Content-Centric Networking (CCN) is an emerging networking paradigm being considered as a possible replacement for the current IP-based host-centric Internet infrastructure. CCN focuses on content distribution, which is arguably not well served by IP. Named-Data Networking (NDN) is an example of CCN. NDN is also an active research project under the NSF Future Internet Architectures (FIA) program. FIA emphasizes security and privacy from the outset and by design. To be a viable Internet architecture, NDN must be resilient against current and emerging threats.This paper focuses on distributed denial-of-service (DDoS) attacks; in particular we address interest flooding, an attack that exploits key architectural features of NDN. We show that an adversary with limited resources can implement such attack, having a significant impact on network performance. We then introduce Poseidon: a framework for detecting and mitigating interest flooding attacks. Finally, we report on results of extensive simulations assessing proposed countermeasure.
The Internet Protocol (IP) is the lifeblood of the modern Internet. Its simplicity and universality have fueled the unprecedented and lasting global success of the current Internet. Nonetheless, some limitations of IP have been emerging in recent years. Its original design envisaged supporting perhaps tens of thousands of static hosts operating in a friendly academic-like setting, mainly in order to facilitate email communication and remote access to scarce computing resources. At present IP interconnects billions of static and mobile devices (ranging from supercomputers to IoT gadgets) with a large and dynamic set of popular applications. Starting in mid-1990s, the advent of mobility, wirelessness and the web substantially shifted Internet usage and communication paradigms. This accentuated longterm concerns about the current Internet architecture and prompted interest in alternative designs.The U.S. National Science Foundation (NSF) has been one of the key supporters of efforts to design a set of candidate next-generation Internet architectures. As a prominent design requirement, NSF emphasized "security and privacy by design" in order to avoid the long and unhappy history of incremental patching and retrofitting that characterizes the current Internet architecture. To this end, as a result of a competitive process, four prominent research projects were funded by the NSF in 2010: Nebula, Named-Data Networking (NDN), MobilityFirst (MF), and Expressive Internet Architecture (XIA). This paper provides a comprehensive and neutral analysis of salient security and privacy features (and issues) in these NSF-funded Future Internet Architectures. It also compares the four candidate designs with the current IP-based architecture and discusses similarities, differences, and possible improvements.
Distance bounding protocols make it possible to determine a trusted upper bound on the distance between two devices. Their key property is to resist reduction attacks, i.e., attacks aimed at reducing the distance measured by the protocol. Recently, researchers have focused also on enlargement attacks, aimed at enlarging the measured distance. Providing security against such attacks is important for secure positioning techniques. The contribution of this paper is to provide a probabilistic model for the success of an enlargement attack against a distance bounding protocol realized with the IEEE 802.15.4a UWB standard. The model captures several variables, like the propagation environment, the signal-to-noise ratio, and the time-of-arrival (TOA) estimation algorithm. We focus on noncoherent receivers, which can be used in low-cost low-power applications.We validate our model by comparison with physicallayer simulations and goodness-of-fit tests. The results show that our probabilistic model is sufficiently realistic to replace physical-layer simulations. Our model can be used to evaluate the security of the ranging/positioning solutions that can be subject to enlargement attacks. We expect that it will significantly facilitate future research on secure ranging and secure positioning
Named Data Networking (NDN) is an instance of informationcentric network architecture designed as a candidate replacement for the current IP-based Internet. It emphasizes efficient content distribution, achieved via in-network caching and collapsing of closely-spaced content requests. NDN also offers strong security and explicitly decouples content from entities that distribute it. NDN is widely assumed to provide better privacy than IP, mainly because NDN packets lack source and destination addresses. In this paper, we show that this assumption does not hold in practice. In particular, we present several algorithms that help locate consumers by taking advantage of NDN router-side content caching. We use simulations to evaluate these algorithms on a large and realistic topology, and validate the results on the official NDN testbed. Beyond locating consumers, proposed techniques can also be used to detect eavesdroppers.
The Command and Control (C&C) channel of modern botnets is migrating from traditional centralized solutions (such as the ones based on Internet Relay Chat and Hyper Text Transfer Protocol), towards new decentralized approaches. As an example, in order to conceal their traffic and avoid blacklisting mechanisms, recent C&C channels use peer-to-peer networks or abuse popular Online Social Networks (OSNs). A key reason for this paradigm shift is that current detection systems become quite effective in detecting centralized C&C. In this paper we propose ELISA (Elusive Social Army), a botnet that conceals C&C information using OSNs accounts of unaware users. In particular, ELISA exploits in a opportunistic way the messages that users exchange through the OSN. Furthermore, we provide our prototype implementation of ELISA. We show that several popular social networks can be maliciously exploited to run this type of botnet, and we discuss why current traffic analysis systems cannot detect ELISA. Finally, we run a thorough set of experiments that confirm the feasibility of our proposal. We have no evidence of any real-world botnets that use our technique to create C&C channels. However, we believe that finding out in advance potential new types of botnets will help to prevent possible future malevolent applications.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.