Policy Injection: a Cloud Dataplane DoS Attack

Csikor, L., Rothenberg, C., Pezaros, D. , Schmid, S., Toka, L. and Retvari, G. (2018) Policy Injection: a Cloud Dataplane DoS Attack. In: ACM Special Interest Group on Data Communication (SIGCOMM), Budapest, Hungary, 20-25 Aug 2018, pp. 147-149. ISBN 9781450395153 (doi: 10.1145/3234200.3234250)

[img]
Preview
Text
164494.pdf - Accepted Version

765kB

Abstract

Enterprises continue to migrate their services to the cloud on a massive scale, but the increasing attack surface has become a natural target for malevolent actors. We show policy injection, a novel algorithmic complexity attack that enables a tenant to add specially tailored ACLs into the data center fabric to mount a denial-of-service attack through exploiting the built-in security mechanisms of the cloud management systems (CMS) . Our insight is that certain ACLs, when fed with special covert packets by an attacker, may be very difficult to evaluate, leading to an exhaustion of cloud resources. We show how a tenant can inject seemingly harmless ACLs into the cloud data plane to abuse an algorithmic deficiency in the most popular cloud hypervisor switch, Open vSwitch, and reduce its effective peak performance by 80-90%, and, in certain cases, denying network access altogether.

Item Type:Conference Proceedings
Status:Published
Refereed:Yes
Glasgow Author(s) Enlighten ID:Csikor, Dr Levente and Pezaros, Professor Dimitrios
Authors: Csikor, L., Rothenberg, C., Pezaros, D., Schmid, S., Toka, L., and Retvari, G.
College/School:College of Science and Engineering > School of Computing Science
ISBN:9781450395153
Copyright Holders:Copyright © 2018 Association for Computing Machinery
First Published:First published in Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos (SIGCOMM '18): 147-149
Publisher Policy:Reproduced in accordance with the publisher copyright policy

University Staff: Request a correction | Enlighten Editors: Update this record