Shrew Attack in Cloud Data Center Networks
Zhenqian Feng, Bing Bai, Baokang Zhao, Jinshu Su
Computer Department, National University of Defense Technology
Changsha, China
{fengzhenqian1983, nudt.bb}@gmail.com, {bkzhao,sjs}@nudt.edu.cn
Abstract— Multi-tenancy and lack of network performance isolation among tenants together make the public cloud vulnerable to attacks. This paper studies one of the potential attacks, namely, the low-rate denial-of-service (DoS) attack (or Shrew attack for short), in cloud data center networks (DCNs). To explore the feasibility of launching a Shrew attack from the perspective of a normal external tenant, we first leverage a loss-based probe to identify the locations and capabilities of the underlying bottlenecks, and then make use of the low-latency feature of DCNs to synchronize the participating attack flows. Moreover, we quantitatively analyze the necessary and sufficient traffic for an effective attack. Using a combination of analytical modeling and extensive experiments, we demonstrate that a tenant could initiate an efficient Shrew attack with extremely little traffic, e.g., milliseconds-long burst traffic, which imposes significant difficulty for the switching boxes and counter-DoS mechanisms to detect. We identify that both the conventional protocol assumption and new features of DCNs enable such Shrew attacks, and new techniques are required to thwart them in DCNs.
Keywords-Data Center Network; Denial of Service; TCP
I. INTRODUCTION
Cloud computing platforms, e.g., Amazon EC2 and Microsoft Azure, provide elastic services to public tenants. In this service model, tenants can rent or release VMs (Virtual Machines) and upload images as needed. While the computing resources on servers are well allocated and isolated through VMs, the network resources are directly shared among different tenants [13], [4]. Lack of efficient bandwidth guarantees and traffic isolation makes such cloud services vulnerable, since malicious tenants may launch attacks towards co-resident tenants in the same cloud data center.

As one of the formidable attacks, Shrew attacks [9], [14],
[15] are widely studied on the Internet. However, the feasibility of launching such attacks in a high-bandwidth and low-latency environment like DCNs is still unknown. We firmly believe that a quantitative understanding of the prerequisites and the resultant damage of Shrew attacks would be essential and helpful to architecture and counter-measure designers. To the best of our knowledge, we are the first to explore it.

There are both obstacles and conveniences to launching Shrew
attacks in DCNs. For a malicious tenant, there are at least two obstacles to overcome before attacking. (1) DCN architectures feature high aggregate bandwidth and target non-blocking communication between each node pair. In this spirit, there is no explicit persistent bottleneck link in DCNs. For example, in Fattree [1] and BCube [3], the output rates of network interface cards are universally not higher than those of the intermediate switching ports. Therefore, the attacker should identify or artificially create temporal bottlenecks. (2) For security and management considerations, the VM placement schemes and underlying flow paths are concealed from tenants. The attacker should probe the potential targets with only the rental VMs.
Nevertheless, the low-latency nature of DCNs paves the way for the Shrew attack. For instance, the average RTT (Round-Trip Time) in DCNs is extremely short, e.g., 100s of microseconds. This makes it easy to synchronize and aggregate attack traffic into large flows, without the need for complicated mechanisms for flow coordination [15]. Further, large flows help identify and maintain the temporal bottlenecks.
Based upon the above discussions, we organize the Shrew
attack with given VMs as follows.
(a) Probe the potential bottlenecks. Flows traversing the same bottleneck experience the same level of congestion, and thus very similar loss rates, regardless of the background traffic. Based on this, we can group the attack flows by their loss rates.
(b) Attack the bottlenecks group by group. After identifying the potential bottlenecks, one VM acts as the controller and issues requests to synchronize multiple flows from a certain group to congest the bottlenecks. The necessary and sufficient burst lengths are specified in the requests. To predict the burst length for each group, we build an analytical model.
The remainder of the paper is organized as follows. Section II introduces the probe method to detect the potential bottlenecks. The Shrew attack is described and modeled in Section III. Sections IV and V present the evaluations and potential counter-measures, respectively. Related work and a brief conclusion are presented at the end.
II. PROBE THE BOTTLENECKS
Identifying the bottlenecks is an indispensable step towards a meaningful attack in a “blackbox” network. Two key factors might blind the attack, namely, where the bottleneck is located and how much traffic is needed to congest it. We discuss them one by one in the following subsections.
A. Location of Bottleneck
Figure 1 exemplifies two cases indicating where the bottleneck links are located in DCNs, where (a) indicates the bottleneck
uplink in an oversubscribed tree (commonly seen in practical DCNs), and (b) the bottleneck downlink in a fattree.

Fig. 1. The locations of bottleneck links
Such bottleneck links are potential attack targets, since when they get congested all the traversing flows would drop packets and encounter a potential timeout. There are many proposals for detecting shared bottlenecks on the Internet [7], [12], [8]; however, they share the assumption that a dominant persistent bottleneck exists on the Internet. In DCNs, by contrast, the bottlenecks, if any, are dynamic and transient. In this spirit, utilities based upon this assumption are questionable when applied in DCNs.
Latency in DCNs cannot easily be leveraged to infer hop numbers. In most cases, the basic RTT is about 100s of microseconds, while the queueing delay and unknown endpoint scheduling cost may range from 100s of microseconds to several milliseconds.
Bottlenecks are dynamically and transiently created by the traversing flows; therefore, the problem of identifying their locations is equivalent to grouping the attack flows which share the same bottleneck. We adopt a loss-based method to group the sending VMs by their flow paths to the destination. The rationale behind this choice is twofold. First, flows traversing the same bottleneck experience the same level of congestion, and thus very similar loss rates, regardless of the background traffic. This observation largely helps us determine which VMs are co-located under the same ToR switch or share the longest flow paths. Moreover, the loss rate also increases monotonically with the logical hop number of the underlying flow paths, given that the aggregate flow rates are high enough to congest the intermediate switch buffers. This observation further makes it clear which VM groups are farther away from the destination than others. After grouping all the rental VMs, the tenant can schedule flows issued from the same group to attack their shared bottleneck links.
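To make the grouping step concrete, the following is a minimal Python sketch of how measured loss rates could be clustered; the probe harness that starts equal-rate flows and reports per-flow loss rates, the tolerance value, and the example numbers are illustrative assumptions, not part of our measurement tool.

# Sketch: cluster sending VMs whose loss rates are within a small tolerance,
# mirroring the loss-based grouping described above.
def group_by_loss(loss, tol=0.03):
    """loss: {vm_id: loss_rate} from one probe round; tol: absolute tolerance."""
    groups = []
    for vm, rate in sorted(loss.items(), key=lambda kv: kv[1]):
        # Compare against the first (anchor) member of the last group.
        if groups and abs(rate - groups[-1][0][1]) <= tol:
            groups[-1].append((vm, rate))
        else:
            groups.append([(vm, rate)])
    return [[vm for vm, _ in g] for g in groups]

# Example with illustrative loss rates (similar in magnitude to those later
# measured in Table II at Rflow = 200Mbps):
loss_at_200 = {"v01": 0.66, "v03": 0.66, "v08": 0.42, "v09": 0.42,
               "v13": 0.69, "v15": 0.67}
print(group_by_loss(loss_at_200))  # [['v08', 'v09'], ['v01', 'v03', 'v15', 'v13']]

In practice, the probe rate is increased round by round, as in Section IV-A, until the loss rates distinguish the remaining groups.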
B. Capacity of Bottleneck
Current DCNs are generally equipped with high-bandwidth switches and links, such as 1Gbps or even 10Gbps. For simplicity, we just assume that 1Gbps is the bottleneck rate.
The buffer size that a switch port can utilize represents
another aspect of capacity, namely, the capacity of handling
the burst traffic. To infer the maximum buffer room each port
can occupy, we again leverage the low-latency or easy-sync
feature of DCNs. We first randomly select two VMs from a
group which shares the same bottleneck, then simultaneously
generate two flows to the same receiver. The receiver records
the duration from the flow start to when packet losses appear.
This duration is expected as follows:
t = B / (Rinput + ε − C)    (1)
where B denotes the buffer room that a port could utilize,
Rinput is the total input rate of our specified flows, ε represents
the rate of the background traffic and C the link rate. As the
background traffic is unknown and changes over time, the resultant durations may vary a lot. To filter out the impact of the unknown traffic, we probe multiple times and select the maximum value as the final duration, since the duration varies inversely with the rate of the background traffic. With the duration, flow rates and link rate known, it is easy to deduce the per-port buffer room. As the widely deployed switches are commodity and shallow-buffered, each port can only occupy a small buffer room. Given that the expected buffer room is not that large, the above filtering is enough for us to approach it.
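A minimal sketch of this deduction, following equation (1) and assuming the background rate ε is negligible in the probe round that yields the maximum duration; the numbers below are illustrative only.

# Sketch: deduce the per-port buffer room (in packets) from repeated probes,
# per equation (1), taking the maximum duration to filter background traffic.
PKT_BITS = 1500 * 8  # full-size packet, ~1.5KB

def buffer_packets(durations_s, r_input_bps, link_bps):
    """durations_s: times from flow start until the first loss, one per probe."""
    t_max = max(durations_s)             # round least affected by background traffic
    excess_bps = r_input_bps - link_bps  # rate at which the queue builds up
    return t_max * excess_bps / PKT_BITS

# Example: three synchronized ~940Mbps flows into a 1Gbps port,
# with first losses observed after roughly 0.6-0.75 ms.
print(buffer_packets([0.00060, 0.00068, 0.000745], 3 * 940e6, 1e9))  # ~113 packets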
III. SHREW ATTACK
The Shrew attack works as follows. At first, the receiver issues requests to each sender of a certain group. On receiving the requests, each sender periodically generates on-off traffic with the burst length specified in the requests.
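As a minimal sketch of the sender side (the send_burst() helper, which would transmit toward the receiver at a given rate for a given time, is a hypothetical stand-in for the adapted iperf described in Section IV):

# Sketch: sender-side on-off (square-wave) attack traffic.
import time

def shrew_sender(send_burst, rate_bps, t_bst_s, idle_s, rounds):
    """Alternate bursts of length t_bst_s with idle periods of idle_s."""
    for _ in range(rounds):
        send_burst(rate_bps, t_bst_s)  # active burst, e.g. a few milliseconds
        time.sleep(idle_s)             # idle period, e.g. around the victim's RTO

# Example parameters at the paper's scale: ~5ms bursts, 300ms idle.
# shrew_sender(send_burst, 940e6, 0.005, 0.300, rounds=100)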
The key to launching an efficient attack is determining the necessary and sufficient burst length, since too long a burst would risk exposing the attacker and too short a burst may not bring down the victim's performance thoroughly. Previous work [9] claimed that the burst length should be larger than the RTTs of all the victim TCP flows, namely,
Tbst ≥ RTTi, i = 1, · · ·, n (2)
That is true for the Internet case, but not sufficient for the DCN case. We begin our model with a single victim TCP flow and then figure out the necessary and sufficient burst length to suppress the aggregate traversing flows.
A. Notations and Assumptions
Fig. 2. Periodical attack flows
Figure 2 illustrates the periodical flows that we leverage to
launch the Shrew attack. Between every two successive active
bursts, there is an idle duration which usually corresponds to
a multiple of TCP’s retransmission timeout values.
TABLE I. NOTATIONS FOR MODEL

B      Switch buffer size, counted by packets
τ      Time to transmit a packet
N      Number of DoS attack flows
δ      Normalized rate of attack flows, δ ∈ [0, 1]
Tbst   Burst length of persistent attack
λ      Inter-arrival time of the attack flows
R0     Basic RTT of the victim TCP without queueing
W      Congestion window of the victim TCP
Table I introduces the related notations for our model. We assume that the victim TCP has already entered its steady state before the attack, and that a round corresponds to the round-trip, namely, the duration for the forefront packet of a full TCP window to arrive at the switch twice successively. In the following, we let k denote the round number. For convenience, we further presume all packets are of the same size (e.g., 1.5KB in our testbed).
B. Analytical Model for Burst Length
We decompose Tbst into two parts: the time to saturate the switch buffer (T1) and the time to endure enough packet losses for a timeout (T2). For the former, as more Shrew packets pile into the buffer, both the RTT and the queue length increase until the switch buffer overflows; they evolve as follows:
R(k) = R0 + Q(k) × τ    (3)

Q(k) = Q(k−1) + W + (φ − 1) × R(k−1)/τ    (4)
where R(k) and Q(k) are the RTT and queue length in the kth round, respectively, and φ indicates the effective aggregate rate of the Shrew flows,

φ = N × Tbst × δ / (Tbst + (N − 1) × λ)    (5)
Note that Q (k) consists of four parts: the cumulative queue
length in the last round (Q (k − 1)), packets from the victim
TCP connection (W ), packets from the attack flows and
packets that traverse the output port ((φ− 1)×R (k − 1) /τ ).
Also note that the RTT increases sharply with the queue length
and eventually is dominated by the queueing delay, which is
the fundamental difference between DCNs and the Internet.
Let Q (k′) = B, one can find the round when the buffer
begins to overflow. We then get:
T1 = ∑_{i∈[1,k′]} R(i),   where k′ = Q⁻¹(B)    (6)
For the latter, we simply assume that an additional round
after the buffer gets full would cause enough packet losses for
TCP to timeout, hence:
T2 = R(k′) = R0 + B × τ    (7)
Note that the timeout conditions depend on the TCP variant and the scheme deployed for switch buffer management, which would complicate our discussion. We will show later that such an approximation introduces negligible inaccuracy in the burst length.
Thus we can conclude that the time needed to launch an efficient attack is Tbst ≥ T1 + T2, obtained by combining (6) and (7).
The above system of equations serves as the generic model of the burst length in a Shrew attack. Unfortunately, it is hard to give a generic closed-form solution to this coupled system of equations. To solve it, we leverage experimental observations. As DCNs feature low latency and it is easy to synchronize multiple attack flows, we simply ignore the inter-arrival times, namely λ, in our model. Therefore,
φ = N × Tbst × δ / (Tbst + (N − 1) × λ) ≈ N × δ    (8)
The rationale for this approximation is that the inter-arrival times (λ) are often within 100s of microseconds, while the burst lengths (Tbst) are generally at the millisecond level.
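To illustrate how the model is evaluated in practice, the following sketch iterates equations (3) and (4) with φ ≈ N × δ from (8) until the buffer overflows, then adds the extra round of (7); the parameter values in the example are illustrative, not the exact testbed figures.

# Sketch: numerically evaluate the burst-length model of equations (3)-(8).
def burst_length(B, tau, R0, W, N, delta):
    """Return (T1, T2, Tbst) with phi approximated as N*delta (equation (8))."""
    phi = N * delta          # effective aggregate rate of the attack flows
    Q, R, T1 = 0.0, R0, 0.0  # queue (packets), RTT, and accumulated time
    while Q < B:             # rounds until the buffer overflows (equation (6))
        Q = Q + W + (phi - 1.0) * R / tau  # equation (4)
        R = R0 + Q * tau                   # equation (3)
        T1 += R
    T2 = R0 + B * tau        # one extra full-buffer round (equation (7))
    return T1, T2, T1 + T2

# Example: 113-packet buffer, 12us to transmit a 1.5KB packet at 1Gbps,
# 100us base RTT, W = 16 packets per round, N = 2 attack flows at delta = 0.94.
print(burst_length(B=113, tau=12e-6, R0=100e-6, W=16, N=2, delta=0.94))
# -> Tbst of a few milliseconds, consistent with the scale shown in Figure 5.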
IV. EVALUATION
We set up a testbed consisting of 24 servers and several Quanta LB4G 48-port Gigabit Ethernet switches, each of which has a 4MB buffer per chip shared among 24 ports. Each server has an Intel Xeon 2.2GHz dual-core CPU, 32GB DRAM and a Broadcom BCM5709C NetXtreme II Gigabit Ethernet NIC. The operating system is Windows Server 2008 R2 Enterprise 64bit. All the switches adopt the first-in-first-out, tail-drop scheme by default. All links work at 1Gbps.
We built the topology of our testbed as a multi-level tree, as illustrated in Figure 3. Two VMs are set up on each server. We randomly choose a VM from one of the servers as the receiver (R in Figure 3), and some or all of the others as senders. Servers in each group (A∼D) are connected to the same ToR switch.
Fig. 3. Testbed: a three-level tree
We adapt the open-source measurement tool iperf to generate traffic. All sending VMs are initially set up as listeners. The receiver acts as the global controller and issues back-to-back requests to the sending VMs, where each request contains information such as burst length, flow rate and packet size. On receiving such requests, the sending VMs generate traffic accordingly. Note that since broadcast service may not be provided in practical DCNs, we use back-to-back unicast requests instead of broadcast ones.
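A minimal sketch of this controller logic under the same conventions; the port number and the JSON field names are assumptions for illustration only, while the actual requests in our testbed are issued through the adapted iperf.

# Sketch: the controller (receiver) issues back-to-back unicast requests.
import json, socket

def issue_requests(senders, burst_ms, rate_mbps, pkt_bytes, port=5001):
    """Send one request per sending VM; no broadcast is assumed."""
    for ip in senders:
        msg = json.dumps({"burst_ms": burst_ms,
                          "rate_mbps": rate_mbps,
                          "pkt_bytes": pkt_bytes}).encode()
        with socket.create_connection((ip, port), timeout=1.0) as s:
            s.sendall(msg)

# Example: ask three senders of one group for 5ms bursts at 940Mbps.
# issue_requests(["10.0.1.2", "10.0.1.3", "10.0.1.4"], 5, 940, 1500)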
A. Group VMs by Loss Rate
We randomly choose three VMs from each group (A∼D) and initiate a flow from each VM to the receiver. For each round, we increase the flow rates by 100Mbps until the resultant loss rates can distinguish the remaining flows.
TABLE II. GROUP VMS BY LOSS RATES

ID of VM   Rflow = 100Mbps   200Mbps   300Mbps   400Mbps
v01        0.21              0.66      0.67      -
v03        0.21              0.66      0.67      -
v04        0.21              0.66      0.67      -
v08        0.20              0.42      -         -
v09        0.20              0.42      -         -
v12        0.20              0.42      -         -
v13        0.21              0.69      0.83      0.78
v15        0.21              0.67      0.82      0.78
v17        0.21              0.67      0.83      0.78
v19        0.21              0.67      0.83      0.75
v22        0.21              0.67      0.83      0.75
v23        0.21              0.67      0.82      0.75
Meanwhile, there are other services running on all the servers, so the network natively carries background traffic.
Table II shows the loss rates in four rounds with Rflow ranging from 100Mbps to 400Mbps. When Rflow equals 100Mbps, the downlink of switch S2, which is directly connected to server R, becomes the bottleneck; all other links are not congested, so all the flows see similar loss rates. As Rflow increases, flows from the groups closer to the receiver experience much lower loss rates, because they encounter less congestion than the farther-away ones. For instance, when Rflow is 200Mbps, flows from VMs belonging to group B have the lowest loss rates (0.42). Flows from the last two groups (C and D) show a subtle but still visible difference in their loss rates. The similarity between their loss rates stems from the symmetric locations of the source VMs and the same specified flow rates, while the potential background traffic makes their loss rates slightly dissimilar. Even if they shared the same loss rates, e.g., without interference from the background traffic, it would do little harm to our Shrew attack as all these flows carry similar attack power.
B. Per-Port Buffer Utilization
After grouping the VMs, we randomly choose one group
to deduce the buffer room that each port could utilize. For
example, we select three VMs on different servers from
group A to measure the buffer size of output port between
switch S1 and S5. Three flows are synchronized to congest
the bottleneck link, and the receiver records the time until
packet loss emerges. To verify that our approach is background
traffic tolerant, we randomly choose three servers (thus totally
12 flows) from each group and generate all-to-all traffic
ranging from 10Mbps to 100Mbps. Note the aggregate rate
of the background traffic that a port receives would vary from
110Mbps to 1.1Gbps.
We deduce the per-port buffer size according to equation (1), and Figure 4 illustrates all the values, where each point denotes one test. The theoretical value of the buffer size is about 113 full-size (∼1.5KB) packets, while the maximum experimental value reaches 108. We thus conclude that even with the interference from the background traffic, the deduced buffer room still
matches the expected value well.

Fig. 4. Deduced buffer size each port can utilize (x-axis: test number; y-axis: deduced buffer size in packets; experimental vs. theoretical values)
C. Burst Length
To verify our analytical model of burst length, we set up a long-lived TCP connection as the victim flow and one or more periodical square-wave flows to attack it. For the victim TCP flow, we restrict its receive window to control the congestion window (W in our model). To suppress the victim flow, we vary the number of attack flows (N) to evaluate the necessary burst lengths (Tbst). As there is always unavoidable overhead, the attack flows can only achieve about 940Mbps instead of 1Gbps, so we set δ to 0.94 in the analytical model.
Fig. 5. Tbst vs. number of packets per round of the victim TCP (x-axis: number of packets per round, 8 to 44; y-axis: burst length of attack flow in ms; model vs. experiment for Ndos = 1, 2, and 5)
Figure 5 shows the resultant burst lengths under two changing factors, namely, the number of attack flows and the rate of the victim TCP flow (indirectly implied by the number of packets per round). As the value of either factor increases, the necessary burst length to suppress the victim TCP flow decreases, as expected. This is easy to explain: as more packets per round traverse the bottleneck link, the switch buffer overflows much faster. We are also surprised to find how easy it is to launch a Shrew attack with extremely short burst traffic, e.g., less than 10ms even in the worst case. Moreover, if the idle period is specified as 300ms (the RTO
value for Microsoft Windows OS), the long-term average rate
of the attack flows would be only 30Mbps.
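For concreteness, this long-term average follows directly from the duty cycle of the on-off traffic; assuming a burst of about 10ms at roughly the 940Mbps line rate (the worst case above):

Ravg ≈ Rburst × Tbst / (Tbst + Tidle) ≈ 940Mbps × 10ms / (10ms + 300ms) ≈ 30Mbps.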
V. DISCUSSION ON COUNTER-MEASURES
The Shrew attack can be launched with extremely short periodical burst traffic, which cannot easily be distinguished from normal traffic by conventional mechanisms. To thwart such an attack, attention should be paid to its root causes and the preconditions for launching it.
A. TCP Enhancement
One of the root causes of the Shrew attack lies in the mismatch between the high retransmission timeout bound and the low latency of DCNs. The straightforward counter-measure is to lower the retransmission timer so as to achieve much faster recovery, such as the proposal for TCP Incast [5] where 1ms or shorter is used. However, an attacker could also shorten the idle period of the traffic to mimic the renewed retransmission timeout. Moreover, it incurs additional cost.
B. Rate Limiting
There is an implied assumption that the attack flows can make full use of the link capacity. Generally this is true, as current DCNs provision best-effort service so as to achieve better utilization. However, as more attention is paid to network performance isolation [4], [13], there is a trend towards limiting flow rates in various ways. We claim that this only partly mitigates the damage of the attack, since a determined tenant could rent more VMs. More importantly, rate limiting itself trades network utilization for performance isolation.
C. Random Path Selecting
As TCP is sensitive to packet reordering, current path selection schemes in DCNs defer to per-flow scheduling [2]. If the flow path could be randomly chosen among all the candidate (or equivalent) paths at a much finer granularity, the attack would become difficult to control. The flowlet [6] has been proposed as a good tradeoff between load balancing and packet reordering. However, the performance of flowlet switching depends largely on the inter-flowlet spacing. As the end-to-end latency itself is very low, its applicability in DCNs is hard to predict.
VI. RELATED WORK
The Shrew attack is a long-standing concern on the Internet [9], [15]. To the best of our knowledge, we are the first to explore it in DCNs. While a lot of counter-measures [14] exist for curing it, we claim that the new features of DCNs call for new techniques.
There are a number of works on shared path or bottleneck identification on the Internet [7], [12]. As the Internet environment is heterogeneous and complicated, the challenge lies in how to efficiently capture the correlations between shared flows. For instance, [12] proposes loss and delay correlation tests among flow pairs to determine shared bottlenecks. Katabi [7] computes correlations among a set of flows at the receiver through an entropy function. In DCNs, however, no explicit persistent bottlenecks exist, so the correlations of shared flows are hard to retrieve.
Only a few works focus on detecting the properties of DCNs. Liu [10] studies similar problems and presents the idea of distinguishing the distances of VMs by the received bandwidth, based upon the observation that farther-away flows experience more bandwidth competition and splitting. That may be true in a clean network, but not in noisy ones. Ristenpart et al. [11] experimentally verify the feasibility of stealing information, given that the victim's VM is co-located with the malicious tenants' VMs. Their work is complementary to ours and could help identify the potential victims.
VII. CONCLUSIONS
The Shrew attack leverages the low-latency feature of DCNs to congest the bottleneck within milliseconds. As it takes effect in an extremely short period, current solutions either only partly mitigate the impact or make an inevitable tradeoff between performance isolation and resource utilization. A thorough counter-measure is our future work.
ACKNOWLEDGEMENT
This research project was partially or fully sponsored by the National 863 Development Plan of China under Grant 2008AA01A325, the National Grand Fundamental Research 973 Program of China under Grant 2009CB320503, the Network Technology Innovation Team of the Ministry of Education, and the Network Technology Innovation Team of Hunan Province.
REFERENCES
[1] M. Al-Fares, A. Loukissas, and A. Vahdat. A scalable, commodity data center network architecture. In Proc. Sigcomm, 2008.
[2] M. Al-Fares, S. Radhakrishnan, B. Raghavan, N. Huang, and A. Vahdat. Hedera: Dynamic flow scheduling for data center networks. In Proc. NSDI, 2010.
[3] C. Guo et al. Bcube: A high performance, server-centric network architecture for modular data centers. In Proc. Sigcomm, 2009.
[4] C. Guo et al. Secondnet: A data center network virtualization architecture with bandwidth guarantees. In Proc. CoNext, 2010.
[5] V. Vasudevan et al. Safe and effective fine-grained tcp retransmissions for datacenter communication. In Proc. Sigcomm, 2009.
[6] S. Kandula, D. Katabi, S. Sinha, and A. Berger. Dynamic load balancing without packet reordering. In CCR, 2007.
[7] D. Katabi, I. Bazzi, and X. Yang. A passive approach for detecting shared bottlenecks. In Proc. ICNP, 2001.
[8] M. Kim, T. Kim, Y. Shin, S. Lam, and E. Powers. Scalable clustering of internet paths by shared congestion. In Proc. Infocom, 2006.
[9] A. Kuzmanovic and E. W. Knightly. Low-rate tcp-targeted denial of service attacks (the shrew vs. the mice and elephants). In Proc. Sigcomm, 2003.
[10] H. Liu. A new form of dos attack in a cloud and its avoidance mechanism. In Proc. CCSW, 2011.
[11] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proc. CCS, 2009.
[12] D. Rubenstein, J. Kurose, and D. Towsley. Detecting shared congestion of flows via end-to-end measurement. In IEEE/ACM ToN, 2002.
[13] A. Shieh, S. Kandula, A. Greenberg, C. Kim, and B. Saha. Seawall: Performance isolation for cloud datacenter networks. 2011.
[14] H. Sun, J.C.S. Lui, and D.K.Y. Yau. Defending against low-rate tcp attacks: Dynamic detection and protection. In Proc. ICNP, 2004.
[15] Y. Zhang, Z.M. Mao, and J. Wang. Low-rate tcp-targeted dos attack disrupts internet routing. In Proc. NDSS, 2007.