by Zhiyi Zhang, Vishrant Vasavada, Jonathan Lin, Siva Kesava Reddy K, Peter Reiher, and Lixia Zhang
NDN, Technical Report NDN-0065, Revision 1, Aug 8, 2018.
Distributed Denial-of-Service (DDoS) attacks on the Internet have caused serious problems for many years and have become more severe over time. The difficulty in mitigating DDoS attacks stems from architectural shortcomings of IP, which make it easy to attack any IP node from anywhere. Named Data Networking (NDN), a proposed new Internet architecture, changes the basic network communication model from IP's address-based push to name-based data pull: data is delivered only in response to a consumer's request for it by name. In this paper, we comprehensively examine the basic properties of the NDN architecture and describe how they make DDoS attacks harder to launch and less effective. We further make use of NDN's architectural properties to develop a new DDoS mitigation solution, Producer-assisted Pushback (PAP). PAP pushes back DDoS traffic toward the misbehaving entities that originate it, at a much finer granularity than existing DDoS defense mechanisms in IP networks. We have evaluated the performance of PAP through extensive simulations; our results show that PAP can effectively push back attack traffic within a few seconds and ensure that over 99% of an attack target's incoming traffic comes from legitimate clients.