Decoupling malicious Interests from Pending Interest Table to mitigate Interest Flooding Attacks

Named Data Networking (NDN) is a clean-slate Internet paradigm that embeds some security primitives in its original design, and it is considered one of the promising candidates for the next-generation Internet architecture. However, it may suffer from emerging threats such as Interest Flooding Attacks (IFA), so corresponding security management mechanisms need to be designed to improve its security. In this paper, we focus on the IFA that severely consumes the memory of the Pending Interest Table (PIT) in each involved NDN router by flooding it with a large number of malicious Interests carrying spoofed names. To relieve the pressure on a PIT under IFA, we propose an approach called Disabling PIT Exhaustion (DPE) that diverts all the malicious Interests out of the PIT by recording their state information (e.g., the incoming interface) directly in the name of each malicious Interest rather than in the PIT, and by introducing a packet marking scheme that enables Data packet forwarding without the help of the PIT. DPE can be regarded as a security management mechanism for the emerging NDN architecture that aims at reducing memory consumption on each NDN router. Moreover, we present an in-depth evaluation of DPE through extensive simulations under a realistic user behavior model. Simulation results show that DPE can significantly mitigate the damage of IFA on the PIT's memory. To the best of our knowledge, DPE is the first attempt to design a security management mechanism built on the idea of “decoupling malicious Interests from PIT” to counter IFA.
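The following toy model of a single router's PIT is an added example written for this page, not code from the paper. It contrasts a plain router with one applying the DPE idea described above: a suspected Interest gets no PIT entry, its incoming face is appended to the name, and a marked Data packet is forwarded back using that name component alone. The abstract does not say how a router decides an Interest is malicious, so here that verdict is an assumed per-Interest flag, and the `DPE` name component and the Data mark are assumed encodings.

```python
from dataclasses import dataclass, field

DPE_TAG = "DPE"   # assumed name component flagging a diverted Interest

@dataclass
class Interest:
    name: str
    in_face: int
    suspected: bool = False   # assumed verdict of an upstream classifier

@dataclass
class Data:
    name: str
    marked: bool = False      # assumed mark: "forward from the name, no PIT"

@dataclass
class Router:
    use_dpe: bool
    pit: dict = field(default_factory=dict)   # name -> set of incoming faces
    pit_peak: int = 0                         # largest PIT size observed

    def on_interest(self, i: Interest) -> str:
        """Return the Interest name as forwarded upstream."""
        if self.use_dpe and i.suspected:
            # DPE: carry the incoming face in the name instead of in the PIT.
            return f"{i.name}/{DPE_TAG}/{i.in_face}"
        self.pit.setdefault(i.name, set()).add(i.in_face)
        self.pit_peak = max(self.pit_peak, len(self.pit))
        return i.name

    def on_data(self, d: Data) -> tuple:
        """Return (name delivered downstream, list of faces to send it on)."""
        parts = d.name.split("/")
        if d.marked and len(parts) >= 3 and parts[-2] == DPE_TAG:
            # Marked Data: recover the face from the name, skip the PIT lookup.
            return "/".join(parts[:-2]), [int(parts[-1])]
        return d.name, sorted(self.pit.pop(d.name, set()))

def simulate(use_dpe: bool, flood: int = 1000) -> dict:
    """Constructed traffic: one legitimate Interest, then `flood` spoofed ones."""
    r = Router(use_dpe)
    legit = Interest("/video/clip1/seg0", in_face=1)
    r.on_interest(legit)
    for k in range(flood):
        r.on_interest(Interest(f"/video/spoofed-{k}", in_face=2, suspected=True))
    _, faces = r.on_data(Data(legit.name))
    return {"pit_peak": r.pit_peak, "legit_faces": faces}
```

With the flood of 1000 spoofed names, the plain router's PIT peaks at 1001 entries while the DPE router's PIT never exceeds the single legitimate entry, and the legitimate Data still reaches face 1.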
