1 / 44

Multi-Core Packet Scattering to Disentangle Performance Bottlenecks

Multi-Core Packet Scattering to Disentangle Performance Bottlenecks. Yehuda Afek Tel-Aviv University. Joint work with. Anat Bremler -Barr. David Hay. Yotam Harchol. Yaron Koral. This work was supported by European Research Council (ERC) Starting Grant no. 259085. Deep Packet Inspection.

kolina
Download Presentation

Multi-Core Packet Scattering to Disentangle Performance Bottlenecks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multi-Core Packet Scattering to Disentangle Performance Bottlenecks YehudaAfek Tel-Aviv University

  2. Joint work with Anat Bremler-Barr David Hay YotamHarchol YaronKoral This work was supported by European Research Council (ERC) Starting Grant no. 259085

  3. Deep Packet Inspection • IPS/IDS/FW Heaviest processing part: Search for malicious patterns in the payload • Pipeline multi-core, not efficient. • Imbalance of pipeline stations, DPI much heavier • Parallel multi-core?

  4. Multi-Core Deep Packet Inspection (DPI) • Option 1: Each core a subset of patterns Pattern Set 1 Core 1 Pattern Set 2 Core 2 Pattern Set 3 Core 3 Pattern Set 4 Core 4

  5. Multi-Core Deep Packet Inspection (DPI) • Option 1: Each core a subset of patterns Pattern Set 1 Core 1 Pattern Set 2 Core 2 Pattern Set 3 Core 3 Pattern Set 4 Core 4

  6. Multi-Core Deep Packet Inspection (DPI) • Option 1: Each core a subset of patterns Pattern Set 1 Core 1 Pattern Set 2 Core 2 Pattern Set 3 Core 3 Pattern Set 4 Core 4

  7. Multi-Core Deep Packet Inspection (DPI) • Option 1: Each core a subset of patterns • Option 2: All cores are the same, Load-balance between cores Pattern Set 1 Core 1 Pattern Set 2 Core 2 Pattern Set 3 Core 3 Pattern Set 4 Core 4

  8. Multi-Core Deep Packet Inspection (DPI) • Option 2: All cores are the same, Load-balance between cores DPI Core 1 DPI Core 2 DPI Core 3 DPI Core 4

  9. Multi-Core Deep Packet Inspection (DPI) • Option 2: All cores are the same, Load-balance between cores DPI Core 1 DPI Core 2 DPI Core 3 DPI Core 4

  10. Complexity DoS Attack Over NIDS • Easy to craft – very hard to process packets • 2 Steps attack: Attacker 1. Kill IPS/FW Internet 2. Steal CC.

  11. Attack on Security Elements Combined Attack:DDoS on Security Element exposed the network – theft of customers’ information

  12. Attack on Snort The most widely deployed IDS/IPS worldwide. Heavy packets rate

  13. OUR GOAL: A multi-core system architecture, which is robust against complexity DDoS attacks

  14. Airline Desk Example

  15. Airline Desk Example A flight ticket

  16. Airline Desk Example Overweight!!! An isle seat near window!! Can’t find passport!! 20 min. 1 min. Three carry handbags!!! Doesn’t like food!!!

  17. Airline Desk Example

  18. Airline Desk Example Special training Domain Properties Heavy & Light customers. Easy detection of heavy customers. Moving customers between queues is cheap. Heavy customers have special more efficient processing method. packets 4 min. 1 min. packets packets packets

  19. Property 1 in Snort Attack Some packets are much “heavier” than others The Snort-attack experiment

  20. Snort uses Aho-Corasick DFA • DPI mechanism is a main bottleneck in Snort • Allows single step for each input symbol • Holds transition for each alphabet symbol Fast & Huge Heavy Packet Best for normal traffic Exposed to cache-miss attack

  21. Crafting HEAVY packets Chop last 2 bytes Malicious pkts Factory Snort patterns Database

  22. Snort-Attack Experiment Normal Traffic Attack Scenario Cache Main Memory Cache-miss!!! Does not require many packets!!!

  23. The General Case: Complexity Attacks Domain Properties Heavy & Light packets. Easy detection of heavy packets Moving packets between queues is cheap. Heavy packets have special more efficient processing method. • Trivial to Craft --- Hard to process packets

  24. Property 2 in Snort AttackDetecting heavy packets is feasible

  25. How Do We Detect? • May be quickly classified • Common states • Claim: the general case in complexity attacks!!! threshold Percent non-common states

  26. How Do We Detect? Common States Non Common States # Not Common States α After at least 20 bytes ≤ Heavy packet : # Common States

  27. Domain Properties Heavy & Light packets. Easy detection of heavy packets Moving packets between queues is cheap. Heavy packets have special more efficient processing method.

  28. System Architecture Detects heavy packets NIC Core #1 Q Core #2 Q Processor Chip Routine Mode: Load balance between cores Core #8 Q Core #9 Q Core #10 Q

  29. System Architecture Detects heavy packets NIC Core #1 Q Core #2 Q Processor Chip Alert Mode: Dedicated cores for heavy packets Others detect and move heavy to Dedicated. Core #8 Q Dedicated Core #9 B B B Q Dedicated Core #10 Q B

  30. Inter-Thread Communication • Non-blocking IN-queues • Only one thread accesses • Dedicated queues blocking (using test&set locks) • Non-dedicated threads “steal” packets from the HoL when sending a heavy packet NIC Core #1 Q Core #2 Q Processor Chip Core #8 Q Dedicated Core #9 B B B Q Dedicated Core #10 Q B

  31. Domain Properties Heavy & Light packets. Easy detection of heavy packets Moving packets between queues is cheap. Heavy packets have special more efficient processing method.

  32. Snort uses Aho-Corasick DFA

  33. Full Matrix vs. Compressed Heavy packets rate

  34. Domain Properties Heavy & Light packets. Easy detection of heavy packets Moving packets between queues is cheap. Heavy packets have special more efficient processing method.

  35. Experimental Results

  36. System Throughput Over Time Reaction time can be smaller

  37. Different Algorithms Goodput

  38. Additional Application for MCA2 The Hybrid-FA-attack experiment

  39. Hybrid-FA s0 E C B s1 s2 s7 • Space-efficient data structure for regular expression matching • Faster than NFA • Structure: • Head DFA • Border states • Tail DFAs • More than one state can be activeat the same time! D E D C s3 s4 s5 s8 D B A s9 s13 s6 [^\n]* A C .* s14 s10 A s11 B s12

  40. Hybrid-FA Attack s0 E C B s1 s2 s7 s0 Normal Traffic Attack Scenario D s2 E D C s7 s3 s4 s5 s8 s5 s8 D B [^\n]* A s9 s9 s13 .* s13 s6 s10 A C s14 s10 s11 A s12 s11 Input: C D B B C A B B Again: Does not require many packets!!! s12

  41. Heavy Packet Detection threshold

  42. MCA2 With Hybrid-FA

  43. Concluding Remarks • A multi-core system architecture • Robustness against complexity DDoS attacks • In this talk we focused on specific NIDS and complexity attack • MCA2 can handle more NIDS complexity attacks, like the Bro Lazy-FA • We believe this approach can be generalized(outside the scope of NIDS)

  44. Thank You!! Deep packet inspection

More Related