[Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices
Christos Papadopoulos
christos at colostate.edu
Mon Sep 26 12:39:55 PDT 2016
Cedric,
There are more expanded published versions of my answer below, but let
me try to hit the highlights.
NDN has a few advantages over IP when it comes to DDoS. More
specifically, even if attackers request unique objects, path symmetry
allows a router to estimate the rate if un-answered interests coming
from a particular face and impose rate limits or even cutoff traffic
from that face completely. In IP you cannot do that because of
asymmetric routing.
As you said, a DDoS attack of this type would have to use unique names.
I have not done the analysis, but if those unique names are generated by
an algorithm (or are random), then they are subject to lexicographic
analysis. A similar scenario is bots that use DGA (domain generated
algorithms) to rendezvous with C&C servers. I suspect that a similar
analysis is possible.
I am not sure I understand the scenario of a congested caching
infrastructure. In NDN data can be cached in all routers, meaning that
many DDoS Interests may not even leave the local network. In terms of
blocking DDoS attacks this is probably as good as you can get. I would
even say that in NDN a DDoS attack that requests the same content is
unlikely to be successful, it will do more harm the local network.
Christos.
On 09/26/2016 12:43 PM, Cedric Westphal wrote:
> That's very interesting. But since it's sent on this mailing list: would NDN be an answer to this? If the millions of IoT devices involved in the attack request a distinct object under the attacked page's prefix, it would happen exactly the same way, wouldn't it? And if all requests are for the same name, then it's the caching infrastructure of the high degree nodes that becomes attacked and shifting the attack target from akamai to a highly connected router is not a good trade-off.
>
> C.
>
> -----Original Message-----
> From: Ndn-interest [mailto:ndn-interest-bounces at lists.cs.ucla.edu] On Behalf Of Christos Papadopoulos
> Sent: Sunday, September 25, 2016 6:04 PM
> To: ndn-interest at lists.cs.ucla.edu
> Subject: [Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices
>
> http://www.networkworld.com/article/3123672/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html
>
> Apologies if you have seen this already, but 600+Gbps DDoS attack from
> IoT devices is truly remarkable. Moreover, it was *not* and reflection
> attack! The target was protected by Akamai, who had to drop them (it was
> hosted pro-bono) after a few days of sustained attack because it was
> costing too much.
>
> There are a few elements that might make this event a game changer. (a)
> from now on, people may want to always talk about security in IoT, (b)
> it raises questions about protecting the little guy from DDoS, the
> customer here found a home at Google's Project Shield, but obviously
> this is not scalable, and (c) cloud protection from DDoS is not a
> general solution despite what cloud providers will have you believe.
>
> To me such events bring to focus the weaknesses and fragility of the IP
> architecture. With billions of IoT devices projected in the future, even
> one packet/second (or even per minute) from a fraction of these devices
> would be enough to cause real damage. We all know about the code quality
> and ease of patching of IoT devices, this will not change.
>
> Maybe Bruce Schneier 's near-apocalyptic thoughts are not too far off.
>
> https://www.schneier.com/crypto-gram/archives/2016/0915.html#2
>
> Christos.
>
>
> _______________________________________________
> Ndn-interest mailing list
> Ndn-interest at lists.cs.ucla.edu
> http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
More information about the Ndn-interest
mailing list