Previous Article in Journal
Rethinking Modbus-UDP for Real-Time IIoT Systems
Previous Article in Special Issue
Ensemble Learning Approaches for Multi-Class Intrusion Detection Systems for the Internet of Vehicles (IoV): A Comprehensive Survey
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Review

Interest Flooding Attacks in Named Data Networking and Mitigations: Recent Advances and Challenges

1
Department of Electrical and Computer Engineering, Binghamton University, Binghamton, NY 13902, USA
2
Intelligent Fusion Technology, Inc., Germantown, MD 20874, USA
3
Air Force Research Laboratory, Arlington, VA 22203, USA
*
Author to whom correspondence should be addressed.
Future Internet 2025, 17(8), 357; https://doi.org/10.3390/fi17080357 (registering DOI)
Submission received: 8 July 2025 / Revised: 31 July 2025 / Accepted: 4 August 2025 / Published: 6 August 2025

Abstract

Named Data Networking (NDN) represents a promising Information-Centric Networking architecture that addresses limitations of traditional host-centric Internet protocols by emphasizing content names rather than host addresses for communication. While NDN offers advantages in content distribution, mobility support, and built-in security features, its stateful forwarding plane introduces significant vulnerabilities, particularly Interest Flooding Attacks (IFAs). These IFA attacks exploit the Pending Interest Table (PIT) by injecting malicious interest packets for non-existent or unsatisfiable content, leading to resource exhaustion and denial-of-service attacks against legitimate users. This survey examines research advances in IFA detection and mitigation from 2013 to 2024, analyzing seven relevant published detection and mitigation strategies to provide current insights into this evolving security challenge. We establish a taxonomy of attack variants, including Fake Interest, Unsatisfiable Interest, Interest Loop, and Collusive models, while examining their operational characteristics and network performance impacts. Our analysis categorizes defense mechanisms into five primary approaches: rate-limiting strategies, PIT management techniques, machine learning and artificial intelligence methods, reputation-based systems, and blockchain-enabled solutions. These approaches are evaluated for their effectiveness, computational requirements, and deployment feasibility. The survey extends to domain-specific implementations in resource-constrained environments, examining adaptations for Internet of Things deployments, wireless sensor networks, and high-mobility vehicular scenarios. Five critical research directions are proposed: adaptive defense mechanisms against sophisticated attackers, privacy-preserving detection techniques, real-time optimization for edge computing environments, standardized evaluation frameworks, and hybrid approaches combining multiple mitigation strategies.

1. Introduction

The existing Internet architecture was initially designed as a host-centric communication model, focusing on end-to-end connectivity between specific devices through Internet Protocol (IP) addresses. Although Internet architecture has served well for decades, the explosive growth of content distribution, mobile connectivity, and the emerging Internet of Things (IoT) has created fundamental mismatches between how users consume content and how the underlying network operates [1]. Today’s Internet usage is predominantly centered on content retrieval rather than host-to-host communication, with applications such as video streaming, social networks, and content sharing dominating traffic patterns [2].
To address these challenges, Information-Centric Networking (ICN) has emerged as a promising paradigm for future Internet architecture, shifting focus from “where” content is located to “what” content is requested [3]. ICN moves away from traditional host-to-host communication, instead prioritizing Named Content Retrieval (NCR). NCR allows for in-network caching, faster content delivery, and better support for mobile users [4]. Named Data Networking (NDN) represents one of the most active and mature ICN implementations, designed as a clean-slate approach to revolutionize network architecture by making content names the cornerstone of communication [5,6]. Rather than by IP address, in NDN, users request content by name using interest packets, and the network delivers data packets that carry that content back along the reverse path, regardless of which node provides it [6]. NDN change improves caching, mobility, and security at the data level but brings new risks.
Since the network keeps track of pending requests, attackers can exploit how interest and data packets are processed and forwarded [7]. Interest Flooding Attacks (IFAs) represent a significant threat to distributed denial-of-service (DDoS) attacks in NDN, where adversaries generate a large volume of malicious interest packets to disrupt normal network functions [8]. Since NDN routers maintain a Pending Interest Table (PIT) to track data requests, excessive unsolicited interests can rapidly exhaust memory resources, leading to packet loss and service degradation [7]. In severe cases, legitimate requests are completely blocked, preventing access to valid content.
IFA differs from conventional DoS attacks by targeting the request handling process rather than overwhelming a server with data packets. Attackers inject a substantial number of interest packets for non-existent or unsatisfiable content, causing a continuous expansion of PIT entries that depletes processing capacity [9]. This degradation occurs without requiring high bandwidth, making the attack particularly effective in resource-constrained environments such as the Internet of Things [10]. Various countermeasures have been proposed, including rate limiting, PIT management, and anomaly detection [11]. As NDN architectures gain increasing attention, securing them against IFAs has become a critical area, with many ongoing efforts focused on developing scalable and adaptive defense mechanisms.
Compared to earlier reviews [8,11], which emphasize classification and high-level summaries, this survey offers a more deployment-focused perspective. By examining recent detection strategies through the lens of computational cost, scalability, and adaptability across different application domains, the paper provides a practical reference for researchers aiming to implement or expand IFA defenses in real networks. Its emphasis on domain-specific implementation trade-offs, particularly in IoT and edge computing, distinguishes this work.
This survey provides a comprehensive and up-to-date analysis of IFA in NDN, with a particular focus on research advances over the past five years. Our contributions are as follows.
  • Establishing a comprehensive taxonomy of IFA variants that categorizes attacks in multiple dimensions, including source origin, intensity patterns, and target layers, and examining how attack sophistication has evolved from simple flooding to advanced collusive models over the past five years. This taxonomy framework enables systematic analysis of attack characteristics and facilitates the development of targeted countermeasures for specific threat scenarios.
  • Performing a critical evaluation of the seven detection and mitigation strategies published between 2013 and 2024, organizing these approaches into five primary categories based on their core methodologies. Our analysis goes beyond simple cataloging by assessing the effectiveness, computational overhead, and deployment feasibility of rate-limiting strategies, PIT management techniques, machine learning approaches, reputation systems, and blockchain-based solutions. The evaluation includes performance comparisons where quantitative data is available and identifies the operational trade-offs inherent in each approach.
  • Examining domain-specific adaptations of IFA countermeasures for resource-constrained environments, with particular focus on IoT deployments, wireless sensor networks (WSNs), and vehicular networking scenarios. This analysis addresses the practical challenges of implementing security mechanisms within computational and energy limitations while maintaining real-time performance requirements.
  • Analyzing the evaluation methodologies and performance metrics employed in the reviewed literature, by identifying inconsistencies in benchmarking approaches, and highlighting the need for standardized testing frameworks. Our examination includes the evaluation of simulation environments, experimental parameters, and real-world deployment considerations that affect the practical applicability of the proposed solutions.
  • Identifying five critical research directions that address current limitations in IFA defense mechanisms. These directions encompass the development of adaptive countermeasures against evolving attack strategies, integration of privacy-preserving detection techniques for encrypted content scenarios, optimization for real-time constraints in edge computing environments, establishment of standardized evaluation frameworks for reproducible research, and design of hybrid defense approaches that combine multiple mitigation strategies for enhanced effectiveness.
The remainder of this paper is organized as follows. Section 2 provides background on the NDN architecture and its vulnerability to floods of interest. Section 3 presents a comprehensive taxonomy of the vectors and characteristics of IFAs. Section 4 reviews the latest detection and mitigation strategies. Section 5 examines domain-specific applications and case studies in IoT and vehicular networks. Section 6 identifies open challenges and future research directions. Finally, Section 7 concludes the paper.

