Visible to the public Policy Injection: A Cloud Dataplane DoS Attack

TitlePolicy Injection: A Cloud Dataplane DoS Attack
Publication TypeConference Paper
Year of Publication2018
AuthorsCsikor, Levente, Rothenberg, Christian, Pezaros, Dimitrios P., Schmid, Stefan, Toka, László, Retvari, Gabor
Conference NameProceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos
PublisherACM
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-5915-3
Keywordsattack surface, Cloud Security, DoS, Metrics, OVS, policy injection, pubcrawl, resilience, Resiliency, Scalability
Abstract

Enterprises continue to migrate their services to the cloud on a massive scale, but the increasing attack surface has become a natural target for malevolent actors. We show policy injection, a novel algorithmic complexity attack that enables a tenant to add specially tailored ACLs into the data center fabric to mount a denial-of-service attack through exploiting the built-in security mechanisms of the cloud management systems (CMS). Our insight is that certain ACLs, when fed with special covert packets by an attacker, may be very difficult to evaluate, leading to an exhaustion of cloud resources. We show how a tenant can inject seemingly harmless ACLs into the cloud data plane to abuse an algorithmic deficiency in the most popular cloud hypervisor switch, Open vSwitch, and reduce its effective peak performance by 80-90%, and, in certain cases, denying network access altogether.

URLhttps://dl.acm.org/citation.cfm?doid=3234200.3234250
DOI10.1145/3234200.3234250
Citation Keycsikor_policy_2018