Cloud Security: DDoS Defense Mechanisms

Transcription

1 Cloud Security: DDoS Defense Mechanisms Sandipan Basu Department of Computer Science Government General Degree College, Singur Hooghly Sunirmal Khatua Department of Computer Science and Engineering University of Calcutta Kolkata Abstract: Security has been a major issue in the field of computer networking, and with no exception it remains a major issue in the field of cloud computing too. This paper focuses on security issues related to cloud systems. Different types and number of threats has been increasing, since malicious users/attackers have been trying to get access to the cloud services/resources in an unauthorized manner. Moreover, they are not limited to this; rather, their malicious activities prevent authorized cloud users from getting access to the resources/services that they deserve. In this respect, one of the most interesting and challenging security issues is - DDoS (Distributed Denial of Service) attack, which is more fatal in case of cloud system. In this paper, we will look upon some of the popular DDoS attacks and propose defense mechanisms that will increase the security level of a network. Keywords: Cloud Service Provider (CSP), MONITOR, SCANNER, big router, SaaS (Software-as-a-Service, IaaS (Infrastructure-as-a-service), PaaS (Platform-as-a-Service), ISP (Internet Service Provider), edge router. I. INTRODUCTION The field of cloud computing has been getting popular day by day, since by paying a reasonable amount, one can easily get different cloud services over the internet. It has been a challenge for Cloud Service Providers (CSPs), to provide secure, uninterrupted services to its authorized customers [17]. unable to get services from the CSP. Besides, the attack may aim to get control over one or more cloud instances and use them to expand the attack within the cloud and/or outside the cloud. III. CATEGORIZATION OF DDOS ATTACK II. DDOS ATTACK DDoS attack is getting popular and stronger in strength with invent of new attack techniques. DDoS attack is a distributed version of DoS attack. Since, it is distributed in nature; it is more effective and harmful than DoS (Denial-of-Service) [18]. In a computer network, DDoS attack may appear in one of the many ways [2]: TCP ACK flood TCP SYN flood NULL flood RST flood UDP flood ICMP flood Smurf flood Intermittent flooding Ping flood HTTP flood VoIP flood One of the purposes of any DDoS attack is, to send too many packets to victim(s) end and flood the network route(s) that converge to the victim. For any cloud system, this is very harmful. This not only congests the network route(s), but also prevents legitimate users requests to reach the CSP, and thus Figure 1. External Attacker Attacks Cloud We categorized DDoS attacks into three sections. First, an external attacker (outside to a cloud system) initiates DDoS attack. This falls under the category of --- attack network/cloud system outside form cloud (see Fig.1). In Second type, an insider (authorized cloud consumer) initiates DDoS attack using his currently owned instances of cloud system, to affect resources within the same network / cloud system (see Fig.2). Third, a minor modification of the second type, where an authorized cloud user initiates an attack RES Publication 2012 Page 83

2 using cloud resources and whose victim is outside of that native cloud system, anywhere in the internet world (see Fig.3). Figure 2. Attacker attacks cloud resources using native cloud instances to which the DDoS attack is being targeted. Here the term server refers to any of the cloud server/resource. V. PROPOSED APPROACHES A cloud system provides three types of services to its consumers: SaaS (Software as a service), PaaS (Platform as a Service) and IaaS (Infrastructure as a service). Some authors/ researches have expanded these categories into more detail. In the following section, we will elaborate the above mentioned types of DDoS attacks and its proposed solutions. From the above, it can be understood, that, there cannot be only one step to defend against the dangerous DDoS attack; rather a set of steps need to take to guard this attack. As mentioned earlier in this paper, three types of attack scenarios we are considering here. Case 1: External user(s) (not authorized) attacks server. In this type, DDoS attack can be initialized in the following ways. Attack Scenario 1 : The attacker does not hide the IP address he is using to attack i.e., without IP spoofing. The attacker generates and sends too many packets (bogus requests) to the server over a very short period of time and tries to flood network route that converge to the server. (see Fig.3). Figure 3. Attacker attacks outside world using cloud resource Traditional DDoS defending approaches cannot be easily combined in cloud security, due to their relatively low efficiency, large storage,numerous number of users etc. IV. THE REAL WORLD SCENARIO We can view the worldwide internet as a collection of millions of subnets, in which each single end system is connected to a subnet via some router. Again, these subnets are connected together via a big router, which connects other subnets. This can be viewed as hierarchy of routers. All the connections must belong to some ISPs (Internet Service Provider). In this paper, we will frequently use the term server, Figure 3. External User sends too many packets to Cloud Existing Solution 1 for Attack Scenario 1 This type of attack can easily be tracked down by a CSP, since the attacker uses no spoofed IP address. As a result the attacker can be blocked or delayed. Since, one can expect this minimum level of security mechanism from a CSP. Drawback of Solution 1 Although Solution1 can get rid of attack scenario1 (say, by blocking the attacker), but it lets the attacker (virtually) to reach the server. As a result, the flood of requests (attack) attacks the server and as a result it prevent authorized users requests to reach the server and consequently get delayed response of their requests (starvation situation). To overcome RES Publication 2012 Page 84

