Policy Injection: A Cloud Dataplane DoS Attack

Csikor, L., Rothenberg, C., Pezaros, D. , Schmid, S., Toka, L. and Retvari, G. (2018) Policy Injection: A Cloud Dataplane DoS Attack. ACM Special Interest Group on Data Communication (SIGCOMM), Budapest, Hungary, 20-25 Aug 2018. (Unpublished)

[img] Text
164494.pdf - Accepted Version
Restricted to Repository staff only

581kB

Abstract

Enterprises continue to migrate their services to the cloud on a massive scale, but the increasing attack surface has become a natural target for malevolent actors. We show policy injection, a novel algorithmic complexity attack that enables a tenant to add specially tailored ACLs into the data center fabric to mount a denial-of-service attack through exploiting the built-in security mechanisms of the cloud management systems (CMS) . Our insight is that certain ACLs, when fed with special covert packets by an attacker, may be very difficult to evaluate, leading to an exhaustion of cloud resources. We show how a tenant can inject seemingly harmless ACLs into the cloud data plane to abuse an algorithmic deficiency in the most popular cloud hypervisor switch, Open vSwitch, and reduce its effective peak performance by 80-90%, and, in certain cases, denying network access altogether.

Item Type:Conference or Workshop Item
Status:Unpublished
Refereed:Yes
Glasgow Author(s) Enlighten ID:Csikor, Dr Levente and Pezaros, Dr Dimitrios
Authors: Csikor, L., Rothenberg, C., Pezaros, D., Schmid, S., Toka, L., and Retvari, G.
College/School:College of Science and Engineering > School of Computing Science

University Staff: Request a correction | Enlighten Editors: Update this record