Journal: International Journal of Computer Systems Science & Engineering

ICTree: Discovering the underlying connections of your rental virtual machines in the public clouds


Abstract

Public clouds allow tenants to rent and use computing resources in the form of virtual machines (VMs) as they wish. However, the underlying connections among those VMs, e.g., which VMs are connected to the same switch and how flows share paths, are concealed for security and management reasons, even though this information would be beneficial to both malicious and non-malicious tenants. Motivated by this, this paper studies the feasibility of discovering such sensitive information from the perspective of a normal tenant. To reduce the complexity of the problem, the logical overview of the underlying connections among all the rental VMs is decomposed into multiple sub-views, namely ICTrees, each of which illustrates the path set of incoming flows that a receiving VM would see. To probe such ICTrees in practice, we introduce a loss-based two-dimensional probing algorithm, in which the horizontal part groups the sending VMs according to their logical ingress switches and the vertical part determines the branches to which each group belongs. We use only normal traffic generated by the probing VMs and require no modifications to the system software or hardware. Moreover, by leveraging the low latency of data center networks (DCNs), each probing action can be completed in an extremely short period, e.g., tens of milliseconds, and for a tenant with hundreds of VMs the cumulative probe time is even less than 1 second. We thus conclude that it is possible to detect the underlying connections of the rental VMs within a very short period of time.
