Interest Flooding Attack in Named Data Networking: A Survey

Named Data Networking (NDN) is based on the principle of Content-Centric Networking (CCN) that aims to overcome the weaknesses of the current host-based Internet architecture. Like traditional networks, it is identified that NDN is also vulnerable to many security threats including denial-of-service (DoS) or distributed DoS (DDoS) and might offer avenues for new DoS/DDoS attacks. DDoS attacks can be triggered in NDN to exhaust resources within an NDN router or the content producer(s). This survey paper focuses on different types of possible distributed denial-ofservice (DDoS) attacks; in particular, we address Interest flooding, where an adversary with limited resources can implement this attack and significantly impact thenetwork performance and their proposed countermeasures.Keywords:Named Data Networking, Interest flooding, denial-of-service

DoS and DDoS attacks in Named Data Networking

La nascita di Internet ha portato benefici senza precedenti in termini sociali ed economici. Le tecnologie e i protocolli inizialmente adottati andavano a risolvere i problemi causati dall’inaffidabilità della preesistente linea telefonica e nel corso dei vari decenni hanno garantito il funzionamento delle comunicazioni globali. Tuttavia ci si pone delle domande sulla necessità di un nuovo cambio di paradigma che risponda alle nuove esigenze riscontrate nell’evoluzione di Internet stesso e dei servizi offerti. Named Data Networking, come progetto della famiglia delle Future Internet Architectures, propone una visione di Internet rinnovata in cui l’entità fondamentale scambiata è il Nome. L’attenzione viene posta sul cosa i nodi richiedono alla rete e non sul dove reperiscono le informazioni. Come nuova architettura, NDN propone approcci innovativi sui fronti dell’inoltro e dell’instradamento dei pacchetti nella rete e garantisce l’implementazione di diversi aspetti di sicurezza by design. Ciò non è però sufficiente a proteggere da tutte le minacce della rete, tra cui gli attacchi DDoS che costituiscono ancora oggi un rischio importante per i fornitori di servizi in Internet. Sono quindi necessari ulteriori sforzi per partorire un’architettura che risponda a requisiti di efficienza e sicurezza

Poseidon: Mitigating Interest Flooding DDoS Attacks in Named Data Networking

Content-Centric Networking (CCN) is an emerging networking paradigm being considered as a possible replacement for the current IP-based host-centric Internet infrastructure. In CCN, named content becomes a first-class entity. CCN focuses on content distribution, which dominates current Internet traffic and is arguably not well served by IP. Named-Data Networking (NDN) is an example of CCN. NDN is also an active research project under the NSF Future Internet Architectures (FIA) program. FIA emphasizes security and privacy from the outset and by design. To be a viable Internet architecture, NDN must be resilient against current and emerging threats. This paper focuses on distributed denial-of-service (DDoS) attacks; in particular we address interest flooding, an attack that exploits key architectural features of NDN. We show that an adversary with limited resources can implement such attack, having a significant impact on network performance. We then introduce Poseidon: a framework for detecting and mitigating interest flooding attacks. Finally, we report on results of extensive simulations assessing proposed countermeasure.Comment: The IEEE Conference on Local Computer Networks (LCN 2013

Proactive detection of DDOS attacks in Publish-Subscribe networks

Information centric networking (ICN) using architectures such as Publish-Subscribe Internet Routing Paradigm (PSIRP) or Publish-Subscribe Internet Technology (PURSUIT) has been proposed as an important candidate for the Internet of the future. ICN is an emerging research area that proposes a transformation of the current host centric Internet architecture into an architecture where information items are of primary importance. This change allows network functions such as routing and locating to be optimized based on the information items themselves. The Bloom filter based content delivery is a source routing scheme that is used in the PSIRP/PURSUIT architectures. Although this mechanism solves many issues of today’s Internet such as the growth of the routing table and the scalability problems, it is vulnerable to distributed denial-of-service (DDoS) attacks. In this paper, we present a new content delivery scheme that has the advantages of Bloom filter based approach while at the same time being able to prevent DDoS attacks on the forwarding mechanism. Our security analysis suggests that with the proposed approach, the forwarding plane is able to resist attacks such as DDoS with very high probabilit

Security for the Industrial IoT: The Case for Information-Centric Networking

Industrial production plants traditionally include sensors for monitoring or documenting processes, and actuators for enabling corrective actions in cases of misconfigurations, failures, or dangerous events. With the advent of the IoT, embedded controllers link these `things' to local networks that often are of low power wireless kind, and are interconnected via gateways to some cloud from the global Internet. Inter-networked sensors and actuators in the industrial IoT form a critical subsystem while frequently operating under harsh conditions. It is currently under debate how to approach inter-networking of critical industrial components in a safe and secure manner. In this paper, we analyze the potentials of ICN for providing a secure and robust networking solution for constrained controllers in industrial safety systems. We showcase hazardous gas sensing in widespread industrial environments, such as refineries, and compare with IP-based approaches such as CoAP and MQTT. Our findings indicate that the content-centric security model, as well as enhanced DoS resistance are important arguments for deploying Information Centric Networking in a safety-critical industrial IoT. Evaluation of the crypto efforts on the RIOT operating system for content security reveal its feasibility for common deployment scenarios.Comment: To be published at IEEE WF-IoT 201

Defending Against Denial of Service

Civil Society currently faces significant cyber threats. At the top of the list of those threats are Denial of Service (DoS) attacks. The websites of many organizations and individuals have already come under such attacks, and the frequency of those attacks are on the rise. Civil Society frequently does not have the kinds of resources or technical know-how that is available to commercial enterprise and government websites, and often have to exist in adverse political environments where every avenue available, both legal and illegal, is used against them. Therefore, the threat of DoS attacks is unlikely to go away any time soon.A Denial of Service (DoS) attack is any attack that overwhelms a website, causing the content normally provided by that website to no longer be available to regular visitors of the website. Distributed Denial of Service (DDoS) attacks are traffic volumebased attacks originating from a large number of computers, which are usually compromised workstations. These workstations, known as 'zombies', form a widely distributed attack network called a 'botnet'. While many modern Denial of Service attacks are Distributed Denial of Service attacks, this is certainly not true for all denials of service experienced by websites. Therefore, when users first start experiencing difficulty in getting to the website content, it should not be assumed that the site is under a DDoS attack. Many forms of DoS are far easier to implement than DDoS, and so these attacks are still used by parties with malicious intent. Many such DoS attacks are easier to defend against once the mechanism used to cause the denial of service is known. Therefore, it is paramount to do proper analysis of attack traffic when a site becomes unable to perform its normal function. There are two parts to this guide. The first part outlines preparatory steps that can be taken by Civil Society organizations to improve their website's resilience, should it come under attack. However, we do understand that most Civil Society organizations' first introduction to DoS attacks comes when they suddenly find themselves the victim of an attack. The second part of this guide provides a step-by-step process to assist the staff of NGOs to efficiently deal with that stressful situation