Levente Csikor
Dinil Mon Divakaran
ABSTRACT
Efficient and highly available packet classification is fundamental for various security primitives. In this paper, we evaluate whether the de facto Tuple Space Search (TSS) packet classification algorithm used in popular software networking stacks such as the Open vSwitch is robust against low-rate denial-of-service attacks. We present the Tuple Space Explosion (TSE) attack that exploits the fundamental space/time complexity of the TSS algorithm.
TSE can degrade the switch performance to 12% of its full capacity with a very low packet rate (0.7 Mbps) when the target only has simple policies such as, "allow some, but drop others". Worse, an adversary with additional partial knowledge of these policies can virtually bring down the target with the same low attack rate. Interestingly, TSE does not generate any specific traffic patterns but only requires arbitrary headers and payloads which makes it particularly hard to detect.
Due to the fundamental complexity characteristics of TSS, unfortunately, there seems to be no complete mitigation to the problem. As a long-term solution, we suggest the use of other algorithms (e.g., HaRP) that are not vulnerable to the TSE attack. As a short-term countermeasure, we propose MFCGuard that carefully manages the tuple space and keeps packet classification fast.
- A Linux Foundation Collaborative Project. Production Quality, Multilayer Open Virtual Switch. http://www.openvswitch.org/, Accessed: June 2019.Google Scholar
- Afek, Y., Bremler-Barr, A., Harchol, Y., Hay, D., and Koral, Y. Making DPI engines resilient to algorithmic complexity attacks. IEEE/ACM Transactions on Networking 24, 6 (2016), 3262--3275.Google ScholarDigital Library
- Afek, Y., Bremler-Barr, A., Harchol, Y., Hay, D., and Koral, Y. Making dpi engines resilient to algorithmic complexity attacks. IEEE/ACM Transactions on Networking 24, 6 (December 2016), 3262--3275.Google ScholarDigital Library
- Ajo, M., Graf, T., Lazzaro, I., and Pettit, J. Taking security groups to ludicrous speed with OVS. In OpenStack Summit (2015).Google Scholar
- Alam, M. J., Goodrich, M. T., and Johnson, T. J-Viz: Finding algorithmic complexity attacks via graph visualization of Java bytecode. In IEEE Symposium on Visualization for Cyber Security (2016), pp. 1--8.Google ScholarCross Ref
- Amazon Web Services. Elastic Load Balancing features. https://aws.amazon.com/elasticloadbalancing/features/#Details_for_Elastic_Load_Balancing_Products, Accessed in Jun 2019.Google Scholar
- Antikainen, M., Aura, T., and Särelä, M. Spook in your network: Attacking an SDN with a compromised OpenFlow switch. In NordSec (2014), pp. 229--244.Google ScholarCross Ref
- Arins, A. Firewall as a service in sdn openflow network. In 2015 IEEE 3rd Workshop on Advances in Information, Electronic and Electrical Engineering (AIEEE) (Nov 2015), pp. 1--5.Google ScholarCross Ref
- Auger, A., and Doerr, B. Theory of Randomized Search Heuristics. WORLD SCIENTIFIC, 2011.Google ScholarDigital Library
- Baboescu, F., Singh, S., and Varghese, G. Packet classification for core routers: Is there an alternative to CAMs? In Int. Conf. Comput. Commun. (Apr 2003), pp. 53--63.Google ScholarCross Ref
- Ben Pfaff. OVS Orbit podcast. https://ovsorbit.org/episode-67.mp3, 2018.Google Scholar
- Ben Pfaff. [ovs-discuss] ovs-dpctl del-flow works strange. Mailing list archive, https://mail.openvswitch.org/pipermail/ovs-discuss/2019-June/048887.html, 2019 June.Google Scholar
- Casado, M., Koponen, T., Moon, D., and Shenker, S. Rethinking packet forwarding hardware. In HotNets (2008).Google Scholar
- CheckMarx. Regular expression Denial of Service: ReDoS, 2017. https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS.Google Scholar
