Transcript of presentation slides
Mitigate DDoS Attacks in NDN by Interest Traceback
Huichen Dai, Yi Wang, Jindou Fan, Bin Liu, Tsinghua University, China
Outline
• Background of Named Data Networking (NDN)
• Pending Interest Table (PIT)
• DDoS in IP & NDN
• Concrete Scenarios of DDoS attack
• Counter Measures to NDN DDoS attack
• Evaluation
• Related Work
• Conclusion
Background of NDN
• Newly proposed clean-slate network architecture;
• Embraces the Internet’s function transition from host-to-host communication to content dissemination;
• Routes and forwards packets by content names;
• Request-driven (pull) communication model:
  – Request: Interest packet
  – Response: Data packet
Pending Interest Table (PIT)
• A special table in NDN with no equivalent in IP;
• Keeps track of the Interest packets that have been received but not yet responded to;
• Its functions include:
  – communication without knowledge of host locations;
  – loop and packet loss detection;
  – multipath routing support; etc.
• [foreshadowing] PIT – the victim of DDoS attack.
DDoS in IP
• Multiple compromised systems send out numerous packets targeting a single system;
• Spoofed source IP addresses;
• Consume the resources of a remote host or network;
• Easy to launch, hard to prevent, and difficult to trace back.
DDoS in NDN (1/2)
• Is a DDoS attack possible in NDN?
  – YES
• How to launch?
  – Compromised systems,
  – Numerous Interest packets with spoofed names,
  – Make evil use of the forwarding rule.
DDoS in NDN (2/2)
• Results:
  – Interest packets solicit nonexistent content;
  – Therefore, they cannot be satisfied;
  – They stay in the PIT forever or until they expire;
  – Exhaust the router’s computing and memory resources – like DDoS in IP does;
  – Two categories of NDN DDoS attack:
    • Single-target DDoS Attacks
    • Interest Flooding Attack
Single-target DDoS Attacks (1/4)
• Resembles IP DDoS – can be viewed as a replay of IP DDoS in NDN;
• Makes use of the Longest Prefix Match rule while looking up Interest names in the FIB;
• Spoofed name composition: existing prefix + forged suffix;
• Encapsulate spoofed names in Interest packets;
• Interest packets are forwarded to the destination content provider corresponding to the name prefix;
• No corresponding content returned.
Single-target DDoS Attacks (2/4)
• Interest packet with spoofed name.
Figure: name layout of a spoofed Interest packet – Existing Prefix | Forged Suffix.
Single-target DDoS Attacks (3/4)
• The attacking process.
Figure: spoofed Interest packets are forwarded towards the victims; no content is returned.
Single-target DDoS Attacks (4/4)
• Victims: Content Provider (CP), Routers.
• Content Provider:
  – DDoS may “lock” its memory and computing resources;
  – Can block attacks by using Bloom filters.
• Routers:
  – The unsatisfiable Interest packets stay in the PIT;
  – A PIT of huge size and high CPU utilization;
  – “lock” and even exhaust memory and computing resources on routers.
• Incurs extra load on both end hosts and routers, but the routers suffer much more!
Interest Flooding Attack (1/2)
• Flooding Interest packets with fully forged names from distributed compromised systems;
• Interest packets cannot match any FIB entry in routers – broadcast or discarded;
• Assume that the unmatched packets will be broadcast (a special bit indicates this);
• Forged Interest packets:
  – duplicated and propagated throughout the network;
  – reach the hosts at the edge of the network.
• No corresponding content returned.
Interest Flooding Attack (2/2)
• The attacking process.
Figure: spoofed Interest packets are duplicated at each broadcast point and propagated throughout the network.
Counter Measures to NDN DDoS
• First look at counter measures against IP DDoS:
  – Resource management: helpful for hosts in NDN, but a simple filter can help to block the attacks;
  – IP filtering: not applicable, Interest packets carry no information about the source;
  – Packet traceback: difficult in IP, easy in NDN.
• NDN Interest traceback:
  – The PIT keeps track of unresponded Interest packets – a “bread crumb”;
  – Use the “bread crumb” to trace back to the attackers.
NDN Interest traceback (1/4)
• Step 1: Trigger the Interest traceback process when the PIT size increases at an alarming rate or exceeds a threshold;
• Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT;
• Step 3: Spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers;
• Step 4: Dampen the originator (e.g. rate limiting).
NDN Interest traceback (2/4)
• Spoofed Data packets are filled with the same forged names as in the Interest packets;
• Match the unresponded Interest packet in the PIT, i.e. trace back along the “bread crumb”.
Figure: name layout of a spoofed Data packet – Existing Prefix | Forged Suffix.
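The Longest Prefix Match lookup that a spoofed name (existing prefix + forged suffix) passes, and the four traceback steps above, as an added example that is not code from the paper or its authors: a constructed two-router Python model in which stale PIT entries are answered with spoofed Data that follows the PIT bread crumb back to the originating face, which is then dampened. Router names, face ids, the threshold of 3 PIT entries and the 2 s timeout are all assumptions.

```python
class Router:
    """Constructed toy NDN router: FIB with Longest Prefix Match, PIT, faces."""
    def __init__(self, name, fib, timeout=2.0, pit_threshold=3):
        self.name, self.fib = name, fib                  # fib: {name prefix: outgoing face}
        self.timeout, self.pit_threshold = timeout, pit_threshold
        self.pit = {}          # Interest name -> (incoming face, arrival time): the "bread crumb"
        self.faces = {}        # face id -> neighbour Router, or None for an attached end host
        self.dampened = set()  # host faces dampened (here: blocked) by traceback

    def lpm(self, name):  # Longest Prefix Match: existing prefix + forged suffix still matches
        cands = [p for p in self.fib if name == p or name.startswith(p + "/")]
        return self.fib[max(cands, key=len)] if cands else None

    def on_interest(self, name, in_face, now):
        if in_face in self.dampened:              # Step 4 in effect: drop Interests from a dampened face
            return False
        self.pit[name] = (in_face, now)           # leave the bread crumb
        out = self.lpm(name)
        if out is not None and self.faces.get(out) is not None:
            self.faces[out].on_interest(name, self.name, now)
        return True                               # Interest is pending; a host face (None) gets no copy

    def on_data(self, name, spoofed=False):  # consume the PIT entry, forward along the bread crumb
        entry = self.pit.pop(name, None)
        if entry is None:
            return None                           # unsolicited Data: no PIT entry, drop
        in_face, nxt = entry[0], self.faces.get(entry[0])
        if nxt is not None:
            return nxt.on_data(name, spoofed)     # Step 3: previous-hop router continues the trace
        if spoofed:
            self.dampened.add(in_face)            # Step 4: originator found on a host face
        return in_face

    def traceback(self, now):  # Steps 1-3: PIT over threshold -> spoofed Data for stale entries
        if len(self.pit) <= self.pit_threshold:
            return []
        stale = [n for n, (_, t) in self.pit.items() if now - t >= self.timeout]
        return [src for src in (self.on_data(n, spoofed=True) for n in stale) if src]

def run_scenario():  # constructed topology: attacker and consumer on edge E, provider behind core C
    E, C = Router("E", {"/cp": "C"}), Router("C", {"/cp": "provider"})
    E.faces, C.faces = {"attacker": None, "consumer": None, "C": C}, {"E": E, "provider": None}
    for i in range(4):                            # spoofed names: existing prefix + forged suffix
        E.on_interest(f"/cp/forged-{i}", "attacker", now=0.0)
    E.on_interest("/cp/video/1", "consumer", now=0.0)
    C.on_data("/cp/video/1")                      # the provider answers only the real name
    identified = sorted(set(C.traceback(now=3.0) + E.traceback(now=3.0)))
    return {"identified": identified, "pit_sizes": (len(E.pit), len(C.pit)),
            "attacker_blocked": not E.on_interest("/cp/forged-9", "attacker", now=3.5),
            "consumer_ok": E.on_interest("/cp/video/2", "consumer", now=3.5)}
```

Legitimate Data is never spoofed, so the consumer face is not dampened even though its Data follows the same PIT path.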
NDN Interest traceback (3/4)
• Against Single-target DDoS Attacks.
Figure: spoofed Data packets traced back along the PIT entries to the attackers.
NDN Interest traceback (4/4)
• Against Interest Flooding Attack.
Figure: spoofed Data packets traced back along the PIT entries to the attackers.
Evaluation (1/7)
• Two parts:
  – Harmful consequences of the DDoS attacks;
  – Effects of the counter measure.
• Platform – Xeon E5500 CPU, 2.27 GHz, 15.9 GB RAM.
• Topology – a randomly chosen sub-topology from EBONE – the Rocketfuel topology for EBONE (AS1755), consisting of 172 routers and 763 edges.
Evaluation (2/7)
• Single-target DDoS Attacks
  – 100 attackers;
  – Interest packet sending rate: 1,000 per second;
  – Spoofed names = existing prefix + forged suffixes, around 1,000 bytes.
• Evaluation goals (on edge routers)
  – Number of PIT entries;
  – Memory consumption of the PIT;
  – CPU cycles on the edge router due to DDoS attack.
Evaluation (3/7)
Figure: Increased # of PIT entries due to DDoS attacks.
Figure: Increased memory consumption of PIT due to DDoS attacks.
Evaluation (4/7)
Figure: Router’s CPU cycles consumed per second under DDoS attacks.
Evaluation (5/7)
• Interest Flooding Attack
  – Similar results as Single-target DDoS on each router.
• Effect of Interest Traceback, goals:
  – Number of identified attackers;
  – Extra # of PIT entries due to DDoS attacks after Interest traceback begins;
  – CPU cycles consumed per second decline after Interest traceback begins.
Evaluation (6/7)
Figure: number of identified attackers over time
Evaluation (7/7)
Figure: number of PIT entries (0 to 5x10^5) vs. simulated time (0 to 28 s), curves for timeout = 1 s, 2 s, 4 s; the number of PIT entries decreases as more and more attackers are detected after traceback begins.
Figure: CPU cycles consumed per second (0 to 7x10^9) vs. simulated time (0 to 28 s), curves for timeout = 1 s, 2 s, 4 s; consumed CPU cycles decrease as more and more attackers are detected after traceback begins.
Related Work (1/2)
• [1] T. Lauinger, Security & scalability of content centric networking, Master’s Thesis, Technische Universität Darmstadt, 2010.
  – Came up with the idea that DoS can use the PIT to fill up the available memory in a router;
  – Some preliminary ideas of counter measures.
• [2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR, 2012.
  – Identifies that broadcasting Interest packets can overfill the PIT in a router;
  – No counter measure proposed.
Related Work (2/2)
• [3] [Technical Report] M. Wahlisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking, 2012.
  – Massive requests for locally unavailable content;
  – No counter measure proposed.
• [4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, DoS & DDoS in named-data networking, 2012.
  – Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper), as we are;
  – A tentative countermeasure – a push-back mechanism, different from our Traceback method;
  – No assessment or evaluation.
Conclusion
• Present a specific and concrete scenario of DDoS attacks in NDN;
• Demonstrate the possibility of NDN DDoS attacks;
• Identify the Pending Interest Table as the largest victim of NDN DDoS;
• Propose a counter measure called Interest traceback against NDN DDoS;
• Verify the effectiveness of Interest traceback.
THANK YOU!
QUESTIONS PLEASE