short-paper

Free access

Policy Injection: A Cloud Dataplane DoS Attack

Authors:

Levente Csikor,

Christian Rothenberg,

Dimitrios P. Pezaros,

Stefan Schmid,

László Toka, and

Gábor RétváriAuthors Info & Claims

SIGCOMM '18: Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos

August 2018

Pages 147 - 149

https://doi.org/10.1145/3234200.3234250

Published: 07 August 2018 Publication History

PDF eReader

Abstract

Enterprises continue to migrate their services to the cloud on a massive scale, but the increasing attack surface has become a natural target for malevolent actors. We show policy injection, a novel algorithmic complexity attack that enables a tenant to add specially tailored ACLs into the data center fabric to mount a denial-of-service attack through exploiting the built-in security mechanisms of the cloud management systems (CMS). Our insight is that certain ACLs, when fed with special covert packets by an attacker, may be very difficult to evaluate, leading to an exhaustion of cloud resources. We show how a tenant can inject seemingly harmless ACLs into the cloud data plane to abuse an algorithmic deficiency in the most popular cloud hypervisor switch, Open vSwitch, and reduce its effective peak performance by 80--90%, and, in certain cases, denying network access altogether.

References

[1]

CNCF. 2018. Network Policies. https://kubernetes.io/docs/concepts/services-networking/network-policies.

Google Scholar

[2]

Scott A. Crosby and Dan S. Wallach. 2003. Denial of Service via Algorithmic Complexity Attacks. In USENIX Security. 3--3.

Digital Library

Google Scholar

[3]

Levente Csikor and Dimitrios P. Pezaros. 2017. End-Host Driven Troubleshooting Architecture for Software-Defined Networking. In IEEE Globecom 2017. 1--7.

Google Scholar

[4]

A. Feldman and S. Muthukrishnan. 2000. Tradeoffs for packet classification. In INFOCOM, Vol. 3. 1193--1202.

Google Scholar

[5]

P. Gupta and N. McKeown. 2001. Algorithms for Packet Classification. Netwrk. Mag. of Global Internetwkg. 15, 2 (2001), 24--32.

Digital Library

Google Scholar

[6]

László Molnár, Gergely Pongrácz, Gábor Enyedi, Zoltán Lajos Kis, Levente Csikor, Ferenc Juhász, Attila Kőrösi, and Gábor Rétvári. 2016. Data-plane Specialization for High-performance OpenFlow Software Switching. In SIGCOMM. 539--552.

Digital Library

Google Scholar

[7]

Theofilos Petsios, Jason Zhao, Angelos D. Keromytis, and Suman Jana. 2017. SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities. In ACM CCS. 2155--2168.

Digital Library

Google Scholar

[8]

Nick Shelly, Ethan J. Jackson, Teemu Koponen, Nick McKeown, and Jarno Rajahalme. 2014. Flow Caching for High Entropy Packet Fields. SIGCOMM Comput. Commun. Rev. 44, 4 (2014).

Digital Library

Google Scholar

[9]

The OpenStack project. 2018. Manage project security. https://docs.openstack.org/nova/pike/admin/security-groups.html.

Google Scholar

Cited By

View all

Tu HZhao GXu HFang X(2022)Tenant-Grained Request Scheduling in Software-Defined Cloud ComputingIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2022.319903133:12(4654-4671)Online publication date: 1-Dec-2022
https://doi.org/10.1109/TPDS.2022.3199031
Wang JZhao GXu HZhai YZhang QHuang HYang Y(2022)A Robust Service Mapping Scheme for Multi-Tenant CloudsIEEE/ACM Transactions on Networking10.1109/TNET.2021.313329330:3(1146-1161)Online publication date: Jun-2022
https://doi.org/10.1109/TNET.2021.3133293
Hahn DDavidson DBardas A(2020)MisMesh: Security Issues and Challenges in Service MeshesSecurity and Privacy in Communication Networks10.1007/978-3-030-63086-7_9(140-151)Online publication date: 12-Dec-2020
https://doi.org/10.1007/978-3-030-63086-7_9
Show More Cited By

