DoS and DDoS in Named-Data Networking

With the growing realization that current Internet protocols are reaching the limits of their senescence, a number of on-going research efforts aim to design potential next-generation Internet architectures. Although they vary in maturity and scope, in order to avoid past pitfalls, these efforts seek to treat security and privacy as fundamental requirements. Resilience to Denial-of-Service (DoS) attacks that plague today’s Internet is a major issue for any new architecture and deserves full attention. In this paper, we focus on DoS in a specific candidate next-generation Internet architecture called Named-Data Networking (NDN), an instantiation of the Information-Centric Networking approach. By stressing content dissemination, NDN appears to be an attractive and viable approach to many types of current and emerging communication models. It also incorporates some basic security features that mitigate certain attacks. However, NDN’s resilience to DoS attacks has not been analyzed to date. This paper represents the first step towards assessment and possible mitigation of DoS in NDN. After identifying and analyzing several new types of attacks, it investigates their variations, effects and counter-measures. This paper also sheds some light on the long-standing debate about the relative virtues of self-certifying, as opposed to human-readable, names.


💡 Research Summary

The paper “DoS and DDoS in Named‑Data Networking” provides the first systematic examination of denial‑of‑service threats in the Information‑Centric Networking paradigm embodied by Named‑Data Networking (NDN). After a brief motivation that current IP‑based protocols are reaching a security and scalability ceiling, the authors introduce NDN’s core mechanisms: name‑based routing, the Pending Interest Table (PIT) that stores state for each outstanding Interest, the Content Store (CS) that caches Data packets, and the Forwarding Information Base (FIB) that forwards Interests based on name prefixes. NDN’s built‑in security model requires every Data packet to carry a digital signature and often uses self‑certifying names, where the name itself is bound to a public key. While these features improve data integrity and provenance, they also create new attack surfaces that differ fundamentally from classic IP DoS attacks.

The authors categorize NDN‑specific attacks into four families.

  1. Interest Flooding Attacks (IFA) – An adversary generates a high volume of Interests for non‑existent or random names, filling the PIT until legitimate Interests cannot be recorded. Variants include high‑rate requests for popular content (forcing repeated cache misses), “dynamic‑content” requests that mimic legitimate traffic, and distributed IFA where many compromised nodes simultaneously target the same name prefix. Simulations show that when PIT occupancy exceeds ~80 %, the satisfaction ratio of legitimate Interests drops sharply and router CPU usage can double.
  2. Content Poisoning Attacks (CPA) – Malicious entities inject Data packets with invalid signatures or fabricated payloads. If routers skip signature verification for performance reasons, poisoned Data can be cached in the CS and subsequently served to honest consumers, undermining trust. The paper demonstrates that selective verification (e.g., only for high‑risk name prefixes) adds roughly 15 % processing overhead but reduces cache poisoning incidents by over 90 %.
  3. Cache Pollution Attacks (CPOA) – Attackers deliberately request low‑popularity or crafted content to evict popular items from the CS, degrading cache hit rates and forcing more traffic to origin servers. Experiments reveal that cache hit ratios can fall below 30 % under sustained pollution, leading to noticeable latency increases for legitimate users. Introducing popularity‑aware replacement policies mitigates the effect, cutting polluted cache occupancy by more than 70 %.
  4. PIT‑State Exhaustion and Amplification DDoS – Coordinated bots issue Interests for the same name prefix, causing the origin server to generate a large volume of Data packets that are then replicated across multiple downstream faces. Because NDN’s forwarding model automatically duplicates Data for each pending Interest, the attack can amplify traffic several‑fold. In a testbed with 100 bots sending 10 Mbps of Interests, the upstream server and intermediate routers experienced a traffic surge of up to 5×.

For each attack class the authors propose concrete router‑level countermeasures. Per‑interface (per‑Face) rate limiting caps the number of Interests a neighbor can inject, directly protecting the PIT from overflow. An Interest Satisfaction Ratio (ISR) monitor tracks the fraction of Interests that receive Data; faces whose ISR falls below a configurable threshold are throttled or temporarily black‑holed. Dynamic PIT management techniques—adjustable TTLs, priority‑based eviction, and histogram‑based anomaly detection—further reduce state exhaustion. To combat content poisoning, routers perform selective signature verification guided by a trust schema that assigns verification strength to different name namespaces. The paper also outlines a collaborative mitigation framework where routers exchange attack metrics (e.g., abnormal ISR, PIT growth rates) to enact network‑wide blocking policies.
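The following Python sketch is an added illustration, not code from the paper or from any NDN forwarder: it models the per-Face Interest cap and the Interest Satisfaction Ratio (ISR) monitor described above on a toy PIT, and shows how a face that floods unsatisfiable names is first rate-limited and then throttled once its ISR collapses, while an honest face is unaffected. The PIT capacity, per-face cap, ISR threshold, window size and the two-face scenario are constructed assumptions.

```python
from collections import deque

class PitGuard:
    """Toy PIT guard: per-face Interest cap plus ISR-based throttling (added example)."""
    def __init__(self, pit_capacity, face_cap, isr_threshold, window=20):
        self.pit_capacity = pit_capacity    # total PIT entries the router can hold
        self.face_cap = face_cap            # max outstanding Interests per face (rate limit)
        self.isr_threshold = isr_threshold  # throttle a face whose ISR falls below this
        self.window = window                # number of recent outcomes that feed the ISR
        self.pit = {}                       # name -> ingress face of the pending Interest
        self.pending = {}                   # face -> PIT entries currently owned by it
        self.history = {}                   # face -> deque of 1 (satisfied) / 0 (expired)
        self.throttled = set()
    def isr(self, face):
        h = self.history.get(face)
        return sum(h) / len(h) if h else 1.0   # no history yet: treat the face as honest
    def on_interest(self, face, name):
        """Return 'forwarded' or the reason the Interest was dropped."""
        if face in self.throttled:
            return "dropped:throttled"
        if self.pending.get(face, 0) >= self.face_cap:
            return "dropped:face-rate-limit"
        if len(self.pit) >= self.pit_capacity:
            return "dropped:pit-full"
        self.pit[name] = face
        self.pending[face] = self.pending.get(face, 0) + 1
        return "forwarded"
    def settle(self, name, satisfied):
        """Data arrived (satisfied=True) or the PIT entry timed out (satisfied=False)."""
        face = self.pit.pop(name, None)
        if face is None:
            return
        self.pending[face] -= 1
        hist = self.history.setdefault(face, deque(maxlen=self.window))
        hist.append(1 if satisfied else 0)
        if len(hist) >= self.window and self.isr(face) < self.isr_threshold:
            self.throttled.add(face)   # ISR collapsed: stop accepting from this face

def simulate():
    """Constructed scenario: face 1 fetches real content, face 2 floods unsatisfiable names."""
    g = PitGuard(pit_capacity=100, face_cap=40, isr_threshold=0.5, window=20)
    flood = [g.on_interest(2, f"/bogus/{i}") for i in range(45)]
    for i in range(20):                      # the first 20 bogus names time out unanswered
        g.settle(f"/bogus/{i}", False)
    legit = g.on_interest(1, "/video/a/seg1")
    g.settle("/video/a/seg1", True)          # Data comes back for the honest Interest
    return {"flood_forwarded": flood.count("forwarded"),
            "flood_rate_limited": flood.count("dropped:face-rate-limit"),
            "after_throttle": g.on_interest(2, "/bogus/99"), "legit": legit,
            "isr_face2": g.isr(2), "isr_face1": g.isr(1)}
```

A real forwarder would key the cap on Interest rate rather than outstanding entries and would lift the throttle after a cooling period; both are omitted here to keep the mechanism visible.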

A notable discussion concerns the naming scheme. Human‑readable, semantically meaningful names simplify policy definition and user interaction but expose predictable name prefixes that attackers can target. Self‑certifying names, by binding the name to a public key, inherently protect against name spoofing but increase routing table size and verification cost. The authors advocate a hybrid approach: critical services (e.g., financial, control‑plane) should employ self‑certifying names, while less sensitive traffic can use readable names with additional namespace‑level trust checks.

In conclusion, the paper argues that while NDN’s design intrinsically addresses many security flaws of the current Internet, its reliance on stateful structures (PIT, CS) creates novel DoS vectors. The proposed mitigation strategies are feasible for deployment on existing NDN routers and lay the groundwork for future work, such as machine‑learning‑based anomaly detection, hardware‑accelerated signature verification, and large‑scale simulation to fine‑tune parameter thresholds. The study thus constitutes a foundational step toward building a resilient, next‑generation Internet architecture.