Csikor, L., Rothenberg, C., Pezaros, D., Schmid, S., Toka, L. and Retvari, G. (2018) Policy Injection: a Cloud Dataplane DoS Attack. In: ACM Special Interest Group on Data Communication (SIGCOMM), Budapest, Hungary, 20-25 Aug 2018, pp. 147-149. ISBN 9781450395153 (doi: 10.1145/3234200.3234250)
Full text: 164494.pdf (Accepted Version, 765kB)
Abstract
Enterprises continue to migrate their services to the cloud on a massive scale, but the increasing attack surface has become a natural target for malevolent actors. We show policy injection, a novel algorithmic complexity attack that enables a tenant to add specially tailored ACLs into the data center fabric to mount a denial-of-service attack by exploiting the built-in security mechanisms of cloud management systems (CMS). Our insight is that certain ACLs, when fed with special covert packets by an attacker, may be very difficult to evaluate, leading to an exhaustion of cloud resources. We show how a tenant can inject seemingly harmless ACLs into the cloud data plane to abuse an algorithmic deficiency in the most popular cloud hypervisor switch, Open vSwitch, reduce its effective peak performance by 80-90%, and, in certain cases, deny network access altogether.
| Field | Value |
|---|---|
| Item Type: | Conference Proceedings |
| Status: | Published |
| Refereed: | Yes |
| Glasgow Author(s) Enlighten ID: | Csikor, Dr Levente and Pezaros, Professor Dimitrios |
| Authors: | Csikor, L., Rothenberg, C., Pezaros, D., Schmid, S., Toka, L., and Retvari, G. |
| College/School: | College of Science and Engineering > School of Computing Science |
| ISBN: | 9781450395153 |
| Copyright Holders: | Copyright © 2018 Association for Computing Machinery |
| First Published: | First published in Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos (SIGCOMM '18): 147-149 |
| Publisher Policy: | Reproduced in accordance with the publisher copyright policy |