Researchers from the College of William and Mary in Virginia put forth an interesting new attack vector specific to data centres – the ‘power attack’. In their paper, Doctors Zhang Xu and Haining Wang – along with colleagues Zichen Xu and Xiaorui Wang from the Department of Electrical and Computer Engineering at Ohio State University – present the new concept of the data centre ‘power attack’: a theoretical cyber-attack technique intended to disrupt and even shut down data centre installations which have grown ‘piecemeal’ without properly addressing the problem of power oversubscription.
The central premise of the Power Attack is that data centres are augmented ad hoc over a period of years according to demand and other market factors, and that the modularity and scalability which is designed into racking and other commercial facets of the operation is not similarly applied to power provisioning – leaving scope for attackers to cause damaging power crises without any special access privileges or tools, beyond malicious intent.
To prove their theory, the researchers undertook a tripartite attack against simulated victims, including one modelled on accurate data which Google publicly provides on its data centre in Lenoir, North Carolina. All scenarios were successful in compromising or taking down their DC targets, using attack models that varied from Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) to Software-as-a-Service (SaaS).
The report implies that some of the biggest players in the data centre market most fit the model of the attackable, over-expanded data centre which is profiting from oversubscription without attending to power provisioning. The report posits that “many data centers keep deploying new high-density servers (e.g., blade servers) to support their rapidly growing business. As a result, their power distribution systems have already approached the peak capacity. In order to minimize the high capital expenses of upgrading their power infrastructures, data centers recently started to adopt power oversubscription as an important methodology to fully utilize their existing power infrastructures. For example, Google, HP, and IBM researchers have proposed various ways to implement power oversubscription in data centers…”
The PaaS ‘Power Attack’
In the first of the three attack models, the approach takes advantage of the tendency of the oversubscribed data centre to provide load balancing but not power balancing, under which an unusually high volume of malicious workload would be distributed equally among modules and power sectors. The researchers ran SPECCPU2006 and High Performance Linpack (HPL) in various configurations, successfully bringing the power consumption of a discrete rack in the target data centre to levels critical enough to trip the circuit breaker. Depending on the power distribution configuration, this is perhaps the best result for an attacker, as it is relatively likely to impact other equipment that is not directly under attack.
“Our experimental results above validate that in PaaS environments, an attacker can generate abnormal high power consumption by adjusting workload running on target machines… The damage caused by such a power attack is at two levels. A relatively light damage can be overheating the IT [equipment] and degrading the performance of the victim servers.”
PaaS users have a level of control and freedom of movement which makes this approach an apparently obvious choice for potential attack success – surprising, then, that it was the most-restricted access-level, SaaS, which yielded the most damaging results in the experiments.
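From the operator's side, the gap between load balancing and power balancing described above can be made concrete. The following is an added example, not code from the paper: it audits each rack's worst-case draw against its breaker budget and contrasts a load-only placement decision with a power-aware one. The linear power model, the server names and all wattages are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    rack: str
    idle_w: float  # draw at 0% utilisation
    peak_w: float  # draw at 100% utilisation
    util: float    # current utilisation, 0.0-1.0

    def draw_w(self, extra_util=0.0):
        # Assumed linear power model between idle and peak draw.
        u = min(1.0, self.util + extra_util)
        return self.idle_w + u * (self.peak_w - self.idle_w)

def rack_draw(servers, rack, target=None, extra_util=0.0):
    """Total rack draw, optionally with extra_util added to one server."""
    return sum(s.draw_w(extra_util if s is target else 0.0)
               for s in servers if s.rack == rack)

def audit(servers, limits):
    """Per rack: worst-case draw versus the breaker budget."""
    report = {}
    for rack, limit in limits.items():
        members = [s for s in servers if s.rack == rack]
        idle = sum(s.idle_w for s in members)
        worst = sum(s.peak_w for s in members)
        # Highest uniform utilisation the rack sustains within its budget.
        safe = 1.0 if worst <= limit else max(0.0, (limit - idle) / (worst - idle))
        report[rack] = {"oversubscription": worst / limit, "safe_util": safe}
    return report

def place_load_only(servers):
    """Classic load balancing: least-utilised server, power ignored."""
    return min(servers, key=lambda s: s.util)

def place_power_aware(servers, limits, extra_util):
    """Pick the host that leaves its rack the most headroom; None if no rack fits."""
    def headroom(s):
        return limits[s.rack] - rack_draw(servers, s.rack, s, extra_util)
    best = max(servers, key=headroom)
    return best if headroom(best) >= 0 else None

# Constructed sample data: two racks with an 800 W budget each.
LIMITS = {"A": 800.0, "B": 800.0}
SERVERS = [Server(f"a{i}", "A", 100, 300, u) for i, u in enumerate([0.5, 0.5, 0.5, 0.25])]
SERVERS += [Server(f"b{i}", "B", 100, 300, 0.5) for i in range(2)]

if __name__ == "__main__":
    print(audit(SERVERS, LIMITS))
    naive = place_load_only(SERVERS)
    print(naive.name, rack_draw(SERVERS, naive.rack, naive, 0.5))
    print(place_power_aware(SERVERS, LIMITS, 0.5).name)
```

With this sample data the load-only scheduler sends the new job to the least-busy server, which sits in the rack that is already close to its budget, while the power-aware choice lands in the rack with headroom.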
The IaaS approach
The researchers found a ‘parasite’ approach the most effective under the greater restrictions (compared with PaaS) of an AWS-style access model, where the aim is again to trip circuit breakers through excessive power consumption. The parasite approach involved instantiating multiple VM instances and burdening the DC infrastructure with VM migration procedures – among the most power-hungry operations possible within a virtualisation environment.
“On one hand, the controlled VMs can directly run intensive workloads to increase the power consumption of the host. On the other hand, the controlled VMs can exploit the vulnerability of virtualization to further abuse more resources and power of the host system.”
The scientists combined the VM-manipulating technique with DoS attacks via an open source tool, and found that they were able to increase the server workload by 30%, and raise power consumption in an individual rack to 280W. Multiple simultaneous operations of this nature were able to trip the circuit breaker.
The SaaS approach
Finally, the researchers turned to the most restrictive possible attack vector model – Software as a Service, wherein control is limited to approved APIs or provided web interfaces. Yet they found that “specially crafted web requests can generate significantly more power consumption of servers in SaaS than normal requests”, and once again they were able to trip the circuit breaker and – they argue – potentially take the entire data centre offline in this scenario. The report states: “The data center-level simulation demonstrates that a power attack could potentially shut down the entire data center.”
The SaaS technique involves favouring floating-point numbers over integers when setting up critically burdensome calculation workloads, thereby generating power-draining ‘cache misses’.
Remedies and safeguards
Overall the report is broadly critical of jigsaw-built data centre extensions which increase the capacity of the plant without providing the necessary power provisioning safeguards that could potentially obviate the ‘Power Attack’. Some of the less expensive solutions are still no minor financial consideration, such as the provision and maintenance of rack-level UPSes.
“…replacing data-center-level UPS with tens of thousands of mini-UPSes is not an easy task. Different UPS deployment mechanisms will bring in great impact on data centers, and hence it will take time to have per-server UPSes be widely deployed in data centers.”
The implicit take-aways from the report are that manufacturers should perhaps stop using oversubscription as a design tool; should provide for power scalability from inception; or should let the necessity of upgrading power provisioning occupy an important place in the expansion budget.