MCA2: Multi Core Architecture for Mitigating Complexity Attacks
Yaron Koral (TAU)
Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay (HUJI) and Yotam Harchol (HUJI)
A multicore system architecture, which is robust against complexity DDoS attacks.
Network Intrusion Detection System
• Reports or drops malicious packets
• Important technique: Deep Packet Inspection (DPI)
[Diagram labels: Internet, IP packet]
Complexity DoS Attack Over NIDS
• Find a gap between average case and worst case
• One may craft an input that exploits this gap
• Launch a Denial of Service attack on the system
[Diagram labels: Internet, Real-Life Traffic, Throughput]
Attack on Security Elements
Combined Attack: DDoS on Security Element exposed the network – theft of customers’ information
Attack on Snort
• The most widely deployed IDS/IPS worldwide.
[Chart labels: Max Throughput, Routine Traffic, Heavy Packet Traffic]
Airline Desk Example
[Slide illustrations; speech-bubble text follows]
A flight ticket
An aisle seat near window!! Three carry handbags!!! Doesn’t like food!!! Can’t find passport!! Overweight!!!
Times shown on slide: 20 min., 1 min.
Times shown on a later slide: 4 min., 1 min.
Domain Properties
1. Heavy & Light customers.
2. Easy detection of heavy customers.
3. Moving customers between queues is cheap.
4. Heavy customers have a special, more efficient processing method.
[Slide label: Special training]
Domain Properties
1. Heavy & Light packets.
2. Easy detection of heavy packets.
3. Moving packets between queues is cheap.
4. Heavy packets have a special, more efficient processing method.
Some packets are much “heavier” than others
The Snort-attack experiment
Snort uses Aho-Corasick DFA
• DPI mechanism is a main bottleneck in Snort
• Allows single step for each input symbol
• Holds transition for each alphabet symbol
Fast & Huge
Best for normal traffic
Exposed to cache-miss attack
[Diagram label: Heavy Packet]
Snort-Attack Experiment
[Diagram labels: Cache, Main Memory, Normal Traffic, Attack Scenario, Cache-miss!!!]
[Chart labels: Max Throughput, Routine Traffic, Heavy Packet Traffic]
Does not require many packets!!!
The General Case: Complexity Attacks
• Building the packet is much cheaper than processing it.
Detecting heavy packets is feasible
How Do We Detect?
• Normal and heavy packets differ from each other
• May be classified quickly
• Claim: the general case in complexity attacks!!!
[Chart label: threshold]
System Architecture
[Diagram labels: Processor Chip, NIC, Core #1, Core #2, Core #8, Dedicated Core #9, Dedicated Core #10, Q, B, Detects heavy packets]
• Routine and alert mode
• Drop mode
• Dynamic thread allocation model
• Non blocking queue synchronization
• Move packets between cores with negligible overhead!
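A toy queueing model of the architecture above, added here as an illustration and not taken from the talk or from Snort: regular cores hand a packet to a dedicated core once it is detected as heavy, and the dedicated core uses the cheaper method for heavy packets. The costs 1, 20 and 4 reuse the airline-desk times (reading them as light, heavy and specially handled heavy service times is an assumption); `DETECT_COST`, the round-robin dispatch and all names are hypothetical.

```python
LIGHT, HEAVY = "L", "H"
COST_REGULAR = {LIGHT: 1, HEAVY: 20}  # assumed cost per packet on a regular core
COST_DEDICATED_HEAVY = 4              # assumed cost of a heavy packet on a dedicated core
DETECT_COST = 1                       # hypothetical work done before the threshold trips

# Constructed sample burst, all packets arriving at t=0: 8 light, 2 heavy.
BURST = [HEAVY, LIGHT, LIGHT, LIGHT, LIGHT, HEAVY, LIGHT, LIGHT, LIGHT, LIGHT]


def simulate(packets, cores, dedicated=0):
    """Return (mean finish time of light packets, makespan) for one burst."""
    regular = cores - dedicated
    if regular < 1:
        raise ValueError("need at least one regular core")
    clock = [0] * regular   # time at which each regular core becomes free
    moved = []              # times at which heavy packets reach the dedicated queue
    light_done, last = [], 0
    for i, kind in enumerate(packets):
        c = i % regular     # round-robin dispatch from the NIC
        if kind == HEAVY and dedicated:
            # Heavy packet is detected early and moved off the regular core.
            clock[c] += DETECT_COST
            moved.append(clock[c])
        else:
            clock[c] += COST_REGULAR[kind]
            if kind == LIGHT:
                light_done.append(clock[c])
        last = max(last, clock[c])
    # Dedicated cores serve moved packets in arrival order, earliest-free core first.
    free = [0] * dedicated
    for ready in sorted(moved):
        d = free.index(min(free))
        free[d] = max(free[d], ready) + COST_DEDICATED_HEAVY
        last = max(last, free[d])
    mean_light = sum(light_done) / len(light_done) if light_done else 0.0
    return mean_light, last


if __name__ == "__main__":
    print("no isolation      :", simulate(BURST, cores=2))
    print("one dedicated core:", simulate(BURST, cores=2, dedicated=1))
```

With the same two cores, isolating heavy packets keeps light packets from queueing behind them, which is the effect the domain properties rely on.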
Snort uses Aho-Corasick DFA
Full Matrix vs. Compressed
Experimental Results
System Throughput Over Time
Different Algorithms Goodput
Concluding Remarks
• A multi-core system architecture, which is robust against complexity DDoS attacks
• In this talk we focused on a specific NIDS and complexity attack
• Additional results show how the system fits other cases:
  – Hybrid-FA
  – Bro Lazy-FA
• We believe this approach can be generalized (outside the scope of NIDS).
Thank You!!