
Tuple space explosion: a denial-of-service attack against a software packet classifier

Published: 03 December 2019
Abstract

    Efficient and highly available packet classification is fundamental for various security primitives. In this paper, we evaluate whether the de facto Tuple Space Search (TSS) packet classification algorithm used in popular software networking stacks such as the Open vSwitch is robust against low-rate denial-of-service attacks. We present the Tuple Space Explosion (TSE) attack that exploits the fundamental space/time complexity of the TSS algorithm.
    TSE can degrade the switch performance to 12% of its full capacity with a very low packet rate (0.7 Mbps) when the target only has simple policies such as "allow some, but drop others". Worse, an adversary with additional partial knowledge of these policies can virtually bring down the target with the same low attack rate. Interestingly, TSE does not generate any specific traffic patterns but only requires arbitrary headers and payloads, which makes it particularly hard to detect.
    Due to the fundamental complexity characteristics of TSS, unfortunately, there seems to be no complete mitigation to the problem. As a long-term solution, we suggest the use of other algorithms (e.g., HaRP) that are not vulnerable to the TSE attack. As a short-term countermeasure, we propose MFCGuard that carefully manages the tuple space and keeps packet classification fast.
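As an added illustration of the complexity property the abstract refers to (example code written for this page, not the paper's or Open vSwitch's implementation): a minimal Tuple Space Search classifier over constructed rules that counts the hash-table probes one lookup needs. The probe count equals the number of distinct mask combinations (tuples), not the number of rules, which is why a countermeasure that manages the tuple space is what keeps classification fast; the rule fields, names and sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network


def prefix_mask(prefix_len: int) -> int:
    """32-bit mask for an IPv4 prefix length (0 gives a full wildcard)."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


class TSSClassifier:
    """Rules are grouped by their mask combination ("tuple"); each tuple owns
    one exact-match hash table keyed by the masked header fields."""

    def __init__(self):
        self.tuples = defaultdict(dict)  # tuple key -> {masked key: (prio, action)}

    def add_rule(self, src_cidr, dst_cidr, dst_port, priority, action):
        src = IPv4Network(src_cidr, strict=False)
        dst = IPv4Network(dst_cidr, strict=False)
        tkey = (src.prefixlen, dst.prefixlen, dst_port is not None)
        key = (int(src.network_address), int(dst.network_address), dst_port)
        cur = self.tuples[tkey].get(key)
        if cur is None or priority > cur[0]:
            self.tuples[tkey][key] = (priority, action)

    def tuple_count(self) -> int:
        return len(self.tuples)

    def lookup(self, src_ip, dst_ip, dst_port):
        """Return (action, probes). TSS cannot skip a tuple, so every lookup
        probes each tuple's table once: probes == tuple_count()."""
        s, d = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
        best, probes = None, 0
        for (sl, dl, port_exact), table in self.tuples.items():
            probes += 1
            key = (s & prefix_mask(sl), d & prefix_mask(dl),
                   dst_port if port_exact else None)
            hit = table.get(key)
            if hit is not None and (best is None or hit[0] > best[0]):
                best = hit
        return (best[1] if best is not None else "drop"), probes


def build_policy(extra_prefix_lengths: int) -> TSSClassifier:
    """Constructed sample policy: 'allow some, drop others' plus further drop
    rules that each use a distinct source prefix length. The decisions the
    policy makes do not change; only the number of tuples does."""
    c = TSSClassifier()
    c.add_rule("10.0.0.0/8", "192.168.1.10/32", 443, priority=10, action="allow")
    c.add_rule("0.0.0.0/0", "0.0.0.0/0", None, priority=1, action="drop")
    for plen in range(9, 9 + extra_prefix_lengths):
        c.add_rule(f"172.16.0.0/{plen}", "0.0.0.0/0", None, priority=5, action="drop")
    return c
```

Comparing `build_policy(0)` with `build_policy(20)` shows the same verdicts for the same packet while the per-lookup probe count rises from 2 to 22; tracking `tuple_count()` over time is the defender-side metric that exposes this growth.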




      Published In

      cover image ACM Conferences
      CoNEXT '19: Proceedings of the 15th International Conference on Emerging Networking Experiments And Technologies
      December 2019
      395 pages
      ISBN:9781450369985
      DOI:10.1145/3359989

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. algorithmic complexity
      2. data plane
      3. denial-of-service
      4. open vswitch
      5. packet classifier
      6. security
      7. software-defined networking
      8. tuple space search

      Qualifiers

      • Research-article

      Conference

      CoNEXT '19

      Acceptance Rates

      Overall Acceptance Rate 198 of 789 submissions, 25%

      Cited By

      • (2023) Algorithmic Complexity Attacks on Dynamic Learned Indexes. Proceedings of the VLDB Endowment 17(4), 780-793. doi:10.14778/3636218.3636232. Published 1 Dec 2023.
      • (2023) Achelous: Enabling Programmability, Elasticity, and Reliability in Hyperscale Cloud Networks. Proceedings of the ACM SIGCOMM 2023 Conference, 769-782. doi:10.1145/3603269.3604859. Published 10 Sep 2023.
      • (2023) Scaling by Learning: Accelerating Open vSwitch Data Path With Neural Networks. IEEE/ACM Transactions on Networking 31(3), 1230-1243. doi:10.1109/TNET.2022.3215143. Published Jun 2023.
      • (2023) On the Importance of Resilience Engineering for Networked Systems in a Changing World. IEEE Communications Magazine 61(11), 200-206. doi:10.1109/MCOM.001.2300057. Published Nov 2023.
      • (2023) A Wrapper Feature Selection Based Hybrid Deep Learning Model for DDoS Detection in a Network with NFV Behaviors. Wireless Personal Communications 133(1), 481-506. doi:10.1007/s11277-023-10775-9. Published 13 Dec 2023.
      • (2022) A Scalable and Dynamic ACL System for In-Network Defense. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 1679-1693. doi:10.1145/3548606.3560606. Published 7 Nov 2022.
      • (2022) L25GC. Proceedings of the ACM SIGCOMM 2022 Conference, 143-157. doi:10.1145/3544216.3544267. Published 22 Aug 2022.
      • (2022) SurgeProtector. Proceedings of the ACM SIGCOMM 2022 Conference, 723-738. doi:10.1145/3544216.3544250. Published 22 Aug 2022.
      • (2022) Improving Open Virtual Switch Performance Through Tuple Merge Relaxation in Software Defined Networks. IEEE Transactions on Network and Service Management 19(3), 2078-2091. doi:10.1109/TNSM.2022.3155592. Published Sep 2022.
      • (2021) MultilayerTuple: A General, Scalable and High-performance Packet Classification Algorithm for Software Defined Network System. 2021 IFIP Networking Conference (IFIP Networking), 1-9. doi:10.23919/IFIPNetworking52078.2021.9472824. Published 21 Jun 2021.