InterestFence: Simple but efficient way to counter interest flooding attack☆
Introduction
With the significant growth of Internet traffic generated by emerging types of applications, the location-based content-delivery paradigm of the traditional Internet has shown its limitations. The key mismatch is the attempt to build an efficient content-centric service model over a networking architecture originally designed for host-to-host conversations between remote users (Carofiglio, Morabito, Muscariello, Solis, Varvello, 2013; Zhang, Quan, Chieh Chao, Qiao, 2016). To fill this gap, Named Data Networking (NDN) (Jacobson et al., 2012; NDN-NP) proposes to evolve the current Internet from host-based IP networks to a data-centric inter-networking paradigm by placing content-distribution services directly at the network layer (Mangili et al., 2016). NDN has attracted wide research attention (Xylomenos et al., 2014), since it not only connects people directly with content and information (Kurose, 2014; Posch, Rainer, Hellwagner, 2017) but also supports future networking requirements such as 5G (Zhang et al., 2017), the Internet of Things (Hahm et al., 2017), and vehicular networks (Quan, Xu, Guan, Zhang, Grieco, 2014; Su, Hui, Yang, 2017).
As NDN gradually develops and matures, its security concerns become increasingly critical. If not given enough attention, they may significantly thwart the real-world deployment of NDN (Ngai et al., 2017). NDN embeds some critical security primitives in its original architecture by securing the content itself (Jacobson et al., 2012), and its receiver-driven data-retrieval model successfully reduces the impact of the notorious Distributed Denial-of-Service (DDoS) attacks (Liu, Yang, Xia, 2010; Zargar, Joshi, Tipper, 2013). However, the Pending Interest Table (PIT) component in each router opens up an opportunity for a new type of NDN-specific DDoS attack: the Interest Flooding Attack (IFA). In recent years, IFAs have become one of the most dangerous threats to NDN (Tourani et al., 2017).
The PIT is one of the fundamental components of every NDN router. An NDN router records all of its ongoing communication state as PIT entries, where the name and the incoming interfaces of each pending Interest packet are cached until the requested Data packets are returned from the corresponding content servers. Under normal conditions, the PIT remains small in typical network settings, even in the absence of NDN data caching or optimal network bandwidth usage, because every pending PIT entry is removed from the router’s memory roughly at the Round-Trip Time (RTT) scale, when the requested Data packets return (Carofiglio et al., 2015). However, if the requested content cannot be found even at the content servers located in remote edge networks, the related PIT entry is not deleted until the Time-To-Live (TTL) of that entry expires. The timescale of the TTL is much longer than that of the RTT, by up to 3 orders of magnitude (Afanasyev, Moiseenko, Zhang, 2012; Carofiglio, Gallo, Muscariello, Perino, 2011; Mastorakis, Afanasyev, Zhang, 2017; Wang, Chen, Zhou, Qin, Zhang, 2014). If too many fake Interests are issued for non-existent content, they consume a significant share of the memory resources of each router along the forwarding path, as well as the computation resources of the victim content servers.
What is an IFA: An IFA exploits the above NDN PIT features and aims at denial of service for legitimate users by flooding an excessive number of fake Interests to exhaust critical network resources. These fake Interests eventually reach the victim content servers without any cache hit, and meanwhile their records stay in each router’s PIT until they time out, since no Data returns for them. In this way, an IFA causes severe consumption of both the memory resources of each involved router and the computing resources of the target content servers (Afanasyev, Mahadevan, Moiseenko, Uzun, Zhang, 2013; Wählisch, Schmidt, Vahlenkamp, 2013).
Specifically, as shown in Fig. 1, to guarantee the damage an IFA inflicts, attackers construct the name of each Interest packet following similar rules: all of the fake Interests share the same legitimate name prefix (e.g., “/China/Sina/video”) but carry varying, forged suffixes (e.g., “/attacks1”, “/attacks2”, etc.). The former aggregates as much malicious traffic as possible, while the latter avoids in-network cache hits so that IFA traffic cannot be reduced before it reaches further victims. For instance, a malicious Interest packet with the fake name “/China/Sina/video/attacks1” is forwarded to the victim Sina video servers without being satisfied by intermediate routers, because the forged suffix guarantees that no content with such a name was cached along the way. To further amplify the damage, the fake suffix of every Interest can also vary randomly to avoid detection (Tourani et al., 2017). In this way, the PIT of each involved router is continually overflowed by fake Interests, while the victim server wastes time and computation resources searching its content index for the requested fake content.
Why an IFA hurts: In contrast to the ease of launching such an attack, it is very difficult to detect or mitigate an IFA.
First, attack traffic cannot be accurately identified before it arrives at the victim content servers, because to routers it is indistinguishable from normal traffic. In NDN, there is no difference between legitimate Interest packets and the fake Interest packets of an IFA except for the existence of the requested content. This property of an Interest can only be confirmed exactly by the content servers, not by routers, since only the content servers hold all the content and can therefore check whether it really exists. Accurate IFA pre-mitigation on routers is thus difficult to achieve in NDN without the help of content servers.
Second, Interest packets carry no information about the security properties of the content name. The name prefix of each Interest contains no security property that would allow its existence to be verified, which makes accurate detection or traffic filtering very difficult. Even if an Interest packet is successfully identified as fake at the content server, that fake name is useless for further IFA mitigation, because content names in an IFA change throughout the attack, and an identified fake name may never be used again.
Finally, attackers cannot easily be identified or traced for punishment, since Interest packets in NDN carry no information about the requester’s identity (Compagno, Conti, Gasti, Tsudik, 2013; Gasti, Tsudik, Uzun, Zhang, 2013), whereas in the traditional Internet the IP address of every content requester is contained in the packet and identifies the requester (Feng et al., 2017). This lets attackers easily evade IFA detection or tracing.
Although the effectiveness of our previous works on countering IFAs (Wang, Chen, Zhou, Qin, Zhang, 2014; Wang, Zhou, Luo, Guan, Qin, Zhang, 2014; Wang, Zhou, Qin, Chen, Zhang, 2013) has been validated by other parties (Al-Sheikh et al., 2015), we aim here at a further step towards a more secure NDN. In this paper, we propose InterestFence, a simple yet efficient IFA countermeasure that combines accurate detection at content servers with efficient mitigation of malicious traffic at intermediate routers, without harming legitimate Interests. InterestFence filters malicious Interests based on the Hash-based Security Label (HSL) received from content servers. The HSL is used to identify whether an Interest packet carries a fake name. Each InterestFence-enabled content server generates content names following a certain HSL, based on specific algorithms. When an IFA occurs, these content servers determine which name prefix is under attack (denoted Pi, the malicious prefix, meaning that Interests with Pi as their name prefix are likely to be fake ones from an IFA), and transmit Pi and the corresponding HSL algorithm parameters to the involved routers through an encrypted alarm message. These routers are thus able to determine whether an Interest under a specific Pi is fake according to the corresponding HSL, and then take the corresponding action, i.e., drop the Interest packet or forward it to the next hop.
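The following added example (not the paper's code) shows the two mechanisms above in a toy router: a PIT whose entries leave at RTT when Data returns but linger until TTL for non-existent content, and an InterestFence-style filter that drops Interests under an alarmed prefix Pi when their HSL does not verify. The HSL construction is an assumption made here: the content server appends a name component equal to a truncated HMAC-SHA256 over the preceding components, keyed with a per-prefix secret that the alarm message shares with routers; the paper does not specify its algorithm.

```python
import hashlib
import hmac

HSL_LEN = 8  # hex digits kept from the tag (assumed algorithm parameter)

def hsl_tag(components, key):
    """HSL label over the name components preceding it (assumed construction)."""
    msg = "/".join(components).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:HSL_LEN]

def make_name(prefix, suffix, key):
    """Content server: publish a name whose last component is its HSL."""
    comps = (prefix + "/" + suffix).strip("/").split("/")
    return "/" + "/".join(comps + [hsl_tag(comps, key)])

def verify_hsl(name, key):
    """Router: recompute the label from the alarm parameters and compare."""
    comps = name.strip("/").split("/")
    if len(comps) < 2:
        return False
    expected = hsl_tag(comps[:-1], key).encode()
    return hmac.compare_digest(expected, comps[-1].encode())

class Router:
    """Toy PIT: an entry leaves at RTT when Data returns, otherwise at TTL."""
    def __init__(self, rtt_ms=100, ttl_ms=4000):
        self.rtt, self.ttl = rtt_ms, ttl_ms
        self.pit = {}      # name -> expiry time (ms)
        self.alarms = {}   # malicious prefix Pi -> HSL parameters (key)
        self.dropped = 0

    def receive_alarm(self, prefix, key):
        """Install the (Pi, HSL parameters) pair carried by the server's alarm."""
        self.alarms[prefix] = key

    def on_interest(self, name, now, content_exists):
        for prefix, key in self.alarms.items():
            if name.startswith(prefix + "/") and not verify_hsl(name, key):
                self.dropped += 1        # fake name: never enters the PIT
                return False
        self.pit = {n: t for n, t in self.pit.items() if t > now}
        self.pit[name] = now + (self.rtt if content_exists else self.ttl)
        return True

def simulate(filter_on, n=200, key=b"constructed-secret"):
    """Interleave n legitimate and n fake Interests 1 ms apart; return (peak PIT, dropped)."""
    prefix, r = "/China/Sina/video", Router()
    if filter_on:
        r.receive_alarm(prefix, key)
    peak = 0
    for i in range(n):
        r.on_interest(make_name(prefix, f"clip{i}", key), i, True)
        r.on_interest(f"{prefix}/attacks{i}", i, False)   # forged suffix, no content
        peak = max(peak, len(r.pit))
    return peak, r.dropped
```

Without the filter the 200 fake entries all outlive the run and the PIT peaks at 300; with the alarm installed every fake Interest is dropped at the router and the PIT never exceeds the 100 legitimate entries in flight.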
The main contributions of this paper can be summarized as follows.
1. The fundamental reasons why an IFA is so difficult to detect or mitigate are clearly presented, together with a comprehensive taxonomy of current IFA countermeasures from the aspects of detection and mitigation.
2. The design details of InterestFence are given. InterestFence enables routers to accurately filter fake Interest packets and directly clean attack traffic by verifying the HSL of each Interest packet under the infected prefix Pi. Owing to this accurate cleaning capability, not only the intermediate routers along the attack path but also the victim content servers are protected from an IFA, since fake Interest packets cannot pass HSL verification at any InterestFence-enabled router. In this way, both the computation resources of content servers and the PIT memory of each involved router are protected from the damage an IFA would cause.
3. Extensive experiments on InterestFence were conducted that demonstrate its significant performance and lightweight overhead in accurate IFA detection as well as mitigation. Given the comparative results against state-of-the-art IFA countermeasures, the proposed InterestFence method may be the best one for filtering IFA traffic without harming legitimate requests and content servers.
The rest of the paper is organized as follows. Section 2 provides an overview of state-of-the-art IFA countermeasures with a comprehensive analysis. InterestFence, including its architecture and detailed algorithms, is presented in Section 3. The performance of InterestFence is evaluated in Section 4, and Section 5 concludes this paper.
Related work
In this section, the main security threats to NDN are first briefly presented, and then the study of IFA countermeasures is given from two aspects: detection and mitigation. The former aims at detecting the existence of an IFA, while the latter aims at limiting its damage to critical network resources.
1) Typical security concerns in NDN: There are mainly six categories of security vulnerabilities in NDN: IFA, Content Poisoning Attack (CPA), content pollution, secure forwarding, application security,
InterestFence
This section provides the detailed design of InterestFence. First, we introduce the attack model that InterestFence is designed for, and then describe the system architecture as well as the high-level workflow of InterestFence. Finally, we describe how each key component works.
Evaluation
In this section, we provide an in-depth evaluation of InterestFence from three aspects. First, we evaluate the efficiency of HSL. Afterwards, we investigate HSL from the perspective of quality of user experience. Finally, we compare the HSL implementation with potential substitutes, given the trade-off between overhead and security.
Considering that HSL is the core functional module of InterestFence, we use HSL for short to denote InterestFence throughout this section.
Conclusions
In this paper, we presented InterestFence, an efficient IFA mitigation framework that can accurately identify fake Interests and efficiently filter attack traffic at intermediate routers. It has two key contributions: (i) a fast and accurate HSL generating component at content servers, and (ii) a lightweight and accurate name verification component at routers. We performed extensive evaluations of InterestFence using simulations with comprehensive analysis of the results, which
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
This work is supported by the National Key Research and Development Program of China (No. 2016YFB1000102), National Natural Science Foundation of China (No. 61702439, 61972222, 61602030), Shandong Provincial Natural Science Foundation of China (No. ZR2017BF018).
References (56)
- FIA-NP: Collaborative Research: Named Data Networking Next Phase (NDN-NP)....
- et al. Social cooperation for information-centric multimedia streaming in highway VANETs. Proceedings of IEEE WoWMoM Workshop (2014).
- et al. NDNS: a DNS-like name service for NDN. Proceedings of the 26th International Conference on Computer Communications and Networks (ICCCN) (2017).
- et al. Interest flooding attack and countermeasures in named data networking. Proceedings of IFIP Networking (2013).
- et al. ndnSIM: NDN simulator for NS-3. Technical Report NDN-0005 (2012).
- et al. Revisiting countermeasures against NDN interest flooding. Proceedings of the 2nd ACM Conference on Information-Centric Networking (ACM-ICN) (2015).
- et al. Neutralizing interest flooding attacks in named data networks using cryptographic route tokens. Proceedings of the IEEE 15th International Symposium on Network Computing and Applications (NCA) (2016).
- et al. Modeling data transfer in content-centric networking. Proceedings of the 23rd International Teletraffic Congress (ITC) (2011).
- et al. Pending interest table sizing in named data networking. Proceedings of the 2nd ACM Conference on Information-Centric Networking (ACM-ICN) (2015).
- et al. From content delivery today to information centric networking. Comput. Netw. (2013).
- Poseidon: mitigating interest flooding DDoS attacks in named data networking. Proceedings of the IEEE 38th Conference on Local Computer Networks (LCN).
- To NACK or not to NACK? Negative acknowledgments in information-centric networking. Proceedings of the 24th International Conference on Computer Communication and Networks (ICCCN).
- Mitigate DDoS attacks in NDN by interest traceback. Proceedings of IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).
- InterestFence: countering interest flooding attacks by using hash-based security labels. Proceedings of the International Conference on Algorithms and Architectures for Parallel Processing (ICA3PP).
- Locator/identifier split networking: a promising future internet architecture. IEEE Commun. Surv. Tut.
- DoS and DDoS in named data networking. Proceedings of the 22nd International Conference on Computer Communication and Networks (ICCCN).
- A fast and memory-efficient trie structure for name-based packet forwarding. Proceedings of the 26th IEEE International Conference on Network Protocols (ICNP 2018).
- Low-power internet of things with NDN & cooperative caching. Proceedings of the 4th ACM Conference on Information-Centric Networking (ACM-ICN).
- NLSR: named-data link state routing protocol. Proceedings of the 3rd ACM SIGCOMM Workshop on Information-Centric Networking (ICN 2013).
- Theil-based countermeasure against interest flooding attacks for named data networks. IEEE Netw.
- Networking named content. Commun. ACM.
- Information-centric networking: the evolution from circuits to packets to content. Comput. Netw.
- Accuracy or delay? A game in detecting interest flooding attacks. Internet Technol. Lett.
- NetFence: preventing internet denial of service from inside out. Proceedings of ACM SIGCOMM.
- A DHT-based identifier-to-locator mapping approach for a scalable internet. IEEE Trans. Parallel Distrib. Syst.
- Chinese internet router-level hop count measurement and analysis. Appl. Res. Comput.
- Performance analysis of content-centric and content-delivery networks with evolving object popularity. Comput. Netw.
☆ An earlier version of this paper (Dong et al., 2018) was presented at the 18th International Conference on Algorithms and Architectures for Parallel Processing (ICA3PP 2018). This version extends and enhances both the key design details and the performance evaluation, with at least 50% new content compared with the earlier ICA3PP 2018 conference version.