[Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices

[Christos Papadopoulos]

On 09/27/2016 07:47 PM, christopherwood07 at gmail.com wrote:
> On September 27, 2016 at 5:14:14 PM, Christos Papadopoulos
> (christos at colostate.edu) wrote:
>>
>> On 09/27/2016 04:59 PM, woodc1 at uci.edu wrote:
>>> To re-iterate Cesar’s point, as of now, there is no truly effective
>>> interest flooding mitigation. However, one concrete way to minimize
>>> the attack surface (for routers) is to get rid of the attack's root
>>> cause: the PIT. (Producers could still be hosed with bogus interests.)
>>> And since the PIT enables several important functions, other
>>> architecture changes will probably have to follow in its wake.
>> You start with what I believe to be the wrong premise: protecting the
>> router. In NDN we care about communication, not a single router.
>> Protecting a router is winning the battle but losing the war.
> I respectfully disagree. If the adversary takes out the producer,
> there is no communication. If the adversary takes out the routers
> adjacent or otherwise on the path to the producer, there is no
> communication. Protecting the router(s) is equally important,
> especially since it may impact more than just a single producer.

You are still thinking in IP terms. In NDN data follows demand; data 
diffuses in the network pulled by Interests over all available faces. If 
an attacker manages to attack all available paths to your content 
without attacking the entire infrastructure, then I claim you deployed a 
bad defense system.

>
>> I don't understand your statement that the root cause of DDoS attacks is
>> the PIT. The root cause of DDoS is resource exhaustion.
> In these attack scenarios, the PIT *is* the resource being exhausted.

Then you are looking at a subset of DDoS attacks. There are others that 
exhaust link bandwidth or compute resources. Why is the PIT the only bad 
guy here?

>
>>> Personally, I don’t think we should settle with an architectural
>>> element that has a known (and quite severe) weakness simply because it
>>> enables some nice features in practice. The more serious design
>>> problems must be dealt with first, not last.
>> You are underestimating the importance of the signal the PIT provides.
>> It is an important insight into the status of communication. The PIT
>> does not simply enable some "nice features". Think a bit harder about
>> the things you can do with this signal.
> In most attack scenarios, yes, it tells you when bogus interests are
> flooding a particular prefix and otherwise when communication is
> failing. But consider this scenario. Suppose you have a malicious
> producer cooperating with one or more malicious consumers. The
> consumers are quickly sending interests to this legitimate producer,
> who responds with legitimate data. The communication is not failing.
> Their goal is to do nothing other than saturate the PIT of some
> intermediate router. Per Spyros’ follow-up suggestion, that router
> might kick out old, legitimate interests in favor of these malicious
> ones. Of course, this is fundamentally how we would expect one to deal
> with and manage a limited resource. So preventing this attack seems
> difficult for any approach. But the point is that this resource, the
> PIT, is easily abused in CCN/NDN.

I am not sure where you are going here. All public resources can be 
abused. The question is how do you build a good resource management 
system to detect and mitigate resource abuse. Luca put it nicely, i 
suggest you read his message.

Christos.

>
> Chris