[Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices

Cesar Ghali cghali at uci.edu
Tue Sep 27 13:49:20 PDT 2016

The PIT may very well serve a useful purpose in NDN/CCN. However, it creates
well-known security problems (interest flooding is trivial) and it’s highly
doubtful that a deterministic solution is possible. However, the CCN model
of communication is possible without PITs. See, e.g., [1] and [2].

[1] Content-Centric Networking Using Anonymous Datagrams: http://arxiv.org/
[2] Living in a PIT-less World: A Case Against Stateful Forwarding in
Content-Centric Networking: https://arxiv.org/abs/1512.07755.


On Tue, Sep 27, 2016 at 10:13 AM, Lixia Zhang <lixia at cs.ucla.edu> wrote:

> thanks Christos for sharing this interesting news, that triggered
> interesting discussion. I'm trying to summarize up the exchanges in my 2
> cents (not in original order), so if I missed/misinterpreted anything:
> - non data producer devices dont attract attacks
> - there is no reflect attack in NDN network since interest/data myst take
> symmetric path
> - brute force interest flood need to generate random names to get sent
> forward, because caching dumps those attack interest with known names of
> existing data
> - the above suggests (anyone see a whole here?) that DDoD by interesting
> flooding has a unique mark of leaving in each router PIT unsatisfied PIT
> entries after normally expected RTT time, so this seems leaving a few
> things to investigate towards DDoD mitigation
> a) one should constantly watch out unsatisfied PIT entries (not wait till
> PIT overflows)
> b) one can observe the arriving patterns of these PIT entries (speed, from
> where)
> c) one can slow down the downstream that seem only/mostly supply bad PIT,
> to protect other interest going through the same forwarder...
> I woke up mid of night to catch up email, although the brain is cloudy,
> one thing still seems clear: IP router has hard time because its stateless
> data plate.
> NDN routers, thanks to PIT, knows everything going on -- this seems "the
> real difference" from IP case, a great enabler for us to develop smart
> detection and mitigations...
> and BTW the PIT was set up to serve many purposes, just "happen" to be
> useful for DDoS mitigation as well
> this is in contrast to all other proposed IP DDoD imitation solutions that
> need to install *new* state into routers (and that state is only useful for
> DDoS but nothing else)
> > On Sep 25, 2016, at 6:04 PM, Christos Papadopoulos <
> christos at colostate.edu> wrote:
> >
> > http://www.networkworld.com/article/3123672/security/
> largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html
> >
> > Apologies if you have seen this already, but 600+Gbps DDoS attack from
> IoT devices is truly remarkable. Moreover, it was *not* and reflection
> attack! The target was protected by Akamai, who had to drop them (it was
> hosted pro-bono) after a few days of sustained attack because it was
> costing too much.
> >
> > There are a few elements that might make this event a game changer. (a)
> from now on, people may want to always talk about security in IoT, (b) it
> raises questions about protecting the little guy from DDoS, the customer
> here found a home at Google's Project Shield, but obviously this is not
> scalable, and (c) cloud protection from DDoS is not a general solution
> despite what cloud providers will have you believe.
> >
> > To me such events bring to focus the weaknesses and fragility of the IP
> architecture. With billions of IoT devices projected in the future, even
> one packet/second (or even per minute) from a fraction of these devices
> would be enough to cause real damage. We all know about the code quality
> and ease of patching of IoT devices, this will not change.
> >
> > Maybe Bruce Schneier 's near-apocalyptic thoughts are not too far off.
> >
> > https://www.schneier.com/crypto-gram/archives/2016/0915.html#2
> >
> > Christos.
> > _______________________________________________
> > Ndn-interest mailing list
> > Ndn-interest at lists.cs.ucla.edu
> > http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
> _______________________________________________
> Ndn-interest mailing list
> Ndn-interest at lists.cs.ucla.edu
> http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20160927/ddd30e29/attachment.html>

More information about the Ndn-interest mailing list