Abstract
Several ongoing research efforts aim to design potential Future Internet Architectures. Among them, Named-Data Networking (NDN) shifts the existing host-centric, Internet Protocol-based infrastructure towards a content-oriented one. However, researchers have identified design limitations in NDN, some of which enable a new type of Distributed Denial of Service attack known as the Interest Flooding Attack (IFA). In an IFA, an adversary issues unsatisfiable requests (Interests for content that does not exist) to saturate the Pending Interest Table (PIT) of NDN routers and prevent them from properly handling legitimate traffic. Researchers have tried to mitigate this problem with several detection and reaction mechanisms, but the mechanisms proposed so far are not highly effective and, on the contrary, heavily damage legitimate traffic. In this paper, we propose a novel mechanism for IFA detection and mitigation that decreases the memory consumption of the PIT by effectively reducing the malicious traffic that passes through each NDN router. In particular, our protocol applies a management strategy to the PIT through which the Malicious Interests (MIs) already stored in the PIT are removed and newly incoming MIs are dropped. In addition, the proposed countermeasure adds a security wall at the edges of the network to detect and mitigate the attack as early as possible and to improve network health, i.e., the routers' PIT occupancy during an IFA. To evaluate the effectiveness of our work, we implemented the proposed countermeasure in the open-source ndnSIM simulator and compared it with the state of the art. The results show that our countermeasure effectively reduces IFA damage both in terms of preserved legitimate traffic and availability of the routers' PIT.
Considering legitimate traffic, the share of Benign Interests preserved by our approach improves by 5% to 40% over the preservation guaranteed by state-of-the-art solutions. Concerning the routers' PIT availability, our approach keeps 97% of the PIT size free for handling legitimate traffic.
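The attack and the PIT-management idea described in the abstract, as an added toy simulation that is not part of the paper: it is neither ndnSIM nor the authors' ChoKIFA+ implementation, and the policing check used here (a CHOKe-style comparison against one randomly sampled PIT entry) is an illustrative policy, not the paper's algorithm. All capacities, rates, timeouts, face names and the flow definition (incoming face plus first name component) are assumptions. A consumer fetches fresh chunks under /video while, from tick 100 on, an attacker on another face floods the same prefix with random names no producer can satisfy. Without policing those Interests linger until they expire and fill the PIT, so most benign Interests are dropped; with policing, each arrival above the occupancy threshold is compared with a randomly sampled stored entry, and a match evicts the stored Interest and drops the newcomer, which hits the flow that dominates the PIT:

```python
"""Toy single-router model of an Interest Flooding Attack (IFA) against an NDN
Pending Interest Table (PIT), with and without a CHOKe-style policing check.
Added illustration: neither ndnSIM nor the ChoKIFA+ code of the paper."""
import random
from dataclasses import dataclass

PIT_CAPACITY = 300   # max PIT entries (all values assumed; real PITs are far larger)
PIT_TIMEOUT = 40     # ticks an unsatisfied Interest lingers before it expires
RTT = 4              # ticks until Data answers a satisfiable Interest
THRESHOLD = 0.5      # police only while PIT occupancy exceeds this fraction
TICKS = 400          # simulated ticks
ATTACK_START = 100   # tick at which the attacker starts flooding

@dataclass(frozen=True)
class Interest:
    name: str          # e.g. "/video/chunk/17"
    face: str          # router face the Interest arrived on
    satisfiable: bool  # True if some producer will answer it (benign)

def flow_key(i: Interest) -> tuple:
    """Assumed 'flow' definition: incoming face plus the first name component."""
    return (i.face, i.name.split("/")[1])

class Router:
    def __init__(self, policing: bool, rng: random.Random):
        self.policing, self.rng = policing, rng
        self.pit = {}           # name -> (Interest, expiry tick)
        self.in_flight = []     # (arrival tick, name) of Data on its way back
        self.peak = self.benign_in = self.benign_satisfied = 0
        self.benign_dropped = self.malicious_dropped = 0

    def _drop(self, i: Interest) -> None:
        if i.satisfiable:
            self.benign_dropped += 1
        else:
            self.malicious_dropped += 1

    def on_interest(self, i: Interest, now: int) -> bool:
        """Admit an Interest to the PIT; returns False if it was dropped."""
        if i.satisfiable:
            self.benign_in += 1
        if i.name in self.pit:          # aggregated onto the existing entry
            return True
        if self.policing and len(self.pit) > THRESHOLD * PIT_CAPACITY:
            # CHOKe-style check: sample one stored entry; the flow whose long-lived
            # unsatisfiable Interests dominate the PIT is the most likely hit.
            victim_name = self.rng.choice(list(self.pit))
            victim = self.pit[victim_name][0]
            if flow_key(victim) == flow_key(i):
                del self.pit[victim_name]   # evict the stored Interest ...
                self._drop(victim)
                self._drop(i)               # ... and drop the newcomer
                return False
        if len(self.pit) >= PIT_CAPACITY:   # PIT exhausted: the IFA's goal
            self._drop(i)
            return False
        self.pit[i.name] = (i, now + PIT_TIMEOUT)
        if i.satisfiable:
            self.in_flight.append((now + RTT, i.name))
        self.peak = max(self.peak, len(self.pit))
        return True

    def tick(self, now: int) -> None:
        """Deliver returning Data and expire stale entries at the start of a tick."""
        pending = []
        for t, name in self.in_flight:
            if t > now:
                pending.append((t, name))
            elif self.pit.pop(name, None) is not None:
                self.benign_satisfied += 1
        self.in_flight = pending
        for name in [n for n, (_, exp) in self.pit.items() if exp <= now]:
            del self.pit[name]

def make_traffic(rng: random.Random, benign_rate=10, attack_rate=60) -> list:
    """Constructed workload: a consumer on face cons0 fetching fresh /video chunks,
    plus from ATTACK_START an attacker on face atk0 flooding /video with random names."""
    traffic, seq = [], 0
    for t in range(TICKS):
        batch = [Interest(f"/video/chunk/{seq + k}", "cons0", True)
                 for k in range(benign_rate)]
        seq += benign_rate
        if t >= ATTACK_START:
            batch += [Interest(f"/video/{rng.getrandbits(48):012x}", "atk0", False)
                      for _ in range(attack_rate)]
        rng.shuffle(batch)
        traffic.append(batch)
    return traffic

def run(policing: bool, seed: int = 7) -> dict:
    """Replay the same seeded workload through a router with or without policing."""
    router = Router(policing, random.Random(seed + 1))
    for now, batch in enumerate(make_traffic(random.Random(seed))):
        router.tick(now)
        for i in batch:
            router.on_interest(i, now)
    return {"peak_pit": router.peak, "benign_in": router.benign_in,
            "benign_satisfied": router.benign_satisfied,
            "benign_dropped": router.benign_dropped,
            "malicious_dropped": router.malicious_dropped}

if __name__ == "__main__":
    print({("policing" if p else "baseline"): run(p) for p in (False, True)})
```

Running the file prints the baseline and policed statistics for the same seeded workload; the two figures to compare are peak_pit (the baseline saturates the PIT, the policed run stays close to the threshold) and benign_satisfied. The policy keys on (face, prefix), so an attacker that shares the consumer's face would also share its flow key and benign Interests would be evicted alongside malicious ones; that is the kind of collateral damage on legitimate traffic that the abstract criticises in earlier countermeasures.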
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig1_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig2_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig3_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig4_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig5_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig6_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig7_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig8_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig9_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig10_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig11_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig12_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig13_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig14_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig15_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig16_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig17_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10207-020-00500-z/MediaObjects/10207_2020_500_Fig18_HTML.png)
Notes
ndnSIM implements the NDN protocol stack on top of the NS-3 simulator.
NDN traffic flow measurement differs from its IP counterpart; we compare the two in Sect. 5.3.
Recall that unsatisfiable Interests refer to non-existent content and therefore saturate the PIT.
We take the value of maximum probability (\(P_\mathrm{max}\)) to be one.
Funding
This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the LOCARD project (Grant Agreement No. 832735).
Ethics declarations
Conflict of interest
Abdelmadjid Benarfa declares that he has no conflict of interest. Muhammad Hassan declares that he has no conflict of interest. Eleonora Losiouk declares that she has no conflict of interest. Alberto Compagno declares that he has no conflict of interest. Mohamed Bachir Yagoubi declares that he has no conflict of interest. Mauro Conti declares that he has no conflict of interest.
Ethical approval
This article does not contain any study with human participants or animals performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
About this article
Cite this article
Benarfa, A., Hassan, M., Losiouk, E. et al. ChoKIFA+: an early detection and mitigation approach against interest flooding attacks in NDN. Int. J. Inf. Secur. 20, 269–285 (2021). https://doi.org/10.1007/s10207-020-00500-z
DOI: https://doi.org/10.1007/s10207-020-00500-z