2. NDN Architecture and Vulnerability to Interest Flooding

2.1. NDN Architecture Fundamentals

Named Data Networking (NDN) operates through a fundamentally different paradigm than traditional IP-based networks, using two core packet types to facilitate content-centric communication. As shown in Figure 1, interest packets serve as requests for named content, while data packets deliver the corresponding information back to requesters. The NDN architecture employs three critical data structures (see Figure 1) within each router to manage communication flows effectively. The Forwarding Information Base (FIB) maps content name prefixes to outbound interfaces, enabling routers to direct interest packets toward potential content sources. When content is available in a router’s Content Store (CS), which functions as a cache of previously retrieved data, the router immediately returns the requested information without forwarding the interest further. The Pending Interest Table (PIT) maintains state information for all forwarded interest packets that have not yet received the corresponding data packets, recording content names along with incoming and outgoing interface details to ensure proper routing of the data packet back to the requesters [12,13].
The stateful FIB mechanism supports several advanced networking capabilities, including robust in-network caching, multicast data delivery, and loop prevention. However, the stateful nature of the PIT introduces specific vulnerabilities that distinguish NDN from stateless IP forwarding approaches. The architecture’s reliance on maintaining per-packet state creates attack surfaces that malicious actors can exploit through coordinated flooding strategies. Recent research has focused on optimizing PIT efficiency through improved data structures. The S-PIT system, introduced in 2023, integrates Stable Bloom Filters into the PIT (S-PIT) to verify the existence of a content name without exhaustive searching [14]. Early detection strategies, including HopCount-Based Filtering and adaptive satisfaction rate monitoring, have demonstrated effectiveness in identifying anomalous interest behavior [15]. Simulation studies using NDNSim continue to provide information on how prefix granularity and request volume patterns influence the performance characteristics of PIT [13].

2.2. Interest Flooding Attack Vulnerability Analysis

The architectural features that enable NDN’s content-centric benefits also create specific attack vectors that distinguish Interest Flooding Attacks from traditional denial-of-service methods. Understanding these vulnerabilities requires examination of how NDN’s design principles interact with malicious traffic patterns and resource consumption behaviors.
  • PIT Resource Exhaustion Mechanisms: The finite capacity of PIT represents the main vulnerability target in IFA. Each interest packet consumes a PIT entry until either a corresponding data packet arrives or the entry is canceled due to unfilled requests. Attackers can exploit the PIT consuming mechanism by generating large volumes of interest packets for non-existent or deliberately unsatisfiable content, causing PIT entries to accumulate until router memory resources are exhausted [11,16]. The packet exhaustion prevents legitimate interest packets from receiving PIT entries, effectively denying service to legitimate users without requiring the high bandwidth consumption typically associated with traditional flooding attacks.
  • Pull-Based Communication Exploitation: NDN’s pull-based model ensures that data flows through the network only upon explicit request through interest packets. Although this design improves control over data dissemination and mitigates specific unsolicited data delivery attacks, it creates opportunities for abuse through interest manipulation [17]. Attackers can generate high volumes of interest packets for non-existent or rarely accessed content, knowing these requests cannot be satisfied with existing data packets. The resulting accumulation of unsatisfiable interests leads to resource exhaustion and degraded service for legitimate network users [18].
  • Stateful Forwarding Vulnerabilities: The distinction between NDN’s stateful forwarding and traditional IP routing creates unique attack opportunities. Conventional IP networks maintain minimal per-packet state, making them less susceptible to state exhaustion attacks. NDN routers must maintain detailed information about each forwarded interest packet, including content names and interface mappings, until the corresponding data packet completes the transaction [19,20]. The persistent state maintenance requirement enables attackers to consume router resources through coordinated interest flooding without requiring successful data retrieval or high bandwidth utilization.
Several mitigation approaches have emerged to address these vulnerabilities. Cryptographic route tokens provide mechanisms to validate interest packets and ensure that only legitimate requests consume PIT resources [18]. Advanced detection methods combining Exponential Weighted Moving Average (EWMA) algorithms with logistic regression techniques focus on identifying malicious prefixes while reducing network disruption [21] or reducing memory consumption and preserving legitimate traffic [22]. Real-time detection systems employing Artificial Neural Networks (ANNs) and traceback-based mitigation strategies have demonstrated enhanced network resilience against sophisticated flooding attacks [23].
The effectiveness of these countermeasures depends on their ability to distinguish between legitimate traffic bursts and malicious flooding patterns while maintaining the performance benefits that make NDN attractive for content distribution applications. This pattern discrimination challenge becomes particularly acute in resource-constrained environments, where computational overhead for detection and mitigation must remain minimal to preserve system functionality.

3. Interest Flooding Attack: Concept and Taxonomy

An IFA in NDN represents a significant security challenge, exploiting the unique architecture of NDN to degrade network performance and deny service to legitimate users [18]. Unlike traditional IP-based DDoS attacks that overwhelm targets with excessive data traffic, IFAs manipulate NDN’s stateful forwarding plane by inundating routers with a high volume of interest packets for non-existent or unpopular content. This forwarding exploitation leads to the saturation of PIT in routers, consuming critical resources such as memory and processing power, and ultimately hindering the network’s ability to process legitimate requests [18].
The stateful nature of NDN’s PIT, which records each forwarded interest packet until the corresponding data packet is returned or the request times out, is central to the architecture’s efficient data retrieval [6]. However, this recording feature also introduces vulnerabilities, as malicious actors can exploit it by sending interests that cannot be satisfied, causing the PIT to overflow and legitimate interests to be dropped [8], as shown in Figure 2 where a malicious consumer and a producer collude, bypassing IFA detection by replying to malicious interests, keeping PIT entries occupied. This PIT state contrasts with the stateless forwarding in traditional IP networks, where routers do not maintain such per packet state, making them less susceptible to this specific type of attack [18].
Collusive Interest Flooding Attacks (CIFAs) are a behavior pattern within the broader category of IF, where multiple malicious consumers coordinate their interest traffic to intensify the strain on network components, especially the PIT. CIFAs involve deliberate synchronization among attackers more than IFAs, which stem from isolated or loosely timed flooding attempts. They may request the advertised content of each other or use closely related name prefixes to simulate plausible communication patterns. This coordination enables them to bypass basic rate controls and evade detection methods that rely on isolated traffic anomalies. As shown in Figure 2, CIFAs differ visually from standard IFAs through the presence of multiple interacting sources that form a loop of unresolved interests, rather than a one-directional flood. The taxonomy in Table 1 and Figure 3 accounts for the CIFAs. We do not isolate them as a separate category. Their mitigation shares overlap with existing strategies for distributed IFAs, and treating them as a behavioral variant offers a more practical framework for both detection and response.

3.1. Types of IFAs

IFAs in NDN exploit the network’s unique architecture by overwhelming it with malicious interest packets, leading to resource exhaustion and degraded performance. These attacks can be categorized into several distinct types, each targeting specific vulnerabilities within the NDN framework, as shown in Figure 3.

3.1.1. Fake Interest Attacks

In a Fake Interest Attack (FIA), attackers generate interest packets requesting non-existent or intentionally invalid content. These interests are designed to have no corresponding data packets, causing them to remain unresolved in the PIT of NDN routers until they time out. The accumulation of such unsatisfiable interests can exhaust PIT resources, leading to network congestion and denial of service for legitimate users [24]. The FIA attack exploits the stateful nature of NDN’s forwarding plane, where each interest packet consumes memory resources until satisfied or expired. Mitigation strategies involve monitoring interest patterns to detect anomalies and implementing rate-limiting mechanisms to prevent PIT overflow. However, distinguishing between legitimate and malicious interests remains a significant challenge [11,25].

3.1.2. Unsatisfiable Interests

Unsatisfiable interests involve sending interest packets that are inherently unresolvable due to specific manipulations. Attackers may set fields such as the Exclude filter to exclude all existing content or use random values in the PublisherPublicKeyDigest field, ensuring that no matching data packets can satisfy these interests. These malicious interests persist in the PIT until they expire, consuming memory resources and potentially leading to PIT overflow [26]. The deliberate use of unsatisfiable interests aims to degrade network performance and disrupt legitimate communications. Countermeasures include enhancing routers’ ability to detect and discard such interests promptly and implementing stricter validation of interest packet fields. However, the dynamic nature of content naming and the legitimate use of exclusion filters complicates the identification of malicious patterns [22].

3.1.3. Interest Loops or Aggregation Abuse

Interest loops or aggregation abuse exploits NDN’s mechanisms for interest aggregation and loop prevention. In NDN, when multiple interests for the same content are received, routers aggregate them to reduce redundant transmissions. Attackers can abuse this aggregation feature by crafting interests that create routing loops or by sending interests with names designed to match multiple pending entries, causing routers to aggregate them improperly and forward them in a loop. Incorrect aggregation can lead to excessive resource consumption and network congestion. Mitigation strategies involve implementing loop detection mechanisms and refining interest aggregation policies to prevent abuse. However, ensuring that these measures do not adversely affect the aggregation of legitimate interests remains a complex task [27].

3.2. Taxonomy of IFA

IFAs in NDN can be systematically analyzed through several key dimensions, as seen in Table 1: source of attack, intensity of attack, target layer, and distinction between smart versus naive attackers. This taxonomy helps us to understand the multifaceted nature of IFAs and develop effective mitigation strategies.

