Csikor, L., Divakaran, D. M., Kang, M. S., Kőrösi, A., Sonkoly, B., Haja, D., Pezaros, D. P., Schmid, S. and Rétvári, G. (2019) Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier. In: 15th International Conference on emerging Networking EXperiments and Technologies (ACM CoNEXT'19), Orlando, FL, USA, 07-12 Dec 2019, pp. 292-304. ISBN 9781450369985 (doi: 10.1145/3359989.3365431)
Text: 202085.pdf - Accepted Version (1MB)
Abstract
Efficient and highly available packet classification is fundamental for various security primitives. In this paper, we evaluate whether the de facto Tuple Space Search (TSS) packet classification algorithm used in popular software networking stacks such as Open vSwitch is robust against low-rate denial-of-service attacks. We present the Tuple Space Explosion (TSE) attack, which exploits the fundamental space/time complexity of the TSS algorithm. TSE can degrade the switch performance to 12% of its full capacity with a very low packet rate (0.7 Mbps) when the target only has simple policies such as "allow some, but drop others". Worse, an adversary with additional partial knowledge of these policies can virtually bring down the target with the same low attack rate. Interestingly, TSE does not generate any specific traffic patterns but only requires arbitrary headers and payloads, which makes it particularly hard to detect. Due to the fundamental complexity characteristics of TSS, unfortunately, there seems to be no complete mitigation to the problem. As a long-term solution, we suggest the use of other algorithms (e.g., HaRP) that are not vulnerable to the TSE attack. As a short-term countermeasure, we propose MFCGuard, which carefully manages the tuple space and keeps packet classification fast.
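The following Python model is an added example for this record; it is not code from the paper or from Open vSwitch. It shows the complexity property the abstract rests on: a TSS lookup probes one hash table per distinct wildcard mask (a "tuple"), so lookup cost grows with the number of distinct masks in the classifier rather than with the number of entries. Two things in the model are constructed assumptions for the illustration only: the policy (allow sources in 192.168.1.0/24, drop everything else) and the way a cache miss is turned into a wildcarded entry (the entry fixes just enough leading source bits to make the verdict unambiguous). Neither is the paper's measured OVS behaviour, and nothing here models MFCGuard. The `informed_attack` function plays the adversary with partial knowledge of the policy from the abstract: it sends one packet per prefix length, each sharing a different number of leading bits with the allowed block, so every miss creates a new tuple and every later lookup, legitimate traffic included, pays for all of them.

```python
"""Toy Tuple Space Search (TSS) classifier behind a flow-cache front end.

Added example, not the paper's or Open vSwitch's code. The policy, the header
layout and the miss-to-mask rule below are constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Header layout used throughout: (src_ip, dst_ip, proto, src_port, dst_port).
FULL_MASK = (0xFFFFFFFF, 0xFFFFFFFF, 0xFF, 0xFFFF, 0xFFFF)
# Constructed policy: allow sources in 192.168.1.0/24, drop everything else.
ALLOW_PREFIX = (0xC0A80100, 24)


def prefix_mask(plen: int) -> int:
    """32-bit mask selecting the top `plen` bits."""
    return ((1 << plen) - 1) << (32 - plen)


@dataclass(frozen=True)
class Rule:
    mask: tuple        # per-field bitmask; identifies the tuple (subtable)
    key: tuple         # header fields already ANDed with the mask
    action: str
    priority: int = 0


class TSSClassifier:
    """Tuple Space Search: one hash table per distinct mask, every table probed."""

    def __init__(self) -> None:
        self.subtables: dict[tuple, dict[tuple, Rule]] = {}

    def insert(self, mask: tuple, header: tuple, action: str) -> None:
        key = tuple(h & m for h, m in zip(header, mask))
        self.subtables.setdefault(mask, {})[key] = Rule(mask, key, action)

    def num_tuples(self) -> int:
        return len(self.subtables)

    def lookup(self, header: tuple) -> tuple[Rule | None, int]:
        """Return (best match or None, hash probes spent).

        Every subtable is probed because the highest-priority match may sit in
        any of them, so the cost equals num_tuples() whether each table holds one
        rule or thousands. That is the space/time trade-off the attack targets.
        """
        hit, probes = None, 0
        for mask, table in self.subtables.items():
            probes += 1
            rule = table.get(tuple(h & m for h, m in zip(header, mask)))
            if rule is not None and (hit is None or rule.priority > hit.priority):
                hit = rule
        return hit, probes


def exact_match_cache(n_flows: int) -> TSSClassifier:
    """Baseline: n_flows distinct flows that all share FULL_MASK, hence one tuple."""
    c = TSSClassifier()
    for i in range(n_flows):
        c.insert(FULL_MASK, (0x0A000000 + i, 0xC0A80101, 6, 1024 + i % 60000, 443), "allow")
    return c


def slow_path(src_ip: int) -> tuple[str, int]:
    """Full policy evaluation plus the mask width the cache entry will get.

    Modelling assumption: the entry fixes only as many leading source bits as
    are needed for an unambiguous verdict. Inside the allowed block that is the
    whole prefix; outside it is one bit past the longest common prefix with the
    block, so different senders produce different mask widths.
    """
    value, plen = ALLOW_PREFIX
    if src_ip & prefix_mask(plen) == value:
        return "allow", plen
    lcp = 0
    while (src_ip >> (31 - lcp)) & 1 == (value >> (31 - lcp)) & 1:
        lcp += 1   # stops before plen because src_ip is outside the block
    return "drop", lcp + 1


def process(cache: TSSClassifier, header: tuple) -> tuple[str, int]:
    """Fast path first; on a miss run slow_path and install a wildcarded entry.

    Returns (verdict, probes spent in the fast path).
    """
    rule, probes = cache.lookup(header)
    if rule is not None:
        return rule.action, probes
    action, bits = slow_path(header[0])
    cache.insert((prefix_mask(bits), 0, 0, 0, 0), header, action)
    return action, probes


def informed_attack(cache: TSSClassifier) -> int:
    """Adversary who knows the allowed block: one packet per prefix length k,
    sharing exactly k-1 leading bits with it, so each miss opens a new tuple.
    Returns the tuple count afterwards."""
    value, plen = ALLOW_PREFIX
    for k in range(1, plen + 1):
        src = value ^ (1 << (32 - k))                       # flip bit k from the MSB
        process(cache, (src, 0x0A000001, 6, 40000, 80))     # other fields arbitrary
    return cache.num_tuples()


if __name__ == "__main__":
    base = exact_match_cache(10_000)
    print("baseline: tuples", base.num_tuples(), "probes",
          base.lookup((0x0A000007, 0xC0A80101, 6, 1031, 443))[1])
    cache = TSSClassifier()
    print("tuples after 24 attack packets:", informed_attack(cache))
    legit = (0xC0A80105, 0x0A000001, 6, 40000, 80)        # 192.168.1.5, allowed
    print("legit packet, miss then hit:", process(cache, legit), process(cache, legit))
```

The baseline shows the other side of the trade-off: ten thousand exact-match flows cost one probe per lookup because they live in a single tuple. After the 24 crafted packets, every lookup probes 24 subtables, and the legitimate 192.168.1.5 packet pays that price both on its miss and on every later hit. Extending the model to several header fields, each with its own range of mask widths, multiplies the reachable tuple count, which is why the abstract treats the effect as a property of TSS itself rather than of one policy.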
| Field | Value |
|---|---|
| Item Type | Conference Proceedings |
| Status | Published |
| Refereed | Yes |
| Glasgow Author(s) Enlighten ID | Csikor, Dr Levente and Pezaros, Professor Dimitrios |
| Authors | Csikor, L., Divakaran, D. M., Kang, M. S., Kőrösi, A., Sonkoly, B., Haja, D., Pezaros, D. P., Schmid, S., and Rétvári, G. |
| College/School | College of Science and Engineering > School of Computing Science |
| ISBN | 9781450369985 |
| Copyright Holders | Copyright © 2019 Association for Computing Machinery |
| Publisher Policy | Reproduced in accordance with the copyright policy of the publisher |