- Cloud Native Computing Foundation. Network Policies. https://kubernetes.io/docs/concepts/services-networking/network-policies.Google Scholar
- Crosby, S. A., and Wallach, D. S. Denial of service via algorithmic complexity attacks. In USENIX Security (2003), pp. 3--3.Google Scholar
- Csikor, L., Divakaran, D. M., and Kang, M. S. Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier. Blog post. https://ovsdos.comp.nus.edu.sg/, 2019.Google Scholar
- Csikor, L., and Rétvári, G. The discrepancy of the megaflow cache in ovs. In Open vSwitch Fall Conference (Club Auto Sport, Santa Clara, CA, 2018).Google Scholar
- Csikor, L., Rothenberg, C., Pezaros, D. P., Schmid, S., Toka, L., and Rétvári, G. Policy injection: A cloud dataplane dos attack. In Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos (New York, NY, USA, 2018), SIGCOMM '18, ACM, pp. 147--149.Google Scholar
- Csikor, L., Szalay, M., Sonkoly, B., and Toka, L. NFPA: Network function performance analyzer. In IEEE NFV-SDN, Demo Track (2015), pp. 17--19.Google Scholar
- Czubak, A., and Szymanek, M. Algorithmic complexity vulnerability analysis of a stateful firewall. In ISAT (2017), pp. 77--97.Google ScholarCross Ref
- Dalton, M., et al. Andromeda: Performance, isolation, and velocity at scale in cloud network virtualization. In USENIX NSDI (2018), pp. 373--387.Google Scholar
- Delimitrou, C., and Kozyrakis, C. Bolt: I know what you did last summer... in the cloud. In ASPLOS (2017), pp. 599--613.Google ScholarDigital Library
- DPDK. Membership Library. https://doc.dpdk.org/guides/prog_guide/member_lib.html.Google Scholar
- et al., T. K. Network virtualization in multi-tenant datacenters. In NSDI (2014), pp. 203--216.Google Scholar
- FD.io. Contiv/VPP Kubernetes Network Plugin. https://fdio-vpp.readthedocs.io/en/latest/usecases/contiv/K8s_Overview.html.Google Scholar
- FD.io. VPP - Vector Packet Processing. https://docs.fd.io/vpp/19.01/index.html.Google Scholar
- Feldman, A., and Muthukrishnan, S. Tradeoffs for packet classification. In INFOCOM (2000), vol. 3, pp. 1193--1202.Google ScholarCross Ref
- Firestone, D., et al. Azure accelerated networking: SmartNICs in the public cloud. In USENIX NSDI (2018), pp. 51--66.Google Scholar
- Gobriel, S., and Tai, C. OvS Lookup Optimization Using Two-Layer Table Lookup. In Open vSwitch Fall Conference (2016).Google Scholar
- Gupta, P., and McKeown, N. Packet classification on multiple fields. In SIGCOMM (1999), pp. 147--160.Google ScholarDigital Library
- Gupta, P., and McKeown, N. Algorithms for packet classification. IEEE Network 15, 2 (2001), 24--32.Google ScholarDigital Library
- Gupta, P., and McKeown, N. Algorithms for packet classification. Netwrk. Mag. of Global Internetwkg. 15, 2 (2001), 24--32.Google ScholarDigital Library
- Intel. Network function virtualization: Quality of Service in Broadband Remote Access Servers with Linux and Intel architecture. https://networkbuilders.intel.com/docs/Network_Builders_RA_NFV_QoS_Aug2014.pdf.Google Scholar
- ioVisor. eXpress Data Path, 2016. https://www.iovisor.org/technology/xdp.Google Scholar
- Istio. Authentication Policy, 2018. https://istio.io/docs/reference/config/istio.authentication.v1alpha1.Google Scholar
- Istio. Ingress Controller, 2018. https://istio.io/docs/tasks/traffic-management/ingress.html.Google Scholar
- Istio. Traffic Routing, 2018. https://istio.io/docs/reference/config/istio.networking.v1alpha3.Google Scholar
- Khan, S., and Traore, I. A prevention model for algorithmic complexity attacks. In DIMVA (2005), pp. 160--173.Google ScholarDigital Library
- Kim, C., Caesar, M., Gerber, A., and Rexford, J. Revisiting route caching: The world should be flat. In PAM (2009), pp. 3--12.Google ScholarCross Ref
