FlowShredder: a Protocol-Independent in-Network Security Service in the Cloud

Abstract

Cloud services increasingly generates enormous Internet traffic. Much of it such as rich media traffic is not highly sensitive, but prefers some sort of protection. The traditional end-to-end encryption such as TLS is costly and has issues such as increased latency, while the simple anonymity solutions cannot resist traffic analysis attacks. In this paper, we propose FlowShredder, a protocol-independent and in-network service to secure such traffic in the cloud. FlowShredder aims to break the association between packets, data flow and hosts by obfuscating the packet header (some payload if needed). Without the context of flow and hosts, packets are of little value to the adversary. The operation is carried out at cloud gateways, without encrypting the payload. Its simple logic can therefore be executed within a single pipeline of the Tofino programmable switch, to ensure wire-speed performance without the scalability issue. Being protocol-independent and operating in-network at wire speed make FlowShredder a practical and generic security service to protect the cloud traffic. In addition, FlowShredder can work with end-to-end encryption such as 0-RTT TLS for enhanced protection. We implement FlowShredder in P4 switches. Experiments show that FlowShredder can effectively resist the traffic analysis attack with supervised learning techniques.