Substantial efforts are invested in improving network security, but the
threat landscape is rapidly evolving, particularly with the recent interest in
programmable network hardware. We explore a new security threat, from an
attacker who has gained control of such devices. While it should be obvious
that such attackers can trivially cause substantial damage, the challenge and
novelty are in doing so while preventing quick diagnosis by the operator.
We find that compromised programmable devices can easily degrade networked
applications by orders of magnitude, while evading diagnosis by even the most
sophisticated network diagnosis methods in deployment. Two key observations
yield this result: (a) targeting a small number of packets is often enough to
cause disproportionate performance degradation; and (b) new programmable
hardware is an effective enabler of careful, selective targeting of packets.
Our results also point to recommendations for minimizing the damage from such
attacks, ranging from known, easy-to-implement techniques like encryption and
redundant requests, to more complex considerations that would potentially limit
some intended uses of programmable hardware. For data center contexts, we also
discuss application-aware monitoring and response as a potential mitigation.
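To make observation (a) and the two mitigations concrete, the following constructed simulation (added here, not the paper's own code) models requests of ten packets each in which a small fraction lose a single packet and pay a retransmission-timeout penalty. All parameters (1 ms baseline, 200 ms RTO, 2% of requests hit) are assumptions chosen for illustration; the code shows how link-level loss counters stay far below a typical alarm threshold while application tail latency degrades by two orders of magnitude, how redundant requests shrink that tail, and how an application-aware check catches what the counters miss.

```python
import random
from statistics import quantiles

# Constructed model parameters (assumptions for this illustration).
BASE_MS = 1.0            # request completion time with no loss
RTO_MS = 200.0           # penalty paid by a request that loses one packet
PKTS_PER_REQUEST = 10    # packets each request sends

def simulate(n_requests, hit_fraction, copies=1, seed=1):
    """Simulate requests of which a fraction 'hit_fraction' lose one packet.
    With copies > 1 the client sends redundant copies and keeps the first
    reply, so a request is slowed only if every copy is hit (independently).
    Returns the p99 request latency and the packet loss rate a link-level
    counter would report."""
    rng = random.Random(seed)
    latencies, lost_pkts, sent_pkts = [], 0, 0
    for _ in range(n_requests):
        per_copy = []
        for _ in range(copies):
            hit = rng.random() < hit_fraction
            sent_pkts += PKTS_PER_REQUEST
            lost_pkts += int(hit)
            per_copy.append(BASE_MS + RTO_MS if hit else BASE_MS)
        latencies.append(min(per_copy))   # first reply wins
    return {"p99_ms": quantiles(latencies, n=100)[98],
            "link_loss_rate": lost_pkts / sent_pkts}

def app_aware_alarm(stats, baseline_ms=BASE_MS, slowdown=10.0, loss_threshold=0.01):
    """Application-aware check: raise an alarm when tail latency has blown up
    even though link-level loss stays under a counter-based threshold
    (both thresholds are assumed values)."""
    link_quiet = stats["link_loss_rate"] < loss_threshold
    app_degraded = stats["p99_ms"] > slowdown * baseline_ms
    return {"link_alarm": not link_quiet,
            "app_alarm": app_degraded and link_quiet}

if __name__ == "__main__":
    plain = simulate(10_000, hit_fraction=0.02)
    hedged = simulate(10_000, hit_fraction=0.02, copies=2)
    print("single request:", plain, app_aware_alarm(plain))
    print("hedged request:", hedged, app_aware_alarm(hedged))
```

With 2% of requests losing one of ten packets, the link counter reports roughly 0.2% loss while p99 latency rises from 1 ms to about 201 ms; sending two copies drives the chance that both are hit to 0.04%, which pulls p99 back to the baseline.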