3.2.1. Source of the Attack

The origin of IFAs can be categorized according to the number and coordination of attacking entities. In single-source attacks, a lone adversary dispatches a high volume of malicious interest packets, aiming to overwhelm the network’s resources. In contrast, distributed attacks involve multiple compromised nodes, often orchestrated as a botnet, to flood the network from various points. The distributed nature of the botnet makes detection and mitigation more challenging due to the dispersed attack vectors and the increased volume of malicious traffic, which can originate from either single or multiple sources, each presenting unique challenges to network security.
  • Single-Source Attacks: In these scenarios, a single adversary sends a large number of malicious-interest packets with the intent of overconsuming network resources. This method resembles traditional DoS attacks, in which a single system inundates a target with excessive traffic, leading to service degradation or unavailability [18].
  • Distributed Attacks: Distributed attacks involve multiple compromised nodes, often orchestrated as a botnet, to flood the network from various points [28]. The botnet approach mirrors DDoS attacks, where numerous systems coordinate to overwhelm a target, complicating detection and mitigation due to the dispersed nature of attack vectors and the increased volume of malicious traffic [29].

3.2.2. Attack Intensity

Attack intensity refers to the rate at which malicious interest packets are sent. In constant-rate attacks, adversaries maintain a steady stream of interest packets, exerting a predictable but sustained strain on network resources. This intensity attack model has been extensively analyzed in previous studies, such as a study that evaluated the limitations of existing countermeasures against steady-rate attacks [30].
Conversely, variable-rate attacks involve fluctuating the rate of interest packet transmission, potentially to evade detection mechanisms that rely on identifying consistent traffic patterns. Another study discusses how such attack patterns can be effectively analyzed using an SIS epidemic model, considering the impact of Negative Acknowledgement (NACK) mechanisms on IFAs [31]. These variable-rate attacks can be more insidious, as they mimic legitimate traffic bursts, complicating the differentiation between normal and malicious activities. A recent paper further explores statistical abnormality detection mechanisms tailored to variable attack intensities, demonstrating how fluctuations in request rates can bypass traditional IFA detection strategies [32].

3.2.3. Target Layer

IFAs in NDN can target various layers within the architecture, each with distinct vulnerabilities and consequences. An IP DDoS that targets specific hosts, where an IFA exploits NDN’s stateful forwarding, as each router maintains a PIT entry for every pending request. Excessive malicious interests can congest network links and exhaust router PIT memory [18,33], leading to the loss of legitimate requests. IFAs can manifest at different layers of the NDN architecture, mainly the network layer (forwarding plane) and the application layer (content producers), each with distinct attack strategies, impacts, and countermeasures. Next, we detail the vulnerabilities at each layer, how attacks are conducted, and the consequences, followed by mitigation approaches tailored to those layers later.
  • Network-Layer IFAs (PIT Exhaustion Attacks): NDN routers maintain per-packet state in the PIT, which records each unsatisfied interest’s name and incoming interface until a matching data is returned. This stateful design, while enabling robust multipath forwarding and loop prevention, is a double-edged sword: the PIT has a finite size and can be overwhelmed. Attackers exploit this by sending spoofed interests for non-existent content names (or otherwise unsatisfiable requests) at high rates, filling PIT entries and consuming bandwidth [33], while enabling robust multipath forwarding and loop prevention. As a result, the router’s memory is exhausted, and new interests (even from legitimate users) cannot be added to the PIT. In essence, the PIT exhaustion attack targets the availability of the network layer by incapacitating the ability of the routers to forward requests [18,33]. The malicious consumers flood the network with unsatisfiable interest packets, exhausting router resources. Attackers request non-existing content, causing PITs to fill up, leading to packet drops and service disruptions. Distributed and slow-start IFAs worsen detection challenges, severely degrading NDN performance.
  • Application Layer (Producer-Targeted Attacks): Traditional IFAs primarily target routers; however, attackers can also exploit the application layer by overwhelming content producers. In NDN, producers generate data packets upon receiving interest requests. Attackers flood a producer with interests, exhausting its computational and storage resources. Even if PITs remain stable, excessive processing loads can cause service disruption [8,34]. Two primary vulnerabilities facilitate producer-targeted IFAs:
    • Computational Overhead: Every data packet requires cryptographic signing, making dynamic content especially vulnerable.
    • Cache Bypassing: Attackers manipulate interest names to prevent caching, forcing producers to serve every request. An attacker can append random components to a popular content name (e.g., /news/video.mp4?session=XYZ), ensuring each request reaches the producer instead of being satisfied by caches.
Application-layer IFAs resemble HTTP GET (request) floods but leverage NDN interests. The Collusive IFA (CIFA) involves a rogue producer collaborating with an attacker. Normally, routers detect IFAs by tracking unsatisfied interests. However, in CIFA, the malicious producer fabricates data responses, preventing detection while still straining network resources. Some rogue producers deliberately delay responses, prolonging PIT occupancy without triggering alarms [35].
The consequences of producer-targeted IFAs are severe. Under high interest loads, producers may experience CPU and memory exhaustion, leading to crashes or denial of service. Cache pollution may also occur if malicious data fills storage, reducing the availability of legitimate content. Furthermore, producer failures can shift demand to alternative servers, propagating service degradation across the network [36].
While Table 1 describes the operational characteristics of different types of IFAs, their relationships are more clearly illustrated through a structured taxonomy. Figure 3 presents a hierarchical classification that categorizes IFAs based on the intent of the attack, the method of network exploitation, the traffic behavior, and the layers of affected protocols. This organization highlights the layered complexity of IFA threats, showing how attacks can be located within broader behavioral patterns. Unsatisfiable and fake interest attacks are categorized under semantic manipulation, whereas loop-based variants reflect forwarding path exploitation. Together with Table 1, this taxonomy offers a structural lens for understanding diversity and overlap between IFA techniques.

4. State of the Art Detection and Mitigation Strategies

IFA countermeasures in NDN can be classified into several categories based on their core approach. We discuss each category, (1) rate limiting, (2) PIT management, (3) ML/AI based, (4) reputation/trust systems, and (5) blockchain based, outlining their key ideas, representative proposals, strengths and weaknesses, and performance evaluation as shown in Table 2.

4.1. Rate-Limiting Strategies

Rate-limiting approaches restrict the rate of incoming interest packets deemed malicious to protect router resources. The simplest form is to throttle an interface or sender if it issues too many unsatisfied interests. Routers may monitor the Interest Satisfaction Ratio (ISR) per interface (the fraction of interests that successfully return data), and if the ISR drops below a threshold, the router slows or stops forwarding from that interface [37]. Other schemes apply rate limits on a name prefix basis, detecting a prefix under attack and throttling all interests for that content prefix. Additionally, a router may limit an interface to only certain name prefixes if that combination is deemed malicious. Rate limiting is straightforward to implement and can immediately reduce load on the Pending Interest Table (PIT) and downstream links. It requires only local monitoring and simple threshold-based decisions, making it lightweight.

4.2. PIT Management Strategies

Pending Interest Table (PIT) management (or “Interest-PIT decoupling”) strategies aim to prevent an IFA from filling up the PIT by altering how the pending state is handled. One approach is decoupling pending states from the PIT for suspect interests, effectively not storing per-interest state for them. A DPE (Decoupling Pending Entries), which appends an interface list into the interest packet itself instead of creating a PIT entry, was proposed [38]. This way, routers do not allocate PIT memory for those interests; the interface list in the packet serves to route the returning data. Similarly, a cryptographic route token, which encodes the path or incoming interface in a verifiable token, was introduced in each interest. With a route token, a router can forward the data back without storing a PIT entry since the token helps it identify the origin interface [39].
In addition, architectural modifications were introduced to operate the NDN in a PIT-less mode for certain traffic [40]. Another line of PIT management involves purging or controlling PIT entries during an aggressive attack. For instance, an approach might detect a surge of timed-out entries and respond by flushing those entries and temporarily not admitting new interests for the offending prefix/interface. The ChoKIFA+ system uses an Active Queue Management technique (CHOKe) at the router to selectively drop pending interests that appear malicious, freeing PIT space. In ChoKIFA, when the PIT is under stress, the router randomly drops some incoming malicious interests and simultaneously evicts matching pending entries from the PIT, thus cleaning up the state associated with the attack traffic [22].
PIT management solutions directly address the root cause of DoS, PIT exhaustion. By not storing (or quickly removing) state for bogus requests, they preserve memory for legitimate interests. Approaches such as route tokens and DPE show that it is possible to maintain NDN’s data return functionality without per interest state, thereby making routers much less vulnerable to flooding. Schemes that remove malicious entries can rapidly reclaim resources once an attack is detected and can restore service to legitimate users.

