Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier

Csikor, L., Divakaran, D. M., Kang, M. S., Kőrösi, A., Sonkoly, B., Haja, D., Pezaros, D. P., Schmid, S. and Rétvári, G. (2019) Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier. In: 15th International Conference on emerging Networking EXperiments and Technologies (ACM CoNEXT'19), Orlando, FL, USA, 07-12 Dec 2019, pp. 292-304. ISBN 9781450369985 (doi: 10.1145/3359989.3365431)

202085.pdf - Accepted Version (1MB)

Abstract

Efficient and highly available packet classification is fundamental for various security primitives. In this paper, we evaluate whether the de facto Tuple Space Search (TSS) packet classification algorithm used in popular software networking stacks such as Open vSwitch is robust against low-rate denial-of-service attacks. We present the Tuple Space Explosion (TSE) attack that exploits the fundamental space/time complexity of the TSS algorithm. TSE can degrade the switch performance to 12% of its full capacity with a very low packet rate (0.7 Mbps) when the target only has simple policies such as "allow some, but drop others". Worse, an adversary with additional partial knowledge of these policies can virtually bring down the target with the same low attack rate. Interestingly, TSE does not generate any specific traffic patterns but only requires arbitrary headers and payloads, which makes it particularly hard to detect. Due to the fundamental complexity characteristics of TSS, unfortunately, there seems to be no complete mitigation to the problem. As a long-term solution, we suggest the use of other algorithms (e.g., HaRP) that are not vulnerable to the TSE attack. As a short-term countermeasure, we propose MFCGuard, which carefully manages the tuple space and keeps packet classification fast.
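To make the space/time trade-off the abstract refers to concrete, here is a toy Tuple Space Search classifier that counts how many subtables one lookup has to probe. This is example code written for this record, not code from the paper or from Open vSwitch; the subtable cap in it is an assumed simplification standing in for a guard such as MFCGuard, not that mechanism's actual logic, and all header values are constructed.

```python
import itertools
FIELDS = ("src_ip", "dst_ip", "proto", "src_port", "dst_port")
# A mask is the subset of fields a rule matches exactly; the rest are wildcarded.
MASKS = [m for r in (1, 2) for m in itertools.combinations(FIELDS, r)]

class TSSClassifier:
    """Toy Tuple Space Search: one hash table ("subtable") per distinct mask."""
    def __init__(self, max_subtables=None):
        self.subtables = {}  # mask -> {projected header key: (priority, action)}
        self.max_subtables = max_subtables  # assumed stand-in for a guard like MFCGuard; None = plain TSS
        self.probes = 0      # subtable probes performed so far (for measurement)

    def add_rule(self, mask, values, priority, action):
        """Install a rule; returns False if a new mask would exceed the cap."""
        if (mask not in self.subtables and self.max_subtables is not None
                and len(self.subtables) >= self.max_subtables):
            return False
        key = tuple(values[f] for f in mask)
        self.subtables.setdefault(mask, {})[key] = (priority, action)
        return True

    def lookup(self, pkt, default="drop"):
        # The best match may sit in any subtable, so all are probed: cost tracks masks, not rules.
        best_prio, best_action = -1, default
        for mask, table in self.subtables.items():
            self.probes += 1
            hit = table.get(tuple(pkt[f] for f in mask))
            if hit is not None and hit[0] > best_prio:
                best_prio, best_action = hit
        return best_action

def probes_per_lookup(clf, packets):
    """Average number of subtable probes one classification costs on clf."""
    before = clf.probes
    for pkt in packets:
        clf.lookup(pkt)
    return (clf.probes - before) / len(packets)

def build_demo(n_rules=8, cap=4):
    """Constructed sample: same rules installed three ways; returns probes per lookup for each."""
    base = dict(src_ip="10.0.0.1", dst_ip="10.0.0.2", proto=6, src_port=4000, dst_port=80)
    shared, spread, capped = TSSClassifier(), TSSClassifier(), TSSClassifier(cap)
    for i in range(n_rules):
        vals = dict(base, dst_port=8000 + i)
        shared.add_rule(("dst_ip", "dst_port"), vals, 10, "allow")
        spread.add_rule(MASKS[i], vals, 10, "allow")  # a new subtable each time
        capped.add_rule(MASKS[i], vals, 10, "allow")  # rejected once cap is hit
    probe = [dict(base, dst_port=p) for p in (80, 443, 8001)]
    return tuple(probes_per_lookup(c, probe) for c in (shared, spread, capped))
```

With eight rules, one shared mask costs one probe per lookup, eight distinct masks cost eight, and the cap holds it at four: the number of masks, not the number of rules, is what the classifier pays for.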

Item Type: Conference Proceedings
Status: Published
Refereed: Yes
Glasgow Author(s) Enlighten ID: Csikor, Dr Levente and Pezaros, Professor Dimitrios
Authors: Csikor, L., Divakaran, D. M., Kang, M. S., Kőrösi, A., Sonkoly, B., Haja, D., Pezaros, D. P., Schmid, S., and Rétvári, G.
College/School: College of Science and Engineering > School of Computing Science
ISBN: 9781450369985
Copyright Holders: Copyright © 2019 Association for Computing Machinery
Publisher Policy: Reproduced in accordance with the copyright policy of the publisher


Project Code | Award No | Project Name | Principal Investigator | Funder's Name | Funder Ref | Lead Dept
172888 |  | Network Measurement as a Service (MaaS) | Dimitrios Pezaros | Engineering and Physical Sciences Research Council (EPSRC) | EP/N033957/1 | Computing Science
173446 |  | FRuIT: The Federated RaspberryPi Micro-Infrastructure Testbed | Jeremy Singer | Engineering and Physical Sciences Research Council (EPSRC) | EP/P004024/1 | Computing Science