On 5 June 2014 20:29, Anoop Ghanwani <[email protected]> wrote:
> It is possible for a sophisticated attacker with knowledge of the details of
> the large flow recognition algorithm (packet fields used and parameters of the
> algorithm) and the network topology to launch an attack in which sufficient
> traffic is generated so as to result in the flow being recognized as a large
> flow, resulting in the installation of a PBR rule. Subsequently, the
> attacker can generate traffic for other such flows, resulting in consuming
> entries in the PBR table until the older, inactive flows are removed.
I had a little trouble parsing this; perhaps:

An attacker with knowledge of the large flow recognition algorithm and any stateless distribution method can generate flows that are distributed in a way that overloads a specific path. This could be used to cause the creation of PBR rules that exhaust the available rule capacity on nodes. If PBR rules are consequently discarded, this could result in congestion on the attacker-selected path. Alternatively, tracking large numbers of PBR rules could result in performance degradation.

_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
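The table-exhaustion mechanism the quoted text describes, as an added simulation that is not part of the thread or of the draft under review. The recognizer (a byte threshold within a time window), the idle-timeout eviction of rules, the table capacity, the flow key fields and the addresses are all constructed assumptions chosen to make the effect visible; the draft's actual algorithm and parameters are not reproduced here.

```python
"""Constructed model of a bounded PBR table fed by a large-flow recognizer.

An attacker who knows which packet fields form the flow key and what byte
threshold marks a flow as "large" can mint one new key per flow (here by
varying the source port), push each just past the threshold, and occupy
table entries until the idle timeout removes them.  Everything below is an
illustrative assumption, not the algorithm from the draft being reviewed.
"""
from collections import OrderedDict


class LargeFlowRecognizer:
    """Flags a flow as large once it moves threshold_bytes within a window."""

    def __init__(self, threshold_bytes, window):
        self.threshold_bytes = threshold_bytes
        self.window = window
        self.counters = {}  # flow_key -> (window_start, bytes_in_window)

    def observe(self, flow_key, size, now):
        start, total = self.counters.get(flow_key, (now, 0))
        if now - start >= self.window:  # window elapsed: start counting afresh
            start, total = now, 0
        total += size
        self.counters[flow_key] = (start, total)
        return total >= self.threshold_bytes


class PBRTable:
    """Fixed-capacity rule table; an entry is removed only after idle_timeout."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.rules = OrderedDict()  # flow_key -> last_seen
        self.rejected = []          # (time, flow_key) for large flows that found no slot

    def expire_idle(self, now):
        for key, last_seen in list(self.rules.items()):
            if now - last_seen >= self.idle_timeout:
                del self.rules[key]

    def install(self, flow_key, now):
        self.expire_idle(now)
        if flow_key in self.rules:      # refresh an existing rule
            self.rules[flow_key] = now
            return True
        if len(self.rules) >= self.capacity:
            self.rejected.append((now, flow_key))
            return False
        self.rules[flow_key] = now
        return True


def run_exhaustion_scenario(capacity=8, threshold=1_000_000, window=1.0,
                            idle_timeout=30.0, attacker_flows=20):
    """Replay the attack and report who holds the table before and after idle-out."""
    recog = LargeFlowRecognizer(threshold, window)
    table = PBRTable(capacity, idle_timeout)
    attacker = "198.51.100.7"  # assumed attacker source (documentation range)

    def send(flow_key, nbytes, now):
        """Deliver nbytes of flow_key at time now; try to install a rule if large."""
        if recog.observe(flow_key, nbytes, now):
            return table.install(flow_key, now)
        return None

    # t=0: one legitimate large flow (e.g. a backup transfer) obtains a rule.
    legit = ("10.0.0.5", "10.0.1.9", 6, 40000, 443)   # src, dst, proto, sport, dport
    send(legit, threshold, 0.0)

    # t=1..: attacker varies the source port so each flow is a distinct key and
    # sends exactly enough bytes for each one to be classified as large.
    for i in range(attacker_flows):
        send((attacker, "10.0.1.9", 6, 50000 + i, 443), threshold, 1.0 + i * 0.01)
    held_by_attacker = sum(1 for k in table.rules if k[0] == attacker)

    # t=2: a second legitimate large flow needs a rule while the table is full.
    legit2 = ("10.0.0.6", "10.0.1.10", 6, 40001, 443)
    installed_at_t2 = send(legit2, threshold, 2.0)

    # t=2+idle_timeout: the attacker's flows went idle and are removed; retry.
    installed_after_idle = send(legit2, threshold, 2.0 + idle_timeout)

    return {
        "attacker_rules_during_attack": held_by_attacker,
        "attacker_flows_rejected": sum(1 for _, k in table.rejected if k[0] == attacker),
        "legit2_installed_at_t2": installed_at_t2,
        "legit2_installed_after_idle": installed_after_idle,
        "rules_after_idle": len(table.rules),
    }


if __name__ == "__main__":
    print(run_exhaustion_scenario())
```

With the default parameters the attacker holds every free slot (7 of 8) for the length of the idle timeout, the second legitimate large flow is refused a rule at t=2, and only after the attacker's entries idle out does it get one; raising `capacity` to 64 lets all 20 attacker flows and both legitimate flows coexist, which is the point of the reviewer's comment: the attack costs the attacker only as many distinct flows as the table has entries.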
