The original architecture of content-centric networking (CCN) may suffer from interest flooding attacks. In this paper, we focus on one type of interest flooding attack called denial of service against content source (DACS attack). To damage CCN, it floods a large number of malicious interests requesting content that does not exist, which guarantees that no cache hit can occur at routers until these malicious interests reach the target content source. Thus, it can directly exhaust the resources of the victim. To counter it, we propose a threshold-based detecting and mitigating (TDM) scheme. The basic idea is to detect the DACS attack on the basis of the frequency at which pending interest table (PIT) entries in CCN routers expire (recording this frequency by introducing two counters with their corresponding thresholds and one indicator for the counter mode) and to mitigate it by implementing a rate limiter in each router. From the viewpoint of a CCN router, we analyze the performance of TDM in terms of detection ability and its effect on mitigating malicious traffic. In addition, we briefly analyze the overhead of TDM. The results show that TDM achieves high detection ability and a good effect on mitigating malicious traffic while incurring only small overhead in countering the DACS attack. To the best of our knowledge, this is the first attempt to design a detailed scheme, together with corresponding algorithms, for countering this attack.
Named data networking (NDN) has attracted much attention in the design of the next generation Internet architecture. Although it embeds some security primitives in its original architecture, it may suffer from denial-of-service (DoS) attacks. In this paper, we model one representative type of NDN-specific DoS attack named DoS against pending interest table (PIT), or DoS-PIT, which floods malicious Interests that request nonexistent content to bypass cached content at routers and to exhaust the memory resource for the PIT, bringing in severe service degradation. In our proposed analytical model, closed-form expressions for the DoS probability for users suffering DoS-PIT are derived, while considering several important factors of NDN networks such as PIT size, time-to-live of each PIT entry, popularity of content, and cache size. Moreover, extensive simulation experiments demonstrate the accuracy of the proposed model in evaluating the damage effect of DoS-PIT. In addition, the proposed model can be chosen to guide the design of effective countermeasures for DoS-PIT (or attacks that harm NDN in a similar way) by properly setting the values of some parameters (e.g., cache size) of each NDN router.