Network Function Capacity Reconnaissance by Remote Adversaries

Aqsa Kashaf, Aidan Walsh, Maria Apostolaki, Vyas Sekar, Yuvraj Agarwal

TL;DR

The paper formalizes Network Function Capacity Reconnaissance (NFCR) and introduces NFTY, a dispersion-based probing framework that remotely estimates an NF's packet-processing capacity from a small number of probe packets. It distinguishes two threat models (one-sided and two-sided) and presents two configurations, NFTY-100 and NFTY-5K, achieving 3–10% mean error across lab, Internet, and cloud deployments and outperforming link-bandwidth estimation baselines by up to 30x. NFTY uses step detection and an optimized measurement setup to cope with NF-specific factors such as DVFS, multi-threading, and batching, and extends to the one-sided threat model by bouncing probes off a router behind the NF via ICMP TTL-exceeded replies. The work evaluates NFTY in controlled, Internet and cloud settings and also proposes countermeasures (e.g., under-clocking) with quantified overhead, highlighting practical implications for NF security and defense planning in real-world networks.

Abstract

There is anecdotal evidence that attackers use reconnaissance to learn the capacity of their victims before DDoS attacks to maximize their impact. The first step to mitigate capacity reconnaissance attacks is to understand their feasibility. However, the feasibility of capacity reconnaissance in network functions (NFs) (e.g., firewalls, NATs) is unknown. To this end, we formulate the problem of network function capacity reconnaissance (NFCR) and explore the feasibility of inferring the processing capacity of an NF while avoiding detection. We identify key factors that make NFCR challenging and analyze how these factors affect accuracy (measured as a divergence from ground truth) and stealthiness (measured in packets sent). We propose a flexible tool, NFTY, that performs NFCR and we evaluate two practical NFTY configurations to showcase the stealthiness vs. accuracy tradeoffs. We evaluate these strategies in controlled, Internet and/or cloud settings with commercial NFs. NFTY can accurately estimate the capacity of different NF deployments within 10% error in the controlled experiments and the Internet, and within 7% error for a commercial NF deployed in the cloud (AWS). Moreover, NFTY outperforms link-bandwidth estimation baselines by up to 30x.

Paper Structure

The paper contains 20 sections, 7 equations, 12 figures and 2 tables.

Figures (12)

  • Figure 1: The NF processes incoming traffic of the private enterprise. A two-sided attacker controls nodes on both sides of the NF (in and out of the enterprise), while a one-sided attacker controls nodes only outside the enterprise (sender).
  • Figure 2: Traditional bandwidth-estimation techniques underestimate the processing capacity of NFs.
  • Figure 3: In the two-sided threat model, the time difference between consecutive packets increases as the packets exit the NF, revealing the NF's per-packet processing time and thus its capacity.
  • Figure 4: (a) Assuming that the last step corresponds to the maximum frequency can be incorrect, because the NF may be under-clocked. (b) Batching can cause spikes in the dispersion signature, so choosing a probe length larger than the batch interval is important.
  • Figure 5: One-sided threat model: While a router can be used to echo the packets back to the receiver (triggering ICMP TTL time exceeded), its processing rate may change the spacing across packets (dispersion), effectively ruining the signature.
  • ...and 7 more figures
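As an added illustration of the two-sided dispersion signature in Figure 3 and the DVFS and batching effects in Figure 4, the following Python simulation was written for this page; it is not the NFTY tool or any code from the paper. It models the NF as a single FIFO server with a made-up two-step clock (100k and 200k packets per second, switching to the top clock after 40 consecutively busy packets) and optional batching, sends a probe train through it, and estimates capacity from the inter-departure gaps with a simple plateau (step) detector. All parameters, function names, the governor model and the step-detection threshold are assumptions.

```python
"""Toy dispersion-based estimate of a network function's packet-processing
capacity. Added example: the NF model and every number below are constructed
for illustration and are not measurements or code from the NFTY paper."""
from statistics import median

# Constructed NF parameters (assumptions, not from the paper).
MAX_CAPACITY_PPS = 200_000   # top DVFS clock: 5 us per packet
LOW_CAPACITY_PPS = 100_000   # lowered clock:  10 us per packet
RAMP_AFTER_PKTS = 40         # toy governor: raise the clock after 40 busy packets
MIN_PLATEAU_GAPS = 3         # ignore isolated spikes (e.g. waits for a batch to fill)


def service_time(busy_pkts):
    """Per-packet processing time. Crude DVFS model: the NF runs at a low
    clock until it has been continuously busy for RAMP_AFTER_PKTS packets."""
    if busy_pkts < RAMP_AFTER_PKTS:
        return 1.0 / LOW_CAPACITY_PPS
    return 1.0 / MAX_CAPACITY_PPS


def nf_departures(arrivals, batch=1):
    """FIFO NF: returns the departure timestamp of each packet in `arrivals`
    (sorted seconds). With batch > 1 the NF waits until `batch` packets have
    arrived and then processes them back-to-back (no batch timeout modelled)."""
    deps, t_free, busy, i = [], 0.0, 0, 0
    while i < len(arrivals):
        j = min(i + batch, len(arrivals))
        t = max(arrivals[j - 1], t_free)
        if arrivals[j - 1] > t_free:     # NF went idle: toy clock drops back
            busy = 0
        for _ in range(i, j):
            t += service_time(busy)
            busy += 1
            deps.append(t)
        t_free, i = t, j
    return deps


def probe_train(n, rate_pps):
    """Sender side: n probe packets spaced 1/rate_pps seconds apart."""
    return [k / rate_pps for k in range(n)]


def dispersion_steps(departures, rel_change=0.25):
    """Receiver side: split the inter-departure gaps into plateaus. A new
    plateau starts when a gap deviates from the running plateau median by
    more than rel_change. Returns [(gap_count, pps_estimate), ...] in order."""
    gaps = [b - a for a, b in zip(departures, departures[1:])]
    if not gaps:
        raise ValueError("need at least two received probes")
    plateaus, current = [], [gaps[0]]
    for g in gaps[1:]:
        m = median(current)
        if abs(g - m) / m > rel_change:
            plateaus.append(current)
            current = [g]
        else:
            current.append(g)
    plateaus.append(current)
    return [(len(p), 1.0 / median(p)) for p in plateaus]


def estimate_capacity(departures, send_rate_pps):
    """Capacity = rate of the fastest sustained plateau (smallest gap held for
    at least MIN_PLATEAU_GAPS gaps). Two caveats, mirroring Figure 4: the
    fastest plateau is the top clock only if the NF stayed busy long enough to
    ramp up, and if the output spacing simply equals the send spacing the NF
    was never stressed, so `pps` is only a lower bound (nf_visible=False)."""
    steps = dispersion_steps(departures)
    sustained = [pps for n, pps in steps if n >= MIN_PLATEAU_GAPS]
    est = max(sustained) if sustained else max(pps for _, pps in steps)
    nf_visible = abs(est - send_rate_pps) / send_rate_pps > 0.05
    return {"pps": est, "steps": steps, "nf_visible": nf_visible}


if __name__ == "__main__":
    # (packets, send rate, batch): saturating train; too-slow train; batched NF.
    for n, rate, batch in [(100, 400_000, 1), (100, 50_000, 1), (64, 50_000, 8)]:
        r = estimate_capacity(nf_departures(probe_train(n, rate), batch), rate)
        print(f"n={n} send={rate} batch={batch}: est={r['pps']:.0f} pps "
              f"steps={[(c, round(p)) for c, p in r['steps']]} "
              f"nf_visible={r['nf_visible']}")
```

The first scenario (100 probes at 400k pps through an unbatched NF) saturates the NF and yields two plateaus, 39 gaps at 10 us and 60 gaps at 5 us, so the estimate is the top-clock 200k pps. The second (probes at 50k pps) never stresses the NF: the output gaps equal the input spacing, the estimate collapses to the send rate, and `nf_visible` is False to flag that nothing about the NF was learned. The third (batch of 8, slow sender) shows the batching spikes of Figure 4(b), which the minimum-plateau-length rule discards, but because each batch is shorter than the toy ramp-up period the NF never leaves its low clock and the estimate is 100k pps, the under-clocking trap of Figure 4(a).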