[Ndn-interest] Largest DDoS attack ever delivered by botnet of hijacked IoT devices

Paul Bellamy paul.a.bellamy at gmail.com
Wed Sep 28 01:55:00 PDT 2016

One the invariants of a DoS is that there are a lot of packets depleting
the resources of a single target physical machine. Which means we can
prevent it in two ways. Given that, there are several potential solutions
which jump to my mind:

1) Reject bad-actors sending lots of packets. Would work against a DoS, but
not a DDos, as each individual actor is sending a reasonable amount of

2) Stop too many packets reaching the single target. During
resource-exhaustion we could purge PIT entries with similar prefixes. The
nature of the flooded interests means they should all have a similar
prefix. We could limit the number of outstanding interests for a given

3) Scale up the target. IMO, one of the big advantages of NDN for
service-operators is that (unlike IP) interests don't have to be answered
by any specific physical machine. If you've designed your application well,
you can easily add more capacity. This is "good enough", until you run into

Of those, a combination of 2 and 3 seem the most practical.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20160928/2b84bbe0/attachment.html>

More information about the Ndn-interest mailing list