Multi-Core Packet Scattering to Disentangle Performance Bottlenecks
Yehuda Afek, Tel-Aviv University. Joint work with Anat Bremler-Barr, David Hay, Yotam Harchol and Yaron Koral. This work was supported by European Research Council (ERC) Starting Grant no. 259085.
Deep Packet Inspection
• IPS/IDS/FW: the heaviest processing part is the search for malicious patterns in the payload
1. Pipeline multi-core, not efficient.
– Imbalance of pipeline stations, DPI much heavier
2. Parallel multi-core?
Multi-Core Deep Packet Inspection (DPI)
• Option 1: Each core a subset of patterns
[Diagram: Core 1 to Core 4 with Pattern Set 1 to Pattern Set 4]
• Option 2: All cores are the same, load-balance between cores
[Diagram: Core 1 to Core 4, each running DPI]
Complexity DoS Attack Over NIDS
• Easy to craft – very hard to process packets
• 2 Steps attack:
1. Kill IPS/FW
2. Steal CC.
[Diagram labels: Attacker, Internet]
Attack on Security Elements
Combined Attack: DDoS on Security Element exposed the network – theft of customers’ information
Attack on Snort
The most widely deployed IDS/IPS worldwide.
[Plot; axis label: Heavy packets rate]
OUR GOAL: A multi-core system architecture, which is robust against complexity DDoS attacks
Airline Desk Example
A flight ticket
• An aisle seat near window!!
• Three carry handbags!!!
• Doesn’t like food!!!
• Can’t find passport!!
• Overweight!!!
[Figure labels: 20 min. and 1 min.; on the following slide, 4 min. and 1 min.]
Domain Properties
1. Heavy & Light customers.
2. Easy detection of heavy customers.
3. Moving customers between queues is cheap.
4. Heavy customers have a special, more efficient processing method.
[Figure labels: Special training; packets]
Some packets are much “heavier” than others
The Snort-attack experiment
Property 1 in Snort Attack
Snort uses Aho-Corasick DFA
• DPI mechanism is a main bottleneck in Snort
• Allows single step for each input symbol
• Holds transition for each alphabet symbol
Fast & Huge
Best for normal traffic
Exposed to cache-miss attack
[Figure label: Heavy Packet]
Crafting HEAVY packets
[Diagram labels: Snort patterns Database; Malicious pkts Factory; Chop last 2 bytes]
Snort-Attack Experiment
[Diagram: Cache and Main Memory, shown for Normal Traffic and for the Attack Scenario]
Cache-miss!!!
Does not require many packets!!!
The General Case: Complexity Attacks
• Trivial to Craft --- Hard to process packets
Domain Properties
1. Heavy & Light packets.
2. Easy detection of heavy packets
3. Moving packets between queues is cheap.
4. Heavy packets have a special, more efficient processing method.
Property 2 in Snort Attack
Detecting heavy packets is feasible
How Do We Detect?
• May be quickly classified
• Common states
• Claim: the general case in complexity attacks!!!
[Plot: Percent non-common states, with a threshold]
How Do We Detect?
[Diagram labels: Common States, Non-Common States]
Heavy packet: (# Not Common States) / (# Common States) ≤ α, after at least 20 bytes
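The detection idea on these two slides, written out as an added example (not code from the talk or from Snort): a full-matrix Aho-Corasick DFA, a set of common states, and an early heavy-packet verdict after 20 bytes. Assumptions: common states are the most-visited states in a benign sample, a packet is flagged once its share of non-common states rises above the threshold, and all names, signatures and payloads are constructed.

```python
from collections import Counter, deque

def build_dfa(patterns):
    """Aho-Corasick as a full-matrix DFA: one next-state entry per (state, byte)."""
    goto, fail = [{}], {0: 0}
    for pat in patterns:                       # build the trie of all patterns
        s = 0
        for b in pat:
            s = goto[s].setdefault(b, len(goto))
            if s == len(goto):                 # setdefault just created this child
                goto.append({})
    dfa = [[0] * 256 for _ in goto]
    queue = deque([0])
    while queue:                               # BFS folds failure links into the table
        s = queue.popleft()
        for b in range(256):
            t = goto[s].get(b)
            if t is not None:
                fail[t] = dfa[fail[s]][b]      # for root children this is still 0
                queue.append(t)
            dfa[s][b] = dfa[fail[s]][b] if t is None else t
    return dfa

def learn_common(dfa, benign_payloads, keep=8):
    """Assumption: 'common' states = root plus the most-visited states in benign traffic."""
    hits = Counter()
    for payload in benign_payloads:
        s = 0
        for b in payload:
            s = dfa[s][b]
            hits[s] += 1
    return {0} | {st for st, _ in hits.most_common(keep)}

def is_heavy(dfa, common, payload, threshold=0.5, min_bytes=20):
    """True once, after min_bytes, the share of non-common states exceeds threshold."""
    s = rare = 0
    for i, b in enumerate(payload, 1):
        s = dfa[s][b]
        rare += s not in common
        if i >= min_bytes and rare / i > threshold:
            return True                        # early verdict, rest of payload not needed
    return False

# Constructed sample data: toy signatures and traffic, not a real rule set.
PATTERNS = [b"cmd.exe", b"/etc/passwd", b"<script>", b"union select"]
BENIGN = [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
          b"POST /login HTTP/1.1\r\nContent-Length: 27\r\n\r\n"]
DFA = build_dfa(PATTERNS)
COMMON = learn_common(DFA, BENIGN)
HEAVY = b"cmd.e/etc/passunion sel<scri" * 2    # constructed: truncated toy signatures
```

`is_heavy(DFA, COMMON, HEAVY)` returns True at byte 20, while a request that contains one complete signature stays far below the threshold and is not flagged.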
System Architecture
Routine Mode: Load balance between cores
[Diagram: Processor Chip with NIC, queues (Q), Core #1, Core #2, Core #8, Core #9, Core #10; label: Detects heavy packets]
System Architecture
Alert Mode: Dedicated cores for heavy packets. Others detect and move heavy to Dedicated.
[Diagram: Processor Chip with NIC, Core #1, Core #2, Core #8, Dedicated Core #9, Dedicated Core #10, queues labelled Q and B; label: Detects heavy packets]
Inter-Thread Communication
• Non-blocking IN-queues
– Only one thread accesses
• Dedicated queues blocking (using test&set locks)
– Non-dedicated threads “steal” packets from the HoL when sending a heavy packet
[Diagram: Processor Chip with NIC, Core #1, Core #2, Core #8, Dedicated Core #9, Dedicated Core #10, queues labelled Q and B]
Snort uses Aho-Corasick DFA
Full Matrix vs. Compressed
[Plot; axis label: Heavy packets rate]
Experimental Results
System Throughput Over Time
Reaction time can be smaller
Different Algorithms Goodput
Additional Application for MCA2
The Hybrid-FA-attack experiment
Hybrid-FA
• Space-efficient data structure for regular expression matching
• Faster than NFA
• Structure:
– Head DFA
– Border states
– Tail DFAs
• More than one state can be active at the same time!
[Diagram: Hybrid-FA automaton with states s0 to s14 and transitions labelled A, B, C, D, E, .* and [^\n]*]
Hybrid-FA Attack
[Diagram: the Hybrid-FA automaton (states s0 to s14), shown for Normal Traffic and for the Attack Scenario; state labels s0, s7, s8, s9, s10, s11, s12, s2, s5, s13]
Input: C D B B C AB
Again: Does not require many packets!!!
Heavy Packet Detection
[Plot with threshold]
MCA2 With Hybrid-FA
Concluding Remarks
• A multi-core system architecture
• Robustness against complexity DDoS attacks
• In this talk we focused on specific NIDS and complexity attack
– MCA2 can handle more NIDS complexity attacks, like the Bro Lazy-FA
• We believe this approach can be generalized (outside the scope of NIDS)
Thank You!!