[Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices

Tue Sep 27 20:59:10 PDT 2016

Hi Cesar,

If the PIT were to be added to IP then I would agree with what you say 
below. But this is NDN. You cannot just pick on the PIT ignoring the 
rest of the architecture.

Christos.

On 09/27/2016 09:31 PM, Cesar Ghali wrote:
> This is an interesting topic and I'm sure Chris read Luca's message 
> before he responded. Exhausting link bandwidth or computing resource 
> is a problem in today's network, and, as far as I know, all proposed 
> future Internet architectures. Since the PIT is a new player here 
> (this doesn't mean it is the bad guy or the only bad guy) and it 
> introduces a new problem that didn't exist before, it might be helpful 
> to take a step back and reassess design decisions. Especially that 
> proposed countermeasures do not solve the problem and can be bypassed 
> by smart adversaries.
>
> On Tue, Sep 27, 2016 at 7:49 PM, Christos Papadopoulos 
> <christos at colostate.edu <mailto:christos at colostate.edu>> wrote:
>
>
>
>     On 09/27/2016 07:47 PM, christopherwood07 at gmail.com
>     <mailto:christopherwood07 at gmail.com> wrote:
>
>         On September 27, 2016 at 5:14:14 PM, Christos Papadopoulos
>         (christos at colostate.edu <mailto:christos at colostate.edu>) wrote:
>
>
>             On 09/27/2016 04:59 PM, woodc1 at uci.edu
>             <mailto:woodc1 at uci.edu> wrote:
>
>                 To re-iterate Cesar’s point, as of now, there is no
>                 truly effective
>                 interest flooding mitigation. However, one concrete
>                 way to minimize
>                 the attack surface (for routers) is to get rid of the
>                 attack's root
>                 cause: the PIT. (Producers could still be hosed with
>                 bogus interests.)
>                 And since the PIT enables several important functions,
>                 other
>                 architecture changes will probably have to follow in
>                 its wake.
>
>             You start with what I believe to be the wrong premise:
>             protecting the
>             router. In NDN we care about communication, not a single
>             router.
>             Protecting a router is winning the battle but losing the war.
>
>         I respectfully disagree. If the adversary takes out the producer,
>         there is no communication. If the adversary takes out the routers
>         adjacent or otherwise on the path to the producer, there is no
>         communication. Protecting the router(s) is equally important,
>         especially since it may impact more than just a single producer.
>
>
>     You are still thinking in IP terms. In NDN data follows demand;
>     data diffuses in the network pulled by Interests over all
>     available faces. If an attacker manages to attack all available
>     paths to your content without attacking the entire infrastructure,
>     then I claim you deployed a bad defense system.
>
>
>             I don't understand your statement that the root cause of
>             DDoS attacks is
>             the PIT. The root cause of DDoS is resource exhaustion.
>
>         In these attack scenarios, the PIT *is* the resource being
>         exhausted.
>
>
>     Then you are looking at a subset of DDoS attacks. There are others
>     that exhaust link bandwidth or compute resources. Why is the PIT
>     the only bad guy here? 
>
>
>
>
>                 Personally, I don’t think we should settle with an
>                 architectural
>                 element that has a known (and quite severe) weakness
>                 simply because it
>                 enables some nice features in practice. The more
>                 serious design
>                 problems must be dealt with first, not last.
>
>             You are underestimating the importance of the signal the
>             PIT provides.
>             It is an important insight into the status of
>             communication. The PIT
>             does not simply enable some "nice features". Think a bit
>             harder about
>             the things you can do with this signal.
>
>         In most attack scenarios, yes, it tells you when bogus
>         interests are
>         flooding a particular prefix and otherwise when communication is
>         failing. But consider this scenario. Suppose you have a malicious
>         producer cooperating with one or more malicious consumers. The
>         consumers are quickly sending interests to this legitimate
>         producer,
>         who responds with legitimate data. The communication is not
>         failing.
>         Their goal is to do nothing other than saturate the PIT of some
>         intermediate router. Per Spyros’ follow-up suggestion, that router
>         might kick out old, legitimate interests in favor of these
>         malicious
>         ones. Of course, this is fundamentally how we would expect one
>         to deal
>         with and manage a limited resource. So preventing this attack
>         seems
>         difficult for any approach. But the point is that this
>         resource, the
>         PIT, is easily abused in CCN/NDN.
>
>
>     I am not sure where you are going here. All public resources can
>     be abused. The question is how do you build a good resource
>     management system to detect and mitigate resource abuse. Luca put
>     it nicely, i suggest you read his message.
>
>     Christos.
>
>
>
>         Chris
>
>
>     _______________________________________________
>     Ndn-interest mailing list
>     Ndn-interest at lists.cs.ucla.edu <mailto:Ndn-interest at lists.cs.ucla.edu>
>     http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
>     <http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20160927/da083bdc/attachment.html>