[Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices

GTS gts at ics.uci.edu
Mon Sep 26 22:31:59 PDT 2016

Hi Christos,

indeed, there's (expected) equilibrium in CCN.
A PIT overflow implies failure of this equilibrium. However, an attack is not the
only potential cause for a PIT overflow, right? Telling the difference seems very hard.

Coming back to the specific large-scale DoS issue, you originally cited the recent
attack where IP-enabled IoT devices acted as attack sources (zombies). I claim this
is possible in CCN if malware gets in before deployment; in that case, a CCN-enabled
IoT device can become a DoS *source*.

The real difference I see is this: a CCN-enabled IoT device that never publishes
anything (e.g., a pure actuator) cannot be a DoS *target*.


Gene Tsudik
Chancellor's Professor of Computer Science
University of California, Irvine

On 9/26/16 8:36 PM, Christos Papadopoulos wrote:
> Hi Gene,
> In NDN, with symmetric traffic and the PIT state, there is an 
> equilibrium imposed (an Interest must be followed by a response) and 
> more importantly, can be verified (expired or overflowed PIT state 
> means failure of the equilibrium).
> The point is there is a signal available in NDN (failure in the 
> equilibrium) that is not available in IP. There are very interesting 
> research questions about how to use this signal.
> IP tried to do something similar with pushback. One problem with it 
> was the coordination required between the routers to make pushback 
> effective. Imagine for example, how hard it would be to coordinate at 
> the interdomain level. In NDN a disturbance in the equilibrium can be 
> detected locally.
> Christos.
> On 09/26/2016 02:34 PM, GTS wrote:
>> I generally agree with Cedric. In CCN (i.e., NDN & CCNx), the 
>> so-called "attack surface"
>> will change shape but its area will remain almost the same. In 
>> particular, attacks
>> such as the one Christos mentions, where IoT devices act as 
>> mini-zombies (DoS attack sources),
>> are unfortunately still possible. Just not in the same way...
>> One notable item in the shifting attack surface is this: in CCN, an 
>> end-entity (e.g., an IoT
>> device) that only acts as a consumer (never produces anything), can 
>> not be DoS-attacked
>> in the usual manner, since the only way it can be "reached" is by 
>> content that *it*
>> has actually requested. In IP, that's certainly not the case.
>> But, if an end-entity can request content, it can in principle be 
>> infected by malware.^$
>> Thus, it can still be turned into a mini-zombie. :-)
>> Cheers,
>> Gene
>> $ Or, it can be infected prior to being put in service.
>> ======================
>> Gene Tsudik
>> Chancellor's Professor of Computer Science
>> University of California, Irvine
>> On 9/26/16 11:43 AM, Cedric Westphal wrote:
>>> That's very interesting. But since it's sent on this mailing list: would NDN be an answer to this? If the millions of IoT devices involved in the attack request a distinct object under the attacked page's prefix, it would happen exactly the same way, wouldn't it? And if all requests are for the same name, then it's the caching infrastructure of the high degree nodes that becomes attacked and shifting the attack target from Akamai to a highly connected router is not a good trade-off.
>>> C.
>>> -----Original Message-----
>>> From: Ndn-interest [mailto:ndn-interest-bounces at lists.cs.ucla.edu] On Behalf Of Christos Papadopoulos
>>> Sent: Sunday, September 25, 2016 6:04 PM
>>> To: ndn-interest at lists.cs.ucla.edu
>>> Subject: [Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices
>>> http://www.networkworld.com/article/3123672/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html
>>> Apologies if you have seen this already, but 600+Gbps DDoS attack from
>>> IoT devices is truly remarkable. Moreover, it was *not* a reflection
>>> attack! The target was protected by Akamai, who had to drop them (it was
>>> hosted pro-bono) after a few days of sustained attack because it was
>>> costing too much.
>>> There are a few elements that might make this event a game changer. (a)
>>> from now on, people may want to always talk about security in IoT, (b)
>>> it raises questions about protecting the little guy from DDoS, the
>>> customer here found a home at Google's Project Shield, but obviously
>>> this is not scalable, and (c) cloud protection from DDoS is not a
>>> general solution despite what cloud providers will have you believe.
>>> To me such events bring to focus the weaknesses and fragility of the IP
>>> architecture. With billions of IoT devices projected in the future, even
>>> one packet/second (or even per minute) from a fraction of these devices
>>> would be enough to cause real damage. We all know about the code quality
>>> and ease of patching of IoT devices, this will not change.
>>> Maybe Bruce Schneier's near-apocalyptic thoughts are not too far off.
>>> https://www.schneier.com/crypto-gram/archives/2016/0915.html#2
>>> Christos.
>>> _______________________________________________
>>> Ndn-interest mailing list
>>> Ndn-interest at lists.cs.ucla.edu
>>> http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
>>> .
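
An added sketch, not part of the thread and not taken from any NDN or CCNx code base, of the local signal discussed above: a router counts Interests per incoming face that expire in the PIT or are dropped on PIT overflow. The `Pit` class, face numbers, names, capacity and lifetime are constructed assumptions, and unlike a real PIT this toy one does not aggregate same-name Interests.

```python
from collections import defaultdict

class Pit:
    """Toy PIT keyed by (name, incoming face); real PITs aggregate by name."""
    def __init__(self, capacity, lifetime):
        self.capacity, self.lifetime = capacity, lifetime
        self.entries = {}  # (name, face) -> expiry tick
        self.stats = defaultdict(
            lambda: {"sent": 0, "satisfied": 0, "expired": 0, "dropped": 0})

    def expire(self, now):
        for key in [k for k, t in self.entries.items() if t <= now]:
            del self.entries[key]
            self.stats[key[1]]["expired"] += 1  # Interest never answered

    def on_interest(self, now, face, name):
        self.expire(now)
        if len(self.entries) >= self.capacity:  # PIT overflow
            self.stats[face]["dropped"] += 1
            return False
        self.entries[(name, face)] = now + self.lifetime
        self.stats[face]["sent"] += 1
        return True

    def on_data(self, now, name):
        self.expire(now)
        for key in [k for k in self.entries if k[0] == name]:
            del self.entries[key]
            self.stats[key[1]]["satisfied"] += 1

    def unsatisfied_ratio(self, face):
        s = self.stats[face]
        total = s["sent"] + s["dropped"]
        return (s["expired"] + s["dropped"]) / total if total else 0.0

def run(scenario, ticks=40):
    """Constructed traffic: face 1 is an ordinary consumer, face 2 a flooder."""
    pit = Pit(capacity=8, lifetime=4)
    for t in range(ticks):
        name = f"/site/page/{t}"
        if pit.on_interest(t, 1, name) and scenario != "producer_down":
            pit.on_data(t, name)  # producer answers within the same tick
        if scenario == "flood":
            for i in range(3):  # names that no producer will ever serve
                pit.on_interest(t, 2, f"/site/bogus/{t}-{i}")
    pit.expire(ticks + pit.lifetime)  # let every pending entry time out
    return {f: round(pit.unsatisfied_ratio(f), 2) for f in sorted(pit.stats)}

if __name__ == "__main__":
    for s in ("normal", "producer_down", "flood"):
        print(s, run(s))
```

In this run the ordinary consumer's face during a producer outage and the flooding face both report a ratio of 1.0, which is the ambiguity raised in the reply at the top of the thread. The flood also pushes the ordinary face to 0.25 through overflow drops.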
