Dr. Haim Zlatokrilov

Network research and cyber security


Anat Bremler-Barr, Michael Czeizler
Red Hat research ,

It is a common belief that Auto-scaling mechanisms serve as a mitigation for Distributed Denial of Service (DDoS) attacks on cloud computing infrastructures by dynamically adding machines to cope with the additional load. Intuitively, such attacks are mostly associated with Economic Denial of Sustainability (EDoS) derived from paying for the extra resources required to process the malicious incoming traffic.

Contrary to this belief, we present and analyze the Yo-Yo attack, a new attack against the auto-scaling mechanism that can cause significant performance degradation in addition to economic damage. We demonstrate the attack on Amazon EC2, Kubernetes, and serverless architecture. We then present and analyze Tandem Attack, a new attack on Microservices architecture. In this attack, the attacker exploits the tandem behavior of services with different auto-scaling mechanisms, causing both economic and performance damage.

Conferences & Workshops
Yehuda Afek, Anat Bremler-Barr, Dor Israeli and Alon Noy
The International Symposium on Cyber Security, Cryptology and Machine Learning (CSCML),

This paper presents a new localhost browser based vulnerability and corresponding attack that opens the door to new attacks on private networks and local devices. We show that this new vulnerability may put hundreds of millions of internet users and their IoT devices at risk. Following the attack presentation, we suggest three new protection mechanisms to mitigate this vulnerability.
This new attack bypasses recently suggested protection mechanisms designed to stop browser-based attacks on private devices and local applications.

Conferences & Workshops
Anat Bremler-Barr, David Hay, Bar Meyuhas, Shoham Danino
ACM/IRTF Applied Networking Research Workshop (ANRW),

We explore the impact of device location on the communication endpoints of IoT devices within the context of Manufacturer Usage Description (MUD), an IETF security framework for IoT devices.
Two types of device location are considered: IP-based location, which corresponds to the physical location of the device based on its IP address; and user-defined location, which is chosen during device registration.
Our findings show that IP-based location barely affects the domain set with which IoT devices interact. Conversely, user-defined location drastically changes this set, mainly through region-specific domains that embody location identifiers selected by the user at registration.
We examine these findings’ effects on creating MUD file tools and IoT device identification. As MUD files rely on allowlists of domain allowlists, we show that security appliances supporting MUD need to manage a significantly larger number of MUD rules than initially anticipated. 
To address this challenge, we leverage EDNS Client Subnet (ECS) extension to differentiate user-defined locations without needing regional domains, consequently reducing the number of Access Control Entries (ACEs) required by security appliances.

Conferences & Workshops
Yehuda Afek, Anat Bremler-Barr, Shani Stajnrod
Usenix Security ,

Malicious actors carrying out distributed denial-of-service (DDoS) attacks are interested in requests that consume a large amount of resources and provide them with ammunition. We present a severe complexity attack on DNS resolvers, where a single malicious query to a DNS resolver can significantly increase its CPU load. Even a few such concurrent queries can result in resource exhaustion and lead to a denial of its service to legitimate clients. This attack is unlike most recent DDoS attacks on DNS servers, which use communication amplification attacks where a single query generates a large number of message exchanges between DNS servers.

The attack described here involves a malicious client whose request to a target resolver is sent to a collaborating malicious authoritative server; this server, in turn, generates a carefully crafted referral response back to the (victim) resolver. The chain reaction of requests continues, leading to the delegation of queries. These ultimately direct the resolver to a server that does not respond to DNS queries. The exchange generates a long sequence of cache and memory accesses that dramatically increase the CPU load on the target resolver. Hence the name non-responsive delegation attack, or NRDelegationAttack.

We demonstrate that three major resolver implementations, BIND9, Unbound, and Knot, are affected by the NRDelegationAttack, and carry out a detailed analysis of the amplification factor on a BIND9 based resolver. As a result of this work, three common vulnerabilities and exposures (CVEs) regarding NRDelegationAttack were issued by these resolver implementations. We also carried out minimal testing on 16 open resolvers, confirming that the attack affects them as well.

Poster and brief announcement
Anat Bremler-Barr, Hanoch Levy, Jhonatan Tavori

Retry mechanisms are commonly used in microservices architectures as a mechanism for recovering from transit errors, including network failures and service overloading. This research aims at studying the operation of cloud retry mechanisms under deliberated DDoS attacks, and their effect on the application performance and operational costs. In this poster we focus on the economic aspect, and demonstrate that enabling such mechanisms improperly might be counter-productive and expose the system to substantial
and quadratic economical damage in the presence of attacks.