Elsevier

Computers & Security

Volume 88, January 2020, 101628

InterestFence: Simple but efficient way to counter interest flooding attack

https://doi.org/10.1016/j.cose.2019.101628

Abstract

The Interest Flooding Attack (IFA) has been one of the biggest threats to the Named Data Networking (NDN) paradigm. It is easy to launch but very difficult to mitigate. In this paper, a lightweight yet efficient IFA countermeasure, named InterestFence, is proposed to achieve accurate detection as well as efficient attack-traffic filtering without harming any legitimate Interests. First, InterestFence detects IFAs at the content servers rather than at routers to guarantee accurate detection, since only content servers can confirm that an IFA exists, by checking their content index. Second, for each name prefix in every content server, all content items with that prefix carry a hash-based security label (HSL) that attests to their existence. An HSL verification method is then securely transmitted to the involved routers, which accurately filter IFA traffic simply by verifying the HSL of Interests that carry a malicious name prefix. Performance evaluation demonstrates that InterestFence filters 100% of IFA traffic at intermediate routers and keeps the same level of service latency for legitimate users, with much lower time overhead than cryptographic algorithms.

Introduction

With the significant growth of Internet traffic generated by emerging types of applications, the location-based content-delivery paradigm of the traditional Internet has shown its limitations. The key deviation is its attempt to build an efficient content-centric service model over a networking architecture originally designed for host-to-host conversations between remote users (Carofiglio, Morabito, Muscariello, Solis, Varvello, 2013, Zhang, Quan, Chao, Qiao, 2016). To fill this gap, Named Data Networking (NDN) (Jacobson et al., 2012; NDN-NP) proposes to evolve the current Internet from host-based IP networks to data-centric inter-networking paradigms by placing content-distribution services directly at the network layer (Mangili et al., 2016). NDN has attracted wide research attention (Xylomenos et al., 2014) since it can not only directly connect people with content and information (Kurose, 2014, Posch, Rainer, Hellwagner, 2017), but also facilitate future networking requirements, such as 5G (Zhang et al., 2017), the Internet of Things (Hahm et al., 2017), and vehicular networks (Quan, Xu, Guan, Zhang, Grieco, 2014, Su, Hui, Yang, 2017).

As NDN gradually develops and matures, its security concerns become increasingly critical and important; if they are not given enough attention, they may significantly thwart the real-world deployment of NDN (Ngai et al., 2017). NDN embeds some critical security primitives in its original architecture by securing the content itself (Jacobson et al., 2012), and its receiver-driven data-retrieval model successfully reduces the impact of the notorious Distributed Denial-of-Service (DDoS) attacks (Liu, Yang, Xia, 2010, Zargar, Joshi, Tipper, 2013). However, the Pending Interest Table (PIT) component in each router opens up an opportunity for a new type of NDN-specific DDoS attack: the Interest Flooding Attack (IFA). In recent years, IFAs have become one of the most dangerous threats to NDN (Tourani et al., 2017).

The PIT is one of the fundamental components of every NDN router. An NDN router records all of its ongoing communication states as PIT entries, in which the name and the incoming interface of each pending Interest packet are kept until the requested Data packet is returned from the corresponding content server. Under normal conditions, the PIT stays small in typical network settings, even without NDN data caching or optimal bandwidth usage, because every pending PIT entry is removed from the router's memory roughly on the Round-Trip Time (RTT) scale, when the requested Data packet returns (Carofiglio et al., 2015). However, if the requested content cannot be found even at content servers located in remote edge networks, the related PIT entry is not deleted until the Time-To-Live (TTL) of that entry expires. The TTL timescale is much longer than the RTT, by up to 3 orders of magnitude (Afanasyev, Moiseenko, Zhang, 2012, Carofiglio, Gallo, Muscariello, Perino, 2011, Mastorakis, Afanasyev, Zhang, 2017, Wang, Chen, Zhou, Qin, Zhang, 2014). If too many fake Interests are issued for non-existent content, they cause significant consumption of memory resources at every router along the forwarding path, as well as of computation resources at the victim content servers.

What is an IFA: An IFA exploits the PIT behaviour described above and aims at denying service to legitimate users by flooding an excessive amount of fake Interests to exhaust critical network resources. These fake Interests reach the victim content servers without any cache hit, and meanwhile their records stay in each router's PIT until they time out, since no Data is ever returned for them. In this way, an IFA causes severe consumption of both the memory resources of each involved router and the computing resources of the targeted content servers (Afanasyev, Mahadevan, Moiseenko, Uzun, Zhang, 2013, Wählisch, Schmidt, Vahlenkamp, 2013).

Specifically, as shown in Fig. 1, to maximize the expected damage, the name of each Interest packet in an IFA is constructed following similar rules: all fake Interests share the same legitimate name prefix (e.g., “/China/Sina/video”) but have varying, forged suffixes (e.g., “/attacks1”, “/attacks2”, etc.). The common prefix aggregates as much malicious traffic as possible at the same victims, while the varying suffixes avoid in-network cache hits, so that IFA traffic is not reduced before it reaches them. For instance, a malicious Interest with the fake name “/China/Sina/video/attacks1” is forwarded all the way to the victim Sina video servers without being satisfied by intermediate routers, because the forged suffix guarantees that no content with that name was cached along the way. To further amplify the damage, the fake suffixes can also vary randomly to avoid detection (Tourani et al., 2017). In this way, the PIT of each involved router is continually overflowed by fake Interests, and meanwhile the victim server wastes time and computation resources searching its content index for the requested fake content.
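The PIT pressure described above follows directly from the RTT/TTL gap. The model below is an added example, not code from the paper: it time-steps one router's PIT in which legitimate entries are released after an RTT (Data returned) while fake entries linger until their TTL expires. All rates and timescales are constructed values chosen only to illustrate the effect; with the TTL 40 times the RTT, a fake-Interest rate of one tenth of the legitimate rate still holds four times as many PIT entries.

```python
"""Constructed PIT-occupancy model for an Interest Flooding Attack (added example)."""
from collections import deque


def simulate_pit(steps, rtt_ticks, ttl_ticks, legit_per_tick, fake_per_tick):
    """Return the PIT size after each tick of a time-stepped simulation.

    Legitimate Interests are satisfied and leave the PIT rtt_ticks after
    insertion; fake Interests never receive Data and stay ttl_ticks.
    Each queue holds (expiry_tick, entry_count) batches in insertion order,
    so expired batches can be popped from the front in O(1).
    """
    legit = deque()
    fake = deque()
    size = 0
    history = []
    for t in range(steps):
        # Expire every batch whose lifetime ended at or before this tick.
        for queue in (legit, fake):
            while queue and queue[0][0] <= t:
                size -= queue.popleft()[1]
        # Admit this tick's arrivals; the PIT cannot tell the two classes apart.
        if legit_per_tick:
            legit.append((t + rtt_ticks, legit_per_tick))
            size += legit_per_tick
        if fake_per_tick:
            fake.append((t + ttl_ticks, fake_per_tick))
            size += fake_per_tick
        history.append(size)
    return history


def steady_state_estimate(rtt_ticks, ttl_ticks, legit_per_tick, fake_per_tick):
    """Little's-law estimate of the steady-state PIT size: rate times residence time."""
    return legit_per_tick * rtt_ticks + fake_per_tick * ttl_ticks


def pit_demo():
    """Compare PIT occupancy without and with an IFA (constructed parameters)."""
    rtt, ttl = 10, 400           # TTL = 40 x RTT, well inside the paper's '3 orders' bound
    legit, fake = 10, 1          # fake Interests are only 10% of the legitimate rate
    baseline = simulate_pit(1000, rtt, ttl, legit, 0)[-1]
    attacked = simulate_pit(1000, rtt, ttl, legit, fake)[-1]
    return {"baseline": baseline, "under_attack": attacked,
            "fake_share_of_pit": (attacked - baseline) / attacked}


if __name__ == "__main__":
    print(pit_demo())
```

The steady-state value returned by `simulate_pit` matches `steady_state_estimate` once the simulation has run longer than one TTL; the `fake_share_of_pit` figure is what a router-side occupancy monitor would see, which is why the paper argues that routers alone cannot attribute the growth to specific Interests.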

Why an IFA hurts: In contrast to the ease of launching such an attack, detecting or mitigating an IFA is very difficult.

First, attack traffic cannot be accurately identified before it arrives at the victim content servers, because routers cannot distinguish it from normal traffic. In NDN, there is no difference between legitimate Interest packets and the fake Interest packets of an IFA except for whether the requested content exists. This property of an Interest can only be confirmed with certainty by the content servers rather than by routers, since only the content servers hold all the content and can thus check whether the requested item really exists. Therefore, accurate IFA pre-mitigation at routers is difficult to achieve in NDN without the help of content servers.

Second, Interest packets carry no information about the security properties of the content name. The name prefix of an Interest contains nothing that allows its existence to be verified, which makes accurate detection or traffic filtering very difficult. Even if an Interest packet is successfully identified as fake at the content server, this fake name is useless for further IFA mitigation, because content names in an IFA vary continuously during the attack, and an identified fake name may never be used again precisely to evade mitigation.

Finally, attackers cannot easily be identified or traced for punishment, since Interest packets in NDN do not carry any information about the requester's identity (Compagno, Conti, Gasti, Tsudik, 2013, Gasti, Tsudik, Uzun, Zhang, 2013), whereas in the traditional Internet the IP address of every content requester is contained in the packet to identify the requester (Feng et al., 2017). This enables attackers to easily evade IFA detection or tracing.

Although the effectiveness of our previous work on countering IFAs (Wang, Chen, Zhou, Qin, Zhang, 2014, Wang, Zhou, Luo, Guan, Qin, Zhang, 2014, Wang, Zhou, Qin, Chen, Zhang, 2013) has been validated by other parties (Al-Sheikh et al., 2015), we aim here at a further step towards a more secure NDN. In this paper, we propose InterestFence, a simple yet efficient IFA countermeasure that combines accurate detection at content servers with efficient filtering of malicious traffic at intermediate routers, without harming legitimate Interests. InterestFence filters malicious Interests based on the Hash-based Security Label (HSL) received from content servers. The HSL is used to decide whether an Interest packet carries a fake name. Each InterestFence-enabled content server generates content names that carry an HSL computed by a specific algorithm. When an IFA occurs, these content servers determine which name prefix is under attack (denoted Pi, the malicious prefix, meaning that Interests whose name starts with Pi are likely to be fake Interests from an IFA), and transmit Pi together with the corresponding HSL algorithm parameters to the involved routers in an encrypted alarm message. These routers are thus able to decide whether an Interest under a given Pi is fake according to the corresponding HSL, and to take the corresponding action, i.e., drop the Interest packet or forward it to the next hop.
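The workflow just described (server-side labelling and detection, an alarm carrying Pi and the HSL parameters, router-side verification) is shown end to end in the following added example. It is not the paper's code, and the paper's actual HSL construction is not given on this page; the example assumes one concrete instantiation in which the label is a truncated HMAC-SHA256 over the unlabelled name, appended as the last name component, and the alarm is modelled as an in-memory tuple (the encryption of the alarm channel, which the paper requires, is outside the example). The prefix, names, threshold and window are constructed values.

```python
"""Constructed InterestFence-style HSL workflow (added example, not the paper's code)."""
import hashlib
import hmac
import secrets
from collections import deque

TAG_LEN = 8  # hex characters of the label that are kept; a constructed parameter


def hsl_label(key, name, tag_len=TAG_LEN):
    """Hash-based security label: keyed hash over the unlabelled content name."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:tag_len]


def label_name(key, name, tag_len=TAG_LEN):
    """Publish-time step: append the HSL as the final name component."""
    return f"{name}/{hsl_label(key, name, tag_len)}"


def verify_hsl(key, labeled_name, tag_len=TAG_LEN):
    """Router-side check: recompute the label over everything but the last component."""
    base, sep, tag = labeled_name.rpartition("/")
    if not sep or len(tag) != tag_len or not tag.isascii():
        return False
    return hmac.compare_digest(hsl_label(key, base, tag_len), tag)


class ContentServer:
    """Owns one prefix, mints labelled names, and raises an alarm on sustained misses."""

    def __init__(self, prefix, key, threshold=0.5, window=20):
        self.prefix, self.key = prefix, key
        self.index = set()                      # the server's content index
        self.threshold = threshold
        self.recent = deque(maxlen=window)      # True = index miss, False = hit

    def publish(self, suffix):
        name = label_name(self.key, f"{self.prefix}/{suffix}")
        self.index.add(name)
        return name

    def serve(self, name):
        hit = name in self.index
        self.recent.append(not hit)
        return hit

    def alarm(self):
        """Return (Pi, HSL parameters) once the miss ratio over the window exceeds the threshold."""
        if len(self.recent) < self.recent.maxlen:
            return None
        if sum(self.recent) / len(self.recent) >= self.threshold:
            return self.prefix, {"key": self.key, "tag_len": TAG_LEN}
        return None


class Router:
    """Forwards everything until an alarm installs an HSL filter for a malicious prefix Pi."""

    def __init__(self):
        self.filters = {}

    def install_alarm(self, alarm):
        pi, params = alarm
        self.filters[pi] = params

    def forward(self, name):
        """True = forward to next hop, False = drop (failed HSL check under a flagged Pi)."""
        for pi, params in self.filters.items():
            if name.startswith(pi + "/"):
                return verify_hsl(params["key"], name, params["tag_len"])
        return True  # prefixes without an alarm are untouched


def run_demo():
    """Return (fake Interests forwarded, legitimate forwarded, unrelated prefix forwarded)."""
    server = ContentServer("/China/Sina/video", secrets.token_bytes(32))
    legit = [server.publish(f"clip{i}") for i in range(10)]
    fake = [f"/China/Sina/video/attacks{i}" for i in range(30)]  # constructed IFA names
    router = Router()
    # Before any alarm the router has no way to tell the fake names apart.
    assert all(router.forward(n) for n in fake)
    for n in fake:                      # the flood reaches the server, which sees only misses
        server.serve(n)
    router.install_alarm(server.alarm())
    forwarded_fake = sum(router.forward(n) for n in fake)
    forwarded_legit = sum(router.forward(n) for n in legit)
    unrelated = router.forward("/China/Sina/news/item1")
    return forwarded_fake, forwarded_legit, unrelated


if __name__ == "__main__":
    print(run_demo())
```

Two design points are worth noting. The filter is keyed per prefix, so Interests under prefixes that were never flagged are never inspected, which is how the scheme avoids adding latency for unaffected traffic. And because the verification key is handed to routers, confidentiality of the alarm channel is part of the scheme's security, not an optional extra: a router that can verify labels can also mint them, so the alarm must reach only trusted routers.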

The main contributions of this paper can be summarized as follows.

  1. The fundamental reasons why an IFA is so difficult to detect or mitigate are clearly presented, together with a comprehensive taxonomy of current IFA countermeasures from the perspectives of detection and mitigation.

  2. The detailed design of InterestFence is given. It enables routers to accurately filter fake Interest packets and to clean attack traffic directly by verifying the HSL of each Interest packet carrying the infected prefix Pi. Owing to this accurate cleaning capability, not only the intermediate routers along the attack path but also the victim content servers are protected from an IFA, because fake Interest packets cannot pass the HSL verification at any InterestFence-enabled router. In this way, both the computation resources of content servers and the PIT memory of each involved router are protected from the damage an IFA would otherwise cause.

  3. Extensive experiments on InterestFence were conducted that demonstrate its strong performance and lightweight overhead in accurate IFA detection as well as mitigation. Given the comparative results against state-of-the-art IFA countermeasures, the proposed InterestFence method may be the best option for filtering IFA traffic without harming legitimate requests and content servers.

The rest of the paper is organized as follows. Section 2 provides an overview of state-of-the-art IFA countermeasures with a comprehensive analysis. InterestFence, including its architecture and detailed algorithms, is presented in Section 3. The performance of InterestFence is evaluated in Section 4, and Section 5 concludes the paper.


Related work

In this section, the security threats to NDN are first briefly presented, and then the study of IFA countermeasures is given from two aspects: detection and mitigation. The former aims at detecting the existence of an IFA, while the latter aims at reducing its damage to critical network resources.

1) Typical security concerns in NDN: There are mainly six categories of security vulnerabilities in NDN: IFA, Content Poisoning Attack (CPA), content pollution, secure forwarding, application security,

InterestFence

This section provides the detailed design of InterestFence. First, we introduce the attack model that InterestFence is designed for, and then describe the system architecture as well as the high-level workflow of InterestFence. Finally, we describe how each key component works.

Evaluation

In this section, we provide an in-depth evaluation of InterestFence from three aspects. First, we evaluate the efficiency of HSL. Afterwards, we investigate HSL from the perspective of the quality of user experience. Finally, we compare the HSL implementation with potential substitutes, given the trade-off between overhead and security.

Considering that HSL is the core functional module of InterestFence, we use HSL for short to denote InterestFence throughout this section.

Conclusions

In this paper, we presented InterestFence, which is an efficient IFA mitigation framework that can accurately identify fake Interests and efficiently filter attacking traffic at intermediate routers. It has two key contributions: (i) a fast and accurate HSL generating component at content servers, and (ii) a lightweight and accurate name verification component at routers. We performed extensive evaluations for InterestFence using simulations with comprehensive analysis of the results, which

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work is supported by the National Key Research and Development Program of China (No. 2016YFB1000102), National Natural Science Foundation of China (No. 61702439, 61972222, 61602030), Shandong Provincial Natural Science Foundation of China (No. ZR2017BF018).

References (56)

  • FIA-NP: Collaborative Research: Named Data Networking Next Phase (NDN-NP)....
  • W. Quan et al., Social cooperation for information-centric multimedia streaming in highway VANETs, Proceedings of the IEEE WoWMoM Workshop, 2014.
  • A. Afanasyev et al., NDNS: a DNS-like name service for NDN, Proceedings of the 26th International Conference on Computer Communications and Networks (ICCCN), 2017.
  • A. Afanasyev et al., Interest flooding attack and countermeasures in named data networking, Proceedings of IFIP Networking, 2013.
  • A. Afanasyev et al., ndnSIM: NDN simulator for NS-3, Technical Report NDN-0005, 2012.
  • S. Al-Sheikh et al., Revisiting countermeasures against NDN interest flooding, Proceedings of the 2nd ACM Conference on Information-Centric Networking (ACM-ICN), 2015.
  • A. Alston et al., Neutralizing interest flooding attacks in named data networks using cryptographic route tokens, Proceedings of the IEEE 15th International Symposium on Network Computing and Applications (NCA), 2016.
  • G. Carofiglio et al., Modeling data transfer in content-centric networking, Proceedings of the 23rd International Teletraffic Congress (ITC), 2011.
  • G. Carofiglio et al., Pending interest table sizing in named data networking, Proceedings of the 2nd ACM Conference on Information-Centric Networking (ACM-ICN), 2015.
  • G. Carofiglio et al., From content delivery today to information centric networking, Comput. Netw., 2013.
  • A. Compagno et al., Poseidon: mitigating interest flooding DDoS attacks in named data networking, Proceedings of the IEEE 38th Conference on Local Computer Networks (LCN), 2013.
  • A. Compagno et al., To NACK or not to NACK? Negative acknowledgments in information-centric networking, Proceedings of the 24th International Conference on Computer Communication and Networks (ICCCN), 2015.
  • H. Dai et al., Mitigate DDoS attacks in NDN by interest traceback, Proceedings of the IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2013.
  • J. Dong et al., InterestFence: countering interest flooding attacks by using hash-based security labels, Proceedings of the International Conference on Algorithms and Architectures for Parallel Processing (ICA3PP), 2018.
  • B. Feng et al., Locator/identifier split networking: a promising future internet architecture, IEEE Commun. Surv. Tut., 2017.
  • P. Gasti et al., DoS and DDoS in named data networking, Proceedings of the 22nd International Conference on Computer Communication and Networks (ICCCN), 2013.
  • Ghali, C., Tsudik, G., Uzun, E., Wood, C. A., 2015. Living in a PIT-less World: A Case Against Stateful Forwarding in...
  • C. Ghasemi et al., A fast and memory-efficient trie structure for name-based packet forwarding, Proceedings of the 26th IEEE International Conference on Network Protocols (ICNP 2018), 2018.
  • O. Hahm et al., Low-power internet of things with NDN & cooperative caching, Proceedings of the 4th ACM Conference on Information-Centric Networking (ACM-ICN), 2017.
  • A.K.M.M. Hoque et al., NLSR: named-data link state routing protocol, Proceedings of the 3rd ACM SIGCOMM Workshop on Information-Centric Networking (ICN 2013), 2013.
  • R. Hou et al., Theil-based countermeasure against interest flooding attacks for named data networks, IEEE Netw., 2019.
  • V. Jacobson et al., Networking named content, Commun. ACM, 2012.
  • J. Kurose, Information-centric networking: the evolution from circuits to packets to content, Comput. Netw., 2014.
  • G. Liu et al., Accuracy or delay? A game in detecting interest flooding attacks, Internet Technol. Lett., 2018.
  • X. Liu et al., NetFence: preventing internet denial of service from inside out, Proceedings of ACM SIGCOMM, 2010.
  • H. Luo et al., A DHT-based identifier-to-locator mapping approach for a scalable internet, IEEE Trans. Parallel Distrib. Syst., 2009.
  • J. Ma et al., Chinese internet router-level hop count measurement and analysis, Appl. Res. Comput., 2008.
  • M. Mangili et al., Performance analysis of content-centric and content-delivery networks with evolving object popularity, Comput. Netw., 2016.

An earlier version of this paper (Dong et al., 2018) was presented at the 18th International Conference on Algorithms and Architectures for Parallel Processing (ICA3PP 2018). This version extends and enhances both the key design details and the performance evaluation, with at least 50% new content compared with the earlier ICA3PP 2018 conference version.
