Below we present the essence of our paper appear(ed) at CoNEXT, 2019.

L. Csikor, D. M. Divakaran, M. S. Kang, A. Kőrösi, B. Sonkoly, D. Haja, D.P. Pezaros, S. Schmid, G. Rétvári, "Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier", In proc. of ACM CoNEXT'19, Orlando, FL, USA, 2019, https://dl.acm.org/citation.cfm?doid=3359989.3365431.

Furthermore, some parts of the works, preliminary results and follow-up works have appeared at several venues before and after:

• L. Csikor, V. Ujawane, and D. M. Divakaran, "On the Feasibility and Enhancement of the Tuple Space Explosion Attack against Open vSwitch", arXiv:2011.09107 [cs.CR], 2020.

• L. Csikor, V. Ujawane, and D. M. Divakaran, “The Discrepancy of the Megaflow Cache in OVS, Final Episode,” in OVS+OVN Conference, https://www.youtube.com/watch?v=DSC3m-Bww64, 2020.

• L. Csikor, M. S. Kang, and D. M. Divakaran, “The Discrepancy of the Megaflow Cache in OVS, Part II.” in OVS+OVN Conference, Red Hat, Westford, MA, 2019, https://bit.ly/35fFoKD.

• L. Csikor and G. Rétvári, “The Discrepancy of the Megaflow Cache in OVS,” in Open vSwitch Fall Conference, Club Auto Sport, Santa Clara, CA, 2018, https://bit.ly/34idgVQ.

• L. Csikor, C. Rothenberg, D. P. Pezaros, S. Schmid, L. Toka, and G. Rétvári, “Policy Injection: A Cloud Dataplane DoS Attack,” in Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos, Budapest, Hungary, 2018, pp. 147-149, https://dl.acm.org/citation.cfm?id=3234250.

...and any further updates regarding the mitigation of the revealed attack will be published here.

Two flows in the flow table are said to overlap if there is a packet header that matches both. In this case, the matching flow that occurs first in the flow table takes precedence. For instance, in the sample ACL in Fig. 1, a packet with source IP address 10.0.0.1, source and destination ports 34521, and 443, respectively, matches both the second and the last flow entries with the first flow overriding the last one by higher priority. Accordingly, here we define several use cases according to the number of different header fields an allow rule matches on besides the only deny rule. In particular, the use case of destination port only (Dp), source port and destination port (SpDp), source IP and destination port (SipDp), and all previous three (SipSpDp), contains flow rule #1, flow rules #1 and #3, flow rules #1 and #2, and all flow rules, respectively.

In contrast, a flow table in which all rules are disjoint is order-independent because all packets have a single matching rule and equal priority (i.e., order is irrelevant). In general, this makes packet classification much simpler [8].

Most software switches (if not all) support order-dependent flow tables despite the performance benefit of order-independent tables because of the flexibility of the former. In virtualized environments (e.g., multiple tenants share a single software switch for access control), users with various networking knowledge configure the flow rules in the switches. The greater flexibility of order-dependent tables support rule wildcarding and flow priorities, which allow complex packet processing logics to be described concisely.

Within the fast path, the microflow cache implements a per-transport-connection exact-match store where lookup occurs over all header fields, while the megaflow cache (MFC) bundles multiple microflows into a single megaflow to impose common processing to the entire bundle.In this design, the microflow cache merely serves as “short-term” memory and it is often exhausted even in normal operation (by default, it contains only a couple of hundred entries). The lookup algorithm in the MFC relies on the TSS scheme [10], the prevailing packet classifier used to implement ACLs in other hypervisor switches as well (e.g., VPP [1], HyperSwitch [2], GSwitch [3]). MFC generally saves on cache entries by a single megaflow covering, say, all incoming HTTP connections regardless of the source TCP port (i.e., TCP port wildcarded). In a nutshell, this is done by collecting the entries matching on the same set of header bits into a hash in which masked packet headers can be found fast. Then, masks and associated hashes are searched sequentially until the first matching entry is found.

Note that the TSS implementation in OVS does not know about flow priorities; thus the slow path ensures that MFC entries are all disjoint to make packet classification simpler yet introducing worst case exponential complexity (i.e., exhaustive linear search in the different masks). Correspondingly, as long as the number of masks is kept in a reasonable range (e.g., couple of hundreds masks), packet processing in the fast path is close to line rate. This property of the TSS is the very logic we aim to exploit.

We show that even with a random packet sequence we can achieve the TSS implementation in OVS to produce thousands of masks significantly increasing the look up time of a given packet that can eventually bring down the whole packet processing to its knees.

The attacker’s goal is to send some attack packets to the virtual switch, which when subjected to the implemented ACL will exhaust the underlying resources denying access to the rest of the users. The adversary only needs to have the capability of crafting and sending IP packets with arbitrary legitimate headers without being filtered at the first hand; e.g., by her upstream or transit ISPs. Note that we do not require any privilege of the target switch for the effective DoS attack. However, having some partial, internal state of the target switch (e.g., installed ACL rules) can further improve the efficiency (i.e., less number of required attack packets). Here, we do not consider volumetric DoS attacks that congest the target‘s network bandwidth with attack traffic.

In a nutshell, to achieve the highest number of MFC masks with the smallest effort, the crafted packet sequence needs to be on par with the installed flow rules (see more details in the paper). Correspondingly, being aware of the ACL itself is a key aspect to the efficiency of the TSE attack. Thus, we present two different approaches of the TSE attack each posing different requirements and targets for the attacker.

