Network Function Capacity Reconnaissance by Remote Adversaries

TL;DR

This paper investigates the feasibility of remotely inferring network function capacities, proposing a tool called NFTY that achieves high accuracy while balancing stealthiness, demonstrated through evaluations in various network environments.

Contribution

It formulates the problem of network function capacity reconnaissance and introduces NFTY, a flexible tool that accurately estimates NF capacities with minimal detection risk.

Findings

NFTY estimates NF capacity within 10% error in controlled and Internet settings.

NFTY achieves within 7% error for cloud-deployed NFs.

NFTY outperforms link-bandwidth estimation baselines by up to 30x.

Abstract

There is anecdotal evidence that attackers use reconnaissance to learn the capacity of their victims before DDoS attacks to maximize their impact. The first step to mitigate capacity reconnaissance attacks is to understand their feasibility. However, the feasibility of capacity reconnaissance in network functions (NFs) (e.g., firewalls, NATs) is unknown. To this end, we formulate the problem of network function capacity reconnaissance (NFCR) and explore the feasibility of inferring the processing capacity of an NF while avoiding detection. We identify key factors that make NFCR challenging and analyze how these factors affect accuracy (measured as a divergence from ground truth) and stealthiness (measured in packets sent). We propose a flexible tool, NFTY, that performs NFCR and we evaluate two practical NFTY configurations to showcase the stealthiness vs. accuracy tradeoffs. We evaluate these strategies in controlled, Internet and/or cloud settings with commercial NFs. NFTY can accurately estimate the capacity of different NF deployments within 10% error in the controlled experiments and the Internet, and within 7% error for a commercial NF deployed in the cloud (AWS). Moreover, NFTY outperforms link-bandwidth estimation baselines by up to 30x.