Transcript ppt slides

Mitigate DDoS Attacks in NDN by Interest Traceback

Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China

1

Outline

• Background of Named Data Networking (NDN)
• Pending Interest Table (PIT)
• DDoS in IP & NDN
• Concrete Scenarios of DDoS attack
• Counter Measures to NDN DDoS attack
• Evaluation
• Related Work
• Conclusion

2/36

Background of NDN

• Newly proposed clean-slate network architecture;
• Embraces the Internet's functional transition from host-to-host communication to content dissemination;
• Routes and forwards packets by content names;
• Request-driven (pull) communication model:
  – Request: Interest packet
  – Response: Data packet

4/36

Pending Interest Table (PIT)

• A special table in NDN with no equivalent in IP;
• Keeps track of the Interest packets that have been received but not yet responded to;
• Enables:
  – communication without knowledge of host locations;
  – loop and packet loss detection;
  – multipath routing support; etc.

[foreshadowing] PIT – victim of DDoS attack.

6/36

DDoS in IP

• Multiple compromised systems send out numerous packets targeting a single system;
• Spoofed source IP addresses;
• Consume the resources of a remote host or network;
• Easy to launch, hard to prevent, and difficult to trace back.

8/36

DDoS in NDN (1/2)

• Is a DDoS attack possible in NDN? YES
• How to launch?
  – Compromised systems,
  – Numerous Interest packets with spoofed names,
  – Make evil use of the forwarding rule.

9/36

DDoS in NDN (2/2)

• Results:
  – Interest packets solicit nonexistent content;
  – Therefore, they cannot be satisfied;
  – They stay in the PIT forever or until they expire;
  – Exhaust the router's computing and memory resources – like DDoS in IP does;
• Two categories of NDN DDoS attack:
  • Single-target DDoS Attacks
  • Interest Flooding Attack

10/36

Single-target DDoS Attacks (1/4)

• Resembles IP DDoS – can be viewed as a replay of IP DDoS in NDN;
• Makes use of the Longest Prefix Match rule applied when looking up Interest names in the FIB;
• Spoofed name composition: existing prefix + forged suffix;
• Encapsulate the spoofed name in Interest packets;
• Interest packets are forwarded to the content provider corresponding to the name prefix;
• No corresponding content is returned.

12/36

Single-target DDoS Attacks (2/4)

• Interest packet with spoofed name (figure: Existing Prefix | Forged Suffix).

13/36

Single-target DDoS Attacks (3/4)

• The attacking process (figure: attackers send spoofed Interest packets toward the victims; no content is returned).

14/36

Single-target DDoS Attacks (4/4)

• Victims: Content Provider (CP), Routers.
• Content Provider:
  – DDoS may "lock" its memory and computing resources;
  – Can block attacks by using Bloom filters.
• Routers:
  – The unsatisfiable Interest packets stay in the PIT;
  – A PIT with huge size and high CPU utilization;
  – "lock" and even exhaust memory and computing resources on routers.
• Incurs extra load on both end hosts and routers, but the routers suffer much more!

15/36

Interest Flooding Attack (1/2)

• Flooding Interest packets with fully forged names from distributed compromised systems;
• Such Interest packets cannot match any FIB entry in routers – they are either broadcast or discarded;
• Assume that unmatched packets will be broadcast (a special bit indicates this);
• Forged Interest packets:
  – duplicated and propagated throughout the network;
  – reach the hosts at the edge of the network.
• No corresponding content is returned.

16/36

Interest Flooding Attack (2/2)

• The attacking process (figure: spoofed Interest packets are duplicated at each broadcast point).

17/36

Counter Measures to NDN DDoS

• First look at counter measures against IP DDoS:
  – Resource management: helpful for hosts in NDN, but a simple filter can already block the attacks there;
  – IP filtering: not applicable, Interest packets carry no information about the source;
  – Packet traceback: difficult in IP, easy in NDN.
• NDN Interest traceback:
  – The PIT keeps track of unresponded Interest packets – a "bread crumb" trail;
  – Use the "bread crumbs" to trace back to the attackers.

19/36

NDN Interest traceback (1/4)

• Step 1: Trigger the Interest traceback process when the PIT size increases at an alarming rate or exceeds a threshold;
• Step 2: The router generates spoofed Data packets to satisfy the long-unsatisfied Interest packets in the PIT;
• Step 3: Spoofed Data packets are forwarded back to the originator by looking up the PIT in intermediate routers;
• Step 4: Dampen the originator (e.g. rate limiting).

20/36

NDN Interest traceback (2/4)

• Spoofed Data packets carry the same forged names as the Interest packets;
• They match the unresponded Interest entries in the PIT, i.e. trace back along the "bread crumb" trail (figure: Existing Prefix | Forged Suffix).

21/36
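The following toy simulation is an added example, not code from the slides or from the authors: it models the FIB longest-prefix match that the single-target attack abuses, the PIT bread crumbs left by unsatisfied Interests, and the four traceback steps (threshold trigger, spoofed Data generation, PIT-guided forwarding back to the originator, rate limiting). The topology (attacker and consumer on edge router R1, R1 to R2 to provider P for /tsinghua), the name /tsinghua, the integer tick clock, the PIT threshold of 50 and the "dampen after 10 traced-back Interests" rule are all illustrative assumptions.

```python
"""Toy NDN forwarding plane: FIB longest-prefix match, PIT "bread crumbs", a
single-target DDoS with spoofed names, and the four Interest traceback steps.
Topology, names, thresholds and tick-based timing are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PitEntry:
    faces: set     # incoming faces (node names) still waiting for this name
    arrived: int   # tick at which the first Interest for this name arrived


class Host:
    """Consumer, attacker or content provider attached to an edge router."""
    def __init__(self, name, content=()):
        self.name, self.content, self.data_received = name, set(content), []

    def on_interest(self, name, in_face, net, now):
        if name in self.content:   # the provider answers only content it really has
            net.send_data(in_face, name, self.name, spoofed=False)

    def on_data(self, name, in_face, net, spoofed):
        self.data_received.append((name, spoofed))


class Router:
    def __init__(self, name, fib, pit_threshold=50, dampen_after=10):
        self.name, self.fib = name, fib            # fib: prefix -> next-hop node name
        self.pit, self.suspects = {}, defaultdict(int)   # name -> PitEntry; face -> traced-back count
        self.pit_threshold, self.dampen_after = pit_threshold, dampen_after
        self.rate_limited, self.dropped = set(), 0

    def lpm(self, name):
        """Longest-prefix match over '/'-separated components: any suffix under a real prefix is forwarded."""
        comps = name.strip("/").split("/")
        for i in range(len(comps), 0, -1):
            prefix = "/" + "/".join(comps[:i])
            if prefix in self.fib:
                return self.fib[prefix]
        return None

    def on_interest(self, name, in_face, net, now):
        if in_face in self.rate_limited:           # step 4: originator is dampened
            self.dropped += 1
            return
        if name in self.pit:                       # same name pending: aggregate faces
            self.pit[name].faces.add(in_face)
            return
        nh = self.lpm(name)
        if nh is None:                             # no FIB entry: discard (the slides'
            return                                 # flooding scenario assumes broadcast)
        self.pit[name] = PitEntry({in_face}, now)  # leave a bread crumb
        net.send_interest(nh, name, self.name, now)

    def on_data(self, name, in_face, net, spoofed):
        entry = self.pit.pop(name, None)
        if entry is None:
            return                                 # unsolicited Data is dropped
        for face in entry.faces:
            if spoofed and isinstance(net.nodes[face], Host):
                self.suspects[face] += 1           # the crumb trail ends at an edge host
                if self.suspects[face] >= self.dampen_after:
                    self.rate_limited.add(face)
            net.send_data(face, name, self.name, spoofed)

    def traceback(self, net, now, timeout):
        """Steps 1-3: once the PIT exceeds the threshold, satisfy entries pending for at least
        `timeout` ticks with spoofed Data that follows the PIT back to the originators."""
        if len(self.pit) < self.pit_threshold:
            return 0
        stale = [n for n, e in self.pit.items() if now - e.arrived >= timeout]
        for n in stale:
            self.on_data(n, self.name, net, spoofed=True)
        return len(stale)


class Net:
    def __init__(self):
        self.nodes = {}
    def add(self, node):
        self.nodes[node.name] = node
        return node
    def send_interest(self, to, name, frm, now):
        self.nodes[to].on_interest(name, frm, self, now)
    def send_data(self, to, name, frm, spoofed):
        self.nodes[to].on_data(name, frm, self, spoofed)


def simulate(ticks=6, rate=40, timeout=2):
    """Attacker and a legitimate consumer hang off edge router R1; R1 -> R2 -> P serve /tsinghua."""
    net = Net()
    net.add(Host("P", content={"/tsinghua/index.html"}))
    r2 = net.add(Router("R2", {"/tsinghua": "P"}))
    r1 = net.add(Router("R1", {"/tsinghua": "R2"}))
    net.add(Host("attacker"))
    net.add(Host("consumer"))
    pit_sizes = []
    for t in range(ticks):
        net.send_interest("R1", "/tsinghua/index.html", "consumer", t)  # satisfied at once
        for i in range(rate):  # existing prefix + forged suffix, one new name per Interest
            net.send_interest("R1", f"/tsinghua/forged-{t}-{i}", "attacker", t)
        pit_sizes.append(len(r1.pit))
        for r in (r2, r1):
            r.traceback(net, t, timeout)
    return net, pit_sizes
```

Calling `simulate()` returns the network and the edge router's PIT size per tick: the PIT grows by 40 forged entries per tick, then shrinks once R2's traceback starts at tick 2, and the attacker's face at R1 is rate-limited after the spoofed Data has followed the bread crumbs back to it. Two caveats the slides leave implicit are visible here: Step 4 dampens whichever face the crumbs end at, so a legitimate consumer whose Interests stayed pending longer than the timeout would be dampened just the same (the timeout, 1 s, 2 s or 4 s in the evaluation, sets that trade-off), and the spoofed Data is delivered to hosts as well, where a real NDN consumer would reject it on signature verification.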

NDN Interest traceback (3/4)

• Against Single-target DDoS Attacks (figure: spoofed Data packet traced back toward the attackers).

22/36

NDN Interest traceback (4/4)

• Against Interest Flooding Attack (figure: spoofed Data packet traced back through the broadcast points).

23/36

Evaluation (1/7)

• Two parts:
  – Harmful consequences of the DDoS attacks;
  – Effects of the counter measure.
• Platform – Xeon E5500 CPU, 2.27 GHz, 15.9 GB RAM.
• Topology – a randomly chosen sub-topology of EBONE, the Rocketfuel topology for EBONE (AS1755), consisting of 172 routers and 763 edges.

25/36

Evaluation (2/7)

• Single-target DDoS Attacks
  – 100 attackers;
  – Interest packet sending rate: 1,000 per second;
  – Spoofed names = existing prefix + forged suffixes, around 1,000 bytes.
• Evaluation Goals (on edge routers)
  – Number of PIT entries;
  – Memory consumption of the PIT;
  – CPU cycles on the edge router due to the DDoS attack.

26/36

Evaluation (3/7)

Figure: Increased # of PIT entries due to DDoS attacks.

Figure: Increased memory consumption of PIT due to DDoS attacks.

27/36

Evaluation (4/7)

Figure: Router’s CPU cycles consumed per second under DDoS attacks.

28/36

Evaluation (5/7)

• Interest Flooding Attack – similar results as Single-target DDoS on each router.
• Effect of Interest Traceback, goals:
  – Number of identified attackers;
  – Extra # of PIT entries due to DDoS attacks after Interest traceback begins;
  – CPU cycles consumed per second decline after Interest traceback begins.

29/36

Evaluation (6/7)

Figure: number of identified attackers over time

30/36

Evaluation (7/7)

Figure: number of PIT entries decreases as more and more attackers are detected (y-axis: PIT entries, up to 5x10^5; x-axis: simulated time, 0 to 28 s; curves for timeout = 1 s, 2 s, 4 s; "Traceback begins" marked).

Figure: consumed CPU cycles decrease as more and more attackers are detected (y-axis: CPU cycles per second, up to 7x10^9; x-axis: simulated time, 0 to 28 s; curves for timeout = 1 s, 2 s, 4 s; "Traceback begins" marked).

31/36

Related Work (1/2)

• [1] T. Lauinger, Security & scalability of content centric networking, Master's Thesis, Technische Universität Darmstadt, 2010.
  – Came up with the idea that DoS can use the PIT to fill up the available memory in a router;
  – Some preliminary ideas of counter measures.
• [2] Y. Chung, Distributed denial of service is a scalability problem, ACM SIGCOMM CCR, 2012.
  – Identifies that broadcasting Interest packets can overfill the PIT in a router;
  – No counter measure proposed.

33/36

Related Work (2/2)

• [3] [Technical Report] M. Wählisch, T. C. Schmidt, and M. Vahlenkamp, Backscatter from the data plane – threats to stability and security in information-centric networking, 2012.
  – Massive requests for locally unavailable content;
  – No counter measure proposed.
• [4] [Technical Report] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, DoS & DDoS in named-data networking, 2012.
  – Aware of the Interest Flooding attack (one of the two basic DDoS categories in our paper) as we are;
  – A tentative countermeasure – a push-back mechanism, different from our traceback method;
  – No assessment or evaluation.

34/36

Conclusion

• Present a specific and concrete scenario of DDoS attacks in NDN;
• Demonstrate the possibility of NDN DDoS attacks;
• Identify the Pending Interest Table as the largest victim of NDN DDoS;
• Propose a counter measure called Interest traceback against NDN DDoS;
• Verify the effectiveness of Interest traceback.

36/36

THANK YOU!

QUESTIONS PLEASE

 36/37