On the Feasibility and Enhancement of the Tuple Space Explosion Attack against Open vSwitch

by   Levente Csikor, et al.

Being a crucial part of networked systems, packet classification has to be highly efficient; however, software switches in cloud environments still face performance challenges. The recently proposed Tuple Space Explosion (TSE) attack exploits an algorithmic deficiency in Open vSwitch (OVS). In TSE, legitimate low-rate attack traffic makes the cardinal linear search algorithm in the Tuple Space Search (TSS) algorithm to spend an unaffordable time for classifying each packet resulting in a denial-of-service (DoS) for the rest of the users. In this paper, we investigate the feasibility of TSE from multiple perspectives. Besides showing that TSE is still efficient in the newer version of OVS, we show that when the kernel datapath is compiled from a different source, it can degrade its performance to  1 Mbps attack rate. Finally, we show that TSE is much less effective against OVS-DPDK with userspace datapath due to the enhanced ranking process in its TSS implementation. Therefore, we propose TSE 2.0 to defeat the ranking process and achieve a complete DoS against OVS-DPDK. Furthermore, we present TSE 2.1, which achieves the same goal against OVS-DPDK running on multiple cores without significantly increasing the attack rate.


page 1

page 10


Catch Me If You Can: A New Low-Rate DDoS Attack Strategy Disguised by Feint

While collaborative systems provide convenience to our lives, they also ...

The Time for Reconstructing the Attack Graph in DDoS Attacks

Despite their frequency, denial-of-service (DoSDenial of Service (DoS), ...

Early detection of Crossfire attacks using deep learning

Crossfire attack is a recently proposed threat designed to disconnect wh...

Construction of Two Statistical Anomaly Features for Small-Sample APT Attack Traffic Classification

Advanced Persistent Threat (APT) attack, also known as directed threat a...

AccFlow: Defending Against the Low-Rate TCP DoS Attack in Wireless Sensor Networks

Because of the open nature of the Wireless Sensor Networks (WSN), the De...

A structural attack to the DME-(3,2,q) cryptosystem

We present a structural attack on the DME cryptosystem with paramenters ...

Algorithms for Reconstructing DDoS Attack Graphs using Probabilistic Packet Marking

DoS and DDoS attacks are widely used and pose a constant threat. Here we...

Please sign up or login with your details

Forgot password? Click here to reset