Decoupling malicious Interests from Pending Interest Table to mitigate Interest Flooding Attacks

Kai Wang, Huachun Zhou, Yajuan Qin, Jia Chen, Hongke Zhang
Published in: 2013 IEEE Globecom Workshops (GC Wkshps), 2013-12-01. DOI: https://doi.org/10.1109/GLOCOMW.2013.6825115
Citations: 56

Abstract

Named Data Networking (NDN) is a clean slate Internet paradigm that embeds some security primitives in its original design, which is being considered as one of the promising candidates for next-generation Internet architecture. However, it may suffer from some emerging threats such as Interest Flooding Attacks (IFA), which means corresponding security management mechanisms need to be designed to improve its security. In this paper, we focus on the IFA that can severely consume the memory resource for the Pending Interest Table (PIT) of each involved NDN router by flooding a large amount of malicious Interests with spoofed names. To loosen the stress of PIT attacked by IFA, we propose an approach called Disabling PIT Exhaustion (DPE) to divert all the malicious Interests out of PIT, by directly recording their state information (e.g., incoming interface) in the name of each malicious Interest rather than PIT, as well as introducing a packet marking scheme to enable Data packet forwarding without the help of PIT. DPE can be considered as a security management mechanism for the emerging NDN architecture, which aims at reducing memory resource consumption for each NDN router. Moreover, we present an in-depth evaluation on DPE, via extensive simulations under realistic users' behavior model. Simulation results show DPE can significantly mitigate the damage effect of IFA on exhausting PIT's memory resource. To the best of our knowledge, DPE is the first attempt to design a security management mechanism embedding with the idea “decoupling malicious Interests from PIT” to counter IFA.