Headline
CVE-2019-25076: On the Feasibility and Enhancement of the Tuple Space Explosion Attack against Open vSwitch
The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.17.2 and 3.0.0 allows remote attackers to cause a denial of service (delays of legitimate traffic) via crafted packet data that requires excessive evaluation time within the packet classification algorithm for the MegaFlow cache, aka a Tuple Space Explosion (TSE) attack.
Download PDF
Abstract: Being a crucial part of networked systems, packet classification has to be highly efficient; however, software switches in cloud environments still face performance challenges. The recently proposed Tuple Space Explosion (TSE) attack exploits an algorithmic deficiency in Open vSwitch (OVS). In TSE, legitimate low-rate attack traffic makes the cardinal linear search algorithm in the Tuple Space Search (TSS) algorithm to spend an unaffordable time for classifying each packet resulting in a denial-of-service (DoS) for the rest of the users. In this paper, we investigate the feasibility of TSE from multiple perspectives. Besides showing that TSE is still efficient in the newer version of OVS, we show that when the kernel datapath is compiled from a different source, it can degrade its performance to ~1% of its baseline with less than 1 Mbps attack rate. Finally, we show that TSE is much less effective against OVS-DPDK with userspace datapath due to the enhanced ranking process in its TSS implementation. Therefore, we propose TSE 2.0 to defeat the ranking process and achieve a complete DoS against OVS-DPDK. Furthermore, we present TSE 2.1, which achieves the same goal against OVS-DPDK running on multiple cores without significantly increasing the attack rate.
Submission history
From: Levente Csikor PhD [view email]
[v1] Wed, 18 Nov 2020 06:13:08 UTC (1,842 KB)