4.3. Machine Learning and AI-Based Techniques

ML/AI-based IFA defenses leverage pattern recognition and learning algorithms to detect attacks more adaptively. Instead of fixed thresholds, these methods train on traffic features to distinguish normal vs. attack behavior. Standard features include interest sending rate, PIT usage patterns, temporal correlation of requests, or entropy of interest names [37]. Supervised learning has been applied: a binary classifier at NDN routers in a vehicular scenario to detect attacker vehicles was deployed [41]. The study evaluated multiple classifiers (logistic regression, decision tree, K Nearest Neighbor (kNN), random forest, etc.) at roadside units and found that machine learning (ML) could reliably separate legitimate traffic from flooding attacks with high accuracy. Other works have explored deep learning or ensemble methods. Unsupervised anomaly detection has also been studied, e.g., using clustering or outlier detection on traffic statistics to flag abnormal surges of unsatisfied interests. A reconstruction error-based approach (using techniques such as auto-encoders or isolation forests) can identify unusual traffic of interest that does not match the normal patterns learned. Researchers have even proposed graph-based learning: treating the NDN forwarding nodes and traffic flows as a graph and using Graph Neural Networks to spot suspicious patterns in interest propagation [42].
ML-based detectors can recognize complex or subtle attack patterns that evade simple rules. ML classifiers can be trained to detect advanced IFAs (e.g., low rate or periodic pulses) by learning the differences from normal usage. Once trained, a lightweight classifier can potentially make decisions quickly (e.g., a decision tree or neural network forward pass per packet). Such systems also offer the ability to continuously improve, where retraining on new data allow for adaptation to evolving attacker strategies. In evaluations, AI-based approaches (or deep learning) often report high detection rates (e.g., >95% true positive) with manageable false positive rates under various attack intensities. TAI/ML detectors can also combine multiple features (rates, entropy, PIT occupancy, etc.) to improve accuracy beyond any single metric [43].

4.4. Reputation and Trust-Based Systems

Reputation-based IFA defenses assign trust scores or reputations to consumers (or prefixes) and use these scores to throttle or filter traffic. The intuition is that legitimate users will mostly fetch existing content (earning a good reputation), while attackers who constantly request bogus names will accumulate a bad reputation [44]. One representative example is the combination of the Interest Satisfaction Ratio with a user reputation score: if a user’s interests result in very few data returns, their reputation decreases, causing the network to limit the subsequent request rate of that user.
The Poseidon framework combines ISR with per interface state to isolate and penalize malicious interfaces in the network. The router dynamically updates a “goodness score” for each interface based on ISR and PIT occupancy to throttle or block misbehaving traffic sources [28]. In addition, a more intelligent approach using a hybrid radial basis function neural network optimized by particle swarm optimization (RBF-PSO) was introduced. Their model evaluates the trustworthiness of traffic sources based on several features, including ISR, name entropy, and request timing. This scoring informs a real-time mitigation strategy that outperformed traditional rule-based systems in simulation [34].
A credit-based accounting model was proposed that assigns virtual “tokens” to each consumer. Consumers gain or refund tokens when interests are satisfied, and they lose tokens when interests time out. Once a consumer exhausts its token balance, its interests are deprioritized or blocked. This approach mimics economic deterrents and has shown success in preserving PIT space under attack [40].
In distributed scenarios, trust scores can be shared among routers or managed by a central authority, forming a collaborative trust system. The paper further extended this by incorporating Cumulative Sum (CUSUM)-based anomaly detection into trust scoring, demonstrating resilience against traditional and collusive IFAs in IoT environments [9], while some proposals employed fuzzy logic or Bayesian inference to smooth reputation changes over time and reduce false positives due to transient network issues or bursty traffic.

4.5. Blockchain-Based Approaches

Blockchain-based defenses against IFAs in NDN are an emerging area of research that uses the decentralized and tamper-proof nature of blockchain to improve trust and coordination among network entities [45,46]. The core idea involves using blockchain to maintain a secure, immutable ledger of network activities or reputation data, enabling NDN routers to make informed decisions about traffic management.
In an IoT-based NDN scenario, a blockchain (REF) could be employed to record the behavior of nodes, effectively creating a shared "blacklist" or reputation ledger accessible to all network participants. A data-driven trust mechanism was produced in which trust values of the IoT sensor nodes are stored on a blockchain [47], which facilitates the detection and mitigation of attacks, including IFAs. In this framework, sensors and NDN forwarders can update the ledger with evidence of malicious activity, and the consensus mechanism ensures that no single compromised node can falsely accuse others without collective agreement.
Smart contracts, self-executing contracts with terms directly written in code, can be utilized to automate mitigation actions (REF). For example, a smart contract could be programmed to trigger specific responses, such as instructing edge routers to block a particular consumer identity, once predefined conditions are met, like multiple routers reporting an abnormally high rate of unsatisfied interests from that identity. A smart contract approach ensures timely and coordinated responses to potential threats.

4.6. Performance Evaluation

Despite the wide range of detection and mitigation strategies surveyed, a consistent limitation in the literature is the lack of standardized benchmarking frameworks. Most studies evaluate their proposed methods in isolated environments, using various metrics, traffic patterns, and network configurations. As a result, direct comparisons of detection accuracy, latency, and scalability remain largely qualitative. For example, while ML-based approaches frequently report high true positive rates (above 95%) [43], these evaluations are often based on synthetic datasets or restricted simulations, limiting generalizability. Similarly, blockchain-enabled strategies highlight trust and decentralization benefits but seldom quantify the impact on packet forwarding delay or computational overhead [47]. PIT management techniques, such as ChoKIFA+ [22], report effective state cleanup but do not continuously evaluate performance in real-time or mobile scenarios.
This inconsistency in performance evaluation presents a barrier to identifying the most practical defenses for specific deployment contexts, particularly in resource-constrained IoT or edge computing environments. Future work should prioritize the creation of a reproducible benchmarking environment, preferably with shared datasets, simulation configurations, and agreed-upon evaluation metrics, to enable head-to-head comparisons across mitigation strategies. Until such standards are established, the absence of quantitative parity between studies remains a critical limitation in evaluating the operational trade-offs of IFA countermeasures [8,33].

5. Applications and Use Cases of NDN

Different NDN application domains, such as IoT deployments, wireless sensor networks (WSNs), and other constrained environments, face unique IFA challenges and have inspired specialized defense strategies. Here, we examine how IFA defenses are applied or adapted in IoT (including smart homes, healthcare, and industrial IoT) and WSNs.

5.1. IFA Defense in IoT Networks (NDN of Things)

The IoT domain often involves numerous low-power devices (sensors/actuators) that use NDN to fetch commands or report data. These devices (and their gateways) usually have limited memory (small PIT size) and processing capability, making them even more vulnerable to PIT exhaustion. At the same time, introducing heavy defense algorithms can be impractical. One notable effort to target this domain is the NDN of Things (NDNoT) framework and the IfNoT mechanism. IfNoT is an IFA mitigation approach specifically designed for NDNoT environments [48]. Identify attacker nodes within the IoT network and filter out their interest traffic before it can propagate widely. The IfNoT mechanism monitors the interest behavior of IoT nodes and pinpoints those that send suspiciously large numbers of unsatisfied interests. Once identified, requests for these nodes are curtailed. IfNoT essentially pushes detection to the network edge; by quickly detecting malicious IoT devices, the gateway can cut off their traffic, protecting both the local network resources and the rest of the NDN infrastructure.

5.1.1. Smart Home

In smart home NDN scenarios, an attacker might compromise an IoT device (smart light) and flood the interests, potentially blocking the home NDN hub so that other devices (door locks, sensors) cannot get data through. A solution like IfNoT would detect misbehaving light and isolate it, ensuring that the security camera feed or the data from the medical sensor in the home continue to flow [32].

