research-article

Attacks and Defenses in the Data Plane of Networks

Authors:

Danai Chasaki,

Tilman WolfAuthors Info & Claims

IEEE Transactions on Dependable and Secure Computing, Volume 9, Issue 6

Pages 798 - 810

https://doi.org/10.1109/TDSC.2012.50

Published: 01 November 2012 Publication History

Abstract

Security issues in computer networks have focused on attacks on end systems and the control plane. An entirely new class of emerging network attacks aims at the data plane of the network. Data plane forwarding in network routers has traditionally been implemented with custom-logic hardware, but recent router designs increasingly use software-programmable network processors for packet forwarding. These general-purpose processing devices exhibit software vulnerabilities and are susceptible to attacks. We demonstrate—to our knowledge the first—practical attack that exploits a vulnerability in packet processing software to launch a devastating denial-of-service attack from within the network infrastructure. This attack uses only a single attack packet to consume the full link bandwidth of the router's outgoing link. We also present a hardware-based defense mechanism that can detect situations where malicious packets try to change the operation of the network processor. Using a hardware monitor, our NetFPGA-based prototype system checks every instruction executed by the network processor and can detect deviations from correct processing within four clock cycles. A recovery system can restore the network processor to a safe state within six cycles. This high-speed detection and recovery system can ensure that network processors can be protected effectively and efficiently from this new class of attacks.

Cited By

View all

Wu ZTian LWang YXie JDu YZhang Y(2021)Network Security Defense Decision-Making Method Based on Stochastic Game and Deep Reinforcement LearningSecurity and Communication Networks10.1155/2021/22837862021Online publication date: 1-Jan-2021
https://dl.acm.org/doi/10.1155/2021/2283786
Dalmazo BMarques JCosta LBonfim MCarvalho Rda Silva AFernandes SBordim JAlchieri ESchaeffer‐Filho APaschoal Gaspary LCordeiro W(2021)A systematic review on distributed denial of service attack defense mechanisms in programmable networksInternational Journal of Network Management10.1002/nem.216331:6Online publication date: 2-Nov-2021
https://dl.acm.org/doi/10.1002/nem.2163
Narayanan NSankaran GSivalingam K(2019)Mitigation of security attacks in the SDN data plane using P4-enabled switches2019 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)10.1109/ANTS47819.2019.9118071(1-6)Online publication date: 16-Dec-2019
https://dl.acm.org/doi/10.1109/ANTS47819.2019.9118071
Show More Cited By

Attacks and Defenses in the Data Plane of Networks
1. Social and professional topics
  1. Computing / technology policy

Recommendations

Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks

The Common Vulnerability Scoring System (CVSS) is a widely used and well-established standard for classifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database (NVD) are scored ...
Denial of service attacks, defences and research challenges

This paper presents a review of current denial of service (DoS) attack and defence concepts, from a theoretical ad practical point of view. Seriousness of DoS attacks is tangible and they present one of the most significant threats to assurance of ...
Mitigating denial of service attacks: a tutorial

This tutorial describes what Denial of Service (DOS) attacks are. how they can be carried out in IP networks, and how one can defend against them. Distributed DoS (DDoS) attacks are included here as a subset of DoS attacks. A DoS attack has two phases: ...

Comments

Information & Contributors

Information

Published In

cover image IEEE Transactions on Dependable and Secure Computing

IEEE Transactions on Dependable and Secure Computing Volume 9, Issue 6

November 2012

159 pages

ISSN:1545-5971

Issue’s Table of Contents

Publisher

IEEE Computer Society Press

Washington, DC, United States

Publication History

Published: 01 November 2012

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Wu ZTian LWang YXie JDu YZhang Y(2021)Network Security Defense Decision-Making Method Based on Stochastic Game and Deep Reinforcement LearningSecurity and Communication Networks10.1155/2021/22837862021Online publication date: 1-Jan-2021
https://dl.acm.org/doi/10.1155/2021/2283786
Dalmazo BMarques JCosta LBonfim MCarvalho Rda Silva AFernandes SBordim JAlchieri ESchaeffer‐Filho APaschoal Gaspary LCordeiro W(2021)A systematic review on distributed denial of service attack defense mechanisms in programmable networksInternational Journal of Network Management10.1002/nem.216331:6Online publication date: 2-Nov-2021
https://dl.acm.org/doi/10.1002/nem.2163
Narayanan NSankaran GSivalingam K(2019)Mitigation of security attacks in the SDN data plane using P4-enabled switches2019 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)10.1109/ANTS47819.2019.9118071(1-6)Online publication date: 16-Dec-2019
https://dl.acm.org/doi/10.1109/ANTS47819.2019.9118071
Thimmaraju KShastry BFiebig THetzelt FSeifert JFeldmann ASchmid SThuraisingham BKarame GStavrou A(2017)The vAMP AttackProceedings of the 2017 on Cloud Computing Security Workshop10.1145/3140649.3140651(11-15)Online publication date: 3-Nov-2017
https://dl.acm.org/doi/10.1145/3140649.3140651
Wolf TChandrikakutty HKekai Hu Unnikrishnan DTessier R(2015)Securing Network Processors with High-Performance Hardware MonitorsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2014.237337812:6(652-664)Online publication date: 1-Nov-2015
https://dl.acm.org/doi/10.1109/TDSC.2014.2373378
Hu KWolf TTeixeira TTessier R(2014)System-Level Security for Network Processors with Hardware MonitorsProceedings of the 51st Annual Design Automation Conference10.1145/2593069.2593226(1-6)Online publication date: 1-Jun-2014
https://dl.acm.org/doi/10.1145/2593069.2593226
Chandrikakutty HUnnikrishnan DTessier RWolf T(2013)High-performance hardware monitors to protect network processors from data plane attacksProceedings of the 50th Annual Design Automation Conference10.1145/2463209.2488832(1-6)Online publication date: 29-May-2013
https://dl.acm.org/doi/10.1145/2463209.2488832

Abstract

Cited By

Recommendations

Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks

Denial of service attacks, defences and research challenges

Mitigating denial of service attacks: a tutorial

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Share

Share this Publication link

Share on social media

Affiliations