MCA2: Multi Core Architecture for Mitigating Complexity Attacks
Yaron Koral (TAU)
Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay (HUJI) and Yotam Harchol (HUJI)
A multicore system architecture, which is robust against
complexity DDoS attacks
Network Intrusion Detection System
• Reports or drops malicious packets
• Important technique: Deep Packet Inspection (DPI)
[Figure: IP packets arriving from the Internet pass through the NIDS]
Complexity DoS Attack Over NIDS
• Find a gap between average case and worst case
• One may craft an input that exploits this gap
• Launch a Denial of Service attack on the system
[Figure: throughput of the NIDS on real-life traffic vs. crafted traffic from the Internet]
Attack on Security Elements
• Combined attack: a DDoS on a security element exposed the network – theft of customers’ information

Attack on Snort
• The most widely deployed IDS/IPS worldwide.
[Chart: Snort throughput under routine traffic vs. heavy-packet traffic, relative to max throughput]
Airline Desk Example
[Animated queue figure; captions in order: “A flight ticket”, “20 min.”, “An aisle seat near window!!”, “Three carry handbags!!!”, “Doesn’t like food!!!”, “Can’t find passport!!”, “Overweight!!!”, “1 min.”, “4 min.”, “1 min.”]
Domain Properties
1. Heavy & Light customers.
2. Easy detection of heavy customers.
3. Moving customers between queues is cheap.
4. Heavy customers have special more efficient processing method.
Domain Properties
1. Heavy & Light packets.
2. Easy detection of heavy packets.
3. Moving packets between queues is cheap.
4. Heavy packets have a special, more efficient processing method (in the airline example: special training).

Some packets are much “heavier” than others
The Snort-attack experiment
Snort uses Aho-Corasick DFA
• The DPI mechanism is a main bottleneck in Snort
• Allows a single step for each input symbol
• Holds a transition for each alphabet symbol
• Fast & huge
• Best for normal traffic; exposed to a cache-miss attack
[Figure: a heavy packet walking the Aho-Corasick DFA]
Snort-Attack Experiment
[Figure: normal traffic is served from the cache; in the attack scenario transitions are fetched from main memory – cache-miss!!!]
[Chart: throughput under routine traffic vs. heavy-packet traffic, relative to max throughput]
• Does not require many packets!!!
The General Case: Complexity Attacks
• Building the packet is much cheaper than processing it.
How Do We Detect?
• Detecting heavy packets is feasible
• Normal and heavy packets differ from each other
• May be classified quickly
• Claim: this is the general case in complexity attacks!!!
[Figure: normal vs. heavy packets separated by a threshold]
System Architecture
[Figure: a processor chip; the NIC feeds per-core queues (Q) of routine cores #1–#8, which detect heavy packets and move them to the queues and buffers (B) of dedicated cores #9 and #10]
• Routine and alert mode
• Drop mode
• Dynamic thread allocation model
• Non-blocking queue synchronization
• Move packets between cores with negligible overhead!
Snort uses Aho-Corasick DFA
Full Matrix vs. Compressed
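The slides above describe four things without code: the Snort attack (a heavy packet drives the full-matrix Aho-Corasick DFA through many states and each state row costs a memory fetch), detection of heavy packets by a threshold, hand-off to dedicated cores with a drop mode when they saturate, and the full-matrix vs. compressed trade-off of property 4. The following is an added example that ties them together in one runnable model; it is not the MCA2 implementation or Snort code. The automaton is a minimal Aho-Corasick over bytes, “distinct DFA rows touched” stands in for cache lines fetched, and the threshold, dedicated-queue capacity, pattern set and the two traffic samples are all constructed for illustration.

```python
# Toy model of MCA2-style heavy-packet handling for an Aho-Corasick DPI engine.
# Constructed example: the detection metric (distinct DFA rows touched, standing in
# for cache lines fetched), the threshold and the queue capacity are assumptions.
from collections import deque

ALPHABET = 256

def build_ac(patterns):
    """Aho-Corasick automaton over bytes. Returns (goto, fail, out, full):
    goto[s] dict byte->state (explicit trie edges only: the compressed form),
    fail[s] failure link, out[s] patterns matched on reaching s,
    full[s] 256-entry row of next states (the full-matrix DFA form)."""
    goto, fail, out = [{}], [0], [set()]
    for p in patterns:
        s = 0
        for b in p:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(p)
    order, q = [0], deque(goto[0].values())
    while q:                                 # BFS: failure links by increasing depth
        r = q.popleft()
        order.append(r)
        for b, s in goto[r].items():
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]
            q.append(s)
    full = [[0] * ALPHABET for _ in goto]
    for s in order:                          # fail[s] is shallower, so already filled
        for b in range(ALPHABET):
            full[s][b] = goto[s].get(b, full[fail[s]][b] if s else 0)
    return goto, fail, out, full

def step_compressed(goto, fail, s, b):
    """Compressed automaton: chase failure links instead of reading a 1 KiB row."""
    while s and b not in goto[s]:
        s = fail[s]
    return goto[s].get(b, 0)

def footprint(ac):
    """Transition-table entries: (full matrix, compressed explicit edges)."""
    goto, _, _, full = ac
    return len(full) * ALPHABET, sum(len(g) for g in goto)

def routine_scan(ac, pkt, threshold):
    """Routine core: full-matrix DFA, one lookup per byte. Counts distinct state
    rows touched; once that exceeds `threshold` the packet is heavy and is handed
    off mid-scan. Returns (finished, state, offset, matches, rows_touched)."""
    _, _, out, full = ac
    s, touched, matches = 0, set(), set()
    for i, b in enumerate(pkt):
        s = full[s][b]
        touched.add(s)
        matches |= out[s]
        if len(touched) > threshold:
            return False, s, i + 1, matches, len(touched)
    return True, s, len(pkt), matches, len(touched)

def dedicated_scan(ac, pkt, s, offset, matches):
    """Dedicated core: resume at the handed-over DFA state with the compressed
    automaton, slower per byte but cache-resident for any input."""
    goto, fail, out, _ = ac
    for b in pkt[offset:]:
        s = step_compressed(goto, fail, s, b)
        matches |= out[s]
    return matches

def process(ac, packets, threshold, dedicated_capacity):
    """Two-tier dispatch with drop mode: heavy packets join a bounded dedicated
    queue; when it is full, further heavy packets are dropped instead of stalling
    the routine cores. Returns per-tier counts and the union of matches."""
    stats = {"routine": 0, "dedicated": 0, "dropped": 0}
    backlog, matches = 0, set()
    for pkt in packets:
        done, s, off, m, _ = routine_scan(ac, pkt, threshold)
        if done:
            stats["routine"] += 1
        elif backlog < dedicated_capacity:
            backlog += 1
            stats["dedicated"] += 1
            m = dedicated_scan(ac, pkt, s, off, m)
        else:
            stats["dropped"] += 1
            continue
        matches |= m
    return stats, matches

PATTERNS = [b"attack", b"exploit", b"rootkit", b"malware", b"shellcode"]  # constructed
AC = build_ac(PATTERNS)
THRESHOLD = 16   # assumed: routine traffic stays far below it, crafted input far above
# Constructed traffic: a routine HTTP request, and a "heavy" payload that is cheap
# to build (pattern prefixes that never complete) yet walks every inner trie node.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
HEAVY = b"".join(p[:-1] for p in PATTERNS) * 40

if __name__ == "__main__":
    print("entries (full, compressed):", footprint(AC))
    print("normal rows touched:", routine_scan(AC, NORMAL, THRESHOLD)[4])
    print("heavy rows touched at hand-off:", routine_scan(AC, HEAVY, THRESHOLD)[4])
    print(process(AC, [NORMAL] * 3 + [HEAVY + b"attack"] + [HEAVY] * 3, THRESHOLD, 2))
```

Two things the model makes visible: the heavy payload costs the attacker a handful of bytes to assemble but touches almost every row of the full matrix, while the routine request stays within a few rows, so a simple per-packet threshold separates them early in the scan; and because the hand-off carries only (state, offset), the dedicated core finishes the scan with the compressed automaton and still reports exactly the matches the full matrix would have.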
Experimental Results
[Charts: system throughput over time; goodput of the different algorithms]
Concluding Remarks
• A multi-core system architecture, which is robust against complexity DDoS attacks
• In this talk we focused on a specific NIDS and complexity attack
• Additional results show how the system fits other cases:
– Hybrid-FA
– Bro Lazy-FA
• We believe this approach can be generalized (outside the scope of NIDS).
Thank You!!