5.1.2. Healthcare IoT

In healthcare IoT (e.g., body sensor networks reporting patient data via NDN), an IFA could be life-threatening if it delays critical telemetry. Thus, IoT-oriented defenses prioritize low false positives, and they are not allowed to block the legitimate traffic of an insulin pump accidentally. Many IoT defenses employ lightweight statistical checks (such as a moving average of the satisfaction rate) due to limited CPU resources, and often assume a simple network topology (one or two hops to a gateway) [8].

5.1.3. Industrial IoT (IIoT)

In Industrial Internet of Things (IIOT) settings, such as smart factories that use NDN for sensor/actuator communication, these networks might be targeted by attackers to disrupt operations. Industrial NDN deployments sometimes incorporate additional safeguards [49]. Some IIoT proposals suggest segmenting the network, where the NDN traffic of each machine is isolated, so that an attack from one segment cannot clog the PIT of routers serving another segment. It introduced a behavior auditing scheme using blockchain for industrial NDN, primarily to detect misbehavior (including flooding) and record it as immutable [49], in line with the blockchain approaches discussed earlier. Industrial environments may have more computing resources at gateways, allowing for the use of slightly heavier detection algorithms, but the required response time is also tight (to avoid downtime).

5.2. Wireless Sensor Networks and NDN

WSNs (a subset of IoT) often involve multi-hop low-power networks. NDN has been adapted to WSNs for efficient data collection. In such networks, an IFA could originate from a compromised sensor node or an external attacker spoofing interests over the wireless channel. One characteristic of WSNs is that nodes often know their immediate neighbors and parent node (in a tree), so some defenses leverage local monitoring: if a child node sends way more interests upstream than usual, the parent can suspect an attack [50]. Techniques such as rate policing have been employed at cluster heads or parent nodes in a sensor tree. These act similarly to interface rate limiting, but here the “interface” is a single-child sensor. Because WSN nodes have limited PIT space, a few dozen malicious interests could already cause drops, so WSN-focused schemes are very aggressive in filtering [51].
Another technique in WSN/IoT is to utilize the knowledge of the central base station. Often, the IoT/WSN has a base station or gateway to which all data ultimately flows. This gateway can maintain a global view of the content names (similar to the InterestFence content awareness idea) and inform the network of fake interests. In essence, the base station can play the role of the content producer (for data collected in the network) and can quickly recognize if an interest is asking for non-existent data. The base station can then send a command to the sensors to drop interests with that name [52]. The recognition of interests is analogous to the InterestFence HSL concept but tailored to WSN: the base station could send a short “do not forward Interests for X” message if X is malicious. Although the specific literature on WSN-targeted IFA defense is not abundant, these principles are discussed in IoT security contexts.
To contextualize mitigation strategies within practical deployment settings, Table 3 associates each category with a relevant application domain. Domains such as Smart Homes, Healthcare IoT, Industrial IoT, NDNoT, and Wireless Sensor Networks each impose limitations and expose resources to threats. Smart Home systems often emphasize low energy usage and reduced latency, which favors approaches like PIT management and rate limiting over computationally demanding methods such as blockchain-based validation. On the other hand, NDNoT deployments involving various edge devices may benefit more from hybrid techniques that integrate lightweight machine learning with caching or trust-based filtering.

6. Open Challenges and Future Research Directions

Despite significant advances in understanding and mitigating Interest Flooding Attacks (IFAs), several open challenges remain. We highlight key gaps and future directions: from the need for standardized evaluation and reduction of false positives to handling new threat scenarios such as encrypted traffic, real-time IoT constraints, and cross-layer defense integration, as shown in Table 4.

6.1. High False Positive Rates

A persistent issue for many defenses is the difficulty of distinguishing malicious interests from legitimate but unsatisfied interests. Current solutions, especially those using simple heuristics or even some ML, can still misidentify bursts of valid traffic as attacks. Misclassification leads to false positives, which result in legitimate requests being throttled or dropped, effectively causing a denial of service to honest users, the very thing we want to avoid. Future research is needed to reduce these false positives, which might involve developing more nuanced detection that considers context (e.g., recognizing a genuine flash crowd vs. a botnet) or dynamically adjusting thresholds based on network conditions. Techniques like adaptive baselines (where normal behavior is continuously learned and the system flags deviations that are statistically significant) could help [33].

6.2. NDN Privacy

In NDN, the encryption or obfuscation of content names enhances privacy by preventing eavesdroppers and even routers from discerning requested content. However, this practice complicates the detection of IFAs, as traditional defense mechanisms rely on identifying specific name prefixes associated with malicious interests. When content names are encrypted or hashed, routers perceive only opaque identifiers, hindering their ability to distinguish between legitimate and malicious requests. This challenge is further exacerbated in IoT environments where gateways aggregate requests or function as proxies, resulting in composite traffic that obscures the attribution of requests to individual devices [8].
Addressing these detection challenges requires content-agnostic methodologies. An approach involves analyzing traffic patterns by monitoring metrics such as PIT utilization and satisfaction ratios; significant deviations in these metrics may signal the presence of an IFA, enabling detection without reliance on content name semantics [23]. Cryptographic techniques like zero-knowledge proofs could allow routers to verify the validity of interest packets without accessing plaintext content names, thereby preserving privacy while authenticating requests. Similarly, employing data structures like Bloom filters enables producers to disseminate representations of valid content names, allowing routers to probabilistically determine the legitimacy of content requests without decrypting them. These strategies aim to balance the imperative for robust security measures with the preservation of user privacy in NDN architectures [23].

6.3. Real-Time Constraints in IoT and Edge Computing

In IoT and edge computing environments, real-time constraints require that detection mechanisms operate within strict timing and resource limitations. Sensor nodes in these networks often operate on microcontrollers with limited computational power and energy reserves, frequently entering sleep modes to conserve energy [53]. Detection algorithms that are computationally intensive or have prolonged execution times are impractical, as they could prevent timely responses to threats like IFAs and deplete the nodes’ limited resources. The integration of detection mechanisms must be carefully managed to avoid interfering with the primary functions of the nodes, ensuring that critical tasks are not delayed or missed due to the overhead introduced by security processes [53].
To address these challenges, future research should focus on developing lightweight, online algorithms optimized for microcontroller-based implementations. Lightweight solutions may involve simplifying existing detection methods or designing new algorithms with low computational complexity from the ground up. Implementing interrupt-driven detection mechanisms can provide rapid responses to potential attacks; when a node’s PIT reaches a predefined threshold, an interrupt could trigger immediate mitigation actions, thereby preventing PIT overflow and maintaining network stability. Testing and designing these detection systems within Real-Time Operating Systems (RTOSs) is crucial. These RTOS platforms are designed for embedded systems, offering features that support real-time constraints and efficient resource management, making them suitable environments for deploying and evaluating IFA defense mechanisms in IoT contexts [48].

6.4. Resource Constraints of IoT Devices

One primary challenge is the resource constraints of IoT devices [54], which make it difficult for them to perform essential NDN functions such as maintaining FIB and PIT entries, especially in mobile scenarios where devices frequently change locations. The heterogeneity of IoT devices and their mobility complicate reliable data delivery, as broken reverse paths and limited processing capabilities hinder efficient communication. Several open challenges have been identified in the deployment of NDN in IoT environments [55]. The heterogeneity of IoT devices and their mobility complicate the delivery of reliable data, as broken reverse paths and limited processing capabilities hinder efficient communication [56,57]. To address these issues, an edge-assisted NDN-based IoT framework (ENIPC) has been suggested that takes advantage of edge devices with abundant resources to handle routing, caching, and forwarding functions [54]. This hierarchical architecture enables IoT devices to offload resource-intensive tasks to edge nodes, supporting mobility and multiple data retrievals through dynamic name sets and edge-based FIB management [54].

6.5. Energy-Efficient

The achievement of energy-efficient data transmission while maintaining scalability and security is another major challenge facing the NDN [58]. Previous methodologies and strategies often lead to excessive energy consumption and vulnerability to attacks such as APTs and side-channel exploits. This challenge was addressed by proposing, for example, the RLEAFS (reinforcement learning-based energy-aware forwarding strategy) protocol, which intelligently selects energy-aware paths and incorporates adaptive sleep modes [58]. The RLEAFS approach reduces energy consumption and prolongs network lifetime, and also enhances security by making the network more resilient to attacks through optimized routing and resource management [59]. The protocol incorporates adaptive sleep modes, where non-essential nodes estimate their hop distance to the sink and enter sleep states to conserve energy, waking periodically to check for ongoing transmissions.
By combining reinforcement learning, energy-sensitive routing, and sleep mechanisms, RLEAFS offers a robust, efficient, and secure framework for the dissemination of IoT data, ensuring sustainable operation in resource-constrained environments while maintaining high performance and data integrity [59].