- Kocher, P., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., and Yarom, Y. Spectre Attacks: Exploiting Speculative Execution. ArXiv e-prints (Jan. 2018).Google Scholar
- Kogan, K., et al. SAX-PAC: scalable and expressive packet classification. In SIGCOMM (2014), pp. 15--26.Google Scholar
- Kuzmanovic, A., and Knightly, E. W. Low-rate tcp-targeted denial of service attacks: the shrew vs. the mice and elephants. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications (2003), ACM, pp. 75--86.Google ScholarDigital Library
- Lim, H., Lee, N., and Lee, J. Multi-match packet classification scheme combining tcam with an algorithmic approach. IEIE Transactions on Smart Processing and Computing 6, 1 (Febr 2017), 27--38.Google ScholarCross Ref
- Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., and Hamburg, M. Meltdown. ArXiv e-prints (Jan. 2018).Google Scholar
- Liu, X., Cho, B., and Kim, J. Sd-ovs: Syn flooding attack defending open vswitch for sdn. In WISA (03 2017), pp. 29--41.Google Scholar
- Liu, Y., Amin, S. O., and Wang, L. Efficient FIB caching using minimal non-overlapping prefixes. SIGCOMM Comput. Commun. Rev. 43, 1 (2013), 14--21.Google ScholarDigital Library
- McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., and Turner, J. OpenFlow: enabling innovation in campus networks. SIGCOMM Computer Communication Review 38, 2 (2008), 69--74.Google ScholarDigital Library
- Molnár, L., Pongrácz, G., Enyedi, G., Kis, Z. L., Csikor, L., Juhász, F., Kőrösi, A., and Rétvári, G. Dataplane specialization for high-performance OpenFlow software switching. In SIGCOMM (2016), pp. 539--552.Google ScholarDigital Library
- Netronome. Agilio OVS Software Architecture for Server-based Networking. Whitepaper, 2018. https://www.netronome.com/media/documents/WP_Agilio_SW.pdf.Google Scholar
- Newman, P., Minshall, G., and Lyon, T. L. IP switching - ATM under IP. IEEE/ACM Trans. Netw. 6, 2 (1998), 117--129.Google ScholarDigital Library
- Nicholas Gray, Manuel Sommer, T. Z., and Tran-Gia, P. FlowFuzz: a framework for fuzzing openflow-enabled software and hardware switches. In Black Hat (2017).Google Scholar
- The Open Networking Foundation. OpenFlow Switch Specifications v.1.4.0, 2013.Google Scholar
- Pearce, M., Zeadally, S., and Hunt, R. Virtualization: Issues, security threats, and solutions. ACM Comput. Surv. 45, 2 (2013), 17:1--17:39.Google ScholarDigital Library
- Petsios, T., Zhao, J., Keromytis, A. D., and Jana, S. SlowFuzz: Automated domain-independent detection of algorithmic complexity vulnerabilities. In ACM CCS (2017), pp. 2155--2168.Google ScholarDigital Library
- Pettit, J. Accelerating Open vSwitch to "Ludicrous Speed. Blog post: Network Heresy - Talses of the network reformation, 2014. https://networkheresy.com/2014/11/13/accelerating-open-vswitch-to-ludicrous-speed/.Google Scholar
- Pfaff, B., and Davie, B. The Open vSwitch database management protocol. RFC 7047, 2013.Google Scholar
- Pfaff, B., Pettit, J., Koponen, T., Jackson, E., Zhou, A., Rajahalme, J., Gross, J., Wang, A., Stringer, J., Shelar, P., Amidon, K., and Casado, M. The design and implementation of Open vSwitch. In NSDI (2015), pp. 117--130.Google ScholarDigital Library
- Pong, F., and Tzeng, N.-F. Hashing round-down prefixes for rapid packet classification. In USENIX Annual Technical Conference (2009).Google Scholar
- Ram, K. K., Cox, A. L., Chadha, M., and Rixner, S. Hyper-Switch: A Scalable Software Virtual Switching Architecture. In Usenix ATC (2013), p. 12.Google Scholar
- Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In ACM CCS (2009), pp. 199--212.Google ScholarDigital Library
- Schuchard, M., Thompson, C., Hopper, N., and Kim, Y. Taking routers off their meds: Unstable routers and the buggy bgp implementations that cause them. Tech. rep., tech. rep., University of Minnesota, 2011.Google Scholar
- SecuritytWeek. CSA's cloud adoption, practices and priorities survey report, 2015. http://www.securityweek.com/data-security-concerns-still-challenge.Google Scholar
- Shelly, N., Jackson, E. J., Koponen, T., McKeown, N., and Rajahalme, J. Flow caching for high entropy packet fields. SIGCOMM Comput. Commun. Rev. 44, 4 (2014).Google ScholarDigital Library
- Srinivasan, V., Suri, S., and Varghese, G. Packet classification using tuple space search. In SIGCOMM (1999), pp. 135--146.Google ScholarDigital Library
- The Calico project. https://www.projectcalico.org/.Google Scholar
- The Chromium Projects. QUIC, a multiplexed stream transport over UDP. https://www.chromium.org/quic, 2019.Google Scholar
- The ONOS project. Security Group. https://wiki.onosproject.org/display/ONOS/Security+Group.Google Scholar
- The Open vSwitch project. Kubernetes integration for OVN. https://github.com/openvswitch/ovn-kubernetes.Google Scholar
- The OpenDaylight project. OVSDB:Security Groups. https://wiki.opendaylight.org/view/OVSDB:Security_Groups.Google Scholar
- The OpenStack project. Manage project security. https://docs.openstack.org/nova/pike/admin/security-groups.html.Google Scholar
- The OpenStack project. Networking-vpp. https://wiki.openstack.org/wiki/Networking-vpp.Google Scholar
- The OpenStack project. OpenStack Neutron integration with OVN. https://docs.openstack.org/networking-ovn/latest.Google Scholar
- Thimmaraju, K., Shastry, B., Fiebig, T., Hetzelt, F., Seifert, J., Feldmann, A., and Schmid, S. Taking control of sdn-based cloud systems via the data plane. In ACM Symposium on SDN Research (SOSR) (2018).Google ScholarDigital Library
- Tollet, J. Networking-VPP: A fast forwarding vSwitch/vRouter for OpenStack. In FOSDEM (2018).Google Scholar
- Varadarajan, V., Zhang, Y., Ristenpart, T., and Swift, M. A placement vulnerability study in multi-tenant public clouds. In USENIX Security (2015), pp. 913--928.Google Scholar
- Varvello, M., Laufer, R., Zhang, F., and Lakshman, T. Multi-Layer Packet Classification with Graphics Processing Units. In Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies - CoNEXT '14 (Sydney, Australia, 2014), ACM Press, pp. 109--120.Google ScholarDigital Library
- Weimer, F. Algorithmic complexity attacks and the linux networking code, 2003. http://www.enyo.de/fw/security/notes/linux-dst-cache-dos.html.Google Scholar
- Zhou, D., Fan, B., Lim, H., Kaminsky, M., and Andersen, D. G. Scalable, high performance Ethernet forwarding with CuckooSwitch. In CoNEXT (2013), pp. 97--108.Google ScholarDigital Library
Index Terms
- Tuple space explosion: a denial-of-service attack against a software packet classifier
Recommendations
A comprehensive survey of DDoS defense solutions in SDN: Taxonomy, research challenges, and future directions
Highlights- Identified high quality research articles in the field of SDN-aimed DDoS attacks using a systematic literature review protocol.
AbstractThe recent emergence of technologies such as Network Functions Virtualization (NFV), Intent based Networking, Internet of Things (IoT), 5G, and Cloud Computing have led to the rapid growth of networks. The inflexibility and vendor-...
Catabolism attack and Anabolism defense
Security is a major challenge in Opportunistic Networks (OppNets) because of its characteristics, such as open medium, dynamic topology, no centralized management and absent clear lines of defense. A packet dropping attack is one of the major security ...
Defense against packet collusion attacks in opportunistic networks
Security is a major challenge in Opportunistic Networks (OppNets) because of its characteristics such as an open medium, dynamic topology, no centralized management and absent clear lines of defense. A packet dropping attack is one of the major security ...
Comments