
Tearing Down the Face of Algorithmic Complexity Attacks for DPI Engines


Abstract

Deep Packet Inspection (DPI) is the core of security devices such as NIDS and NIPS, which makes it an important target for adversaries. The DPI engine's weakness is that it relies heavily on pattern matching algorithms, which consume a lot of system resources. To cause a denial of service against DPI, the adversary leverages string repetitions to perform algorithmic complexity attacks. In this paper, we propose an attack identification method for automata and design three defensive strategies. Our attack identification method adopts a two-step threshold detection method, while the defensive mechanisms are dropping, transferring and rescheduling the traffic. Rescheduling traffic on a multi-core platform is a parallelization problem. To solve it, this paper proposes a traffic exchange strategy between threads, so that the attack traffic is allocated to dedicated threads. We demonstrate the effectiveness of our method by checking the packet loss rate of the NIC and monitoring CPU and memory utilization. Under different attack intensities, our experiments show a throughput boost of up to 11%-60% compared with the original system, and 4%-14% compared with the Level-1 threshold detection. In addition, the false negative rate under the diversified attack scenarios is lower than that of the original system and Level-1 threshold detection.
