Policy Injection: A Cloud Dataplane DoS Attack

Policy Injection: A Cloud Dataplane DoS Attack

Abstract

Enterprises continue to migrate their services to the cloud on a massive scale, but the increasing attack surface has become a natural target for malevolent actors. We show policy injection, a novel algorithmic complexity attack that enables a tenant to add specially tailored ACLs into the data center fabric to mount a denial-of-service attack through exploiting the built-in security mechanisms of the cloud management systems (CMS) . Our insight is that certain ACLs, when fed with special covert packets by an attacker, may be very difficult to evaluate, leading to an exhaustion of cloud resources. We show how a tenant can inject seemingly harmless ACLs into the cloud data plane to abuse an algorithmic deficiency in the most popular cloud hypervisor switch, Open vSwitch, and reduce its effective peak performance by 80-90%, and, in certain cases, denying network access altogether

Grafik Top
Authors
  • Csikor, Levente
  • Rothenberg, Christian
  • Pezaros, Dimitrios
  • Schmid, Stefan
  • Toka, Laszlo
  • Retvari, Gabor
Grafik Top
Supplemental Material
Shortfacts
Category
Paper in Conference Proceedings or in Workshop Proceedings (Paper)
Event Title
ACM SIGCOMM 2018
Divisions
Communication Technologies
Subjects
Informatik Allgemeines
Event Location
Budapest, Hungary
Event Type
Conference
Event Dates
August 2018
Date
2018
Export
Grafik Top