7. Conclusions

This survey examined IFAs, a persistent threat to DoS in NDN. We explored how NDN’s stateful forwarding and pull-based communication model make it uniquely vulnerable to such attacks, particularly through PIT misuse. A taxonomy of IFA variants, including fake, unsatisfiable, and collusive attacks, was discussed alongside their operational characteristics. The paper reviews recent detection and mitigation strategies by grouping them into five categories: rate limiting, PIT management, ML/AI-based techniques, reputation/trust systems, and blockchain-based approaches. Rate limiting controls traffic volume but may reduce legitimate requests during high load. PIT management adjusts interest handling to block attacks at the forwarding layer, though it may disrupt normal routing. ML/AI-based methods adaptively detect anomalies using traffic features, but can be resource-intensive. Reputation systems score nodes based on behavior, helping with gradual mitigation, but face cold-start and collusion issues. Blockchain-based approaches offer decentralized trust and accountability at the cost of increased latency and complexity. Each category has its strengths and limitations, particularly when evaluated in terms of metrics such as scalability, detection accuracy, overhead, and adaptability.
Although progress is evident, challenges remain. Real-time detection with low false positives, content-agnostic filtering that preserves privacy, and evaluation frameworks that ensure reproducibility are still lacking. Applications in NDNoT, smart homes, and industrial networks demand lightweight, adaptive defenses.
To guide future innovation, this survey discusses five main research directions: development of mitigation strategies that combine multiple defense layers, privacy-preserving detection mechanisms suited for encrypted or obfuscated content names, real-time optimization for edge and IoT environments, standardized benchmarking frameworks for reproducibility and cross-study comparison, and adaptive systems capable of learning and evolving with new attack patterns.
Future work should focus on hybrid models that blend statistical learning with decentralized validation, ensuring security without sacrificing efficiency. Addressing these challenges will be the key to realizing the promise of NDN as a future secure and scalable Internet architecture.

Author Contributions

Conceptualization, S.O. and Q.Z.; methodology, S.O.; software, S.O.; validation, Y.C., G.C. and E.B.; formal analysis, S.O., Q.Z., D.N. and S.W.; investigation, Y.C. and G.C.; resources, Y.C. and G.C.; data curation, S.O.; writing—original draft preparation, S.O. and Y.C.; writing—review and editing, Q.Z., D.N., S.W., G.C. and E.B.; visualization, S.O.; supervision, Y.C. and E.B.; project administration, G.C.; funding acquisition, Y.C. and G.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Navy through grant number N68335-25-C-0232, from 26 February 2025 to 18 July 2025.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

Authors Qi Zhao, Deeraj Nagothu, Sixiao Wei and Genshe Chen were employed by the company Intelligent Fusion Technology, Inc. The remaining authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AIArtificial Intelligence
ANNArtificial Neural Network
CHOKeCHOose and Keep for responsive flows
CSContent Store
CUSUMCumulative Sum
DoSDenial of Service
DDoSDistributed Denial of Service
DPEDecoupling Pending Entries
EWMAExponential Weighted Moving Average
FIBForwarding Information Base
GNNGraph Neural Network
HSLHash-based Security Label
ICNInformation-Centric Networking
IFAInterest Flooding Attack
IfNoTInterest flooding mitigation for NDNoT
IIoTIndustrial Internet of Things
IoTInternet of Things
ISRInterest Satisfaction Ratio
MLMachine Learning
NACKNegative Acknowledgment
NCRNamed Content Retrieval
NDNNamed Data Networking
NDNoTNamed Data Networking of Things
PITPending Interest Table
PSOParticle Swarm Optimization
RBFRadial Basis Function
RTOSReal-Time Operating System
SBFStable Bloom Filter
S-PITStable Bloom Filter–enhanced PIT
WSNWireless Sensor Network

References

  1. Ahlgren, B.; Dannewitz, C.; Imbrenda, C.; Kutscher, D.; Ohlman, B. A survey of information-centric networking. IEEE Commun. Mag. 2012, 50, 26–36. [Google Scholar] [CrossRef]
  2. Cisco. Cisco Annual Internet Report (2018–2023) White Paper; Cisco: San Jose, CA, USA, 2020; Volume 10, pp. 1–35. [Google Scholar]
  3. Xylomenos, G.; Ververidis, C.N.; Siris, V.A.; Fotiou, N.; Tsilopoulos, C.; Vasilakos, X.; Katsaros, K.V.; Polyzos, G.C. A survey of information-centric networking research. IEEE Commun. Surv. Tutor. 2013, 16, 1024–1049. [Google Scholar] [CrossRef]
  4. Baccelli, E.; Mehlis, C.; Hahm, O.; Schmidt, T.C.; Wählisch, M. Information centric networking in the IoT: Experiments with NDN in the wild. In Proceedings of the 1st ACM Conference on Information-Centric Networking, Paris, France, 24–26 September 2014; pp. 77–86. [Google Scholar]
  5. Jacobson, V.; Smetters, D.K.; Thornton, J.D.; Plass, M.F.; Briggs, N.H.; Braynard, R.L. Networking named content. In Proceedings of the 5th International Conference on Emerging Networking Experiments and Technologies, Rome, Italy, 1–4 December 2009; pp. 1–12. [Google Scholar]
  6. Zhang, L.; Afanasyev, A.; Burke, J.; Jacobson, V.; Claffy, K.; Crowley, P.; Papadopoulos, C.; Wang, L.; Zhang, B. Named data networking. ACM SIGCOMM Comput. Commun. Rev. 2014, 44, 66–73. [Google Scholar] [CrossRef]
  7. Zhu, K.; Chen, Z.; Yan, W.; Zhang, L. Security attacks in named data networking of things and a blockchain solution. IEEE Internet Things J. 2018, 6, 4733–4741. [Google Scholar] [CrossRef]
  8. Benmoussa, A.; Kerrache, C.A.; Lagraa, N.; Mastorakis, S.; Lakas, A.; Tahari, A.E.K. Interest flooding attacks in named data networking: Survey of existing solutions, open issues, requirements, and future directions. ACM Comput. Surv. 2022, 55, 1–37. [Google Scholar] [CrossRef]
  9. Al-Share, R.A.; Shatnawi, A.S.; Al-Duwairi, B. Detecting and mitigating collusive interest flooding attacks in named data networking. IEEE Access 2022, 10, 65996–66017. [Google Scholar] [CrossRef]
  10. Pu, C.; Zhu, P. Defending against flooding attacks in the internet of drones environment. In Proceedings of the 2021 IEEE Global Communications Conference (GLOBECOM), Madrid, Spain, 7–11 December 2021; pp. 1–6. [Google Scholar]
  11. Lee, R.T.; Leau, Y.B.; Park, Y.J.; Anbar, M. A survey of interest flooding attack in named-data networking: Taxonomy, performance and future research challenges. IETE Tech. Rev. 2022, 39, 1027–1045. [Google Scholar] [CrossRef]
  12. Alubady, R.; Hassan, S.; Habbal, A. Pending interest table control management in Named Data Network. J. Netw. Comput. Appl. 2018, 111, 99–116. [Google Scholar] [CrossRef]
  13. Sucipto, A.; Ahdan, S.; Syambas, N.R. PIT Performance Measurement using NFD Pipeline Parameters in Named Data Networking (NDN). In Proceedings of the 2024 10th International Conference on Wireless and Telematics (ICWT), Batam, Indonesia, 4–5 July 2024; pp. 1–5. [Google Scholar]
  14. Kaur, R.; Singh, A.; Singh, A.; Goyal, A.; Singh, A.; Batra, S. An efficient pending interest table content search in NDN through stable bloom filter. Comput. J. 2024, 67, 941–946. [Google Scholar] [CrossRef]
  15. Khelifi, H.; Luo, S.; Nour, B.; Shah, S.C. Security and privacy issues in vehicular named data networks: An overview. Mob. Inf. Syst. 2018, 2018, 5672154. [Google Scholar] [CrossRef]
  16. Jeet, R.; Arun Raj Kumar, P. A survey on interest packet flooding attacks and its countermeasures in named data networking. Int. J. Inf. Secur. 2022, 21, 1163–1187. [Google Scholar] [CrossRef]
  17. Ullah, S.S.; Hussain, S.; Ali, I.; Khattak, H.; Mastorakis, S. Mitigating content poisoning attacks in named data networking: A survey of recent solutions, limitations, challenges and future research directions. Artif. Intell. Rev. 2024, 58, 42. [Google Scholar] [CrossRef]
  18. Afanasyev, A.; Mahadevan, P.; Moiseenko, I.; Uzun, E.; Zhang, L. Interest flooding attack and countermeasures in named data networking. In Proceedings of the 2013 IFIP Networking Conference, Brooklyn, NY, USA, 22–24 May 2013; pp. 1–9. [Google Scholar]
  19. Theeranantachai, S.; Zhang, B.; Zhang, L. NDN’s Stateful Forwarding Plane in the Presence of Ground-Satellite Handovers. In Proceedings of the 2024 IEEE 32nd International Conference on Network Protocols (ICNP), Charleroi, Belgium, 28–31 October 2024; pp. 1–11. [Google Scholar]
  20. Yi, C.; Afanasyev, A.; Moiseenko, I.; Wang, L.; Zhang, B.; Zhang, L. A case for stateful forwarding plane. Comput. Commun. 2013, 36, 779–791. [Google Scholar] [CrossRef]
  21. Shi, Z.; Xu, Y.; Ma, M.; Zhang, Y. An EWMA-Based Mitigation Scheme Against Interest Flooding Attacks in Named Data Networks. In Proceedings of the International Conference on Intelligent Computing, Tianjin, China, 5–8 August 2024; pp. 158–167. [Google Scholar]
  22. Benarfa, A.; Hassan, M.; Losiouk, E.; Compagno, A.; Yagoubi, M.B.; Conti, M. ChoKIFA+: An early detection and mitigation approach against interest flooding attacks in NDN. Int. J. Inf. Secur. 2021, 20, 269–285. [Google Scholar] [CrossRef]
  23. Kumar, N.; Singh, A.K.; Srivastava, S. Fast Detection and Traceback-based Mitigation of Interest Flooding Attack. SN Comput. Sci. 2025, 6, 1–15. [Google Scholar] [CrossRef]
  24. Buragohain, M.; Nandi, S. Demystifying security on NDN: A survey of existing attacks and open research challenges. In The “Essence” of Network Security: An End-to-End Panorama; Springer: Singapore, 2021; pp. 241–261. [Google Scholar]
  25. Yu, L.; Ai, H.; Choi, D.O. Countermeasures of interest flooding attack in named data networking: A survey. Int. J. Electr. Eng. Educ. 2023, 60, 279–295. [Google Scholar] [CrossRef]
  26. Zhao, L.; Cheng, G.; Hu, X.; Wu, H.; Gong, J.; Yang, W.; Fan, C. An insightful experimental study of a sophisticated interest flooding attack in NDN. In Proceedings of the 2018 1st IEEE International Conference on Hot Information-Centric Networking (HotICN), Shenzhen, China, 15–17 August 2018; pp. 121–127. [Google Scholar]
  27. Rahman, M.A.; Liang, T.; Zhang, B. BLEnD: Improving NDN performance over wireless links using interest bundling. In Proceedings of the MILCOM 2021-2021 IEEE Military Communications Conference (MILCOM), San Diego, CA, USA, 29 November–2 December 2021; pp. 432–437. [Google Scholar]
  28. Compagno, A.; Conti, M.; Gasti, P.; Tsudik, G. Poseidon: Mitigating interest flooding DDoS attacks in named data networking. In Proceedings of the 38th Annual IEEE Conference on Local Computer Networks, Sydney, Australia, 21–24 October 2013; pp. 630–638. [Google Scholar]
  29. Wah, C.H.; Chang, R.K.C. Defending against flooding-based distributed denial-of-service attacks: A tutorial. IEEE Commun. Mag. 2002, 40, 42–51. [Google Scholar]
  30. Signorello, S.; Marchal, S.; Francois, J.; Festor, O.; State, R. Advanced interest flooding attacks in named-data networking. In Proceedings of the 2017 IEEE 16th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, 30 October–1 November 2017; pp. 1–10. [Google Scholar]
  31. Wang, K.; Guo, D.; Quan, W. Analyzing NDN NACK on interest flooding attack via SIS epidemic model. IEEE Syst. J. 2019, 14, 1862–1873. [Google Scholar] [CrossRef]
  32. Kumari, M.K.; Tripathi, N. Detecting interest flooding attacks in NDN: A probability-based event-driven approach. Comput. Secur. 2025, 148, 104124. [Google Scholar] [CrossRef]
  33. Cheng, G.; Zhao, L.; Hu, X.; Zheng, S.; Wu, H.; Fan, C. A network-wide view-based detection and mitigation of a sophisticated Interest Flooding Attack. EURASIP J. Wirel. Commun. Netw. 2020, 2020, 1–18. [Google Scholar] [CrossRef]
  34. Karami, A.; Guerrero-Zapata, M. A hybrid multiobjective rbf-pso method for mitigating dos attacks in named data networking. Neurocomputing 2015, 151, 1262–1282. [Google Scholar] [CrossRef]
  35. Hidouri, A.; Hajlaoui, N.; Touati, H.; Hadded, M.; Muhlethaler, P. A survey on security attacks and intrusion detection mechanisms in named data networking. Computers 2022, 11, 186. [Google Scholar] [CrossRef]
  36. Named Data Networking Project. Named Data Networking (NDN) Project FAQ. 2025. Available online: https://named-data.net/project/faq/ (accessed on 3 April 2025).
  37. Dong, J.; Wang, K.; Quan, W.; Yin, H. InterestFence: Simple but efficient way to counter interest flooding attack. Comput. Secur. 2020, 88, 101628. [Google Scholar] [CrossRef]
  38. Wang, Y.; Rozhnova, N.; Narayanan, A.; Oran, D.; Rhee, I. An improved hop-by-hop interest shaper for congestion control in named data networking. ACM SIGCOMM Comput. Commun. Rev. 2013, 43, 55–60. [Google Scholar] [CrossRef]
  39. Alston, A.; Refaei, T. Neutralizing interest flooding attacks in named data networks using cryptographic route tokens. In Proceedings of the 2016 IEEE 15th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, 31 October–2 November 2016; pp. 85–88. [Google Scholar]
  40. Ghali, C.; Tsudik, G.; Uzun, E. Needle in a haystack: Mitigating content poisoning in named-data networking. In Proceedings of the NDSS Workshop on Security of Emerging Networking Technologies (SENT), San Diego, CA, USA, 23 February 2014; pp. 1–10. [Google Scholar]
