[Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices

christopherwood07 at gmail.com christopherwood07 at gmail.com
Tue Sep 27 18:47:29 PDT 2016


On September 27, 2016 at 5:14:14 PM, Christos Papadopoulos
(christos at colostate.edu) wrote:
>
>
> On 09/27/2016 04:59 PM, woodc1 at uci.edu wrote:
> > To re-iterate Cesar’s point, as of now, there is no truly effective
> > interest flooding mitigation. However, one concrete way to minimize
> > the attack surface (for routers) is to get rid of the attack's root
> > cause: the PIT. (Producers could still be hosed with bogus interests.)
> > And since the PIT enables several important functions, other
> > architecture changes will probably have to follow in its wake.
>
> You start with what I believe to be the wrong premise: protecting the
> router. In NDN we care about communication, not a single router.
> Protecting a router is winning the battle but losing the war.

I respectfully disagree. If the adversary takes out the producer,
there is no communication. If the adversary takes out the routers
adjacent or otherwise on the path to the producer, there is no
communication. Protecting the router(s) is equally important,
especially since it may impact more than just a single producer.

>
> I don't understand your statement that the root cause of DDoS attacks is
> the PIT. The root cause of DDoS is resource exhaustion.

In these attack scenarios, the PIT *is* the resource being exhausted.

>
> >
> > Personally, I don’t think we should settle with an architectural
> > element that has a known (and quite severe) weakness simply because it
> > enables some nice features in practice. The more serious design
> > problems must be dealt with first, not last.
>
> You are underestimating the importance of the signal the PIT provides.
> It is an important insight into the status of communication. The PIT
> does not simply enable some "nice features". Think a bit harder about
> the things you can do with this signal.

In most attack scenarios, yes, it tells you when bogus interests are
flooding a particular prefix and otherwise when communication is
failing. But consider this scenario. Suppose you have a malicious
producer cooperating with one or more malicious consumers. The
consumers are quickly sending interests to this legitimate producer,
who responds with legitimate data. The communication is not failing.
Their goal is to do nothing other than saturate the PIT of some
intermediate router. Per Spyros’ follow-up suggestion, that router
might kick out old, legitimate interests in favor of these malicious
ones. Of course, this is fundamentally how we would expect one to deal
with and manage a limited resource. So preventing this attack seems
difficult for any approach. But the point is that this resource, the
PIT, is easily abused in CCN/NDN.

Chris




More information about the Ndn-interest mailing list