refalimo.blogg.se

Hyperswitch github








It can be managed remotely through standardized control plane protocols.


OVS is an open source, multilayer, production quality software switch that enables massive network automation through programmatic extensions. In this paper, we use OVS as our running example, but the presented vulnerabilities might affect other TSS-based software switches (e.g., VPP, Hyperswitch, GSwitch). Reliable and efficient service provisioning heavily depends on the ability to efficiently switch traffic between the tenants' workloads and the outside world. We thus suggest, as a long-term solution, to use other packet classification algorithms (e.g., hierarchical tries, HaRP, Hypercuts) that are not vulnerable to the TSE attack.

As a short-term solution, we propose MFCGuard, a monitoring system that carefully manages the entries in the tuple space to keep packet classification fast for the packets that are eventually accepted by the system.

Enterprises increasingly offload business-critical workloads to the public cloud to benefit from low infrastructure costs, high availability, and flexible resource provisioning. Since the TSE attack exploits the fundamental complexity characteristics of the TSS algorithm, unfortunately, there seems to be no complete mitigation of the problem. This makes it particularly hard to build a signature of our attack traffic for detection. The TSE attack, in general, does not generate any specific attack traffic patterns but some attack packets with randomly chosen IP headers and arbitrary message contents. We also show that if the adversary has partial knowledge of the installed classification policies, she can virtually bring down the packet classifier with the same low attack rate.


We demonstrate that the TSE attack can degrade the switch performance to as low as 12% of its full capacity with a very low packet rate (i.e., 0.7 Mbps) when the target packet classification only has simple policies, e.g., "allow a few flows but drop all others". We present the Tuple Space Explosion (TSE) attack that exploits the fundamental space/time complexity of the TSS algorithm. In this paper, we evaluate whether the de facto packet classification algorithm (i.e., Tuple Space Search scheme, TSS) used in many popular software networking stacks, e.g., Open vSwitch, VPP, HyperSwitch, is robust against low-rate denial-of-service (DoS) attacks. Packet classification is one of the fundamental building blocks of various security primitives and thus it needs to be highly efficient and available. and any further updates regarding the mitigation of the revealed attack will be published here. Rétvári, “Policy Injection: A Cloud Dataplane DoS Attack,” in Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos, Budapest, Hungary, 2018, pp. Rétvári, “The Discrepancy of the Megaflow Cache in OVS,” in Open vSwitch Fall Conference, Club Auto Sport, Santa Clara, CA, 2018. Divakaran, “The Discrepancy of the Megaflow Cache in OVS, Part II.” in OVS+OVN Conference, Red Hat, Westford, MA, 2019.


Divakaran, “The Discrepancy of the Megaflow Cache in OVS, Final Episode,” in OVS+OVN Conference, , 2020.


Divakaran, "On the Feasibility and Enhancement of the Tuple Space Explosion Attack against Open vSwitch", arXiv:2011.09107, 2020. Furthermore, some parts of the works, preliminary results and follow-up works have appeared at several venues before and after: of ACM CoNEXT'19, Orlando, FL, USA, 2019. Rétvári, "Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier", In proc. Below we present the essence of our paper appear(ed) at CoNEXT, 2019.








