[Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices

Paul Bellamy paul.a.bellamy at gmail.com
Wed Sep 28 01:55:00 PDT 2016


One of the invariants of a DoS is that there are a lot of packets depleting
the resources of a single target physical machine. Which means we can
prevent it in two ways. Given that, there are several potential solutions
which jump to my mind:

1) Reject bad-actors sending lots of packets. Would work against a DoS, but
not a DDoS, as each individual actor is sending a reasonable amount of
packets.

2) Stop too many packets reaching the single target. During
resource-exhaustion we could purge PIT entries with similar prefixes. The
nature of the flooded interests means they should all have a similar
prefix. We could limit the number of outstanding interests for a given
prefix.

3) Scale up the target. IMO, one of the big advantages of NDN for
service-operators is that (unlike IP) interests don't have to be answered
by any specific physical machine. If you've designed your application well,
you can easily add more capacity. This is "good enough", until you run into
cost-constraints.

Of those, a combination of 2 and 3 seems the most practical.

Regards,
Paul
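A toy model of the two PIT-side defences from point 2 (a per-prefix cap on outstanding interests, and purging the most crowded prefix when the table is exhausted), added here as an example that is not from the post or from any NDN forwarder; the PIT structure, the two-component prefix and the traffic mix are constructed assumptions.

```python
from collections import defaultdict

class PrefixLimitedPIT:
    """Hypothetical Pending Interest Table (not NFD's code) that can cap
    outstanding interests per name prefix and, when full, purge the
    prefix holding the most entries (the flood shares a prefix)."""

    def __init__(self, capacity, per_prefix_limit=None, prefix_len=2):
        self.capacity, self.limit = capacity, per_prefix_limit
        self.prefix_len = prefix_len        # assumed: first 2 name components
        self.entries = {}                   # full name -> requesting face
        self.by_prefix = defaultdict(list)  # prefix -> pending names
        self.dropped = self.purged = 0

    def prefix_of(self, name):
        comps = [c for c in name.split("/") if c]
        return "/" + "/".join(comps[:self.prefix_len])

    def insert(self, name, face):
        """Admit an interest; return False if it was rejected."""
        if name in self.entries:            # aggregated with a pending one
            return True
        prefix = self.prefix_of(name)
        if self.limit is not None and len(self.by_prefix[prefix]) >= self.limit:
            self.dropped += 1               # per-prefix budget exhausted
            return False
        if len(self.entries) >= self.capacity:
            self.purge_heaviest_prefix()    # resource exhaustion: shed flood
        self.entries[name] = face
        self.by_prefix[prefix].append(name)
        return True

    def purge_heaviest_prefix(self):
        prefix = max(self.by_prefix, key=lambda p: len(self.by_prefix[p]))
        for name in self.by_prefix.pop(prefix):
            del self.entries[name]
            self.purged += 1

def run(capacity, per_prefix_limit):
    """Constructed traffic: 15 legitimate interests under three prefixes,
    then a flood of 100 unique names under a single victim prefix."""
    pit = PrefixLimitedPIT(capacity, per_prefix_limit)
    legit = [f"/site{s}/app/item{i}" for s in "ABC" for i in range(5)]
    for name in legit:
        pit.insert(name, face=2)
    for i in range(100):
        pit.insert(f"/victim/service/junk{i}", face=1)
    return {"pending": len(pit.entries),
            "legit_kept": sum(n in pit.entries for n in legit),
            "dropped": pit.dropped, "purged": pit.purged}

if __name__ == "__main__":
    print("purge only  :", run(30, None))  # legit entries all survive
    print("prefix limit:", run(30, 10))    # flood capped before table fills
```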