  41. Magsi, A.H.; Mohsan, S.A.H.; Muhammad, G.; Abbasi, S. A machine learning-based interest flooding attack detection system in vehicular named data networking. Electronics 2023, 12, 3870. [Google Scholar] [CrossRef]
  42. Rabari, J.; Kumar, A.R.P. FIFA: Fighting against interest flooding attack in NDN-based VANET. In Proceedings of the 2021 International Wireless Communications and Mobile Computing (IWCMC), Harbin, China, 28 June–2 July 2021; pp. 1539–1544. [Google Scholar]
  43. Liang, H.; Burgess, L.; Liao, W.; Wang, Q.; Yu, W. On detecting interest flooding attacks in named data networking (ndn)–based iot searches. In AI, Machine Learning and Deep Learning; CRC Press: Boca Raton, FL, USA, 2023; pp. 259–276. [Google Scholar]
  44. Ogunbunmi, S.; Chen, Y.; Blasch, E.; Chen, G. A survey on reputation systems for uav networks. Drones 2024, 8, 253. [Google Scholar] [CrossRef]
  45. Ogunbunmi, S.; Hatmai, M.; Xu, R.; Chen, Y.; Blasch, E.; Ardiles-Cruz, E.; Aved, A.; Chen, G. A lightweight reputation system for uav networks. In Proceedings of the International Conference on Security and Privacy in Cyber-Physical Systems and Smart Vehicles, Chicago, IL, USA, 12–16 October 2023; pp. 114–129. [Google Scholar]
  46. Qu, Q.; Ogunbunmi, S.; Hatami, M.; Xu, R.; Chen, Y.; Chen, G.; Blasch, E. A digital twins enabled reputation system for microchain-based uav networks. In Proceedings of the 2023 IEEE 12th International Conference on Cloud Networking (CloudNet), Hoboken, NJ, USA, 1–3 November 2023; pp. 428–432. [Google Scholar]
  47. Sivaganesan, D. A data driven trust mechanism based on blockchain in IoT sensor networks for detection and mitigation of attacks. J. Trends Comput. Sci. Smart Technol. (TCSST) 2021, 3, 59–69. [Google Scholar]
  48. Bilgili, S.; Demir, A.K.; Alam, S. Ifnot: An approach towards mitigating interest flooding attacks in named data networking of things. Internet Things 2024, 25, 101076. [Google Scholar] [CrossRef]
  49. He, Y.; Ma, Y.; Hu, Q.; Zhou, Z.; Xiao, K.; Wang, C. Lightweight transmission behavior audit scheme for NDN Industrial Internet identity resolution and transmission based on blockchain. Electronics 2023, 12, 2538. [Google Scholar] [CrossRef]
  50. Din, M.S.U.; Rehman, M.A.U.; Kim, B.S. CIDF-WSN: A collaborative interest and data forwarding strategy for named data wireless sensor networks. Sensors 2021, 21, 5174. [Google Scholar] [CrossRef]
  51. Bukhowah, R.; Aljughaiman, A.; Rahman, M.H. Detection of dos attacks for IoT in information-centric networks using machine learning: Opportunities, challenges, and future research directions. Electronics 2024, 13, 1031. [Google Scholar] [CrossRef]
  52. Dong, J.; Wang, K.; Lyu, Y.; Jiao, L.; Yin, H. InterestFence: Countering interest flooding attacks by using hash-based security labels. In Proceedings of the Algorithms and Architectures for Parallel Processing: 18th International Conference, ICA3PP 2018, Guangzhou, China, 15–17 November 2018; Proceedings, Part IV 18. Springer: Berlin/Heidelberg, Germany, 2018; pp. 527–537. [Google Scholar]
  53. Oikonomou, G.; Duquennoy, S.; Elsts, A.; Eriksson, J.; Tanaka, Y.; Tsiftes, N. The Contiki-NG open source operating system for next generation IoT devices. SoftwareX 2022, 18, 101089. [Google Scholar] [CrossRef]
  54. Wang, X.; Cai, S. Edge-assisted NDN-based IoT framework with provider and consumer mobility support. IEEE Trans. Netw. Sci. Eng. 2022, 9, 1713–1725. [Google Scholar] [CrossRef]
  55. Wang, X.; Cai, S. Secure healthcare monitoring framework integrating NDN-based IoT with edge cloud. Future Gener. Comput. Syst. 2020, 112, 320–329. [Google Scholar] [CrossRef]
  56. Habibzadeh, H.; Dinesh, K.; Shishvan, O.R.; Boggio-Dandry, A.; Sharma, G.; Soyata, T. A survey of healthcare Internet of Things (HIoT): A clinical perspective. IEEE Internet Things J. 2019, 7, 53–71. [Google Scholar] [CrossRef] [PubMed]
  57. Dhingra, S.; Madda, R.B.; Gandomi, A.H.; Patan, R.; Daneshmand, M. Internet of Things mobile–air pollution monitoring system (IoT-Mobair). IEEE Internet Things J. 2019, 6, 5577–5584. [Google Scholar] [CrossRef]
  58. Askar, N.A.; Habbal, A. RLEAFS: Reinforcement Learning based Energy Aware Forwarding Strategy for NDN based IoT Networks. IEEE Access 2024, 12, 177173–177188. [Google Scholar] [CrossRef]
  59. Karim, S.M.; Habbal, A.; Chaudhry, S.A.; Irshad, A. BSDCE-IoV: Blockchain-based secure data collection and exchange scheme for IoV in 5G environment. IEEE Access 2023, 11, 36158–36175. [Google Scholar] [CrossRef]
Figure 1. NDN forwarding architecture.
Figure 1. NDN forwarding architecture.
Futureinternet 17 00357 g001
Figure 2. Illustration of Collusive IFA (CIFA).
Figure 2. Illustration of Collusive IFA (CIFA).
Futureinternet 17 00357 g002
Figure 3. Interest Flooding Attack (IFA) taxonomy.
Figure 3. Interest Flooding Attack (IFA) taxonomy.
Futureinternet 17 00357 g003
Table 1. Taxonomy of Interest Flooding Attacks (IFAs).
Table 1. Taxonomy of Interest Flooding Attacks (IFAs).
Attack TypeDescriptionTargetSourceRate
Fake InterestRequests for non-existent contentNetwork layerSingle/DistributedConstant/Variable
Unsatisfiable InterestExploits filters to block matching dataNetwork layerDistributedConstant
Interest LoopsAbuses aggregation/routing to create loopsNetwork layerSingleVariable
Collusive IFA (CIFA)Producer cooperates with attackerApplication layerDistributedVariable
Cache Bypassing AttackUses unique suffixes to bypass cacheApplication layerSingleConstant
Table 2. Comparison of IFA mitigation techniques.
Table 2. Comparison of IFA mitigation techniques.
TechniqueMain IdeaStrengthsWeaknessesComputing Complexity
Rate LimitingThrottle interfaces based on unsatisfied interest rateSimple, lightweight, easy to deployMay penalize legitimate bursts of trafficLow
PIT ManagementModify or bypass PIT storage to reduce overloadTargets core vulnerability directlyRisks breaking interest–data matching semanticsMedium
ML/AI-BasedLearn and classify traffic patterns as normal or maliciousAdaptive to evolving attacks, detects stealthy behaviorRequires training data, high resource usageHigh
Trust/ReputationScore consumers based on behavior historyGradual mitigation, works in distributed settingsCold-start problem, susceptible to Sybil or collusionMedium
Blockchain-BasedUse shared ledgers or smart contracts to validate behaviorTamper-proof, ensures accountability and traceabilityHigh latency, storage, and consensus overheadHigh
Table 3. Application domains vs. IFA mitigation strategies.
Table 3. Application domains vs. IFA mitigation strategies.
Application DomainRecommended Mitigation Approaches
Smart HomesRate limiting, PIT management, content-agnostic filtering
Healthcare IoTLightweight ML detection, trust/reputation scoring, flow-based filtering
Industrial IoT (IIoT)Stateless detection, adaptive rate control, collaborative trust systems
NDNoT (NDN over IoT)ML + caching strategies, low-latency interest shaping, PIT pruning
Wireless Sensor NetworksRule-based detection, periodic PIT flushing, constrained rate-limiting
Table 4. Open research challenges in IFA detection.
Table 4. Open research challenges in IFA detection.
ChallengeWhy It MattersWhat’s NeededFuture Direction
High False PositivesCan block legitimate usersAdaptive thresholding, behavior modelingAdaptive baselines
NDN Privacy vs. DetectionEncrypted names hide attacker behaviorContent-agnostic or zero-knowledge detectionCryptographic techniques
Real-Time IoT ConstraintsSlow methods can not run on microcontrollersRTOS-compatible lightweight algorithmsInterrupt-driven detection mechanisms
Lack of Evaluation StandardsNo uniform metrics across studiesShared testbeds, benchmark datasetsEdge-assisted NDN-based IoT framework
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Ogunbunmi, S.; Chen, Y.; Zhao, Q.; Nagothu, D.; Wei, S.; Chen, G.; Blasch, E. Interest Flooding Attacks in Named Data Networking and Mitigations: Recent Advances and Challenges. Future Internet 2025, 17, 357. https://doi.org/10.3390/fi17080357

AMA Style

Ogunbunmi S, Chen Y, Zhao Q, Nagothu D, Wei S, Chen G, Blasch E. Interest Flooding Attacks in Named Data Networking and Mitigations: Recent Advances and Challenges. Future Internet. 2025; 17(8):357. https://doi.org/10.3390/fi17080357

Chicago/Turabian Style

Ogunbunmi, Simeon, Yu Chen, Qi Zhao, Deeraj Nagothu, Sixiao Wei, Genshe Chen, and Erik Blasch. 2025. "Interest Flooding Attacks in Named Data Networking and Mitigations: Recent Advances and Challenges" Future Internet 17, no. 8: 357. https://doi.org/10.3390/fi17080357

APA Style

Ogunbunmi, S., Chen, Y., Zhao, Q., Nagothu, D., Wei, S., Chen, G., & Blasch, E. (2025). Interest Flooding Attacks in Named Data Networking and Mitigations: Recent Advances and Challenges. Future Internet, 17(8), 357. https://doi.org/10.3390/fi17080357

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop