewed as a replay of IP DDoS in NDN;
• Makes use of the Longest Prefix Match rule applied when looking up Interest names in the FIB;
• Spoofed name composition: existing prefix + forged suffix;
• Encapsulate the spoofed name in Interest packets;
• Interest packets are forwarded to the destination content provider corresponding to the name prefix;
• No corresponding content is returned.

12/36

Single-target DDoS Attacks (2/4)

• Interest packet with spoofed name.

[Figure: structure of the spoofed Interest name – Existing Prefix | Forged Suffix]


Single-target DDoS Attacks (3/4)

• The attacking process.

[Figure: spoofed Interest packets travel toward the victims; no content is returned]


Single-target DDoS Attacks (4/4)

• Victims: Content Provider (CP), Routers.
• Content Provider:
– DDoS may "lock" its memory and computing resources;
– Can block attacks by using Bloom filters.
• Routers:
– The unsatisfiable Interest packets stay in the PIT;
– A PIT with huge size and high CPU utilization;
– "lock" and even exhaust memory and computing resources on routers.
• Incurs extra load on both end hosts and routers, but the routers suffer much more!


Interest Flooding Attack (1/2)

• Flooding Interest packets with full forged names by distributed compromised systems;

• Interest packets cannot match any FIB entry in routers – broadcast or discarded;

• Assume that the un-matched packets will be broadcast (special bit to indicate);

• Forged Interest packets:
– duplicated and propagated throughout the network;
– reach the hosts at the edge of the network.

• No corresponding content returned.


Interest Flooding Attack (2/2)

• The attacking process.

[Figure: spoofed Interest packets are duplicated at each broadcast point and spread throughout the network]


Counter Measures to NDN DDoS

• First look at counter measures against IP DDoS:
– Resource management: helpful for hosts in NDN, but a simple filter can help to block the attacks;
– IP filtering: not applicable, Interest packets carry no information about the source;
– Packet traceback: difficult in IP, easy in NDN.
• NDN Interest traceback:
– The PIT keeps track of unresponded Interest packets – a "bread crumb";
– Use the "bread crumb" to trace back to the attackers.


NDN Interest traceback (1/4)

• Step 1: Trigger the Interest traceback process when the PIT size increases at an alarming rate or exceeds a threshold;
• Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT;
• Step 3: The spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers;
• Step 4: Dampen the originator (e.g. rate limiting).


NDN Interest traceback (2/4)

• Spoofed Data packets are filled with the same forged names as in the Interest packets;
• Match the un-responded Interest packet in the PIT, i.e. trace back along the "bread crumb".

[Figure: spoofed Data packet name – Existing Prefix | Forged Suffix]


NDN Interest traceback (3/4)

• Against Single-target DDoS Attacks

[Figure: spoofed Data packet traced back along the PIT entries]

NDN Interest traceback (4/4)

• Against Interest Flooding Attack

[Figure: spoofed Data packet traced back through the broadcast points]
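To make Steps 1 to 4 of the traceback concrete, here is an added example in Python (not the authors' code or implementation): a toy chain of three routers, each with a PIT keyed by name, where the router nearest the content provider triggers traceback once its PIT exceeds a threshold, answers long-unsatisfied entries with spoofed Data carrying the same forged names, and each hop follows its own PIT entry back until the edge router dampens the originating face. The topology, names, thresholds and the `Router` class are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    threshold: int        # PIT size that triggers traceback (Step 1)
    stale_after: float    # age (s) after which a pending Interest is "long-unsatisfied"
    links: dict = field(default_factory=dict)   # face -> neighbour Router, None = end host
    pit: dict = field(default_factory=dict)     # name -> (incoming face, arrival time)
    dampened: set = field(default_factory=set)  # faces identified as originators (Step 4)
    def on_interest(self, name, face, now):
        if face in self.dampened:               # rate-limited originator: drop
            return False
        self.pit.setdefault(name, (face, now))  # every Interest leaves a "bread crumb"
        return True
    def on_data(self, name, spoofed=False):
        # Data consumes its PIT entry and follows the bread crumb toward the requester.
        if name not in self.pit:
            return False                        # unsolicited Data is dropped
        face, _ = self.pit.pop(name)
        if self.links.get(face) is not None:
            self.links[face].on_data(name, spoofed)  # Step 3: next hop looks up its own PIT
        elif spoofed:
            self.dampened.add(face)             # Step 4: edge router dampens the originator
        return True
    def maybe_traceback(self, now):
        # Steps 1-2: oversized PIT -> answer long-unsatisfied entries with spoofed Data.
        if len(self.pit) <= self.threshold:
            return 0
        stale = [n for n, (_, t) in self.pit.items() if now - t >= self.stale_after]
        for n in stale:
            self.on_data(n, spoofed=True)       # same forged name as the Interest carried
        return len(stale)

def simulate(n_forged=30, n_legit=3):
    # Constructed topology: host:A (attacker), host:B (user) -> r1 -> r2 -> r3 (near the CP).
    r1 = Router(10, 2.0, links={"host:A": None, "host:B": None})
    r2 = Router(10, 2.0, links={"from_r1": r1})
    r3 = Router(10, 2.0, links={"from_r2": r2})
    def send(name, src, now):                   # Interest travels up the chain
        if r1.on_interest(name, src, now):
            r2.on_interest(name, "from_r1", now)
            r3.on_interest(name, "from_r2", now)
    for i in range(n_forged):                   # existing prefix + forged suffix
        send(f"/cp.example/video/{i:04x}.forged", "host:A", 0.0)
    for i in range(n_legit):
        send(f"/cp.example/video/chunk{i}", "host:B", 0.0)
        r3.on_data(f"/cp.example/video/chunk{i}")  # genuine Data satisfies it at once
    before = (len(r1.pit), len(r2.pit), len(r3.pit))
    spoofed = r3.maybe_traceback(now=3.0)       # r3's PIT (30) exceeds its threshold (10)
    return before, spoofed, (r1, r2, r3)
```

Only spoofed Data that reaches an end-host face marks that face, so genuine Data never dampens anyone; a legitimate Interest still pending longer than `stale_after` would also be answered with spoofed Data, which is the trade-off in choosing that threshold.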


Evaluation (1/7)

• Two parts:
– Harmful consequences of the DDoS attacks;
– Effects of the counter measure.
• Platform
– Xeon E5500 CPU, 2.27 GHz, 15.9 GB RAM.
• Topology
– Sub-topology from EBONE – the Rocketfuel topology for EBONE (AS1755), consisting of 172 routers and 763 edges. (Randomly chosen.)


Evaluation (2/7)

• Single-target DDoS Attacks
– 100 attackers;
– Interest packet sending rate: 1,000 per second;
– Spoofed names = existing prefix + forged suffixes, around 1,000 bytes.
• Evaluation Goals (on edge routers)
– Number of PIT entries;
– Memory consumption of the PIT;
– CPU cycles on the edge router due to the DDoS attack.


Evaluation (3/7)

Figure: Increased # of PIT entries due to DDoS attacks.

Figure: Increased memory consumption of PIT due to DDoS attacks.

Evaluation (4/7)

Figure: Router's CPU cycles consumed per second under DDoS attacks.

Evaluation (5/7)

• Interest Flooding Attack
– Similar results to Single-target DDoS on each router.
• Effect of Interest Traceback, goals:
– Number of identified attackers;
– Extra # of PIT entries due to DDoS attacks after Interest traceback begins;
– CPU cycles consumed per second decline after Interest traceback begins.


Evaluation (6/7)

Figure: number of identified attackers over time.

Evaluation (7/7)

Figure: number of PIT entries decreases as more and more attackers are detected. [Plot: x-axis "simulated time (s)" from 0 to 28; y-axis "increased # of PIT entries after attacker detection" from 0 to 5x10^5; curves for timeout = 1s, 2s, 4s; marker "Traceback begins".]

Figure: consumed CPU cycles decrease as more and more attackers are detected. [Plot: x-axis "simulated time (s)" from 0 to 28; y-axis "CPU Cycles" from 0 to 7x10^9; curves for timeout = 1s, 2s, 4s; marker "Traceback begins".]


Related Work (1/2)

• [1] T. Lauinger, Security & scalability of content-centric networking, Master's Thesis, Technische Universität Darmstadt, 2010.
– Came up with the idea that DoS can use the PIT to fill up available memory in a router;
– Some preliminary ideas of counter measures.
• [2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR, 2012.
– Identifies that broadcasting Interest packets can overfill the PIT in a router;
– No counter measure proposed.


Related Work (2/2)

• [3] [Technical Report] M. Wählisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking, 2012.
– Massive requests for locally unavailable content;
– No counter measure proposed.
• [4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, DoS & DDoS in Named-Data Networking, 2012.
– Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper) as we are;
– A tentative countermeasure – Push-back Mechanism, different from our Traceback method;
– No assessment or evaluation.


Conclusion

• Present a specific and concrete scenario of DDoS attacks in NDN;
• Demonstrate the possibility of NDN DDoS attacks;
• Identify the Pending Interest Table as the largest victim of NDN DDoS;
• Propose a counter measure called Interest traceback against NDN DDoS;
• Verify the effectiveness of Interest traceback.


THANK YOU!

QUESTIONS PLEASE
