
Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier (PowerPoint presentation)



  1. Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier. Levente Csikor, Min Suk Kang, Dinil Mon Divakaran, Attila Kőrösi, Dávid Haja, Balázs Sonkoly, Dimitrios P. Pezaros, Stefan Schmid, Gábor Rétvári. CoNEXT 2019, Dec 11, 2019

  2. Packet Classification in the Past (diagram labels: Facebook, eMail, Storage, Packet Classifier, IDS, Drop)

  3. Proliferation of virtualization (diagram labels: Social Media, eMail, Storage, Packet Classifier, IDS; virtualized packet classifier, e.g., Open vSwitch, VPP)

  4. Algorithmic packet classification is expensive on general purpose processors... (Ben Pfaff et al., "The Design and Implementation of Open vSwitch", USENIX NSDI 2015)

  5. In this talk
  ▻ Tuple Space Explosion (TSE): a family of novel Denial-of-Service (DoS) attacks against the de facto packet classifier algorithm (the Tuple Space Search scheme) used in Open vSwitch, VPP, GSwitch, etc.
  ▻ A remote adversary can degrade the performance to 12% of the baseline (10 Gbps) with only 672 kbps (!) of attack traffic
  ▻ A co-located adversary can virtually bring the performance down to 0%
  ▻ Attack traffic is particularly hard to filter out:
    ▾ no attack signature (packets w/ random headers)
    ▾ low-rate (thousands of packets per second)
    ▾ legitimate packets
  ▻ Countermeasures

  6. Threat model
  ▻ System model:
    ▾ typical multi-tenant cloud
    ▾ OVS is used for packet processing
    ▾ tenants use the Cloud Management System (CMS) to set up their ACLs
    ▾ to access-control, redirect, log, etc.
  ▻ Attacker's goal
    ▾ send some packets towards the virtual switch that, when subjected to the ACLs, will exhaust its resources
  ▻ Attacker's capability
    ▾ craft and send arbitrary packets to a target OVS
      ▿ No privilege on the target (General TSE)
      ▿ Co-located with the target (Co-located TSE)

  7. Per-tenant ACLs (diagram labels: Social Media, eMail, Storage, IDS, Packet Classifier, virtualized packet classifier)
  Social Media ACL:
    dst_port  action
    80        allow
    *         drop
  eMail ACL:
    src_IP    dst_port  action
    *         993       allow
    10.0.2.2  *         allow
    *         *         drop

  8. 22/02/2020 (image-only slide; no text extracted)

  9. (image-only slide; no text extracted)

  10. Explosion in the Tuple Space
  ▻ Problem: more masks → slower packet classification
  ▻ Tuple Space Explosion phenomenon:
    1) 16-bit TCP destination port → 16 masks
    2) 32-bit source IP address → 32 masks
  ▻ And that's only ONE allow rule on ONE header field
  ▻ Multiple allow rules on multiple header fields result in exponential growth → cross-product
    ▾ matching on either 1) or 2) → 16*32 = 512 masks

  11. Tuple Space Explosion (TSE)
  ▻ Goal: blow up the tuple space
    ▾ Spawn as many masks (and hashes) as possible
      ▿ to make classification a costly linear search
    ▾ One packet for each bucket
      ◦ port = [0, 64, 80, 81, …, 32768] (16 packets)
  Flow Table:
    TCP DST PORT  action
    80            output:1
    *             drop
  Megaflow entries (value/mask) and the ports they cover:
    0/ffc0:      2 drop, ...
    64/fff0:     67 drop, ...
    80/ffff:     80 allow
    81/ffff:     81 drop
    256/ff00:    256 drop, ...
    32768/8000:  32768 drop, 32769 drop, 32770 drop, 32771 drop, 32772 drop, 32773 drop, ..., 65535 drop

  12. (image-only slide; no text extracted)

  13. Tuple Space Explosion (TSE)
  ▻ Without the flow table → Difficult
    ▾ Sending all possible packets seems fine
      ▿ BUT: 2^k packets for a header of k bits!
        ◦ too much effort
        ◦ easily detectable (like a port scan, easily becomes volumetric)
    ▾ Can we just send random packets?

  14. TSE w/ random packets
  ▻ Q: What are the chances that a random header spawns a new mask (and hash)?
  ▻ Key finding: it depends on the number of wildcarded bits (k) for header length h
    ▾ 1*** **** **** **** (32768/8000, e.g. dport=32769) → ~50%
    ▾ 0000 0000 01** **** (64/fff0) → ~0.1%
  (figure: entries 32768 drop, 32769 drop, 32770 drop, 32771 drop, 32772 drop, 32773 drop, ..., 65535 drop under 32768/8000; 64 drop, 65 drop, 66 drop, 67 drop, 68 drop, 69 drop, ..., 79 drop under 64/fff0)

  15. TSE w/ random packets
  ▻ (M)easured and (E)xpected numbers for different ACLs assumed to be installed by the victim (figure; y-axis label: drop to 10%)
    ▿ Dp ◦ dst_port only
    ▿ SipDp ◦ src_IP + dst_port
    ▿ SpDp ◦ src_port + dst_port
    ▿ SipSpDp (full-blown) ◦ src_IP + src_port + dst_port

  16. Denial-of-Service
  ▻ Success rate of randomly generated packets
    ▾ 672 kbps (!) attack traffic → 88% performance drop
      ▿ 1,000 pps → reduce from 10 Gbps to 1.2 Gbps
  ▻ What if the adversary has more knowledge/resources?

  17. Per-tenant ACLs, extended (diagram labels: Social Media, eMail, Storage, IDS, Packet Classifier, virtualized packet classifier)
  Social Media ACL:
    dst_port  action
    80        allow
    *         drop
  eMail ACL:
    src_IP    dst_port  action
    *         993       allow
    10.0.2.2  *         allow
    *         *         drop
  Storage ACL:
    src_IP    src_port  dst_port  action
    *         *         80        allow
    *         45321     *         allow
    10.0.0.1  *         *         allow
    *         *         *         drop

  18. Co-located TSE attack
  ▻ Adversary leases resources in the cloud
  ▻ Configures its own ACL
  ▻ Sends only the required number of packets
    ▾ one packet for each mask (and hash)
  ▻ More significant service degradation with far fewer packets
    ▾ 1000 pps → thousands of masks → close to 0% (full DoS)
  ▻ However:
    ▾ the attack is against the infrastructure, not a specific target
      ▿ DoS against the co-located services "only"

  19. Effects on a broader scale
  ▻ In a cloud, an attacker can easily exploit this!
  ▻ Several public cloud deployments are affected
    ▾ Docker/OVN (based on OVS)
    ✔ Kubernetes/OVN (based on OVS)
    ▾ Contiv/VPP Kubernetes (based on VPP)
    ✔ OpenStack/Neutron/OVN (based on OVS)
    ▾ OpenStack/Neutron-VPP (based on VPP)

  20. Countermeasures
  ▻ Filtering out the attack traffic is hard
    ▾ legitimate traffic
    ▾ no attack signature (random packets w/ random headers)
    ▾ low attack rate (thousands of packets per second)
  ▻ A long-term solution
    ▾ Different classifiers:
      ▿ Hierarchical trees, HyperCuts, HaRP, etc.

  21. (image-only slide; no text extracted)

  22. (image-only slide; no text extracted)

  23. MFC Guard (MFCg) in action

  24. MFC Guard (MFCg)
  ▻ When the MFC is cleaned, the victim's performance goes back to its baseline
    ▾ attack packets → slow path
  ▻ CPU overhead?
    ▾ 1 kpps attack rate = 15% CPU usage
    ▾ 10 kpps attack rate = 80% CPU usage

  25. (image-only slide; no text extracted)

  26. (image-only slide; no text extracted)

  27. (image-only slide; no text extracted)

  28. (image-only slide; no text extracted)

  29. General TSE
  ▻ Random packets
    ▾ Probability that among n random packets there is at least one that sparks an MFC entry for a given k is: (equation not extracted)
    ▾ C_k is the number of entries for a given k (e.g., k = 0, C_k = 2
  ▻ Expected value can be formalized by: (equation not extracted)
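The question on slides 14 and 29 (how likely a random header is to land on, or spark, a megaflow with k wildcarded bits) can be worked through numerically. The block below is an added example, not code from the paper; it assumes uniformly random, independent 16-bit destination-port headers, so a mask that fixes h-k bits is hit with probability 2^-(h-k) and at least one of n packets hits it with probability 1-(1-p)^n. It reproduces the ~50% figure for 32768/8000 and shows how quickly the chance falls for narrower masks, which is what makes the low-rate, signature-less traffic hard to filter and motivates cleaning the MFC rather than filtering packets.

```python
import math
import random

H = 16  # header width in bits: the TCP destination port used on the slides


def fixed_bits(mask, h=H):
    """Number of bits a megaflow mask actually matches on (the non-wildcarded bits)."""
    return bin(mask & ((1 << h) - 1)).count("1")


def wildcarded_bits(mask, h=H):
    """k from the slides: the bits the mask leaves as '*'."""
    return h - fixed_bits(mask, h)


def mask_hit_probability(mask, h=H):
    """Chance that ONE uniformly random h-bit header lands on a megaflow with this mask.

    Only the h-k fixed bits have to equal a particular value, so p = 2^-(h-k):
    1/2 for 32768/8000 (k = 15), 1/4096 for 64/fff0 (k = 4).
    """
    return 2.0 ** -fixed_bits(mask, h)


def prob_spark_within(n, mask, h=H):
    """Chance that at least one of n independent random headers hits the mask.
    Assumption: headers are uniform and independent, so this is 1 - (1 - p)^n."""
    return 1.0 - (1.0 - mask_hit_probability(mask, h)) ** n


def packets_needed(mask, confidence=0.99, h=H):
    """Smallest n for which prob_spark_within(n, mask) >= confidence (closed form)."""
    p = mask_hit_probability(mask, h)
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def empirical_hit_rate(mask, value, n=10000, seed=1):
    """Constructed Monte Carlo check: draw n random 16-bit ports with a fixed seed and
    count the fraction the megaflow value/mask would have absorbed."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n) if (rng.getrandbits(H) & mask) == value)
    return hits / n


if __name__ == "__main__":
    # The masks are the ones shown on slides 11 and 31 for the "80 allow, * drop" table.
    for value, mask in [(32768, 0x8000), (256, 0xFF00), (0, 0xFFC0), (64, 0xFFF0), (80, 0xFFFF)]:
        print(f"{value:5d}/{mask:04x}: k={wildcarded_bits(mask):2d}  p={mask_hit_probability(mask):.6f}  "
              f"P(sparked within 1000 pkts)={prob_spark_within(1000, mask):.4f}  "
              f"n for 99%={packets_needed(mask)}")
    print("empirical hit rate for 32768/8000:", empirical_hit_rate(0x8000, 32768))
```

The wide masks are reached by a handful of random packets, while an exact-match mask such as 80/ffff needs on the order of 2^16 packets; the measured-versus-expected comparison on slide 15 is this calculation carried over the masks each ACL generates.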

  30. Countermeasures
  ▻ Immediate yet impractical remedies
    ▾ offload the ACL implementation to a different switch
      ✗ others might suffer from the same attack
    ▾ high-performance gateway appliance
      ✗ cannot help against an attack from within the cloud
    ▾ switch the MFC completely OFF
      ✗ the MFC is the biggest performance improvement so far

  31. Tuple Space Search
  Flow Table:
    TCP DST PORT  action
    80            output:1
    *             drop
  ▻ Entries matching on the same (masked) header fields are collected into one hash table
    ▿ masked packet headers can be found fast
  ▾ Masks and their associated hash tables are searched sequentially
    ▿ can be a costly linear search in case of lots of masks
    ▿ independent of each other → early exit once there is a hit
  ▾ PKT_IN → APPLY_MASK → LookUp → repeat until found
  Example lookups: dport=80 (hit in 80/ffff), dport=32777 (hit in 32768/8000)
  Megaflow entries (value/mask) and the ports they cover:
    0/ffc0:      1, 2, 3, 4, 5, 6, ..., 63 → drop
    64/fff0:     64, 65, 66, 67, 68, 69, ..., 79 → drop
    80/ffff:     80 → allow
    81/ffff:     81 → drop
    256/ff00:    256, 257, 258, 259, 260, 261, ..., 511 → drop
    32768/8000:  32768, 32769, 32770, 32771, 32772, 32773, ..., 65535 → drop
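The mechanism on slides 11 and 31 (one hash table per mask, masks probed sequentially, a miss going to the slow path which installs a new megaflow) and the MFC Guard effect on slide 24 (once the MFC is cleaned the victim's lookup cost returns to baseline, with the evicted traffic taking the slow path) can both be modelled in a few dozen lines. The block below is an added example and is neither the paper's code nor Open vSwitch's. Two parts are assumptions: `megaflow_for` is a reconstructed slow-path model chosen so that it yields exactly the six masks listed on the slides for the "80 allow, * drop" table (shortest prefix distinguishing the port from 80), and `clean` is a simplified hit-count-based eviction, not the paper's MFCg algorithm, which the slides do not detail. The scenario replays only the six headers the slides name; all traffic in it is constructed.

```python
H = 16                      # matched header field: 16-bit TCP destination port
ALLOW_PORT = 80             # the slide's flow table: dst_port 80 -> output:1, * -> drop
WIDTH_MASK = (1 << H) - 1
SLIDE_PORTS = [0, 64, 80, 81, 256, 32768]   # headers listed explicitly on slide 11


def megaflow_for(dport):
    """Slow-path model (assumption): a port other than ALLOW_PORT gets, as its mask, the
    shortest prefix that distinguishes it from ALLOW_PORT; the allowed port gets an exact
    match. Returns (masked_value, mask, action). Reproduces 0/ffc0, 64/fff0, 80/ffff,
    81/ffff, 256/ff00 and 32768/8000 from the slides, and 16 masks over the whole field."""
    if dport == ALLOW_PORT:
        return ALLOW_PORT, WIDTH_MASK, "allow"
    first_diff = (dport ^ ALLOW_PORT).bit_length()   # 1-based position of highest differing bit
    prefix_len = H - first_diff + 1                  # bits from the MSB down to that position
    mask = (WIDTH_MASK << (H - prefix_len)) & WIDTH_MASK
    return dport & mask, mask, "drop"


class TupleSpaceCache:
    """Megaflow cache as Tuple Space Search: one hash table per mask, tables probed
    sequentially in insertion order until a hit."""

    def __init__(self):
        self.tables = {}          # mask -> {masked_value: action}
        self.hits = {}            # (mask, masked_value) -> hits since the last clean-up
        self.slow_path_calls = 0

    def lookup(self, dport):
        """Return (action, probes); probes = number of mask tables consulted.
        A miss in every table additionally costs a slow-path classification, which
        installs a new entry and, if needed, a new mask table."""
        probes = 0
        for mask, table in self.tables.items():
            probes += 1
            key = dport & mask
            if key in table:
                self.hits[(mask, key)] += 1
                return table[key], probes
        self.slow_path_calls += 1
        value, mask, action = megaflow_for(dport)
        self.tables.setdefault(mask, {})[value] = action
        self.hits[(mask, value)] = 1
        return action, probes

    def clean(self, min_hits):
        """Simplified guard pass (assumption, not the paper's MFCg): evict every entry that
        saw fewer than min_hits hits since the previous pass and drop mask tables that become
        empty. Rarely used entries fall back to the slow path; busy flows regain a short
        probe sequence. Returns the number of evicted entries."""
        evicted = 0
        for (mask, value), count in list(self.hits.items()):
            if count < min_hits:
                del self.tables[mask][value]
                del self.hits[(mask, value)]
                evicted += 1
                if not self.tables[mask]:
                    del self.tables[mask]
        for key in self.hits:
            self.hits[key] = 0
        return evicted


def probes_for(cache, dport, count):
    """Replay `count` copies of one header and report what the last copy cost."""
    probes = 0
    for _ in range(count):
        _, probes = cache.lookup(dport)
    return probes


def run_scenario(legit_packets=100, min_hits=10):
    """Lookup cost of the allowed web flow: in a cache that only ever saw port 80, in a
    cache populated with the slide's six headers in slide order, and after a clean-up."""
    baseline = TupleSpaceCache()
    baseline_probes = probes_for(baseline, ALLOW_PORT, legit_packets)

    exploded = TupleSpaceCache()
    for port in SLIDE_PORTS:
        exploded.lookup(port)
    exploded_probes = probes_for(exploded, ALLOW_PORT, legit_packets)
    masks_before_clean = len(exploded.tables)

    evicted = exploded.clean(min_hits)
    cleaned_probes = probes_for(exploded, ALLOW_PORT, legit_packets)
    return {
        "baseline_probes": baseline_probes,
        "exploded_probes": exploded_probes,
        "masks_before_clean": masks_before_clean,
        "evicted": evicted,
        "masks_after_clean": len(exploded.tables),
        "cleaned_probes": cleaned_probes,
    }


if __name__ == "__main__":
    for port in SLIDE_PORTS:
        value, mask, action = megaflow_for(port)
        print(f"dport={port:5d} -> megaflow {value}/{mask:04x} {action}")
    print(run_scenario())
```

With the six slide headers installed, the port-80 flow is found only in the third mask table and a header such as dport=32777 walks five tables before hitting 32768/8000; after the clean-up pass the single remaining mask is found on the first probe again, which is the "back to baseline" behaviour slide 24 reports. The trade-off the slide quantifies as CPU overhead appears here as `slow_path_calls`: every evicted entry that is touched again costs one slow-path classification.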
