MCA2: Multi Core Architecture for Mitigating Complexity Attacks. Yaron Koral (TAU). Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay (HUJI) and Yotam Harchol (HUJI). A multicore system architecture, which is robust against complexity DDoS attacks.
Network Intrusion Detection System
• Reports or drops malicious packets
• Important technique: Deep Packet Inspection (DPI)
[Figure: IP packets arriving from the Internet pass through the NIDS]
Complexity DoS Attack Over NIDS
• Find a gap between the average-case and the worst-case processing cost
• One may craft an input that exploits this gap
• Launch a Denial of Service attack on the system
[Plot: NIDS throughput under real-life traffic from the Internet vs. under crafted traffic]
Attack on Security Elements
Combined attack: a DDoS on the security element exposed the network, leading to the theft of customers' information
Attack on Snort
• The most widely deployed IDS/IPS worldwide
[Plot: throughput falls from its maximum under routine traffic to a fraction of it under heavy-packet traffic]
Airline Desk Example
[Figure: a flight ticket]
[Figure: a heavy customer (overweight luggage, wants an aisle seat near the window, can't find passport, three carry-on bags, doesn't like the food) occupies the desk for 20 min.; a light customer takes 1 min.]
Airline Desk Example: Special Training
[Figure: with a specially trained agent the heavy customer takes 4 min. instead of 20; the light customer still takes 1 min.]
Domain Properties (airline desk)
• Heavy & light customers
• Easy detection of heavy customers
• Moving customers between queues is cheap
• Heavy customers have a special, more efficient processing method
Domain Properties (NIDS)
• Heavy & light packets
• Easy detection of heavy packets
• Moving packets between queues is cheap
• Heavy packets have a special, more efficient processing method
Some packets are much "heavier" than others: the Snort-attack experiment
Snort uses an Aho-Corasick DFA
• The DPI mechanism is a main bottleneck in Snort
• Allows a single step for each input symbol
• Holds a transition for each alphabet symbol
• Fast & huge: best for normal traffic, but a heavy packet exposes it to a cache-miss attack
Snort-Attack Experiment
[Figure: under normal traffic the DFA walk stays in states resident in the cache; in the attack scenario it is driven to states that must be fetched from main memory: cache miss!!!]
[Plot: throughput falls from its maximum under routine traffic to a fraction of it under heavy-packet traffic; the attack does not require many packets!!!]
The General Case: Complexity Attacks
Domain Properties
• Heavy & light packets
• Easy detection of heavy packets
• Moving packets between queues is cheap
• Heavy packets have a special, more efficient processing method
• Building the packet is much cheaper than processing it
How Do We Detect?
• Normal and heavy packets differ from each other
• They may be classified quickly
• Claim: this is the general case in complexity attacks!!!
[Plot: normal and heavy packets separated by a threshold]
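As an added example (this is not code from the MCA2 talk, from the paper, or from Snort), the following Python builds a full-table Aho-Corasick DFA of the kind the slides describe, one row of 256 next-state entries per state, scans packets with it, and estimates a packet's heaviness as the fraction of input bytes that push the automaton into states deeper than a threshold. The depth-based proxy for cache misses, the 64-byte classification prefix, the 0.3 cut-off, the four patterns and the two packets are all assumptions of this example; with four patterns the whole table fits in cache, so the depth metric stands in for the misses a real Snort rule set would take.

```python
"""Aho-Corasick full-DFA matcher with a per-packet cache-miss proxy (added example)."""
from collections import deque

ALPHABET = 256   # one transition per byte value, as in a full DFA
NO_EDGE = -1     # trie marker before the failure transitions are filled in


class AhoCorasickDFA:
    """Full-table Aho-Corasick automaton: next[state][byte] -> state."""

    def __init__(self, patterns):
        self.next = [[NO_EDGE] * ALPHABET]   # one row per state, one column per byte
        self.depth = [0]                      # trie depth of each state
        self.output = [set()]                 # patterns that end in each state
        for p in patterns:
            self._insert(p)
        self._build_failure_links()

    def _insert(self, pattern: bytes) -> None:
        s = 0
        for b in pattern:
            if self.next[s][b] == NO_EDGE:
                self.next.append([NO_EDGE] * ALPHABET)
                self.depth.append(self.depth[s] + 1)
                self.output.append(set())
                self.next[s][b] = len(self.next) - 1
            s = self.next[s][b]
        self.output[s].add(pattern)

    def _build_failure_links(self) -> None:
        """BFS over the trie; every missing edge is replaced by the state the
        failure chain would reach, so scanning is one table lookup per byte."""
        fail = [0] * len(self.next)
        queue = deque()
        for b in range(ALPHABET):
            child = self.next[0][b]
            if child == NO_EDGE:
                self.next[0][b] = 0
            else:
                queue.append(child)
        while queue:
            s = queue.popleft()
            self.output[s] |= self.output[fail[s]]   # fail[s] is shallower: done already
            for b in range(ALPHABET):
                child = self.next[s][b]
                if child == NO_EDGE:
                    self.next[s][b] = self.next[fail[s]][b]
                else:
                    fail[child] = self.next[fail[s]][b]
                    queue.append(child)

    def scan(self, data: bytes, deep_threshold: int = 4):
        """Return (matches, deep_visits). matches: (end_offset, pattern) pairs.
        deep_visits: bytes that land in a state deeper than deep_threshold,
        this example's proxy for states unlikely to be in cache."""
        s, matches, deep_visits = 0, [], 0
        for i, b in enumerate(data):
            s = self.next[s][b]
            if self.depth[s] > deep_threshold:
                deep_visits += 1
            for p in self.output[s]:
                matches.append((i, p))
        return matches, deep_visits


def heaviness(dfa: AhoCorasickDFA, packet: bytes, deep_threshold: int = 4) -> float:
    """Fraction of bytes that drive the DFA into deep states (assumed proxy)."""
    _, deep = dfa.scan(packet, deep_threshold)
    return deep / len(packet) if packet else 0.0


def is_heavy(dfa: AhoCorasickDFA, packet: bytes, prefix: int = 64, cutoff: float = 0.3) -> bool:
    """Cheap classification: look at the first `prefix` bytes only (assumed parameters)."""
    return heaviness(dfa, packet[:prefix]) >= cutoff


# Constructed sample data: a toy rule set, a normal request, and an attack
# payload that keeps walking 10 states deep without ever completing a match.
PATTERNS = [b"GET /cgi-bin/phf", b"/etc/passwd", b"cmd.exe", b"SELECT"]
NORMAL_PACKET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
ATTACK_PACKET = b"/etc/passw" * 20

if __name__ == "__main__":
    dfa = AhoCorasickDFA(PATTERNS)
    for name, pkt in (("normal", NORMAL_PACKET), ("attack", ATTACK_PACKET)):
        print(name, "heaviness=%.3f" % heaviness(dfa, pkt), "heavy:", is_heavy(dfa, pkt))
```

The normal request touches one state deeper than 4 (the "GET /" prefix) in 45 bytes, while every 10-byte repetition of the attack payload spends 6 bytes in deep states, so the two are separable by a threshold after a short prefix; the attack payload also never matches a rule, which is what makes it cheap to build and expensive to scan.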
System Architecture
[Figure: the NIC feeds a queue (Q) on each of Cores #1–#8 of the processor chip; heavy packets are detected there and handed to Dedicated Cores #9 and #10, each with its own queue (Q) and buffer (B)]
• Routine and alert mode
• Drop mode
• Dynamic thread allocation model
• Non-blocking queue synchronization
• Move packets between cores with negligible overhead!
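As an added example (not code from the MCA2 talk or paper), the following Python simulates the mode switching that the slide lists: routine cores start every packet on the normal path, pay for a short detection prefix, and then either keep the packet, move it to a dedicated core's queue (alert mode) or discard it (drop mode). The cycle costs per byte, the 64-byte detection prefix, the window-based mode rule, the dedicated-queue capacity and drain rate, and the packet stream are all constructed assumptions of this example, chosen to make the three modes appear; they are not measurements or the paper's exact policy.

```python
"""Cycle-accounting simulation of MCA2-style routine / alert / drop modes (added example)."""
from dataclasses import dataclass, field

# Constructed cost model (assumption, not measured): cycles per byte on each path.
CYCLES_LIGHT = 1        # light packet on the full DFA, states stay in cache
CYCLES_HEAVY_FULL = 20  # heavy packet on the full DFA, cache miss on deep states
CYCLES_HEAVY_DEDIC = 4  # heavy packet on a dedicated core's heavy-packet engine
DETECT_PREFIX = 64      # bytes a routine core scans before it classifies a packet


@dataclass
class Packet:
    pid: int
    size: int
    heavy: bool  # what the detector concludes after DETECT_PREFIX bytes


@dataclass
class Stats:
    routine_cycles: int = 0     # work done by the routine cores
    dedicated_cycles: int = 0   # work done by the dedicated cores
    moved: int = 0              # heavy packets handed to the dedicated queue
    dropped: int = 0            # heavy packets discarded
    mode_log: list = field(default_factory=list)  # mode chosen at each window end


class Mca2Dispatcher:
    """Mode rules are this example's assumptions: the first heavy packet seen
    in routine mode raises alert mode; at the end of every window the mode is
    re-decided from the heavy share and the dedicated queue's backlog."""

    def __init__(self, window=20, alert_ratio=0.2, capacity=8, drain_rate=2):
        self.window = window            # packets between mode decisions
        self.alert_ratio = alert_ratio  # heavy share below which routine mode resumes
        self.capacity = capacity        # heavy packets the dedicated queue can hold
        self.drain_rate = drain_rate    # heavy packets dedicated cores finish per window
        self.mode = "routine"
        self.dedicated_queue = []       # remaining bytes of each queued heavy packet
        self.stats = Stats()
        self._seen = self._heavy = 0

    def process(self, pkt: Packet) -> None:
        st = self.stats
        self._seen += 1
        if not pkt.heavy:
            st.routine_cycles += pkt.size * CYCLES_LIGHT
        else:
            self._heavy += 1
            # the routine core pays for the detection prefix before it can react
            st.routine_cycles += DETECT_PREFIX * CYCLES_HEAVY_FULL
            rest = pkt.size - DETECT_PREFIX
            if self.mode == "routine":
                self.mode = "alert"     # first heavy packet raises the alarm
            if self.mode == "alert" and len(self.dedicated_queue) < self.capacity:
                self.dedicated_queue.append(rest)   # cheap move to a dedicated core
                st.moved += 1
            else:
                st.dropped += 1         # drop mode, or the dedicated queue is full
        if self._seen == self.window:
            self._end_of_window()

    def _end_of_window(self) -> None:
        st = self.stats
        if self._heavy / self._seen < self.alert_ratio:
            self.mode = "routine"
        elif len(self.dedicated_queue) >= self.capacity:
            self.mode = "drop"          # the dedicated cores cannot keep up either
        else:
            self.mode = "alert"
        st.mode_log.append(self.mode)
        # dedicated cores finish up to drain_rate queued heavy packets per window
        served = self.dedicated_queue[: self.drain_rate]
        self.dedicated_queue = self.dedicated_queue[self.drain_rate:]
        st.dedicated_cycles += sum(served) * CYCLES_HEAVY_DEDIC
        self._seen = self._heavy = 0


def run(packets) -> Stats:
    d = Mca2Dispatcher()
    for p in packets:
        d.process(p)
    return d.stats


def baseline_cycles(packets) -> int:
    """Every packet finished on the routine cores, i.e. without MCA2."""
    return sum(p.size * (CYCLES_HEAVY_FULL if p.heavy else CYCLES_LIGHT) for p in packets)


def constructed_stream():
    """Five windows of 20 packets of 1000 bytes: a quiet window, three attack
    windows in which every other packet is heavy, then quiet again (constructed)."""
    pkts = []
    for w in range(5):
        for i in range(20):
            pkts.append(Packet(len(pkts), 1000, heavy=(w in (1, 2, 3) and i % 2 == 1)))
    return pkts


if __name__ == "__main__":
    s = run(constructed_stream())
    print(f"routine {s.routine_cycles} dedicated {s.dedicated_cycles} "
          f"moved {s.moved} dropped {s.dropped} modes {s.mode_log}")
    print("without MCA2, routine cycles:", baseline_cycles(constructed_stream()))
```

With these numbers the routine cores spend 108,400 cycles on the stream instead of 670,000, because after detection a heavy packet costs them only the 64-byte prefix; the mode log shows the system moving to drop mode once the dedicated queue is full and back to alert and routine as the backlog drains and the attack ends.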
Concluding Remarks
• A multi-core system architecture, which is robust against complexity DDoS attacks
• In this talk we focused on a specific NIDS and a specific complexity attack
• Additional results show how the system fits other cases:
  • Hybrid-FA
  • Bro Lazy-FA
• We believe this approach can be generalized (outside the scope of NIDS)