Published in: International Journal of Information Security 3/2021

08-05-2020 | Regular Contribution

ChoKIFA+: an early detection and mitigation approach against interest flooding attacks in NDN

Authors: Abdelmadjid Benarfa, Muhammad Hassan, Eleonora Losiouk, Alberto Compagno, Mohamed Bachir Yagoubi, Mauro Conti

Abstract

Several ongoing research efforts aim to design potential Future Internet Architectures, among which Named-Data Networking (NDN) introduces a shift from the existing host-centric, Internet Protocol-based Internet infrastructure towards a content-oriented one. However, researchers have identified some design limitations in NDN, some of which enable a new type of Distributed Denial of Service attack, better known as the Interest Flooding Attack (IFA). In an IFA, an adversary issues unsatisfiable requests into the network to saturate the Pending Interest Table (PIT) of NDN routers and prevent them from properly handling legitimate traffic. Researchers have tried to mitigate this problem by proposing several detection and reaction mechanisms, but none of the mechanisms proposed so far is highly effective and, on the contrary, they heavily damage the legitimate traffic. In this paper, we propose a novel mechanism for IFA detection and mitigation, aimed at decreasing the memory consumption of the PIT by effectively reducing the malicious traffic that passes through each NDN router. In particular, our protocol exploits an effective management strategy on the PIT, through which the Malicious Interests (MIs) already stored in the PIT are removed and newly incoming MIs are dropped. In addition, the proposed countermeasure provides an additional security wall at the edges of the network to detect and mitigate the attack as early as possible and improve the network health, i.e., the routers' PIT occupancy during an IFA. To evaluate the effectiveness of our work, we implemented the proposed countermeasure on the open-source ndnSIM simulator and compared its effectiveness with the state of the art. The results show that our proposed countermeasure effectively reduces the IFA damage both in terms of preserved legitimate traffic and availability of the routers' PIT. Considering the legitimate traffic, the amount of Benign Interests preserved by our approach increases from 5% to 40% with respect to the preservation guaranteed by the state-of-the-art solutions. Concerning the routers' PIT availability, our approach guarantees that 97% of the PIT size is left free for handling the legitimate traffic.
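The PIT exhaustion the abstract describes, and the two countermeasure actions it names (evicting malicious interests already in the PIT and dropping newly arriving ones), as an added toy simulation that is not the paper's ChoKIFA+ algorithm and not ndnSIM code. The CHOKe-style comparison of an incoming interest against one randomly sampled PIT entry keyed on the first name component, the occupancy threshold, the traffic mix and every timing value are constructed assumptions of this example.

```python
import random
from collections import namedtuple
from dataclasses import dataclass, field

PIT_CAPACITY = 100
CHOKE_THRESHOLD = 0.5   # occupancy ratio above which CHOKe-style checks start (assumed)
BENIGN_RTT = 2          # ticks until content satisfies a benign interest
INTEREST_LIFETIME = 20  # ticks after which an unsatisfied PIT entry expires
BENIGN_PER_TICK, MALICIOUS_PER_TICK = 5, 20   # constructed traffic mix per tick
BENIGN_PREFIXES = ("/video", "/news", "/mail")

Entry = namedtuple("Entry", "name arrived benign")   # benign=False: never satisfiable

def prefix(name: str) -> str:
    return "/" + name.split("/")[1]   # flow key: first name component (an assumption)

@dataclass
class Router:
    choke: bool
    rng: random.Random
    pit: list = field(default_factory=list)
    peak: int = 0
    dropped_benign: int = 0      # benign interests lost (tail drop, CHOKe match, eviction)
    dropped_malicious: int = 0   # incoming malicious interests refused entry
    removed_malicious: int = 0   # malicious entries evicted from the PIT before expiry

    def age_out(self, now: int) -> None:
        # Content satisfies benign entries after BENIGN_RTT; the rest only expire.
        self.pit = [e for e in self.pit
                    if now - e.arrived < (BENIGN_RTT if e.benign else INTEREST_LIFETIME)]

    def drop(self, e: Entry) -> None:
        self.dropped_benign += e.benign          # bools add as 0/1
        self.dropped_malicious += not e.benign

    def receive(self, e: Entry) -> None:
        if len(self.pit) >= PIT_CAPACITY:
            self.drop(e)                         # saturated PIT: plain tail drop
            return
        if self.choke and len(self.pit) > CHOKE_THRESHOLD * PIT_CAPACITY:
            victim = self.pit[(i := self.rng.randrange(len(self.pit)))]
            if prefix(victim.name) == prefix(e.name):
                # Same flow as a random pending entry: evict it and drop the newcomer.
                self.pit.pop(i)
                self.dropped_benign += victim.benign      # collateral if the victim was benign
                self.removed_malicious += not victim.benign
                self.drop(e)
                return
        self.pit.append(e)
        self.peak = max(self.peak, len(self.pit))

def simulate(choke: bool, ticks: int = 200, seed: int = 7) -> Router:
    rng = random.Random(seed)                    # traffic generator
    router = Router(choke=choke, rng=random.Random(seed + 1))
    for now in range(ticks):
        router.age_out(now)
        arrivals = [Entry(f"{rng.choice(BENIGN_PREFIXES)}/item/{rng.randrange(10**6)}", now, True)
                    for _ in range(BENIGN_PER_TICK)]
        arrivals += [Entry(f"/attack/{rng.getrandbits(32):08x}", now, False)
                     for _ in range(MALICIOUS_PER_TICK)]
        rng.shuffle(arrivals)                    # interleave flows as a shared link would
        for e in arrivals:
            router.receive(e)
    return router
```

Compare `simulate(False)` with `simulate(True)` on `peak` and `dropped_benign`: the unmanaged router saturates at PIT_CAPACITY and then tail-drops legitimate interests, while the managed one hovers near the threshold and loses far fewer benign interests.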

Footnotes

1. ndnSIM implements the NDN protocol stack on the NS-3 simulator.

2. The NDN traffic flow measurement differs from the IP one; we present the comparison between them in Sect. 5.3.

3. Recall that unsatisfiable interests refer to non-existing contents and saturate the PIT.

4. We take the value of the maximum probability (\(P_\mathrm{max}\)) to be one.

5. ndnSIM implements the NDN protocol stack on the NS-3 simulator.
Metadata

Title: ChoKIFA+: an early detection and mitigation approach against interest flooding attacks in NDN
Authors: Abdelmadjid Benarfa, Muhammad Hassan, Eleonora Losiouk, Alberto Compagno, Mohamed Bachir Yagoubi, Mauro Conti
Publication date: 08-05-2020
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 3/2021
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-020-00500-z