Distributed Denial of Service (DDoS) attacks are an ongoing problem in today's Internet, where packets from a large number of compromised hosts thwart the paths to the victim site and/or overload the victim machines. In a newly proposed future Internet architecture, Named Data Networking (NDN), end users request desired data by sending Interest packets, and the network delivers Data packets upon request only, effectively eliminating many existing DDoS attacks. However, an NDN network can be subject to a new type of DDoS attack, namely Interest packet flooding. In this paper we investigate effective solutions to mitigate Interest flooding. We show that NDN's inherent properties of storing per packet state on each router and maintaining flow balance (i.e., one Interest packet retrieves at most one Data packet) provides the basis for effective DDoS mitigation algorithms. Our evaluation through simulations shows that the solution can quickly and effectively respond and mitigate Interest flooding.

https://cial.csie.ncku.edu.tw/presentation/group_pdf/(IFIP%202013)%20Interest%20Flooding%20Attack%20and%20Countermeasures%20in%20Named%20Data%20Networking.pdf

Interest flooding attack and countermeasures in Named Data Networking

is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP). Customer networks, such as universities and corporations, usually employ an Interior Gateway Protocol (IGP) such as RIP or OSPF for the exchange of routing information within their networks. Customers connect to ISPs, and ISPs use BGP to exchange customer and ISP routes. When BGP is used between autonomous systems (AS), the protocol is referred to as External BGP (EBGP). If a service provider is using BGP to exchange routes within an AS, then the protocol is referred to as Interior BGP (IBGP).

Border Gateway Protocol

Information-centric networking (ICN) is a new communication paradigm that focuses on content retrieval from a network regardless of the storage location or physical representation of this content. In ICN, securing the content itself is much more important than securing the infrastructure or the endpoints. To achieve the security goals in this new paradigm, it is crucial to have a comprehensive understanding of ICN attacks, their classification, and proposed solutions. In this paper, we provide a survey of attacks unique to ICN architectures and other generic attacks that have an impact on ICN. It also provides a taxonomy of these attacks in ICN, which are classified into four main categories, i.e., naming, routing, caching, and other miscellaneous related attacks. Furthermore, this paper shows the relation between ICN attacks and unique ICN attributes, and that between ICN attacks and security requirements, i.e., confidentiality, integrity, availability, and privacy. Finally, this paper presents the severity levels of ICN attacks and discusses the existing ICN security solutions.

/pdf/a-survey-of-security-attacks-in-information-centric-490ss1ouvo.pdf

A Survey of Security Attacks in Information-Centric Networking

Review: Analyzing well-known countermeasures against distributed denial of service attacks

Secrets and lies.

Denial-of-service (DoS) attacks continue to be a major problem on the Internet. While many defense mechanisms have been created, they all have significant deployment issues. This paper introduces a novel method that overcomes these issues, allowing a small number of deployed DoS defenses to act as secure on-demand shields for any node on the Internet. The proposed method is based on rerouting any packet addressed to a protected autonomous system (AS) through an intermediate filtering node — a shield. In this way, all potentially harmful traffic could be discarded before reaching the destination. The mechanisms for packet rerouting use existing routing techniques and do not require any kind of modification to the deployed protocols or routers. To make the proposed system feasible, from both deployment and usage points of view, traffic rerouting and outsourced filtering could be provided as an insurance-style on-demand service.

https://www.lasr.cs.ucla.edu/reiher/papers/shield.pdf

Shield: DoS filtering using traffic deflecting

Reflector attacks are a variant of denial-of-service attacks that use unwitting, legitimate servers to flood a target. The attacker spoofs the target's address in legitimate service requests, such as TCP SYN packets. The servers, called "reflectors,'' reply to these requests, flooding the target. RAD is a novel defense against reflector attacks. It has two variants -- locally-deployed (L-RAD) and core-deployed (C-RAD). Local RAD uses message authentication codes (MACs) to mark outgoing requests at their source, so the target of a reflector attack can differentiate between replies to legitimate and spoofed requests. MACs can be validated either at the target machine or on a gateway router at the target's network. Core RAD, which is deployed at the AS level, handles larger attacks that overwhelm L-RAD. The source AS marks each packet it sends with a hash message authentication code (HMAC) and core ASes filter packets that carry incorrect HMACs. C-RAD prevents reflector attacks by filtering spoofed requests, rather than filtering reflected replies. We tested both variants using the DETER testbed by replaying backbone traces from the MAWI project archive in a congestion-responsive manner. Our tests show that Local RAD is better than the no-defense case, but gets overwhelmed when the attack exceeds the target's network capacity. Core-deployed RAD successfully handles attacks of all rates.

/pdf/rad-reflector-attack-defense-using-message-authentication-2y6fzju7gw.pdf

RAD: Reflector Attack Defense Using Message Authentication Codes

As threats on the Internet become increasingly sophisticated, we now recognize the value in controlling the routing of data in a manner that ensures security. However, few technical means for achieving this goal exist. In this paper we propose and design a system that allows users to specify regions of the Internet they wish their data to avoid. Using our system, data will either arrive at the destination along a path that avoids the specified regions, or no avoiding path exists. Beyond the design, we discuss the deployment, performance and security issues of this system, along with alternative approaches that could be used.

https://www.nspw.org/papers/2009/nspw2009-kline.pdf

Securing data through avoidance routing

Protecting data from accidental loss or theft is crucial in today's world of mobile computing. Data Tethers provides flexible environmental policies, which can be attached to data, specifying security requirements that must be met before accessing that data. Data Tethers uses fine-grain data flow tracking to maintain these policies on derivative data. This is implemented by dynamic recompilation of legacy applications without the need to recompile from source. We demonstrate the system's feasibility with microbenchmarks that show individual component performance and benchmarks of real user applications like word processors and spreadsheets.

/pdf/data-tethers-preventing-information-leakage-by-enforcing-2f9jgnt34g.pdf

Data Tethers: Preventing information leakage by enforcing environmental data access policies

Cybersecurity Experimentation is often viewed narrowly in terms of a single technology or experiment. This paper reviews the experimentation life-cycle for two large scale research efforts that span multiple technologies. We identify salient aspects of each cybersecurity program, and capture guidelines based on eight years of experience. Extrapolating, we identify four principles for building future experimental infrastructure: 1) Reduce the cognitive burden on experimenters when designing and operating experiments. 2) Allow experimenters to encode their goals and constraints. 3) Provide flexibility in experimental design. 4) Provide multifaceted guidance to help experimenters produce high-quality experiments. By following these principles, future cybersecurity testbeds can enable significantly higherquality experiments.

Erik Kline

Papers

Shield: DoS filtering using traffic deflecting

RAD: Reflector Attack Defense Using Message Authentication Codes

Securing data through avoidance routing

Data Tethers: Preventing information leakage by enforcing environmental data access policies

Cybersecurity Experimentation at Program Scale: Guidelines and Principles for Future Testbeds