DocumentCode :
2698061
Title :
Hash tables for efficient flow monitoring: vulnerabilities and countermeasures
Author :
Eckhoff, David ; Limmer, Tobias ; Dressler, Falko
Author_Institution :
Comput. Networks & Commun. Syst., Univ. of Erlangen, Erlangen, Germany
fYear :
2009
fDate :
20-23 Oct. 2009
Firstpage :
1087
Lastpage :
1094
Abstract :
Aggregation modules within flow-based network monitoring tools make use of fast lookup methods to be able to quickly assign received packets to their corresponding flows. In software-based aggregators, hash tables are usually used for this task, as these offer constant lookup times under optimal conditions. The hash functions used for mapping flow keys to hash values need to be chosen carefully to ensure optimal utilization of the hash table. If attackers would be able to create collisions, the hash table degenerates to linked lists with worst-case lookup times of O(n) and greatly reduces the performance of the aggregation modules. Thus, independent of the available computational power of the monitor, an attacker would easily be able to overload the system. In this report, we analyze the aggregation modules of the software-based flow meters Vermont and nProbe. We evaluate the resilience strength of used hash functions by theoretical analysis and confirm the results by performing real attacks. These attacks show how easily flow monitors can be overloaded if the hash algorithm has not been chosen carefully. Based on our observations, we finally present a hash function which we believe has none of the weaknesses we have discovered.
Keywords :
computational complexity; cryptography; file organisation; Vermont; fast lookup methods; flow-based network monitoring tools; hash tables; nProbe; software-based aggregators; software-based flow meters; Communication systems; Computer crime; Computer networks; Computerized monitoring; Conferences; Data structures; Fluid flow measurement; Performance analysis; Performance evaluation; Resilience; denial of service; flow monitoring; hash collision; targeted attacks;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Local Computer Networks, 2009. LCN 2009. IEEE 34th Conference on
Conference_Location :
Zurich
Print_ISBN :
978-1-4244-4488-5
Electronic_ISBN :
978-1-4244-4487-8
Type :
conf
DOI :
10.1109/LCN.2009.5355211
Filename :
5355211
Link To Document :