Being a crucial part of networked systems, packet classification has to be highly efficient; however, software switches in cloud environments still face performance challenges. The recently proposed Tuple Space Explosion (TSE) attack exploits an algorithmic deficiency in Open vSwitch (OVS). In TSE, legitimate low-rate attack traffic makes the cardinal linear search algorithm in the Tuple Space Search (TSS) algorithm to spend an unaffordable time for classifying each packet resulting in a denial-of-service (DoS) for the rest of the users. In this paper, we investigate the feasibility of TSE from multiple perspectives. Besides showing that TSE is still efficient in the newer version of OVS, we show that when the kernel datapath is compiled from a different source, it can degrade its performance to ~1% of its baseline with less than 1 Mbps attack rate. Finally, we show that TSE is much less effective against OVS-DPDK with userspace datapath due to the enhanced ranking process in its TSS implementation. Therefore, we propose TSE 2.0 to defeat the ranking process and achieve a complete DoS against OVS-DPDK. Furthermore, we present TSE 2.1, which achieves the same goal against OVS-DPDK running on multiple cores without significantly increasing the attack rate.

中文翻译：

---

对 Open vSwitch 的元组空间爆炸攻击的可行性和增强

作为网络系统的重要组成部分，数据包分类必须非常高效；然而，云环境中的软件交换机仍然面临性能挑战。最近提出的元组空间爆炸 (TSE) 攻击利用了 Open vSwitch (OVS) 中的算法缺陷。在 TSE 中，合法的低速率攻击流量使得元组空间搜索 (TSS) 算法中的基数线性搜索算法花费无法承受的时间来对每个数据包进行分类，从而导致对其余用户的拒绝服务 (DoS) . 在本文中，我们从多个角度研究了 TSE 的可行性。除了表明 TSE 在较新版本的 OVS 中仍然有效之外，我们还表明当内核数据路径是从不同的源编译时，它可以在攻击率低于 1 Mbps 的情况下将其性能降低到其基线的 1% 左右。最后，我们表明 TSE 对具有用户空间数据路径的 OVS-DPDK 的效果要低得多，因为其 TSS 实现中增强了排名过程。因此，我们建议使用 TSE 2.0 来击败排名过程并实现针对 OVS-DPDK 的完整 DoS。此外，我们提出了 TSE 2.1，它在不显着增加攻击率的情况下，针对在多核上运行的 OVS-DPDK 实现了相同的目标。