Hashtray: Turning the tables on Scalable Client Classification

Untrusted network clients can undergo a classification process before they are allowed to use more of a service’s resources, and services typically rely on a table to remember each client’s classification. But as the number of clients increases, so does the amount of state required to remember this classification over time. In this paper we explore the trade-off between data-structure accuracy and network size when client state needs to be remembered. We present Hashtray—a hash table library that consists of a generic API and instantiations of various kinds of tables—and a system to evaluate and compare different data structures. We evaluate Hashtray in the context of Denial-of-Service mitigation using both a modelled network of 106 machines and a testbed experiment with over 200 hosts connecting to a version of Apache modified to use Hashtray. The system is open-sourced to enable others to extend or build on this work.
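The accuracy-versus-state trade-off the abstract describes, as an added example that is not code from the Hashtray library: an exact table of clients that passed classification beside a Bloom-filter version that is far smaller but can wrongly report an unseen client as already classified. Sizing formulas, hashing scheme and client identifiers are constructed for illustration.

```python
import hashlib
import math


class ExactClassifiedClients:
    """Exact membership: the table must hold every remembered client key."""
    def __init__(self):
        self._seen = set()

    def remember(self, client_id: str) -> None:
        self._seen.add(client_id)

    def is_classified(self, client_id: str) -> bool:
        return client_id in self._seen

    def key_bytes(self) -> int:
        # Lower bound on state: raw key bytes alone, ignoring table overhead.
        return sum(len(c.encode()) for c in self._seen)


class BloomClassifiedClients:
    """Approximate membership: m bits, k hashes, no false negatives but
    a tunable false-positive rate (an unclassified client accepted as classified)."""
    def __init__(self, expected: int, fp_target: float):
        self.m = max(8, math.ceil(-expected * math.log(fp_target) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, client_id: str):
        # Double hashing over one SHA-256 digest (constructed choice, not Hashtray's).
        d = hashlib.sha256(client_id.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def remember(self, client_id: str) -> None:
        for p in self._positions(client_id):
            self.bits[p >> 3] |= 1 << (p & 7)

    def is_classified(self, client_id: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(client_id))


def compare(n_remembered: int, n_probe: int, fp_target: float) -> dict:
    """Remember n_remembered verified clients in both tables, then probe
    n_probe never-seen clients; constructed IDs stand in for client addresses."""
    exact, bloom = ExactClassifiedClients(), BloomClassifiedClients(n_remembered, fp_target)
    verified = [f"verified-client-{i}" for i in range(n_remembered)]
    for c in verified:
        exact.remember(c)
        bloom.remember(c)
    return {"exact_key_bytes": exact.key_bytes(), "bloom_bytes": len(bloom.bits),
            "false_positives": sum(bloom.is_classified(f"unknown-client-{j}") for j in range(n_probe)),
            "false_negatives": sum(not bloom.is_classified(c) for c in verified)}
```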
