Cloud-based DDoS Attacks and Defenses
Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz
Department of Electrical and Computer Engineering
University of Western Ontario
London, Canada
{mdarwis3, aouda, lcapretz}@uwo.ca
Abstract
Safety and reliability are important in the cloud
computing environment. This is especially true today as
distributed denial-of-service (DDoS) attacks constitute one of the
largest threats faced by Internet users and cloud computing
services. DDoS attacks target the resources of these services,
lowering their ability to provide optimum usage of the network
infrastructure. Due to the nature of cloud computing, the
methodologies for preventing or stopping DDoS attacks are quite
different compared to those used in traditional networks. In this
paper, we investigate the effect of DDoS attacks on cloud
resources and recommend practical defense mechanisms against
different types of DDoS attacks in the cloud environment.
Keywords: cloud computing; network; security; DDoS; vulnerabilities.

I. INTRODUCTION

Cloud computing is the utilization of hardware and software combined to provide services to end users over a network like the Internet. It includes a set of virtual machines that simulate physical computers and provide services, such as operating systems and applications. However, configuring virtualization in a cloud computing environment is critical when deploying a cloud computing system. A cloud computing structure relies on three service layers: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) (Fig. 1). IaaS gives users access to physical resources, networks, bandwidth, and storage. PaaS builds on IaaS and gives end users access to the operating systems and platforms necessary to build and develop applications, such as databases. SaaS provides end users with access to software applications.

DDoS attacks are major security risks in a cloud computing environment, where resources are shared by many users. A DDoS attack targets resources or services in an attempt to render them unavailable by flooding system resources with heavy amounts of unreal traffic. The objective of DDoS attacks is to consume resources, such as memory, CPU processing space, or network bandwidth, in an attempt to make them unreachable to end users by blocking network communication or denying access to services. Dealing with DDoS attacks at all layers in cloud systems is a major challenge due to the difficulty of distinguishing the attacker's requests from legitimate user requests, even though the former come from a large number of distributed machines.

In this paper, we present an in-depth analysis of DDoS attacks in cloud computing and discuss the challenges in defending against these attacks. Section 2 provides an overview of DDoS attacks. Section 3 examines the effects of different types of DDoS attack and the recommended defense mechanisms for each type. Section 4 summarizes the results of investigations on DDoS attacks in the cloud system. Finally, Section 5 presents a brief summary of the paper.
II. DDoS OVERVIEW

DDoS attacks have become more sophisticated. Many websites and large companies are targeted by these types of attacks. The first DDoS attack was reported in 1999 [1]. In 2000, large resource companies, such as Yahoo, Amazon, CNN.com and eBay, were targeted by DDoS attacks, and their services were stopped for hours [2]. Register.com was targeted by a DDoS in 2001; this was the first DDoS attack to use DNS servers as reflectors [3]. In 2002, service disruption was reported at 9 of 13 DNS root servers due to DNS backbone DDoS attacks. This attack recurred in 2007 and disrupted two DNS root servers. In 2003, Microsoft was targeted by Worm Blaster. One million computers were attacked by MyDoom in 2004. In 2007, a DDoS attack was carried out by thousands of computers, targeting more than 10,000 online game servers. In 2008, a DDoS attack targeting Wordpress.com caused 15 minutes of denial [4]. In 2009, GoGrid, a cloud computing provider, was targeted by a large DDoS attack, affecting approximately half of its thousands of customers. In 2009, Register.com was affected again by a DDoS attack. In the same year, some social networking sites, including Facebook and Twitter, were targeted by a DDoS. Many websites were attacked by DDoS in 2010, including the Australian Parliament House website, Optus, Web24, Vocus, and Burma's main Internet provider. In 2011, Visa, MasterCard, PayPal, and PostFinance were targeted by a DDoS that aimed to support the WikiLeaks founder [4]. In the same year, the site of the National Election Commission of South Korea was targeted by DDoS attacks. Furthermore, thousands of infected computers participated in a DDoS attack that targeted the Asian E-Commerce Company in 2011 [4]. In 2012, the official website of the office of the vice-president of Russia was unavailable for 15 hours due to a DDoS attack [4]. In the same year, many South Korean and United States (US) websites were targeted by a DDoS. Godaddy.com websites reported service outages because of such an attack. In 2012, major US banks and financial institutions became the target of a DDoS attack.

DDoS attacks are evolving rapidly and are targeting large companies, which causes huge financial losses to those companies and websites globally. Consequently, investigating DDoS attacks in the cloud system is vital, along with recommending mechanisms to mitigate such attacks.

Figure 1. Cloud Computing Architecture

978-1-908320-13/1/$25.00©2013 IEEE

III. DDoS ATTACKS AND DEFENSES

DDoS attacks affect all layers of the cloud system (IaaS, PaaS, and SaaS) and can occur internally or externally. An external cloud-based DDoS attack starts from outside the cloud environment and targets cloud-based services. This type of attack affects the availability of services. The layers of the cloud system most affected by an external DDoS attack are the SaaS and PaaS layers. An internal cloud-based DDoS attack occurs within the cloud system, primarily in the PaaS and IaaS layers, and can occur in several ways. For example, the attackers may take advantage of the trial periods of cloud services of some vendors. As a result, an authorized user within the cloud environment can launch a DoS attack on the victim's machine internally. On the other hand, sharing infected virtual machine images could allow an attacker to control and use the infected virtual machines to carry out an internal cloud-based DDoS attack on the targeted machine within the same cloud computing system.

A DDoS includes different types of attacks. Descriptions of those attacks and recommended practical defense mechanisms in the cloud system are presented in the following sections.

A. IP spoofing attack

In the Internet Protocol (IP) spoofing attack, packet transmissions between the end user and the cloud server can be intercepted and their headers modified such that the IP source field in the IP packet is forged by either a legitimate IP address, as shown in Fig. 2, or by an unreachable IP address. As a result, the server will respond to the legitimate user machine, which affects the legitimate user machine, or the server will be unable to complete the transaction to the unreachable IP address, which affects the server resources. Tracing such an attack is difficult due to the fake IP address in the IP source field of the IP packet. The methods for detecting an IP spoofing attack can be applied in the PaaS layer or in the network resources on the IaaS layer.

Due to the difficulty of modifying and upgrading different types of network resources in the cloud system, hop-count filtering (HCF) [5] can be used to distinguish legitimate IPs from spoofed IPs in the PaaS layer. HCF counts the number of hops depending on the value of the Time to Live (TTL) field in the IP header. An IP-to-hop-count (IP2HC) mapping is built to detect the spoofed packet. An analysis concluded by Wang et al. [5] indicated that 90% of spoofed addresses can be detected using the HCF method. One drawback of this method is that attackers can build their own IP2HC mapping to avoid HCF. A trust-based approach to detect spoofed IP addresses can be used in the access routers on the IaaS layer [6], but another compatible solution should be proposed to detect IP spoofing in distribution routers.

Figure 2. IP spoofing attack

B. SYN flooding attack

A Transmission Control Protocol (TCP) connection starts with a three-way handshake, as shown in Fig. 3(a). A typical three-way handshake between a legitimate user and the server begins by sending a connection request from the legitimate user to the server in the form of a synchronization (SYN) message. Then, the server acknowledges the SYN by sending back a SYN-ACK request to the legitimate user. Finally, the legitimate user sends an ACK request to the server to establish the connection. SYN flooding occurs when the attacker sends a huge number of packets to the server but does not complete the process of the three-way handshake. As a result, the server waits to complete the process for all of those packets, which makes the server unable to process legitimate requests, as shown in Fig. 3(b). Also, SYN flooding can be carried out by sending packets with a spoofed IP address. A sniffing attack is considered a type of SYN flooding attack. In a sniffing attack, the attacker sends a packet with the predicted sequence number of an active TCP connection with a spoofed IP address. Thus, the server is unable to reply to that request, which affects the resource performance of the cloud system.

Figure 3. SYN flooding attack

Many defense mechanisms against SYN flooding attack can be used in the PaaS and IaaS layers [7]. The SYN cache approach [8], which establishes a connection with a legitimate request, can be considered in the PaaS layer, but it causes an increase in latency of 15%. The SYN cookies defense mechanism [8] is another recommended defense mechanism in the PaaS layer to detect a SYN flooding attack, but it lowers the performance of the cloud system. Reducing the SYN-received timeout is a recommended PaaS defense measure, but legitimate ACK packets could be lost. Moreover, some detection mechanisms, including filtering, firewall, and active monitoring, can be used in the IaaS layer. Filtering is an effective method to prevent a SYN flooding attack by configuring internal and external router interfaces, but this method is not reliable due to its limited use. The firewall mechanism in the IaaS layer depends on splitting the TCP connection, but this could affect the performance of the networking system. An active monitoring mechanism [9] can be used in the IaaS layer to monitor TCP/IP traffic and react in cases of SYN flooding. However, this approach depends on the SYN cookies mechanism, which leads to decreased performance of cloud resources.
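As an added illustration of the hop-count filtering method recommended in Section A for the PaaS layer (example code written for this page, not the authors' or Wang et al.'s implementation): the IP2HC mapping is learned from the TTL of packets seen while not under attack, and each later packet's inferred hop count is checked against it. The address ranges, TTL values and the tolerance parameter are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Initial TTL values commonly set by operating systems. HCF infers the
# initial TTL of a packet as the smallest of these that is not below the
# observed TTL, then takes the difference as the hop count.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(observed_ttl: int) -> int:
    """Infer how many routers a packet crossed from the TTL seen on arrival."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


@dataclass(frozen=True)
class Packet:
    src_ip: str   # source address claimed in the IP header
    ttl: int      # TTL value observed by the receiver


def learn_ip2hc(packets: List[Packet]) -> Dict[str, int]:
    """Build the IP2HC mapping from traffic observed while not under attack
    (the learning phase of HCF). Later observations overwrite earlier ones."""
    return {p.src_ip: infer_hop_count(p.ttl) for p in packets}


def is_spoofed(pkt: Packet, ip2hc: Dict[str, int], tolerance: int = 0) -> bool:
    """Flag a packet whose inferred hop count disagrees with the mapping for
    its claimed source. Sources with no mapping are not judged: HCF can only
    filter addresses it has learned. The drawback stated in the paper applies:
    an attacker who knows the expected hop count can pick a TTL that matches."""
    expected = ip2hc.get(pkt.src_ip)
    if expected is None:
        return False
    return abs(infer_hop_count(pkt.ttl) - expected) > tolerance


def screen(packets: List[Packet], ip2hc: Dict[str, int]) -> Tuple[List[Packet], List[Packet]]:
    """Split a batch into (accepted, dropped) according to HCF."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for p in packets:
        (dropped if is_spoofed(p, ip2hc) else accepted).append(p)
    return accepted, dropped


# Constructed sample traffic (documentation address ranges, not real hosts).
TRAINING = [Packet("198.51.100.7", 52), Packet("203.0.113.9", 108)]  # 12 and 20 hops
SAMPLE_IP2HC = learn_ip2hc(TRAINING)

if __name__ == "__main__":
    batch = [Packet("198.51.100.7", 52),    # consistent with 12 hops: accepted
             Packet("198.51.100.7", 118),   # would be 10 hops: flagged as spoofed
             Packet("203.0.113.9", 250),    # would be 5 hops: flagged as spoofed
             Packet("192.0.2.33", 61)]      # unknown source: passed through
    ok, bad = screen(batch, SAMPLE_IP2HC)
    print(f"accepted={len(ok)} dropped={len(bad)}")
```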
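The SYN cookies mechanism discussed above, as an added example (not the paper's or [8]'s code): the server encodes its handshake state into the sequence number of the SYN-ACK instead of storing it, and recovers it from the client's final ACK. The secret, the MSS table, the bit layout and the counter width are assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional

# MSS values the server can recover from a cookie; only two bits are spare,
# so the client's MSS is rounded down to one of these four.
MSS_TABLE = (536, 1220, 1440, 1460)
SECRET = b"constructed-secret-key"   # per-server secret; rotated in a real deployment
MAC_BITS = 25
MAC_MASK = (1 << MAC_BITS) - 1


def _mac(src_ip: str, dst_ip: str, src_port: int, dst_port: int, counter: int) -> int:
    """Keyed hash over the connection 4-tuple and the time counter. Computing
    this for every SYN and every ACK is the processing cost behind the
    performance drawback the paper attributes to SYN cookies."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss, counter):
    """Server ISN for the SYN-ACK: 5 bits of time counter, 2 bits of MSS index,
    25 bits of MAC, offset by the client's ISN. Nothing is stored per SYN."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    cookie = ((counter & 0x1F) << 27) | (idx << 25) | _mac(src_ip, dst_ip, src_port, dst_port, counter)
    return (client_isn + cookie) & 0xFFFFFFFF


def check_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, ack, counter_now,
                 max_age=2) -> Optional[int]:
    """Validate the final ACK of the handshake using only the packet itself.
    Returns the negotiated MSS, or None when the cookie is forged or too old."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF      # ACK number = server ISN + 1
    age = (counter_now - (cookie >> 27)) & 0x1F       # counter ticks since issue
    if age > max_age:
        return None
    expected = _mac(src_ip, dst_ip, src_port, dst_port, counter_now - age)
    # compare_digest keeps the comparison time independent of where a mismatch is
    if not hmac.compare_digest(expected.to_bytes(4, "big"),
                               (cookie & MAC_MASK).to_bytes(4, "big")):
        return None
    return MSS_TABLE[(cookie >> 25) & 0x3]


if __name__ == "__main__":
    conn = ("198.51.100.7", "203.0.113.1", 40000, 80)   # constructed 4-tuple
    server_isn = make_cookie(*conn, 123456, 1460, counter=100)
    print("mss recovered:", check_cookie(*conn, 123456, (server_isn + 1) & 0xFFFFFFFF, 101))
```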
C. Smurf attack

In a smurf attack, the attacker sends a large number of Internet Control Message Protocol (ICMP) echo requests. These requests are spoofed such that the source IP address is the victim's IP, and the IP destination address is the broadcast IP address, as shown in Fig. 4. As a result, the victim will be flooded with the echo replies generated by the broadcast. The worst case occurs when the number of hosts who reply to the ICMP echo requests is too large. Preventing this type of attack is difficult, but it can be mitigated by two different mechanisms. The first recommended defense mechanism in the IaaS layer is configuring the routers to disable the IP-directed broadcast command; this is disabled by default in current routers. However, the attacker could use a compromised device in the cloud system as an intermediary to send ICMP echo requests to the broadcast IP address locally, thereby carrying out an internal cloud-based DoS attack. Configuring the router in the IaaS layer cannot prevent such a smurf attack. Consequently, a second defense mechanism is needed, which is configuring the operating systems in the PaaS layer so that there is no response to ICMP packets sent to the IP broadcast addresses.

Figure 4. Smurf attack

D. Buffer overflow attack

In a buffer overflow attack, the attacker sends executable code to the victim in order to take advantage of a buffer overflow vulnerability. As a result, the victim's machine will be controlled by the attacker. The attacker could either harm the victim's machine or use the infected machine to perform an internal cloud-based DDoS attack. Four defense mechanisms to prevent buffer overflow vulnerability can be used in the SaaS layer [10]. The first mechanism is preventing such vulnerability when writing the source code [11]; however, time consumption is a limitation. Performing a check of the array bounds is a second recommended defense mechanism; this consists of checking memory accesses, using compiler support, and using a safe language. The third defense mechanism is runtime instrumentation, which can either modify the return address to detect the vulnerability or estimate the buffer bounds and then perform a check of the runtime bounds. The fourth recommended defense mechanism in the SaaS layer is analyzing the static and dynamic code to detect application vulnerability in this layer.

E. Ping of death attack

In the ping of death attack, the attacker sends an IP packet with a size larger than the limit of the IP protocol, which is 65,535 bytes, as shown in Fig. 5. Handling an oversized packet affects the victim's machine within the cloud system as well as the resources of the cloud system. Recent network resources and operating systems disregard any IP packets larger than 65,535 bytes. Therefore, such attacks are not currently affecting any cloud system layers.

Figure 5. Ping of death attack (packet size 90,000 bytes)

F. Land attack

This attack uses the "Land.c" program to send forged TCP SYN packets with the victim's IP address in the source and destination fields, as shown in Fig. 6. In this case, the machine will receive the request from itself and crash the system. Such an attack is prevented in recent networking devices and operating systems by dropping ICMP packets that contain the same IP address in the source and destination fields. Consequently, there is no need for a land attack defense mechanism to be used in all layers of the cloud system.
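An added example (not from the paper) that turns the smurf, ping of death and land conditions of Sections C, E and F into host-side screening rules run over constructed packet records; the field names, the address ranges and the 20-byte IP header assumption are mine.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IP_MAX_LEN = 65535       # largest IP datagram, the limit named in Section E
IP_HEADER_LEN = 20       # assumed: IP header without options
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                         # "icmp" or "tcp"
    icmp_type: Optional[int] = None
    tcp_flags: Set[str] = field(default_factory=set)
    frag_offset: int = 0               # fragment offset in 8-byte units, as in the IP header
    payload_len: int = 0               # bytes of data carried by this packet or fragment


def is_broadcast(addr: str, local_net: ipaddress.IPv4Network) -> bool:
    """Limited broadcast or the directed broadcast address of the local network."""
    return addr == "255.255.255.255" or ipaddress.ip_address(addr) == local_net.broadcast_address


def screen(pkt: Packet, local_net: ipaddress.IPv4Network) -> List[str]:
    """Return the names of the rules a packet trips; an empty list means pass."""
    hits: List[str] = []
    # Land (Section F): source and destination address name the same host.
    if pkt.src == pkt.dst:
        hits.append("land")
    # Smurf (Section C): echo request addressed to a broadcast address. Applying
    # the rule on every host (PaaS layer) also covers the internal case the paper
    # describes, where the request never crosses the border router.
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and is_broadcast(pkt.dst, local_net):
        hits.append("smurf")
    # Ping of death (Section E): the reassembled datagram would exceed 65,535 bytes,
    # which is visible from a single fragment's offset and length.
    if IP_HEADER_LEN + pkt.frag_offset * 8 + pkt.payload_len > IP_MAX_LEN:
        hits.append("ping_of_death")
    return hits


def screen_batch(packets: List[Packet], local_net: ipaddress.IPv4Network) -> Dict[str, int]:
    """Count rule hits over a batch, for feeding a monitor or a log."""
    counts = {"land": 0, "smurf": 0, "ping_of_death": 0}
    for p in packets:
        for rule in screen(p, local_net):
            counts[rule] += 1
    return counts


if __name__ == "__main__":
    net = ipaddress.ip_network("203.0.113.0/24")   # constructed local network
    sample = [Packet("203.0.113.9", "203.0.113.255", "icmp", icmp_type=8),
              Packet("203.0.113.1", "203.0.113.1", "tcp", tcp_flags={"SYN"}),
              Packet("198.51.100.7", "203.0.113.1", "icmp", icmp_type=8,
                     frag_offset=8180, payload_len=100)]
    print(screen_batch(sample, net))
```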
However, the process of checking and dropping large amounts of ICMP requests could affect the resources of the victim's machine in the PaaS layer or the networking resources in the IaaS layer.

Figure 6. Land attack

G. Teardrop attack

This kind of attack uses the "Teardrop.c" program to send invalid overlapping values of IP fragments in the header of TCP packets. As a result, the victim's machine within the cloud system will crash in the re-assembly process. Recent operating systems and network resources can handle such attacks. Therefore, teardrop attacks no longer affect any layers of cloud computing.

IV. SUMMARY OF CLOUD-BASED DDoS ATTACK

Based on an investigation of the major types of DDoS attacks, we derive a taxonomy of cloud-based DDoS attacks, as illustrated in Table I. Several taxonomies of DDoS attacks exist [4] [12] [13]. Our classification is focused on cloud computing aspects, such as the cloud-based type of attack, recommended practical defense mechanisms, and the drawbacks of each defense mechanism.

TABLE I. TYPES OF DDoS ATTACKS ON THE CLOUD SYSTEM

Columns: Attack; Cloud-based type; Recommended practical defense mechanism (drawback in parentheses).

Attack: IP spoofing
Cloud-based type: External, Internal
- Hop Count Filtering (HCF) in the PaaS layer [5] (the attacker can build his own IP2HC mapping to avoid HCF)
- Trust-based approach in the IaaS layer [6] (another compatible solution should be proposed to detect IP spoofing in distribution routers)

Attack: SYN flooding
Cloud-based type: External, Internal
- SYN cache approach in the PaaS layer [8] (increase in latency)
- SYN cookies defense approach in the PaaS layer [8] (lowers the performance of the cloud system)
- Reducing the time of SYN-received in the PaaS layer (some of the legitimate ACK packets could be lost)
- Filtering mechanism in the IaaS layer (not reliable due to the limited use of this method)
- Firewall mechanism in the IaaS layer (may affect the performance of the networking system in the cloud)
- Active monitoring mechanism in the IaaS layer [9] (decreases resource performance in the cloud)

Attack: Smurf attack
Cloud-based type: External, Internal
- Configuring virtual machines in the PaaS layer
- Configuring network resources in the IaaS layer

Attack: Buffer overflow
Cloud-based type: External, Internal
- Preventing when writing source code mechanism in the SaaS layer [10] (time consumption)
- Performing the array bounds checking mechanism in the SaaS layer [10]
- Runtime instrumentation mechanism in the SaaS layer [10]
- Analyzing the static and dynamic code mechanism in the SaaS layer [10]

Attack: Ping of death
Cloud-based type: External, Internal
- Difficult to affect any layers of the cloud system currently, but the attack could be developed in the future

Attack: Land.c
Cloud-based type: External, Internal
- Difficult to affect any layers of the cloud system currently, but the attack could be developed in the future

Attack: Teardrop.c
Cloud-based type: External, Internal
- Difficult to affect any layers of the cloud system currently, but the attack could be developed in the future
V. CONCLUSION

DDoS attacks are currently a major threat and work against the availability of cloud services. With each developed defense mechanism against DDoS attacks, an improved attack appears. Defense mechanisms to protect against DDoS attacks are not always effective on their own. Combining different mechanisms to build hybrid defense mechanisms, in particular across different cloud computing layers, is highly recommended. It is extremely important to investigate the effects of these different types of DDoS attacks on the cloud system. In this paper, historical examples of DDoS attacks have been presented. We also investigated the effect of different types of DDoS attacks on the cloud environment. Finally, we analyzed and identified recommended defense mechanisms against DDoS attacks in cloud-based systems.

ACKNOWLEDGMENT

This work was partially supported by King Abdulaziz University through the Cultural Bureau of Saudi Arabia in Canada. This support is greatly appreciated.

REFERENCES

[1] J. Nazario, "DDoS attack evolution," Network Security, vol. 2008, no. 7, pp. 7-10, 2008.
[2] P. G. Neumann, "Inside Risks: denial-of-service attacks," Commun. ACM, vol. 43, no. 4, p. 136, Apr. 2000.
[3] D. Dittrich, J. Mirkovic, P. Reiher, and S. Dietrich, Internet Denial of Service: Attack and Defense Mechanisms. Pearson Education, 2004.
[4] C. M. Patel and V. H. Borisagar, "Survey On Taxonomy Of DDoS Attacks With Impact And Mitigation Techniques," International Journal of Engineering Research & Technology (IJERT), vol. 1, no. 9, pp. 1-8, 2012.
[5] H. Wang, C. Jin, and K. G. Shin, "Defense Against Spoofed IP Traffic Using Hop-Count Filtering," IEEE/ACM Transactions on Networking, vol. 15, no. 1, pp. 40-53, Feb. 2007.
[6] J. M. Gonzalez, M. Anwar, and J. B. D. Joshi, "A trust-based approach against IP-spoofing attacks," 2011 Ninth Annual International Conference on Privacy, Security and Trust, pp. 63-70, Jul. 2011.
[7] M. Kumar, A. Panwar, and A. Jain, "An Analysis of TCP SYN Flooding Attack and Defense Mechanism," International Journal of Engineering Research & Technology (IJERT), vol. 1, no. 5, pp. 1-6, 2012.
[8] J. Lemon, "Resisting SYN flood DoS attacks with a SYN cache," in Proceedings of the BSD Conference 2002 on BSD Conference, 2002, p. 10.
[9] C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, "Analysis of a denial of service attack on TCP," Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097), pp. 208-223, 1997.
[10] D. Fu and F. Shi, "Buffer Overflow Exploit and Defensive Techniques," 2012 Fourth International Conference on Multimedia Information Networking and Security, pp. 87-90, Nov. 2012.
[11] L. F. Capretz and F. Ahmed, "Why do we need personality diversity in software engineering?," ACM SIGSOFT Software Engineering Notes, vol. 35, no. 2, pp. 1-11, Mar. 2010.
[12] A. Keshariya and N. Foukia, "DDoS Defense Mechanisms: A New Taxonomy," in Data Privacy Management and Autonomous Spontaneous Security, SE - 17, vol. 5939, J. Garcia-Alfaro, G. Navarro-Arribas, N. Cuppens-Boulahia, and Y. Roudier, Eds. Springer Berlin Heidelberg, 2010, pp. 222-236.
[13] S. M. Specht and R. B. Lee, "Distributed denial of service: Taxonomies of attacks, tools, and countermeasures," in Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004, pp. 543-550.