Hash tables for efficient flow monitoring: vulnerabilities and countermeasures

3 Author(s)
Eckhoff, D. ; Comput. Networks & Commun. Syst., Univ. of Erlangen, Erlangen, Germany ; Limmer, T. ; Dressler, F.

Aggregation modules within flow-based network monitoring tools make use of fast lookup methods to quickly assign received packets to their corresponding flows. In software-based aggregators, hash tables are usually used for this task, as these offer constant lookup times under optimal conditions. The hash functions used for mapping flow keys to hash values need to be chosen carefully to ensure optimal utilization of the hash table. If attackers are able to create collisions, the hash table degenerates to linked lists with worst-case lookup times of O(n), which greatly reduces the performance of the aggregation modules. Thus, independent of the available computational power of the monitor, an attacker would easily be able to overload the system. In this report, we analyze the aggregation modules of the software-based flow meters Vermont and nProbe. We evaluate the resilience of the hash functions used by theoretical analysis and confirm the results by performing real attacks. These attacks show how easily flow monitors can be overloaded if the hash algorithm has not been chosen carefully. Based on our observations, we finally present a hash function which we believe has none of the weaknesses we have discovered.
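The degeneration the abstract describes can be measured as the length of the fullest bucket. The sketch below is an added example, not code from the paper, Vermont or nProbe: the XOR-fold hash, the table size and the flow keys are assumptions constructed for illustration, and the keyed BLAKE2 hash stands in for a secret-dependent hash, not for the function the authors propose.

```python
import hashlib, os, struct
from collections import Counter

BUCKETS = 1024  # assumed table size

def pack_flow(src_ip, dst_ip, src_port, dst_port, proto):
    """Serialize a 5-tuple flow key (IPs as 32-bit ints)."""
    return struct.pack("!IIHHB", src_ip, dst_ip, src_port, dst_port, proto)

def xor_fold_hash(key):
    """Hypothetical weak, unkeyed hash: XOR of the key's 16-bit words."""
    padded = key + b"\x00" * (len(key) % 2)
    h = 0
    for (word,) in struct.iter_unpack("!H", padded):
        h ^= word
    return h % BUCKETS

def make_keyed_hash(secret):
    """Keyed hash: the bucket index depends on a secret chosen at startup."""
    def keyed(key):
        digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % BUCKETS
    return keyed

def longest_chain(keys, hash_fn):
    """Length of the fullest bucket, i.e. the worst-case lookup cost."""
    return max(Counter(hash_fn(k) for k in keys).values())

def constructed_flows(n):
    """Constructed sample: both ports vary but their XOR stays constant."""
    return [pack_flow(0x0A000001, 0x0A000002, p, p ^ 0x1234, 6) for p in range(n)]

if __name__ == "__main__":
    flows = constructed_flows(2000)
    print("xor-fold longest chain:", longest_chain(flows, xor_fold_hash))
    print("keyed    longest chain:",
          longest_chain(flows, make_keyed_hash(os.urandom(16))))
```

Tracking `longest_chain` (or average probe count) as a runtime metric gives a flow meter an early signal that its table is degrading, independent of which hash function it uses.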

Published in:

Local Computer Networks, 2009. LCN 2009. IEEE 34th Conference on

Date of Conference:

20-23 Oct. 2009