MCA2: Multi Core Architecture for Mitigating Complexity Attacks
Yaron Koral (TAU)
Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay (HUJI) and Yotam Harchol (HUJI)

A multicore system architecture, which is robust against complexity DDoS attacks

Network Intrusion Detection System
• Reports or drops malicious packets
• Important technique: Deep Packet Inspection (DPI)
[Figure: IP packets arriving from the Internet at the NIDS]

Complexity DoS Attack Over NIDS
• Find a gap between the average case and the worst case
• One may craft an input that exploits this gap
• Launch a Denial of Service attack on the system
[Figure: NIDS throughput under traffic from the Internet]

Attack on Security Elements
• Combined attack: a DDoS on the security element exposed the network – theft of customers' information

Attack on Snort
• The most widely deployed IDS/IPS worldwide
[Chart: max throughput under routine traffic vs. heavy-packet traffic]

Airline Desk Example
• A flight ticket
• Overweight!!! Can't find passport!! Doesn't like food!!! An aisle seat near the window!! Three carry handbags!!!
• Special training

Domain Properties (airline desk)
1. Heavy & light customers.
2. Easy detection of heavy customers.
3. Moving customers between queues is cheap.
4. Heavy customers have a special, more efficient processing method.

Some packets are much "heavier" than others

The Snort-attack experiment
• Snort uses an Aho-Corasick DFA
• The DPI mechanism is a main bottleneck in Snort
• Allows a single step for each input symbol
• Holds a transition for each alphabet symbol
• Fast & huge: best for normal traffic, exposed to a cache-miss attack
[Figure: a heavy packet drives the DFA out of the cache into main memory]

Snort-Attack Experiment
• Normal traffic vs. attack scenario
[Chart: max throughput under routine traffic vs. heavy-packet traffic]

The General Case: Complexity Attacks
• Building the packet is much cheaper than processing it.
• Detecting heavy packets is feasible

Domain Properties (packets)
1. Heavy & light packets.
2. Easy detection of heavy packets.
3. Moving packets between queues is cheap.
4. Heavy packets have a special, more efficient processing method.

How Do We Detect?
• Normal and heavy packets differ from each other
• May be classified quickly (threshold)
• Claim: this is the general case in complexity attacks!!!

System Architecture
• Routine and alert mode
• Drop mode
• Dynamic thread allocation model
• Non-blocking queue synchronization
• Move packets between cores with negligible overhead!
[Figure: processor chip with a queue per core, Core #1 … Core #8 plus Dedicated Core #9 and Dedicated Core #10; the NIC detects heavy packets]

Snort uses Aho-Corasick DFA
• Full Matrix vs. Compressed

Experimental Results
[Charts: system throughput over time; goodput of the different algorithms]

Concluding Remarks
• A multi-core system architecture, which is robust against complexity DDoS attacks
• In this talk we focused on a specific NIDS and complexity attack
• Additional results show how the system fits other cases:
  – Hybrid-FA
  – Bro Lazy-FA
• We believe this approach can be generalized (outside the scope of NIDS).

Thank You!!
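As an added illustration of the detection, System Architecture and Full Matrix vs. Compressed slides (example code written for this page, not code from the talk or the MCA2 project): a Python model of one Aho-Corasick automaton with both a full-matrix DFA and a compressed goto/failure walker, a cheap heavy-packet detector, and a dispatcher that keeps light packets on routine cores and moves heavy ones to the dedicated core's queue. The heaviness metric (fraction of probed bytes landing in states deeper than an assumed cache-resident depth), the HOT_DEPTH/PROBE/THRESHOLD values, the pattern set and the packets are all constructed assumptions.

```python
class AhoCorasick:
    """Full-matrix DFA (256 pointers per state, one lookup per byte) plus compressed goto/fail links."""
    def __init__(self, patterns):
        self.goto, self.fail, self.out, self.depth = [{}], [0], [set()], [0]
        for p in patterns:
            s = 0
            for c in p.encode():
                if c not in self.goto[s]:
                    self.goto[s][c] = len(self.goto); self.depth.append(self.depth[s] + 1)
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                s = self.goto[s][c]
            self.out[s].add(p)
        self.full, order = [None] * len(self.goto), [0]
        for s in order:  # BFS (list grows while iterated): fail[s] is shallower, so its row exists
            self.full[s] = [self.goto[s].get(c, self.full[self.fail[s]][c] if s else 0) for c in range(256)]
            for c, t in self.goto[s].items():
                f = self.fail[s]
                while f and c not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(c, 0) if s else 0
                self.out[t] |= self.out[self.fail[t]]
                order.append(t)

    def scan(self, data, compressed=False):
        s, hits = 0, set()
        for c in data:
            if compressed:  # small tables, but may chase several fail links per byte
                while s and c not in self.goto[s]:
                    s = self.fail[s]
                s = self.goto[s].get(c, 0)
            else:  # one lookup per byte; rows of deep states are the cache-miss surface
                s = self.full[s][c]
            hits |= self.out[s]
        return sorted(hits)

HOT_DEPTH, PROBE, THRESHOLD = 1, 32, 0.5  # assumed: cache-resident depth, probe bytes, heavy cutoff

def classify(ac, payload):  # cheap detector: probe a prefix on the fast DFA, count deep-state steps
    s, deep, probe = 0, 0, payload[:PROBE]
    for c in probe:
        s = ac.full[s][c]
        deep += ac.depth[s] > HOT_DEPTH
    return "heavy" if probe and deep / len(probe) > THRESHOLD else "light"

def dispatch(ac, packets):
    """Light packets stay on routine cores (full matrix); heavy ones move to the dedicated queue."""
    queue = {"routine": [], "dedicated": []}
    for pid, payload in packets:
        queue["dedicated" if classify(ac, payload) == "heavy" else "routine"].append((pid, payload))
    return {pid: (q, ac.scan(payload, compressed=(q == "dedicated"))) for q in queue for pid, payload in queue[q]}

PATTERNS = ["cmd.exe", "/etc/passwd", "SELECT"]
PACKETS = [("p1", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"), ("p2", b"GET /cmd.exe HTTP/1.0"),
           ("p3", b"/etc/passw" * 3 + b"/etc/passwd")]  # constructed; p3 crafted to keep the DFA deep
```

Both walkers report the same matches; only the core that does the work differs, which is the point of moving heavy packets instead of dropping them.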