ChoKIFA+: an early detection and mitigation approach against interest flooding attacks in NDN

Abstract

Several ongoing research efforts aim to design potential Future Internet Architectures, among which Named-Data Networking (NDN) introduces a shift from the existing host-centric, Internet Protocol-based infrastructure towards a content-oriented one. However, researchers have identified some design limitations in NDN, some of which enable a new type of Distributed Denial of Service attack, better known as the Interest Flooding Attack (IFA). In an IFA, an adversary issues unsatisfiable requests into the network to saturate the Pending Interest Table (PIT) of NDN routers and prevent them from properly handling legitimate traffic. Researchers have tried to mitigate this problem by proposing several detection and reaction mechanisms, but none of the mechanisms proposed so far is highly effective and, on the contrary, they heavily damage the legitimate traffic. In this paper, we propose a novel mechanism for IFA detection and mitigation, aimed at decreasing the memory consumption of the PIT by effectively reducing the malicious traffic that passes through each NDN router. In particular, our protocol exploits an effective management strategy on the PIT, through which the Malicious Interests (MIs) already stored in the PIT are removed and new incoming MIs are dropped. In addition, the proposed countermeasure provides an additional security wall at the edges of the network to detect and mitigate the attack as early as possible and improve the network health, i.e., the routers' PIT occupancy during an IFA. To evaluate the effectiveness of our work, we implemented the proposed countermeasure on the open-source ndnSIM simulator and compared its effectiveness with the state of the art. The results show that our proposed countermeasure effectively reduces the IFA damage both in terms of preserved legitimate traffic and availability of the routers' PIT. Considering the legitimate traffic, the amount of Benign Interests preserved by our approach increases from 5% to 40% with respect to the preservation guaranteed by the state-of-the-art solutions. Concerning the routers' PIT availability, our approach guarantees that 97% of the PIT size is left free for handling the legitimate traffic.
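The PIT-saturation dynamic the abstract describes (an unsatisfiable interest has no Data to answer it, so it stays in the PIT until its lifetime expires, whereas a satisfiable one leaves after one round trip) can be seen in a small discrete-time model. The following Python is an added illustration written for this page; it is not the ChoKIFA+ algorithm, nor ndnSIM code, and every parameter value (capacity, arrival rates, lifetime, RTT), the proportional arrival interleaving and the interest names are constructed assumptions. It reports the two quantities the abstract uses as metrics, the share of Benign Interests preserved and the fraction of the PIT left free, for a router with and without unsatisfiable traffic; it models no countermeasure.

```python
"""Discrete-time model of one NDN router's Pending Interest Table (PIT).

Assumptions of this model (not taken from the paper): one tick is one time unit,
every interest carries a distinct name (so no PIT aggregation), the PIT is a plain
map with a hard capacity, and arrivals within a tick are interleaved proportionally.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PitEntry:
    name: str
    expires_at: int               # tick at which the entry's lifetime runs out
    satisfied_at: Optional[int]   # tick at which Data returns; None if it never will


class Pit:
    """Bounded PIT: an entry leaves only when satisfied or when its lifetime expires."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: Dict[str, PitEntry] = {}

    def purge(self, now: int) -> None:
        # Data arrival and lifetime expiry are the only two ways out of the PIT.
        dead = [n for n, e in self.entries.items()
                if e.expires_at <= now
                or (e.satisfied_at is not None and e.satisfied_at <= now)]
        for n in dead:
            del self.entries[n]

    def insert(self, entry: PitEntry) -> bool:
        # A full PIT cannot record a new interest, so the router has to drop it.
        if len(self.entries) >= self.capacity:
            return False
        self.entries[entry.name] = entry
        return True

    def malicious_share(self) -> float:
        """Fraction of current entries that will never be satisfied."""
        if not self.entries:
            return 0.0
        never = sum(1 for e in self.entries.values() if e.satisfied_at is None)
        return never / len(self.entries)


def interleave(benign: int, malicious: int) -> List[bool]:
    """Proportional arrival order for one tick; True marks a benign interest."""
    total = benign + malicious
    return [((i + 1) * benign) // total > (i * benign) // total for i in range(total)]


def simulate(capacity: int, ticks: int, benign_per_tick: int,
             malicious_per_tick: int, rtt: int, lifetime: int) -> dict:
    pit = Pit(capacity)
    benign_total = benign_dropped = malicious_dropped = peak = 0
    for now in range(ticks):
        pit.purge(now)
        for k, is_benign in enumerate(interleave(benign_per_tick, malicious_per_tick)):
            # Constructed names: benign ones are answered after `rtt`, bogus ones never.
            name = f"/{'good' if is_benign else 'bogus'}/t{now}/{k}"
            entry = PitEntry(name, now + lifetime, now + rtt if is_benign else None)
            accepted = pit.insert(entry)
            if is_benign:
                benign_total += 1
                if not accepted:
                    benign_dropped += 1
            elif not accepted:
                malicious_dropped += 1
        peak = max(peak, len(pit.entries))
    return {
        "benign_total": benign_total,
        "benign_dropped": benign_dropped,
        "benign_preserved": (benign_total - benign_dropped) / benign_total if benign_total else 1.0,
        "malicious_dropped": malicious_dropped,
        "peak_occupancy": peak,
        "free_fraction": 1 - len(pit.entries) / capacity,   # "PIT left free" at the end of the run
        "malicious_share_at_end": pit.malicious_share(),
    }


if __name__ == "__main__":
    baseline = simulate(capacity=100, ticks=50, benign_per_tick=5, malicious_per_tick=0, rtt=2, lifetime=20)
    attack = simulate(capacity=100, ticks=50, benign_per_tick=5, malicious_per_tick=10, rtt=2, lifetime=20)
    for label, r in (("no attack", baseline), ("IFA", attack)):
        print(f"{label:10s} peak={r['peak_occupancy']:3d}/100 free={r['free_fraction']:.2f} "
              f"benign preserved={r['benign_preserved']:.2f} "
              f"malicious share={r['malicious_share_at_end']:.2f}")
```

With the constructed parameters the benign-only run never fills more than a small fraction of the table, because each entry lives only one RTT, while the run with unsatisfiable arrivals pins the PIT at capacity and the table becomes dominated by entries that will never be answered. That asymmetry (long residence of unanswerable entries versus short residence of legitimate ones) is what makes a PIT-side management strategy and early detection at the network edge, as the abstract proposes, the natural points of defence.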



Notes

  1. ndnSIM implements the NDN protocol stack on the NS-3 simulator.

  2. The NDN traffic flow measurement differs from the IP one; we present the comparison between them in Sect. 5.3.

  3. Recall that unsatisfiable interests refer to non-existing contents and saturate the PIT.

  4. We take the value of the maximum probability (\(P_\mathrm{max}\)) to be one.

  5. ndnSIM implements the NDN protocol stack on the NS-3 simulator.

  6. https://github.com/cawka/ndnSIM-ddos-interest-flooding.


Funding

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the LOCARD project (Grant Agreement No. 832735).

Author information

Corresponding author

Correspondence to Abdelmadjid Benarfa.

Ethics declarations

Conflict of interest

Abdelmadjid Benarfa declares that he has no conflict of interest. Muhammad Hassan declares that he has no conflict of interest. Eleonora Losiouk declares that she has no conflict of interest. Alberto Compagno declares that he has no conflict of interest. Mohamed Bachir Yagoubi declares that he has no conflict of interest. Mauro Conti declares that he has no conflict of interest.

Ethical approval

This article does not contain any study with human participants or animals performed by any of the authors.


Cite this article

Benarfa, A., Hassan, M., Losiouk, E. et al. ChoKIFA+: an early detection and mitigation approach against interest flooding attacks in NDN. Int. J. Inf. Secur. (2020). https://doi.org/10.1007/s10207-020-00500-z


Keywords

  • NDN
  • DDoS attack
  • IFA
  • Congestion
  • PIT management