In order to explain the main differences between them, and their practical targets, we need to understand a key abstraction in a cloud environment: the per-user virtual switches tenants configure to set up their ACLs. Tenants perceive these virtualised resources as their own physical switch, however switches are only logically separated and all of them are implemented and managed by the same individual software switch instance. Therefore, all workloads happened to be scheduled to the same hypervisor inherently share the switching fabric as well (e.g., the MFC).

Co-located TSE

We build on top of this abstraction: the attacker has leased resources in the cloud, which inherently makes him/her capable of installing ACLs into its own virtual switch. Then, the shared MFC can be easily populated with new masks by targeting the known ACLs. However, co-location comes at a price that only those tenants’ workloads are affected that happened to be scheduled to the same hypervisor.

General TSE

In this approach, we alleviate the restrictions of Co-located TSE: we consider the case when the attacker has neither resources in the cloud, nor knowledge about any ACLs. Here, we investigate how much more effort an attacker needs in order to achieve the same efficiency as Co-located TSE.

MFCGuard

As a more customized mitigation technique we developed MFCGuard, which monitors and modifies the MFC— if the number of masks exceed a certain threshold, it looks for patterns corresponding to a possible TSE attack in every 10 seconds according to the MFC expiration period, and wipes out those entries accordingly. We observed that monitoring (and modifying) the MFC has no overhead on the performance.

In essence, removing an entry from the MFC means that matching packets will be processed in the slow path again. Since the slow path would spark the same MFC entries again, the idea behind MFCGuard was to constantly keep those entries out of the fast path. In practice, however, we observed that once an MFC entry is deleted then it will never be sparked again, i.e., matching packets will always be processed by the slow path. Such undesired, unexpected and undocumented behavior [18] can have serious performance penalties; although MFC entries can be manually re-injected.

There are several requirements MFCGuard needs to meet: (i) entries covering the useful traffic should never be deleted. Furthermore, (ii) according to the available resources, we can only remove select flows from the MFC to find a balance between the maximum performance of the fast path and the increased resource utilization by the slow path; both impacting the overall quality of the run services. Due to requirement (i) MFCGuard will only remove entries with drop action! With this simple yet important requirement, only adversarial packets will be subjected to the slow path, keeping the fast path accelerated for the useful traffic flows (cf. Alg. 2 in §11.4). In our current implementation, we have therefore focused on (i), and keep you updated about (ii) here.

References

[1] FD.io, “VPP - Vector Packet Processing,” https://docs.fd.io/vpp/19.01/index.html.

[2] K. K. Ram, A. L. Cox, M. Chadha, and S. Rixner, “Hyper-Switch: A Scalable Software Virtual Switching Architecture,” in Usenix ATC, 2013, p. 12.

[3] M. Varvello, R. Laufer, F. Zhang, and T. Lakshman, “Multi-Layer Packet Classification with Graphics Processing Units,” in Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies - CoNEXT ’14. Sydney, Australia: ACM Press, 2014, pp. 109–120. [Online]. Available: http://dl.acm.org/citation.cfm?doid=2674005.2674990

[4] B. Pfaff, J. Pettit, T. Koponen, E. Jackson, A. Zhou, J. Rajahalme, J. Gross, A. Wang, J. Stringer, P. Shelar, K. Amidon, and M. Casado, “The design and implementation of Open vSwitch,” in NSDI, 2015, pp. 117–130.

[5] A Linux Foundation Collaborative Project, “Production Quality, Multilayer Open Virtual Switch,” http://www.openvswitch.org/, Accessed: June 2019.

[6] OpenFlow Switch Specifications v.1.4.0, The Open Networking Foundation, 2013.

[7] B. Pfaff and B. Davie, “The Open vSwitch database management protocol,” RFC 7047, 2013.

[8] K. Kogan et al., “SAX-PAC: scalable and expressive packet classification,” in SIGCOMM, 2014, pp. 15–26.

[9] P. Newman, G. Minshall, and T. L. Lyon, “IP switching – ATM under IP,” IEEE/ACM Trans. Netw., vol. 6, no. 2, pp. 117–129, 1998.

[10] V. Srinivasan, S. Suri, and G. Varghese, “Packet classification using tuple space search,” in SIGCOMM, 1999, pp. 135–146.

[11] Cloud Native Computing Foundation, “Network Policies,” https://kubernetes.io/docs/concepts/services-networking/network-policies.

[12] Istio, “Authentication Policy,” 2018, https://istio.io/docs/reference/config/istio.authentication.v1alpha1.

[13] Istio, “Traffic Routing,” 2018, https://istio.io/docs/reference/config/istio.networking.v1alpha3.

[14] Istio, “Ingress Controller,” 2018, https://istio.io/docs/tasks/traffic-management/ingress.html.

[15] Amazon Web Services, Elastic Load Balancing features. https://aws.amazon.com/elasticloadbalancing/features/#Details_for_Elastic_Load_Balancing_Products, Accessed in Jun 2019.

[16] DPDK. Membership Library. https://doc.dpdk.org/guides/prog_guide/member_lib.html.

[17] Pettit, J., "Accelerating Open vSwitch to Ludicrous Speed. Blog post: Network Heresy - Talses of the network reformation", 2014. http://networkheresy.com/accelerating-open-vswitch-to-ludicrous-speed/.

[18] Ben Pfaff. [ovs-discuss] ovs-dpctl del-flow works strange. Mailing list archive, https://mail.openvswitch.org/pipermail/ovs-discuss/2019-June/048887.html, 2019 June