3 this limitation, we discuss proposed solution later in this paper. Attack Scenario 2 : In the second type of attack the attacker uses spoofed IP addresses, in order to hide network identity. Using spoofed IP address(s) the attacker initiates DDoS attack and attacks. Since the incoming packets contain spoofed IP address, it becomes bit difficult for the server to trace the actual source of attack and prevent it. Again, if the attacker uses zombies to initiate DDoS attack, then it becomes more difficult to detect the actual source of attack (see Fig.4). Figure 4. DDoS attack using Zombies Existing Solution 2 for Attack Scenario 2 As a solution of the above problem, we can implement the popular Ingress/Egress filtering technique [19] [20]. The Ingress filtering technique used to make sure that incoming packets are actually coming from the network sources that they are legal. On the other hand, the Egress filtering is used to monitor and potentially restrict the flow of information outbound from one network to another [19] [20]. Problem with Ingress/Egress filtering Ingress/egress filtering is a good solution to prevent packets with spoofed IP addresses and also restrict number of packets to pass, but it has few drawbacks [19]. Ingress/Egress filtering : Drawback 1 Since, universal implementation of ingress/egress filtering may not be guaranteed. Proposed Solution of Drawback 1 A user, who wants to access internet via an end system (PC, laptop, palmtop etc.), must be connected to some router(s). So, whenever an end system tries to connect to the internet, a request must reach via router(s) to the ISP. If the connection between the requesting router and the ISP is for the first time (i.e., the router has not been used to access internet, yet), then that router downloads a MONITOR program from its predecessor (firmware) and installs it within that router. This process is called registration of the router under ISP. Thus, whenever a new router is used to access the internet, it needs to be registered under its predecessor router. For each newly installed router, it must first complete the registration process, and then it can begin its desired task. The registration process is done only once for each and every router. Registration Process Here, we assume that, each router has a unique device identification number (device-id). Consider a newly installed router wants to establish connection with its predecessor router. In this process the router sends requests to its predecessor router. This request must contain the device-id of the newly installed router. The predecessor router keeps the device-id for future processing. The process of registration of routers can be thought of as the registration of a mobile handset (having a valid IMEI number) under a cell phone network service provider. MONITOR program monitors all the IP addresses passing through the routers, as done by Ingress/Egress filtering. Since, packets must pass through routers; the MONITOR program also maintains a limit on the number of identical packets that can be sent/received within a specified time limit. If the number of packets surpasses a predefined threshold value, then the MONITOR program can handle it either by discarding the excess packets, or by slowing down the packet forwarding rate. As mentioned earlier, one of the major restrictions of implementing Ingress/Egress filtering in DDoS defense mechanism is that it may not be possible to implement it in large scale. In other words, it is hard to guarantee, that every router in a subnet is protected by the Ingress/Egress filtering. But, in our proposed solution, universal deployment of the MONITOR program can be done easily. Since every end system must connect to the internet via some router, and that router must connect to some big router (predecessor) (see Fig.5), which is directly/indirectly monitored by ISP, the MONITOR program will automatically be installed into each new router (during registration process), and only then a router proceeds it normal operation. Hence universal deployment of MONITOR program can be ensured (see Fig. 5). RES Publication 2012 Page 85

