MCA2: Multi Core Architecture for Mitigating Complexity Attacks

Yaron Koral (TAU)

Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay (HUJI) and Yotam Harchol (HUJI)

A multicore system architecture, which is robust against

complexity DDoS attacks

3

Network Intrusion Detection System• Reports or drops malicious packets• Important technique: Deep Packet Inspection (DPI)

InternetIP

packet

4

Complexity DoS Attack Over NIDS• Find a gap between average case and worst case• One may craft an input that exploits this gap• Launch a Denial of Service attack on the system

Internet

Real-Life Traffic

Throughput

Attack on Security Elements

Combined Attack:DDoS on Security Element

exposed the network – theft of customers’

information

Attack on Snort

• The most widely deployed IDS/IPS worldwide.

Max Throughput

Routine Traffic

Heavy Packet Traffic

Airline Desk Example

Airline Desk Example

A flight ticket

20 min.

Airline Desk Example

An isle seat near window!!

Three carry

handbags!!!

Doesn’t like

food!!!

Can’t find passport!!

Overweight!!!

1 min.

Airline Desk Example

Airline Desk Example

4 min.1 min.

Domain Properties

1. Heavy & Light customers.

2. Easy detection of heavy customers.

3. Moving customers between queues is cheap.

4. Heavy customers have special more efficient processing method.

Domain Properties

1. Heavy & Light packets.

2. Easy detection of heavy packets

3. Moving packets between queues is cheap.

4. Heavy packets have special more efficient processing method.

Special training

Some packets are much “heavier” than others

The Snort-attack experiment

•DPI mechanism is a main bottleneck in Snort•Allows single step for each input symbol•Holds transition for each alphabet symbol

Snort uses Aho-Corasick DFAHeavy PacketFast & Huge

Best for normal trafficExposed to cache-miss attack

Snort-Attack Experiment

Cache

Main Memory

Normal Traffic Attack Scenario

Cache-miss!!! Max Throughput

Routine Traffic

Heavy Packet Traffic

Does not require many packets!!!

The General Case: Complexity Attacks

• Building the packet is much cheaper than processing it.

Domain Properties

1. Heavy & Light packets.

2. Easy detection of heavy packets

3. Moving packets between queues is cheap.

4. Heavy packets have special more efficient processing method.

Detecting heavy packets is feasible

How Do We Detect?

• Normal and heavy packets differ from each other• May be classified quickly

• Claim: the general case in complexity attacks!!! threshold

Domain Properties

1. Heavy & Light packets.

2. Easy detection of heavy packets

3. Moving packets between queues is cheap.

4. Heavy packets have special more efficient processing method.

System Architecture

P

roce

ssor

Chi

p

Core #8

Dedicated Core #9

NIC Core #1Q

Core #2Q

Q

QB

Dedicated Core #10 B

Q

• Routine and alert mode• Drop mode• Dynamic thread allocation model• Non blocking queue synchronization • Move packets between cores with negligible overhead!

Detects heavy

packets

Domain Properties

1. Heavy & Light packets.

2. Easy detection of heavy packets

3. Moving packets between queues is cheap.

4. Heavy packets have special more efficient processing method.

Snort uses Aho-Corasick DFA

Full Matrix vs. Compressed

Domain Properties

1. Heavy & Light packets.

2. Easy detection of heavy packets

3. Moving packets between queues is cheap.

4. Heavy packets have special more efficient processing method.

Experimental Results

System Throughput Over Time

Different Algorithms Goodput

Concluding Remarks

• A multi-core system architecture, which is robust against complexity DDoS attacks

• In this talk we focused on specific NIDS and complexity attack

• Additional results show how the system fits to other cases:– Hybrid-FA– Bro Lazy-FA

• We believe this approach can be generalized (outside the scope of NIDS).

Thank You!!