Index Terms

Policy Injection: A Cloud Dataplane DoS Attack
1. Networks

Recommendations

FAPA: a model to prevent flooding attacks in clouds
ACM-SE '12: Proceedings of the 50th Annual Southeast Regional Conference

Several schemes and a variety of intrusion detection systems are available in the market for DoS or flooding attacks. However, these schemes are not useful for cloud computing. They only consider a point of interest determined by the developers and ...
Read More
Enhanced-Adaptive Pattern Attack Recognition Technique E-APART Against EDoS Attacks in Cloud Computing

Cloud Computing is most widely used in current technology. It provides a higher availability of resources to greater number of end users. In the cloud era, security has develop a reformed source of worries. Distributed Denial of Service DDoS and ...
Read More
Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing environment

As Cloud computing is reforming the infrastructure of IT industries, it has become one of the critical security concerns of the defensive mechanisms applied to secure Cloud environment. Even if there are tremendous advancements in defense systems ...
Read More

Comments

Information & Contributors

Information

Published In

SIGCOMM '18: Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos

August 2018

165 pages

ISBN:9781450359153

DOI:10.1145/3234200

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 August 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper
Research
Refereed limited

Funding Sources

Engineering and Physical Sciences Research Council

Conference

SIGCOMM '18

Sponsor:

SIGCOMM

SIGCOMM '18: ACM SIGCOMM 2018 Conference

August 20 - 25, 2018

Budapest, Hungary

Acceptance Rates

Overall Acceptance Rate 554 of 3,547 submissions, 16%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
455
Total Downloads

Downloads (Last 12 months)44
Downloads (Last 6 weeks)4

Other Metrics

View Author Metrics

Citations

Cited By

View all

Tu HZhao GXu HFang X(2022)Tenant-Grained Request Scheduling in Software-Defined Cloud ComputingIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2022.319903133:12(4654-4671)Online publication date: 1-Dec-2022
https://doi.org/10.1109/TPDS.2022.3199031
Wang JZhao GXu HZhai YZhang QHuang HYang Y(2022)A Robust Service Mapping Scheme for Multi-Tenant CloudsIEEE/ACM Transactions on Networking10.1109/TNET.2021.313329330:3(1146-1161)Online publication date: Jun-2022
https://doi.org/10.1109/TNET.2021.3133293
Hahn DDavidson DBardas A(2020)MisMesh: Security Issues and Challenges in Service MeshesSecurity and Privacy in Communication Networks10.1007/978-3-030-63086-7_9(140-151)Online publication date: 12-Dec-2020
https://doi.org/10.1007/978-3-030-63086-7_9
Thimmaraju KHermak SRétvári GSchmid SDan TDahlia M(2019)MTSProceedings of the 2019 USENIX Conference on Usenix Annual Technical Conference10.5555/3358807.3358851(521-536)Online publication date: 10-Jul-2019
https://dl.acm.org/doi/10.5555/3358807.3358851
Zerwas JKalmbach PHenkel LRétvári GKellerer WBlenk ASchmid S(2019)NetBOAProceedings of the 2019 Workshop on Network Meets AI & ML10.1145/3341216.3342207(8-14)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.1145/3341216.3342207

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

FAPA: a model to prevent flooding attacks in clouds

Enhanced-Adaptive Pattern Attack Recognition Technique E-APART Against EDoS Attacks in Cloud Computing

Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing environment

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF

eReader

Login options

Full Access

Abstract

References

Cited By

Index Terms

Recommendations

FAPA: a model to prevent flooding attacks in clouds

Enhanced-Adaptive Pattern Attack Recognition Technique E-APART Against EDoS Attacks in Cloud Computing

Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing environment

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations