There is anecdotal evidence that attackers use reconnaissance to learn the capacity of their victims before DDoS attacks to maximize their impact. The first step to mitigate capacity reconnaissance attacks is to understand their feasibility. However, the feasibility of capacity reconnaissance in network functions (NFs) (e.g., firewalls, NATs) is unknown. To this end, we formulate the problem of network function capacity reconnaissance (NFCR) and explore the feasibility of inferring the processing capacity of an NF while avoiding detection. We identify key factors that make NFCR challenging and analyze how these factors affect accuracy (measured as a divergence from ground truth) and stealthiness (measured in packets sent). We propose a flexible tool, NFTY, that performs NFCR and we evaluate two practical NFTY configurations to showcase the stealthiness vs. accuracy tradeoffs. We evaluate these strategies in controlled, Internet and/or cloud settings with commercial NFs. NFTY can accurately estimate the capacity of different NF deployments within 10% error in the controlled experiments and the Internet, and within 7% error for a commercial NF deployed in the cloud (AWS). Moreover, NFTY outperforms link-bandwidth estimation baselines by up to 30x.