Content-oriented Networking Platform

Content-oriented Networking Platform:
A Focus on DDoS Countermeasure
(In incremental deployment perspective)
Authors: Junho Suh, Hoon-gyu Choi, Wonjun Yoon (Seoul National University)
Outline
• Introduction
• Content-oriented Networking Architecture
– Communication Procedure
– Main components
– Scenario
• Summary
Change in Communication Paradigm
• Move to a Content-oriented Network
– Internet traffic is already content-oriented
• CDN, multimedia, P2P…
– Users/applications care about “what to receive”
• They don’t care “from whom”
• The host-based communication model is outdated
IP networking vs. Content networking
• IP networking
– Lookup-by-name
• Indirection (from name to locator)
– Availability is a concern
• Locators can be aggregated
– Achieves routing scalability
• Content-oriented networking
– Route-by-name
• No indirection
– Better availability
• Scalability issue
– Content names are flat
• No backward compatibility
Content networking under IP network
• Observations
– Current IP networking leverages network prefixes in routing
• Routing scalability is good
– Content-oriented networking is not good for routing, but good for availability
• Huge scaling burden
– No backward compatibility in content-oriented networking
• Content routing and IP routing should be combined
• We propose a grassroots approach
– Some popular contents will be cached
– Routing info. for those contents can be propagated in a local and best-effort manner
Content-oriented networking platform
• Objectives
– Exploit content networking in a way the current Internet can adopt
• New entities
– Content-aware Agent
• Interacts between the content-based network and the IP network
• Achievements
– Security, accountability, incremental deployment to the current Internet
Content Request
• IP-less communication
• Assumption
– The “Content Name” is looked up by web search
– Content Name
• URI form
• http://youtube.com/south-afreeca-worldcup-2010.avi
• Communication inside the domain
– Requests are relayed to the CAA by L2 forwarding
– The CAA contacts DNS
– The consumer cannot contact the server directly
[Figure: the consumer sends 1: “I want a particular content (e.g. HTTP URI)” to its CAA; the CAA fetches the content over the internet and answers 2: “Here you are”]
Content Distribution
• The publisher registers its domain name in DNS
– Pointing to the agent’s IP address (of the egress link)
[Figure: the publisher’s CAA receives 1: “a request for your content” from the internet and answers 2: “here you are”]
Content-Aware Agent (CAA)
• Proxy for interacting with the IP network
– Handles content requests/responses
• Uses the FQDN to obtain the IP address of the publisher’s CAA
– The authoritative content server’s CAA
– Caches the requested contents
• Gateway for heterogeneous networks
– Protocol translation or tunneling
– Relays contents in inter-domain environments
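The request path on slides 7 to 9 (consumer asks its CAA by content name, the CAA resolves the publisher's domain through DNS to the publisher's CAA, fetches, caches, and the consumer never touches the origin server) as an added Python model. This is an illustration written for this transcript, not code from the authors' platform; the DNS table, the publisher-side content stores, the addresses and the class and method names are all assumptions.

```python
"""Toy Content-Aware Agent (CAA) request flow, modelled on slides 7-9.

Constructed illustration, not the authors' platform code: the DNS table,
the publisher-side content stores and the addresses are assumptions.
"""
from urllib.parse import urlparse

# Constructed DNS table: publisher domain -> IP address of that publisher's
# CAA (the egress-link address the publisher registers in DNS).
DNS_TABLE = {
    "youtube.com": "198.51.100.10",
    "example.org": "203.0.113.5",
}

# Constructed publisher-side CAAs: CAA IP -> {content name: payload}.
PUBLISHER_AGENTS = {
    "198.51.100.10": {
        "http://youtube.com/south-afreeca-worldcup-2010.avi": b"<video bytes>",
    },
    "203.0.113.5": {"http://example.org/index.html": b"<html>hi</html>"},
}


class ContentAwareAgent:
    """Consumer-side CAA: the consumer only ever talks to this agent."""

    def __init__(self, dns_table, publisher_agents):
        self.dns_table = dns_table
        self.publisher_agents = publisher_agents
        self.cache = {}   # content name -> payload (popular content stays here)
        self.log = []     # actions taken, for inspection

    @staticmethod
    def fqdn_of(content_name):
        """Content names are URIs; their host part is the FQDN to resolve."""
        parsed = urlparse(content_name)
        if parsed.scheme != "http" or not parsed.netloc:
            raise ValueError(f"not a valid content name: {content_name!r}")
        return parsed.netloc.lower()

    def request(self, content_name):
        """Serve from cache, else resolve the publisher's CAA via DNS and fetch."""
        if content_name in self.cache:
            self.log.append(("cache-hit", content_name))
            return self.cache[content_name]
        fqdn = self.fqdn_of(content_name)
        agent_ip = self.dns_table.get(fqdn)
        if agent_ip is None:
            self.log.append(("dns-miss", fqdn))
            return None
        self.log.append(("dns", fqdn, agent_ip))
        # Fetch from the publisher's CAA: agent-to-agent over IP; the consumer
        # never contacts the origin server itself.
        payload = self.publisher_agents.get(agent_ip, {}).get(content_name)
        if payload is None:
            self.log.append(("not-found", content_name))
            return None
        self.cache[content_name] = payload
        self.log.append(("fetched", content_name, agent_ip))
        return payload


def run_demo():
    """Two requests for the same name (DNS + fetch, then cache hit) and a miss."""
    caa = ContentAwareAgent(DNS_TABLE, PUBLISHER_AGENTS)
    name = "http://youtube.com/south-afreeca-worldcup-2010.avi"
    first = caa.request(name)
    second = caa.request(name)
    missing = caa.request("http://nowhere.invalid/x")
    return caa.log, first, second, missing


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry)
```

The log shows the two halves of the design: the first request is lookup-by-name over IP (DNS, then fetch from the publisher's agent), while the second is served by name from the local cache, which is the popular-content caching the grassroots approach relies on.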
General Architecture
[Figure: content-based communication on the host side and on the publisher side, IP-based communication in between. The host’s Agent at Gateway A and the Publisher’s Agent at Gateway B exchange content requests and content distribution over IP; the Domain Name System (DNS) returns the Agent’s IP address. Components: Content-Aware Agent (CAA), Content-Aware Router (CAR)]
Scenario
• DDoS can happen by requesting content (using HTTP URIs)
– Many hosts across multiple ISPs
• The agent of the publisher detects it first
– Informs all the gateways of this event
– To request a countermeasure
• A gateway solicits the other gateways to reduce the content request rate to the publisher under attack
* The DDoS might not take effect under some admission control
Implementation
[Figure: NetFPGA-OpenFlow data path. Four MAC Tx/Rx queue pairs on the Ethernet side feed the user data path; four CPU Tx/Rx queue pairs connect over the PCI bus (ioctl, nf2_reg_grp) to the software side on interfaces nf2c0–nf2c3]
NetFPGA-OpenFlow: 1. Capture URI/URL
Software: 2. Monitoring requested contents; 3. Accounting flow; 4. Make decision whether DDoS or not
Implementation
– In the header parser, http_get messages are captured and then forwarded to nf2c0
– Otherwise, the module bypasses normal packets (they take the usual path)
Implementation
• Controller
– Each agent solicits the other agents, via the controller, to reduce the content request rate to the publisher under attack
• Sent to all connected Agents
• Agent
– Checks and limits the rate (if # of requests > threshold)
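The software side of slides 12 to 14 (capture the URI from an http_get message, account requests per content name, decide whether the count exceeds a threshold, and have the controller solicit every connected agent to cap the rate) as an added Python model. This is an illustration written for this transcript, not the authors' NetFPGA/OpenFlow code; the captured packets, the threshold, the window, the reduced cap and the class and method names are assumptions.

```python
"""Toy model of the monitoring / accounting / decision loop on slides 12-14.

Constructed illustration in Python, not the authors' NetFPGA/OpenFlow code.
The captured requests, the threshold, the window and the reduced cap are
assumptions; class and method names are hypothetical.
"""
from collections import defaultdict


def http_get_content_name(raw):
    """Step 1: extract the content name (URI form) from a captured HTTP GET.

    Returns None for anything that is not a GET, which the header parser
    would leave on the normal packet path (bypass).
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"GET":
        return None
    path = parts[1].decode("ascii", "replace")
    if path.startswith("http://"):
        return path                      # absolute-form request line
    host = ""
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
    return f"http://{host}{path}" if host else None


class Agent:
    """Steps 2-4: monitor, account per content name, decide, and rate-limit."""

    def __init__(self, name, threshold, window_s):
        self.name = name
        self.threshold = threshold       # requests per window that mean DDoS
        self.window_s = window_s
        self.flows = defaultdict(list)   # content name -> forwarded timestamps
        self.limited = {}                # content name -> allowed requests/window
        self.dropped = 0

    def recent(self, content_name, now):
        return [t for t in self.flows[content_name] if now - t < self.window_s]

    def account(self, ts, src_ip, raw):
        """Return 'bypass', 'forward' or 'drop' for one captured packet."""
        content_name = http_get_content_name(raw)
        if content_name is None:
            return "bypass"
        cap = self.limited.get(content_name)
        if cap is not None and len(self.recent(content_name, ts)) >= cap:
            self.dropped += 1            # cap reached for this window
            return "drop"
        self.flows[content_name].append(ts)
        return "forward"

    def is_under_attack(self, content_name, now):
        return len(self.recent(content_name, now)) > self.threshold

    def apply_limit(self, content_name, cap):
        self.limited[content_name] = cap


class Controller:
    """Relays one agent's solicitation to every connected agent."""

    def __init__(self):
        self.agents = []
        self.notices = []

    def connect(self, agent):
        self.agents.append(agent)

    def report_attack(self, reporter, content_name, cap):
        self.notices.append((reporter.name, content_name))
        for agent in self.agents:
            agent.apply_limit(content_name, cap)


GET_REQ = (b"GET /south-afreeca-worldcup-2010.avi HTTP/1.1\r\n"
           b"Host: youtube.com\r\n\r\n")
# Constructed capture: eight GETs for one content name within a second from
# eight sources, plus one non-GET packet that is bypassed.
SAMPLE_CAPTURE = [(0.1 * i, f"192.0.2.{i}", GET_REQ) for i in range(1, 9)]
SAMPLE_CAPTURE.append((0.9, "192.0.2.50",
                       b"POST /upload HTTP/1.1\r\nHost: youtube.com\r\n\r\n"))


def run_demo(threshold=5, window_s=1.0, reduced_cap=2):
    controller = Controller()
    publisher_caa = Agent("publisher-caa", threshold, window_s)
    gateway_a = Agent("gateway-a", threshold, window_s)
    gateway_b = Agent("gateway-b", threshold, window_s)
    for agent in (publisher_caa, gateway_a, gateway_b):
        controller.connect(agent)
    name = "http://youtube.com/south-afreeca-worldcup-2010.avi"
    verdicts = [publisher_caa.account(ts, src, raw) for ts, src, raw in SAMPLE_CAPTURE]
    attack = publisher_caa.is_under_attack(name, now=1.0)
    if attack:                           # publisher's agent detects first
        controller.report_attack(publisher_caa, name, reduced_cap)
    # After the solicitation, gateway-a sees four more GETs in one window.
    later = [gateway_a.account(2.0 + 0.1 * i, f"192.0.2.{100 + i}", GET_REQ)
             for i in range(4)]
    return verdicts, attack, controller.notices, later, gateway_a.dropped
```

The cap is keyed by content name rather than by source, matching the slides' framing of reducing the request rate to the publisher under attack; a per-source variant would keep the same accounting but index `flows` by (source, content name). The window and threshold are the knobs an operator would tune against normal request rates for popular content so that a flash crowd is not mistaken for an attack.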
Scenario Example
[Figure: attackers and a regular host send HTTP GET requests (TCP flows) through the Agent toward the Content Server; the Agent exchanges control flow with the controller]
Summary
• Grassroots approach
• Content-oriented Networking Platform
– Content-Aware Agent (CAA)