Poseidon: Mitigating interest flooding DDoS attacks in Named Data Networking

Compagno, Alberto; Conti, Mauro; Gasti, Paolo; Tsudik, Gene

doi:10.1109/lcn.2013.6761300

Cited by 171 publications

(109 citation statements)

References 16 publications

Supporting

Mentioning

107

Contrasting

Unclassified

Order By: Relevance

“…The paper represents a first step into the definition of content/cache poisoning in NDN scenario, but it does not consider the problem of key validity. The papers [13] and [14] analyze the interest flooding-based DDoS over NDN, considering that interests are sent for non-existent contents and obviously fill up the victim's PIT. The authors in [13] propose proactive and reactive countermeasures, but then, they focus on reactive methods for detection of interest flooding via junk interests.…”

Section: Related Workmentioning

confidence: 99%

“…The papers [13] and [14] analyze the interest flooding-based DDoS over NDN, considering that interests are sent for non-existent contents and obviously fill up the victim's PIT. The authors in [13] propose proactive and reactive countermeasures, but then, they focus on reactive methods for detection of interest flooding via junk interests. Moreover, the authors propose a mitigation technique, called Poseidon, which identifies traffic anomalies and keeps several statistics on expired interests.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Up-to-date key retrieval for information centric networking

Mauri

Verticale

2017

Computer Networks

View full text Add to dashboard Cite

Information Centric Networking (ICN) leverages in-network caching to provide efficient data distribution and better performance by replicating contents in multiple nodes to bring content nearer the users. Since contents are stored and replicated into node caches, the content validity must be assured end-toend. Each content object carries a digital signature to provide a proof of its integrity, authenticity, and provenance. However, the use of digital signatures requires a key management infrastructure to manage the key life cycle. To perform a proper signature verification, a node needs to know whether the signing key is valid or it has been revoked. This paper discusses how to retrieve up-todate signing keys in the ICN scenario. In the usual public key infrastructure, the Certificate Revocation Lists (CRL) or the Online Certificate Status Protocol (OCSP) enable applications to obtain the revocation status of a certificate. However, the push-based distribution of Certificate Revocation Lists and the request/response paradigm of Online Certificate Status Protocol should be fit in the mechanism of named-data. We consider three possible approaches to distribute up-to-date keys in a similar way to the current CRL and OCSP. Then, we suggest a fourth protocol leveraging a set of distributed notaries, which naturally fits the ICN scenario. Finally, we evaluate the number and size of exchanged messages of each solution, and then we compare the methods considering the perceived latency by the end nodes and the throughput on the network links.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Up-to-date key retrieval for information centric networking

Mauri

Verticale

2017

Computer Networks

View full text Add to dashboard Cite

show abstract

“…One of the key goals of CCN projects is "security by design" [21]. In contrast to today's Internet, where security problems were identified along the way, the research community stresses both awareness of issues and support for features and countermeasures from the outset.…”

Section: Related Workmentioning

confidence: 99%

Efficient Asymmetric Index Encapsulation Scheme for Anonymous Content Centric Networking

Ma¹,

Cao²,

Wang³

2017

Security and Communication Networks

View full text Add to dashboard Cite

Content Centric Networking (CCN) is an effective communication paradigm that well matches the features of wireless environments. To be considered a viable candidate in the emerging wireless networks, despite the clear benefits of locationindependent security, CCN must at least have parity with existing solutions for confidential and anonymous communication. This paper designs a new cryptographic scheme, called Asymmetric Index Encapsulation (AIE), that enables the router to test whether an encapsulated header matches the token without learning anything else about both of them. We suggest using the AIE as the core protocol of anonymous Content Centric Networking. A construction of AIE which strikes a balance between efficiency and security is given. The scheme is proved to be secure based on the DBDH assumption in the random oracle with tight reduction, while the encapsulated header and the token in our system consist of only three elements.

show abstract

“…Prior work on Denial of Service (DoS) attacks on NDN includes [8] and [2]. Both results addressed a specific DoS attack type -Interest Flooding -based on inundating routers with spurious interest messages.…”

Section: Related Workmentioning

confidence: 99%

“…Scope: as reflected in the title, this paper focuses on networklayer trust issues, motivated by the content poisoning problem. We do not address other NDN security issues, such as interest flooding attacks [8,15,2], cache pollution attacks [10] and routing security [34].…”

Section: Introductionmentioning

confidence: 99%

Network-Layer Trust in Named-Data Networking

Ghali

Tsudik

Uzun

2014

SIGCOMM Comput. Commun. Rev.

Self Cite

View full text Add to dashboard Cite

In contrast to today's IP-based host-oriented Internet architecture, Information-Centric Networking (ICN) emphasizes content by making it directly addressable and routable. Named Data Networking (NDN) architecture is an instance of ICN that is being developed as a candidate next-generation Internet architecture. By opportunistically caching content within the network (in routers), NDN appears to be wellsuited for large-scale content distribution and for meeting the needs of increasingly mobile and bandwidth-hungry applications that dominate today's Internet.One key feature of NDN is the requirement for each content object to be digitally signed by its producer. Thus, NDN should be, in principle, immune to distributing fake (aka "poisoned") content. However, in practice, this poses two challenges for detecting fake content in NDN routers:(1) overhead due to signature verification and certificate chain traversal, and (2) lack of trust context, i.e., determining which public keys are trusted to verify which content. Because of these issues, NDN does not force routers to verify content signatures, which makes the architecture susceptible to content poisoning attacks. This paper explores root causes of, and some cures for, content poisoning attacks in NDN. In the process, it becomes apparent that meaningful mitigation of content poisoning is contingent upon a network-layer trust management architecture, elements of which we construct while carefully justifying specific design choices. This work represents the initial effort towards comprehensive trust management for NDN.

show abstract

Poseidon: Mitigating interest flooding DDoS attacks in Named Data Networking

Cited by 171 publications

References 16 publications

Up-to-date key retrieval for information centric networking

Up-to-date key retrieval for information centric networking

Efficient Asymmetric Index Encapsulation Scheme for Anonymous Content Centric Networking

Network-Layer Trust in Named-Data Networking

Contact Info

Product

Resources

About