ChoKIFA+: an early detection and mitigation approach against interest flooding attacks in NDN
International Journal of Information Security (IF 3.2), Pub Date: 2020-05-08, DOI: 10.1007/s10207-020-00500-z
Abdelmadjid Benarfa, Muhammad Hassan, Eleonora Losiouk, Alberto Compagno, Mohamed Bachir Yagoubi, Mauro Conti

Several ongoing research efforts aim to design potential Future Internet Architectures, among which Named-Data Networking (NDN) introduces a shift from the existing host-centric Internet Protocol-based Internet infrastructure towards a content-oriented one. However, researchers have identified some design limitations in NDN, some of which enable a new type of Distributed Denial of Service attack, better known as the Interest Flooding Attack (IFA). In an IFA, an adversary issues unsatisfiable requests in the network to saturate the Pending Interest Table (PIT) of NDN routers and prevent them from properly handling legitimate traffic. Researchers have tried to mitigate this problem by proposing several detection and reaction mechanisms, but none of the mechanisms proposed so far is highly effective and, on the contrary, they heavily damage legitimate traffic. In this paper, we propose a novel mechanism for IFA detection and mitigation, aimed at decreasing the memory consumption of the PIT by effectively reducing the malicious traffic that passes through each NDN router. In particular, our protocol exploits an effective management strategy on the PIT, through which the Malicious Interests (MIs) already stored in the PIT are removed and new incoming MIs are dropped. In addition, the proposed countermeasure provides an additional security wall on the edges of the network to detect and mitigate the attack as early as possible and improve the network health, i.e., routers' PIT occupancy during an IFA. To evaluate the effectiveness of our work, we implemented the proposed countermeasure on the open-source ndnSIM simulator and compared its effectiveness with the state of the art. The results show that our proposed countermeasure effectively reduces IFA damage both in terms of preserved legitimate traffic and availability of routers' PIT. Considering the legitimate traffic, the amount of Benign Interests preserved by our approach increases from 5% to 40% with respect to the preservation guaranteed by the state-of-the-art solutions. Concerning the routers' PIT availability, our approach guarantees that 97% of the PIT size is left free for handling legitimate traffic.




Updated: 2020-05-08