Saved in:
Bibliographic Details
Main Authors: Kashaf, Aqsa, Walsh, Aidan, Apostolaki, Maria, Sekar, Vyas, Agarwal, Yuvraj
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2405.09442
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866929344195067904
author Kashaf, Aqsa
Walsh, Aidan
Apostolaki, Maria
Sekar, Vyas
Agarwal, Yuvraj
author_facet Kashaf, Aqsa
Walsh, Aidan
Apostolaki, Maria
Sekar, Vyas
Agarwal, Yuvraj
contents There is anecdotal evidence that attackers use reconnaissance to learn the capacity of their victims before DDoS attacks to maximize their impact. The first step to mitigate capacity reconnaissance attacks is to understand their feasibility. However, the feasibility of capacity reconnaissance in network functions (NFs) (e.g., firewalls, NATs) is unknown. To this end, we formulate the problem of network function capacity reconnaissance (NFCR) and explore the feasibility of inferring the processing capacity of an NF while avoiding detection. We identify key factors that make NFCR challenging and analyze how these factors affect accuracy (measured as a divergence from ground truth) and stealthiness (measured in packets sent). We propose a flexible tool, NFTY, that performs NFCR and we evaluate two practical NFTY configurations to showcase the stealthiness vs. accuracy tradeoffs. We evaluate these strategies in controlled, Internet and/or cloud settings with commercial NFs. NFTY can accurately estimate the capacity of different NF deployments within 10% error in the controlled experiments and the Internet, and within 7% error for a commercial NF deployed in the cloud (AWS). Moreover, NFTY outperforms link-bandwidth estimation baselines by up to 30x.
format Preprint
id arxiv_https___arxiv_org_abs_2405_09442
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Network Function Capacity Reconnaissance by Remote Adversaries
Kashaf, Aqsa
Walsh, Aidan
Apostolaki, Maria
Sekar, Vyas
Agarwal, Yuvraj
Networking and Internet Architecture
There is anecdotal evidence that attackers use reconnaissance to learn the capacity of their victims before DDoS attacks to maximize their impact. The first step to mitigate capacity reconnaissance attacks is to understand their feasibility. However, the feasibility of capacity reconnaissance in network functions (NFs) (e.g., firewalls, NATs) is unknown. To this end, we formulate the problem of network function capacity reconnaissance (NFCR) and explore the feasibility of inferring the processing capacity of an NF while avoiding detection. We identify key factors that make NFCR challenging and analyze how these factors affect accuracy (measured as a divergence from ground truth) and stealthiness (measured in packets sent). We propose a flexible tool, NFTY, that performs NFCR and we evaluate two practical NFTY configurations to showcase the stealthiness vs. accuracy tradeoffs. We evaluate these strategies in controlled, Internet and/or cloud settings with commercial NFs. NFTY can accurately estimate the capacity of different NF deployments within 10% error in the controlled experiments and the Internet, and within 7% error for a commercial NF deployed in the cloud (AWS). Moreover, NFTY outperforms link-bandwidth estimation baselines by up to 30x.
title Network Function Capacity Reconnaissance by Remote Adversaries
topic Networking and Internet Architecture
url https://arxiv.org/abs/2405.09442