Chapter 5 Experiments and Analysis
5.4 Random Topology
Finally, we use a random topology produced by the BRITE topology generator [30] to run our experiments. We generated a topology containing 40 nodes, with the bandwidth fixed at 100 Mbps and every node having at least two
the effectiveness against pollution. Furthermore, Fig. 23(b) shows that the number of verifications per second performed under adaptive verification is lower than under the fixed probability (P=1); in other words, adaptive verification spends less router load to obtain a defense against the attack equivalent to that of the fixed probability (P=1). In addition, the reason the fixed probability (P=1) cannot bring LR up to 1 in Fig. 23(a) is that the randomly generated topology and the randomly selected data producers may place a malicious data producer directly adjacent to the data requester; in that case no router is on the path to discard the forged data on the requester's behalf, so LR cannot reach 1.
Next, Fig. 24(a) shows that adaptive verification still mitigates the content pollution attack about as well as the fixed probability (P=1), while Fig. 24(b) shows that the total number of verifications performed under adaptive verification is not only far below that of the fixed probability (P=1) but even close to that of the fixed probability (P=0.5); moreover, once the attack stops, adaptive verification appropriately reduces the load that signature verification imposes on the routers. Together, Figs. 24(a) and (b) show that adaptive verification reaches the anti-pollution effectiveness of the fixed probability (P=1) while spending only the verification count of the fixed probability (P=0.5).
Fig. 23: (a) LR and (b) VR under a persistent attack on the random topology
Fig. 24: (a) LR and (b) total number of verifications over all routers under a periodic attack on the random topology
the computation overhead.
Moreover, our experimental results also show that under different scenarios, that is, when the network state changes or the attacker's behaviour varies, adaptive verification can adapt to the network conditions in time and adjust the defense mechanism according to the severity of the attack it is suffering. Not only does it effectively mitigate the content pollution attack, it also avoids imposing excessive extra load on the routers. At the same time, when a router identifies and drops forged data before caching it, it also saves the cache space that the forged data would otherwise occupy, which amounts to reducing the router's storage overhead.
However, although adaptive verification can adjust itself as the network state changes, it needs some time to obtain the network-state information. Therefore, when the network is hit by a sudden attack, adaptive verification cannot bring its defense into effect instantly, and users are exposed to the full force of the attack until adaptive verification has obtained the network-state information and adjusted accordingly; only then is the impact of the pollution attack reduced.
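To make the trade-off described for Figs. 24(a) and (b) and the start-up lag described in the preceding paragraph concrete, the following simulation is an added example written for this edit; it is not the thesis's ndnSIM experiment, and the thesis's own adaptive rule is not specified on this page. The adaptive rule (raise the verification probability in proportion to the share of forgeries found among the packets actually verified, measured once per window of packets, and fall back to p_min when none are found), the window size, p_min, the gain, the alternating attack/quiet traffic pattern and the forged share are all assumptions of the example. The same constructed traffic and the same random draws are fed to a fixed P=1 policy, a fixed P=0.5 policy and the adaptive policy, and each run reports how many signature verifications the router performed and how much forged Data it forwarded unverified.

```python
import random
from dataclasses import dataclass


@dataclass
class RouterStats:
    """Per-router counters for one simulation run."""
    packets: int = 0            # Data packets that passed through the router
    verified: int = 0           # signature verifications the router performed
    forged_seen: int = 0        # forged Data packets that arrived at the router
    forged_dropped: int = 0     # forged packets caught by verification and dropped
    forged_forwarded: int = 0   # forged packets forwarded unverified (pollution reaching consumers)


class FixedVerifier:
    """Verify each Data packet with a fixed probability P, regardless of network state."""

    def __init__(self, p):
        self.p = p

    def probability(self):
        return self.p

    def observe(self, verified, forged):
        pass  # a fixed policy ignores what it sees


class AdaptiveVerifier:
    """Hypothetical adaptive rule (an assumption of this example, not the thesis's
    algorithm): every `window` packets, compute the share of forgeries among the packets
    that were actually verified, set the verification probability to p_min + gain * share
    (capped at 1), and so fall back to p_min once no forgeries are observed. The window
    models the time needed to obtain network-state information."""

    def __init__(self, p_min=0.1, gain=4.0, window=200):
        self.p_min, self.gain, self.window = p_min, gain, window
        self.p = p_min
        self.seen = self.win_verified = self.win_forged = 0

    def probability(self):
        return self.p

    def observe(self, verified, forged):
        self.seen += 1
        if verified:
            self.win_verified += 1
            if forged:
                self.win_forged += 1
        if self.seen % self.window == 0:
            share = self.win_forged / self.win_verified if self.win_verified else 0.0
            self.p = min(1.0, self.p_min + self.gain * share)
            self.win_verified = self.win_forged = 0


def periodic_attack(n_packets, phase_len, forged_share, rng):
    """Constructed traffic: attack phases of `phase_len` packets alternate with quiet
    phases; during an attack phase each packet is forged with probability forged_share."""
    traffic = []
    for i in range(n_packets):
        attacking = (i // phase_len) % 2 == 0
        traffic.append(attacking and rng.random() < forged_share)
    return traffic


def simulate(policy, traffic, rng):
    """Run one verification policy over the traffic; forged Data is dropped only
    if the router happens to verify its signature."""
    stats = RouterStats()
    for forged in traffic:
        stats.packets += 1
        if forged:
            stats.forged_seen += 1
        verify = rng.random() < policy.probability()
        if verify:
            stats.verified += 1
            if forged:
                stats.forged_dropped += 1
        elif forged:
            stats.forged_forwarded += 1
        policy.observe(verify, forged)
    return stats


def compare(seed=1, n_packets=20000, phase_len=2000, forged_share=0.5):
    """Same traffic and same random draws for the verification decisions, three policies."""
    traffic = periodic_attack(n_packets, phase_len, forged_share, random.Random(seed))
    policies = {
        "fixed P=1": FixedVerifier(1.0),
        "fixed P=0.5": FixedVerifier(0.5),
        "adaptive": AdaptiveVerifier(),
    }
    return {name: simulate(pol, traffic, random.Random(seed + 1)) for name, pol in policies.items()}


if __name__ == "__main__":
    for name, s in compare().items():
        leaked = s.forged_forwarded / s.forged_seen
        print(f"{name:12s} verifications={s.verified:6d}  "
              f"forged forwarded={s.forged_forwarded:5d} ({leaked:.1%} of forged)")
```

With these assumptions the adaptive policy verifies roughly half as many packets as P=1 (close to P=0.5) yet forwards only the forgeries that arrive during the first window of each attack phase, before the rule has raised its probability; that first-window leak is the sudden-attack lag the text describes, and it grows with the window length, which is the cost of needing time to learn the network state.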
Although we have proposed an effective method for defending against content pollution attacks and have validated and measured it with many simulation experiments in ndnSIM, a real network environment contains far more variables, and attacker behaviour is harder to predict. In future work we will therefore try to deploy and measure the proposed method in a real-world network using the Named Data Networking Forwarding Daemon (NFD) [31], and we will explore different approaches that let adaptive verification cope with sudden attacks, so that a sudden pollution attack cannot succeed in affecting users.
References
[1] Lixia Zhang, Alexander Afanasyev, Jeffrey Burke, Van Jacobson, kc claffy, Patrick Crowley, Christos Papadopoulos, Lan Wang and Beichuan Zhang, "Named data networking (NDN) project," Technical Report NDN-0001, Xerox Palo Alto Research Center (PARC), 2010.
[2] Van Jacobson, Diana K. Smetters, James D. Thornton, Michael F. Plass, Nicholas H. Briggs and Rebecca L. Braynard, "Networking named content," ACM International Conference on Emerging Networking Experiments and Technologies, 2009.
[3] Bengt Ahlgren, Christian Dannewitz, Claudio Imbrenda, Dirk Kutscher and Börje Ohlman, "A survey of information-centric networking," IEEE Communications Magazine, vol. 50, no. 7, pp. 26-36, 2012.
[4] "Content centric networking (CCNx) project," http://www.ccnx.org.
[5] Alexander Afanasyev, Ilya Moiseenko and Lixia Zhang, "ndnSIM: NDN simulator for NS-3," Technical Report NDN-002, University of California, Los Angeles, 2012.
[6] Spyridon Mastorakis, Alexander Afanasyev, Ilya Moiseenko and Lixia Zhang, "ndnSIM 2.0: A new version of the NDN simulator for NS-3," Technical Report NDN-0028, University of California, Los Angeles, 2015.
[7] Amit Klein, "BIND 8 DNS cache poisoning," 2007.
[8] Antonio Lioy, Fabio Maino, Marius Marian and Daniele Mazzocchi, "DNS security," TERENA Networking Conference, 2000.
[9] Naoum Naoumov and Keith Ross, "Exploiting P2P systems for DDoS attacks," ACM International Conference on Scalable Information Systems, 2006.
[10] Amit Klein, "Web cache poisoning attacks," Encyclopedia of Cryptography and Security, Springer US, p. 1373, 2011.
[11] Fanglu Guo, Jiawu Chen and Tzi-cker Chiueh, "Spoof detection for preventing DoS attacks against DNS servers," IEEE International Conference on Distributed Computing Systems, 2006.
[12] R. Arends, R. Austein, M. Larson, D. Massey and S. Rose, "RFC 4033: DNS security introduction and requirements," 2005.
[13] Jian Liang, Naoum Naoumov and Keith W. Ross, "The index poisoning attack in P2P file sharing systems," IEEE International Conference on Computer Communications (INFOCOM'06), 2006.
[14] Matthias Vallentin and Yahel Ben-David, "Persistent browser cache poisoning," 2010.
[15] Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic and Yan Chen, "Internet cache pollution attacks and countermeasures," IEEE International Conference on Network Protocols, 2006.
[16] Alberto Compagno, Mauro Conti, Paolo Gasti and Gene Tsudik, "Poseidon: Mitigating interest flooding DDoS attacks in named data networking," IEEE Conference on Local Computer Networks, 2013.
[17] Alexander Afanasyev, Priya Mahadevan, Ilya Moiseenko, Ersin Uzun and Lixia Zhang, "Interest flooding attack and countermeasures in Named Data Networking," IFIP Networking Conference, 2013.
[18] Alberto Compagno, Mauro Conti, Paolo Gasti and Gene Tsudik, "NDN interest flooding attacks and countermeasures," Annual Computer Security Applications Conference, 2012.
[19] Seungoh Choi, Kwangsoo Kim, Seongmin Kim and Byeong-hee Roh, "Threat of DoS by interest flooding attack in content-centric networking," International Conference on Information Networking, 2013.
[20] Somaya Arianfar, Teemu Koponen, Barath Raghavan and Scott Shenker, "On preserving privacy in content-oriented networks," ACM SIGCOMM Workshop on Information-Centric Networking, 2011.
[21] Steven DiBenedetto, Paolo Gasti, Gene Tsudik and Ersin Uzun, "ANDaNA: Anonymous named data networking application," NDSS, 2011.
[22] Gergely Acs, Mauro Conti, Paolo Gasti, Cesar Ghali and Gene Tsudik, "Cache privacy in named-data networking," IEEE International Conference on Distributed Computing Systems, 2013.
[23] Diana Smetters and Van Jacobson, "Securing network content," Technical Report, PARC, 2009.
[24] Mengjun Xie, Indra Widjaja and Haining Wang, "Enhancing cache robustness for content-centric networking," IEEE International Conference on Computer Communications (INFOCOM'12), 2012.
[25] Mauro Conti, Paolo Gasti and Marco Teoli, "A lightweight mechanism for detection of cache pollution attacks in Named Data Networking," Computer Networks, vol. 57, no. 16, pp. 3178-3191, 2013.
[26] Paolo Gasti, Gene Tsudik, Ersin Uzun and Lixia Zhang, "DoS and DDoS in named data networking," IEEE International Conference on Computer Communication and Networks, 2013.
[27] Igor Ribeiro, Antonio Rocha, Celio Albuquerque and Flavio Guimaraes, "On the possibility of mitigating content pollution in content-centric networking," IEEE Conference on Local Computer Networks, 2014.
[28] Cesar Ghali, Gene Tsudik and Ersin Uzun, "Needle in a haystack: Mitigating content poisoning in named-data networking," NDSS Workshop on Security of Emerging Networking Technologies, 2014.
[29] "NS-3 Simulator," http://www.nsnam.org/.
[30] Alberto Medina, Anukool Lakhina, Ibrahim Matta and John Byers, "BRITE: An approach to universal topology generation," IEEE International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, 2001.
[31] "Named Data Networking Forwarding Daemon," http://named-data.net/doc/NFD/current/.