Abstract

Due to the rapid growth of Internet traffic, increasing mobility, and stronger security requirements, today's Internet shows signs of aging. To keep pace with these changes and move the Internet into the future, Named Data Networking (NDN), a future Internet architecture, was proposed; it has been demonstrated as a viable architecture for content distribution and is widely recognized as a promising architecture for the future Internet. However, NDN was not originally designed with the security requirements for all potential attacks in mind, and it is therefore vulnerable to the well-known Distributed Denial-of-Service (DDoS) attack, which primarily targets service availability by flooding the network and obstructing the service received by legitimate users. In this paper, we propose a self-adjusting share-based countermeasure, also referred to as SSC, against the Interest flooding attack in NDN, in which the attacker issues an excessive number of non-satisfiable Interest packets so that legitimate Interest packets are dropped because the Pending Interest Table in NDN routers is overwhelmed. In SSC, each router maintains an Interest unsatisfaction ratio and dynamically adjusts the share of forwarded Interest packets for each incoming interface accordingly. In addition, the Interest packets that pass the assigned share of forwarded Interest packets are used as scouts to investigate unknown paths to complement routing information. We conduct extensive simulation experiments for performance evaluation and comparison with the existing constant-share-based approach. The simulation results show that the proposed countermeasure not only improves the Pending Interest Table utilization ratio of legitimate Interest packets but also reduces the number of accepted malicious Interest packets, indicating a viable approach against the Interest flooding attack in NDN.
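
The following sketch is an added illustration, not code from the paper: it shows a router keeping a per-interface Interest unsatisfaction ratio and re-dividing Pending Interest Table slots between incoming interfaces each period. The abstract does not give the adjustment formula, so the `1 - ratio` weighting, the floor, the equal-share baseline, the PIT size and the traffic figures are all assumptions made for this example.

```python
# Constructed traffic per adjustment period, per incoming face:
# (Interests arriving, fraction of forwarded Interests answered with Data).
TRAFFIC = {"face0": (20, 1.0), "face1": (30, 0.9), "face2": (500, 0.0)}  # face2 floods
PIT_SLOTS = 100  # assumed PIT capacity shared by all incoming faces
FLOOR = 0.05     # assumed minimum weight, so a face keeps a few slots to recover


def adjust_shares(unsat_ratio):
    """Assumed rule: weight each face by (1 - unsatisfaction ratio), then normalise."""
    weights = {f: max(1.0 - r, FLOOR) for f, r in unsat_ratio.items()}
    total = sum(weights.values())
    return {f: w / total for f, w in weights.items()}


def run_period(shares):
    """Admit Interests up to each face's share; return admitted counts and new ratios."""
    admitted, ratio = {}, {}
    for face, (arrivals, answered) in TRAFFIC.items():
        admitted[face] = min(arrivals, int(shares[face] * PIT_SLOTS))
        satisfied = round(admitted[face] * answered)
        # Unsatisfaction ratio: forwarded Interests that timed out / forwarded Interests.
        ratio[face] = ((admitted[face] - satisfied) / admitted[face]
                       if admitted[face] else 0.0)
    return admitted, ratio


def simulate(periods, self_adjusting):
    """Return the Interests admitted per face in the final period."""
    shares = {f: 1 / len(TRAFFIC) for f in TRAFFIC}  # assumed constant-share baseline
    admitted = {}
    for _ in range(periods):
        admitted, ratio = run_period(shares)
        if self_adjusting:
            shares = adjust_shares(ratio)
    return admitted


if __name__ == "__main__":
    print("constant share:      ", simulate(5, self_adjusting=False))
    print("self-adjusting share:", simulate(5, self_adjusting=True))
```

With these constructed inputs both legitimate faces keep all of their Interests in either mode, while the PIT slots taken by the flooding face fall from 33 to 2 once shares follow the unsatisfaction ratio.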