4 Figure 5. Connection between end system and ISP Ingress/Egress filtering: Drawback 2 According to Ingress/Egress filtering technique the edge router(s) at the CSP s end, monitors the incoming packets. In other words, with this filtering approach, a DDoS attack can only be traced and handled by edge routers of CSP. Thus, all the bogus packets travel through the entire network from attacker s end to the server s edge router, thus consuming and probably exhausting all the available bandwidths, creating network congestion and consequently preventing valid requests from authorized users to reach the server and hence resulting denial-of-service (DoS). Apart from that, the edge router becomes too busy in handling those false requests. As a further consequence, the server may crash. Proposed Solution of Drawback 2 The above mentioned problem can be overcome in our proposed solution. Our approach is to prevent the attack at its initial stage, so that it cannot propagate through the network and affect the network. As just mentioned above, the MONITOR program is installed in every router that is connected to the internet. Thus, if an attacker tries to initiate DDoS attack, then it is being prevented by the very first router, at which the packets have arrived first. The MONITOR program at the router(s) will do this task. As a result, the flood of attack cannot flow through the entire network and not able to reach to the server. This approach not only prevents a server from being flooded with too many requests, but also, it prevents the rest of the network being flooded. The only network path that is affected is, from the attacker s end system to the router, to which it is connected directly. The MONITOR program (firmware) must be designed and programmed very well, in the sense that, an attacker must not be able to tamper with any router. Besides, the MONITOR program must be up-to-date, so that it must be able to prevent any new type of DDoS attack. Updating the MONITOR program is the responsibility of the ISP, and it must be done on periodic basis. Upgrading MONITOR program can be thought of as a process of upgrading softwares in PCs or laptops or cell phones (i.e. end systems). Using the above mentioned approaches, not only it is possible to ensure that presence and effect of DDoS attack is very low, but also make global networking system more secure, since, every internet user must be a subscriber of some ISPs/NSPs (directly or indirectly). It is assumed that collaboration exists between ISPs/NSPs as and when required. The above mentioned approach can also prevent an attacker who initiates an attack using too many bots. DDoS attack through bots can be prevented; since to initiate an attack, the attacker needs to send several attack initiation messages during a very short span to all the bots (assuming there is no intermediate node between an attacker and the bots). This can be detected and prevented by the MONITOR program of the router, through which the attacker tries to send messages to bots. Case 2: An insider (authorized cloud consumer) attacks the cloud system to which he is an authorized consumer. Proposed Defense Mechanism for Case2 This type of attack is easy to detect. Since, the attacker is an authorized user; hence it becomes easy for CSP, to monitor that user s activity. Every activity of an authorized user within the cloud system can be easily and thoroughly tracked. Any activity that is considered as suspicious and may lead to any kind of malicious attack must be suspended and if needed that user may be warned and blocked for definite/indefinite time. Another significant aspect is, a CSP can observe what type of authorized users are vulnerable or can initiate DDoS attack. It has been mentioned that there are mainly, three types (SaaS, PaaS, and IaaS) of users in a cloud system. A SaaS user or IaaS user is less vulnerable to the cloud system with respect to DDoS attack, since each of these types of users has got less control over currently owned cloud instances in terms of generation of DDoS attack. Between all of them, in case of a PaaS user, the risk of attack generation is high. Since a PaaS user is able to write code (programs), creating different kinds of applications and executing them within the cloud, using cloud resources and affecting it. In that case, there is high chance of writing and executing some malicious code; which may lead to DDoS or other types of malicious attack. To defend against this type of attack made by PaaS user, a hardware based solution is proposed in this paper. A small chip, named as SCANNER, is embedded into every physical system of the cloud. When a cloud user uses cloud RES Publication 2012 Page 86

