InterestFence: Countering Interest Flooding Attacks by Using Hash-Based Security Labels
Interest Flooding Attack (IFA) has been one of the biggest threats for the Named Data Networking (NDN) paradigm, while it is very easy to launch but very difficult to mitigate. In this paper, we propose the InterestFence, which is a simple, direct, lightweight yet efficient IFA countermeasure, and the first one to achieve fast detection meanwhile accurate and efficient attacking traffic filtering without harming any legitimate Interests. InterestFence detects IFA based on content servers rather than routers to guarantee accurate detection. All content items with the same prefix within a content server have a hash-based security label (HSL) to claim their existence, and a HSL verification method is securely transmitted to related routers to help filtering and cleaning IFA traffic in transit networks accurately and efficiently. Performance analysis demonstrates the effectiveness of InterestFence on mitigating IFA and its lightweight feature due to the limited overhead involved.
KeywordsInterest Flooding Attack Named Data Networking Security
This work is supported by China Postdoctoral Science Foundation (No. 2017M620786), Shandong Provincial Natural Science Foundation, China (No. ZR2017BF018), National Natural Science Foundation of China (NSFC) (No. 61702439, 61502410, 61602399, 61672318, 61631013), Shandong Province Higher Educational Science and Technology Program (No. J16LN17) and National Key Research and Development Program (No. 2016YFB1000102).
- 1.Afanasyev, A., et al.: NDNS: a DNS-like name service for NDN. In: Proceedings of the 26th International Conference on Computer Communications and Networks (ICCCN), Vancouver, BC, Canada, pp. 1–9, July 2017Google Scholar
- 2.Al-Sheikh, S., Wählisch, M., Schmidt, T.C.: Revisiting countermeasures against NDN interest flooding, San Francisco, CA, USA, pp. 195–196, September 2015Google Scholar
- 3.Compagno, A., Conti, M., Gasti, P., Tsudik, G.: Poseidon: mitigating interest flooding DDoS attacks in named data networking, Sydney, NSW, Australia, pp. 630–638, October 2013Google Scholar
- 4.Compagno, A., Conti, M., Ghali, C., Tsudik, G.: To NACK or not to NACK? Negative acknowledgments in information-centric networking, Las Vegas, NV, USA, pp. 1–10, August 2015Google Scholar
- 5.Gasti, P., Tsudik, G., Uzun, E., Zhang, L.: DoS and DDoS in named data networking. In: Proceedings of 22nd International Conference on Computer Communication and Networks (ICCCN), Nassau, Bahamas, pp. 1–7, October 2013Google Scholar
- 10.Nguyen, T., Cogranne, R., Doyen, G.: An optimal statistical test for robust detection against interest flooding attacks in CCN, Ottawa, ON, Canada, pp. 252–260, May 2015Google Scholar
- 11.Salah, H., Wulfheide, J., Strufe, T.: Lightweight coordinated defence against interest flooding attacks in NDN, Hong Kong, China, pp. 103–104, April 2015Google Scholar
- 13.Wang, K., Zhou, H., Qin, Y., Chen, J., Zhang, H.: Decoupling malicious interests from pending interest table to mitigate interest flooding attacks. In: Proceedings of IEEE Globecom Workshops (GC Wkshps). Atlanta, GA, USA, pp. 963–968, December 2013Google Scholar