Defending Networked Assets at 100Gbps and Beyond

Abstract

Network security appliances, such as intrusion detection/prevention systems (IDS), forensic and monitoring systems ("network loggers"), and authentication systems, are crucial to defending networked assets. Defense and government security installations are among the most sophisticated deployments, with stringent forensic and encryption requirements. We argue that network security infrastructure itself is vulnerable to overload-based attacks due to a combination of trends in computer hardware as well as poor analysis of worst-case performance bounds in the design and implementation of these systems. In this proposal, we aim to mitigate these vulnerabilities through a combination of new systems designs with mathematical bounds on their performance.

Even in the absence of adversarial agents, network security appliances sit at a precipice for failure due to the convergence of two trends in computer systems. It is well known that the performance gains due to Moore's Law are tapering off and that CPU speeds are increasing at only a moderate pace relative to their previously exponential growth. It is less well known that Edholm's Law, the networking equivalent, has shown no such slowdown, and improvements in optical networking continue to grow exponentially. Commercial and military use cases are eager to take advantage of this increase in network capacity as massive growth continues in deployments of sensors, unmanned drones, satellites, and other data collection systems that ship information back to datacenters for large-scale analysis. Unfortunately, anecdotal reports from commercial operators today reveal that, due to the decline of Moore's Law, network security appliances are increasingly unable to keep up with monitoring at state-of-the-art link speeds.

Making matters worse, the inability to keep up with line rates of data is a vulnerability in itself. Classic distributed denial of service (DDoS) attacks involve attackers producing massive amounts of data to overload networked systems, often by harnessing hundreds of thousands of "bots" at once. But attackers need not meet the device's marketed capacity to overload it: instead, attackers can carefully craft their traffic to trigger pessimal code paths through the vulnerable systems. For example, one published attack on a widely deployed software switch provisioned to operate at 15Gbps showed that the device could be pushed to overload, dropping 99% of innocent packets, when faced with a mere 1Mbps stream of attack traffic. Attacks in which an attacker carefully crafts inputs to maximize their resource use are called Algorithmic Complexity Attacks (ACAs).

Our goal in this proposal is to design network security infrastructure with built-in resilience to algorithmic overloads and provable performance lower bounds. Our insight to achieve this is twofold: first, that modern hardware offloads not only provide performance speedups, they also provide performance predictability. For example, FPGAs, when carefully programmed, can guarantee traffic line rates regardless of input rates; PISA switches will simply fail to compile programs that cannot guarantee a fixed line rate. However, poorly designed algorithms and designs for either platform can still lead to slowdowns; furthermore, some sophisticated analysis, such as regular-expression matching and anomaly detection, really does perform better on CPUs. Hence, to provide strong performance guarantees, we need to couple combined hardware-software designs with careful, worst-case mathematical performance analysis. We present four vectors of research hardening algorithms, data structures, and hardware and software systems to strengthen network security appliances against the threat of overload.

Document Details

Document Type: DoD Grant Award
Publication Date: Jan 24, 2024
Source ID: N000142412059

Entities

People

  • Justine Sherry

Organizations

  • Carnegie Mellon University
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Applied Combinatorial Optimization and Logic Circuit Design
  • Cybersecurity
  • Parallel and Distributed Computing

Technology Areas

  • Autonomy
  • Cyber
  • Space