5 instances, all the virtual machines (VM) are mapped into these physical systems. A SCANNER is a small chip, containing a small program (firmware) whose task is to scan a program and detect if it contains any malicious code. Thus, whenever a PaaS user initiates execution of some program, before the actual execution begins, the SCANNER will scan the entire program (code). If any malicious code snippet is found, then the execution of that program is suspended and if needed, necessary actions will be taken. The firmware embedded in the SCANNER must be updated in a regular basis, which must be done by CSP. One obvious reason to prefer the hardware based solution over any existing software based solution is that, the hardware based solution obviously much faster than any existing software based solutions. Solution for Case 3 The third type of DDoS attack can be detected and prevented by the MONITOR and SCANNER. Implementation Simulation of software based solution can be done. A brief of the implementation is as follows. Prevention Techniques Router-based packet filtering SAVE Protocol Ingress/Egress Filtering Proposed software approach (MONITOR program) based Proposed hardware based approach (SCANNER) VII. Implementation Possible if tier-1 ISPs are involved Difficult due to the need for routing protocol change Difficult for universal deployment Universal deployment is possible and much easier than other protocols. Can be easily implemented by Cloud Service Provider CONCLUSION In this paper, the above mentioned DDoS defense measurements, if taken properly then the chances of initiating DDoS attack is very less and hence its presence. In this paper, our aim is to kill the DDoS attack in its early stage, so that its effect is minimal in the network. For surely, in the coming years we will see many new researches in the field of DDoS attack (prevention, detection and recovery). Probably, it is a never ending battle between malevolent attackers and good will researchers. REFERENCES VI. COMPARISON Following table summarizes the comparison between different DDoS defense mechanisms: [1] A.R.Kumar, P.Selvakumar, S.Selvakumar, Distributed Denialof-Service (DDoS) Threat in Collaborative Environment-A Survey on DDoS Attack Tools and Traceback Mechanisms, IEEE International Advance Computing Conference (IACC 2009),2009. [2] S. M. Specht, R.B.Lee, Distributed Denial of Service: Taxonomies of Attack, Tools and Countermeasures, Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004 International Workshop on Security in Parallel and Distributed Systems, pp , September [3] Shui Yu, Distributed Denial of Service Attack and Defense, Springer,October 23, [4] J. Latanicki, P. Massonet, S.Naqvi, B. Rochwerger, M.Villari, Scalable Cloud Defenses for Detection, Analysis and Mitigation of DDoS Attacks IOS Press,2010. [5] Qijun Gu,Peng Liu Denial of Service Attacks. [6] S. Farraposo, L. Gallon,P. Owezarski Network Security and DoS Attacks. Table 1. Comparison of DDoS Defense Mechanisms Techniques RES Publication 2012 Page 87

6 [7] M. Abliz, Internet Denial of Service Attacks and Defense Mechanisms, University of Pittsburgh Technical Report, No. TR , March 2011, Pages [8] A.Hussain, J. Heidemann, C. Papadopoulos, A Framework for Classifying Denial of Service Attacks. [9] J. K. Millen, A Resource Allocation Model for Denial of Service, IEEE, [10] L. Yang, T. Zhang, J.Song,J.Wang, P.Chen, Defense of DDoS attack for Cloud Computing, IEEE International Conference on Computer science and Automation engineering (CASE), Vol-2, May 2012, pp [11] J. Mirkovic, P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM, [12] B. Joshi, A. S. Vijayan, B.K.Joshi, Securing Cloud Computing Environment Against DDoS Attack, International Conference on Computer, Communication and informatics, Jan 2-12, Coimbatore, India. [13] Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, December 30, [14] V. D. GLIGOR, A Note on Denial-of-Service in Operating Systems, IEEE Transactions on Software Engineering, Vol. SE- 10, NO. 3, May [15] B. Joshi, A.S. Vijayan, B. K. Joshi, Securing Cloud Computing Environment Against DDoS Attacks, ICCCI-2012, Jan [16] Q. chen, W.Lin, W.Dou, S.Yu, CBF: A Packet Filtering Method for DDoS Attack Defense in Cloud Environment. [17] Akhil Behl, Emerging Security Challenges in Cloud Computing, IEEE, [18] J.J.Shah, L.G.Malik, Impact of DDoS Attacks on Cloud Environment, IJRCCT, Vol. 2, Issue 7, July [19] P.Du, A. Nakao, DDoS Defense Deployment with Network Egress and Igress Filtering, IEEE International Conference, [20] P.Ferguson, RFC 2267, Network Ingress Filtering:Defeating Denial of Service Attacks which employ IP source Address Spoofing, Jan RES Publication 2012 Page 88