Large-scale coordinated attacks: Impact on the cloud security

Transcription

1 Large-scale coordinated attacks: Impact on the cloud security Damien Riquet Gilles Grimaud M. Hauspie Team 2xS Université Lille 1, France MCNCS, Palermo, 2012 D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...1/26

2 Study on the impact of distributed attacks on Cloud Computing Cloud Computing: a popular model to process large data set Several layers according to the needs of customers Store confidential data Growing concern about its security Attacks on the cloud Distributed attacks to evade security solutions Weaknesses of cloud structure D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...2/26

3 D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...3/26

4 D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...3/26

5 D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...3/26

6 D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...3/26

7 Goals of this paper Study security solutions used by Cloud Computing Show that distributed attacks could be very efficient 1-path architecture Use case: distributed portscan D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...4/26

8 Outline How Cloud Computing can be secured 1 How Cloud Computing can be secured D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...5/26

9 Outline How Cloud Computing can be secured Security solutions commonly used Detection methods 1 How Cloud Computing can be secured Security solutions commonly used Detection methods D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...6/26

10 Security solutions commonly used Detection methods Cloud security - Security solutions commonly used Firewalls [BC94] At the border of the network Analyze traffic between two networks Security policies Intrusion Detection System (IDS) [Ped05] Network or Host based Passive device: raise alarms Pattern-matching, analyze traffic D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...7/26

11 Detection methods Security solutions commonly used Detection methods Misuse detection Look for known patterns of misuse Pattern-matching Need constant update of the database Anomaly detection Knowledge of standard Raise an alarm when an anomaly is detected Detect unknown attacks May raise a lot of false positive D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...8/26

12 Outline How Cloud Computing can be secured Definition Distribution methods 1 How Cloud Computing can be secured 2 Definition Distribution methods 3 4 D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...9/26

13 : a use case Definition Distribution methods [Shi00] A portscan is... «an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service.» Usage and goals Reconnaissance phase Discover weaknesses of a network Used by worms, malicious hackers D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...10/26

14 How to distribute a portscan Definition Distribution methods Naive distribution [KCS07] Sequential utilization of scanners Use a scanner until it is detected then select another one Parallel distribution Distribute ports among scanners Execute portscan on scanners Process results afterwards D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...11/26

15 Outline How Cloud Computing can be secured Security solutions Network architecture Benchmark configurations 1 How Cloud Computing can be secured 2 3 Security solutions Network architecture Benchmark configurations 4 D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...12/26

16 Tested security solutions Security solutions Network architecture Benchmark configurations Snort Popular open source IDS Detection methods Signature-based (written by the community) Threshold-based (sfportscan module) Commercial firewall United Threat Management (network firewall and an IDS) Detection methods Anomaly-based (TCP Automaton) Threshold-based D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...13/26

17 Network architecture Security solutions Network architecture Benchmark configurations Cloud Computing Internet host Cloud host Firewall / IDS D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...14/26

18 Benchmark configurations Security solutions Network architecture Benchmark configurations Network architecture Portscan Number of scanners: 2 n, with 1 n 6 Number of targets (Snort): 2 n, with 1 n 6 Number of targets (Commercial): 4 Security solution configuration: default Portscan timing: insane aggressive normal polite 5 ms 10 ms 0.4 s 0.4 s Number of ports: 100 per target (most used ports) Distribution methods: Naive and Parallel Portscan techniques: Connect, SYN, RPC, FIN, Xmas and Null D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...15/26

19 Outline How Cloud Computing can be secured Evaluation Connect scanning Null scanning wrap up 1 How Cloud Computing can be secured Evaluation Connect scanning Null scanning wrap up D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...16/26

20 Evaluation How Cloud Computing can be secured Evaluation Connect scanning Null scanning wrap up Attacker Success Rate n = Number of ports successfully scanned before detection T = Total number of ports to scan ASR = n T The lower is the ASR, the better is the security solution Successful portscan : undetected correct port state generated traffic reaches targets D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...17/26

21 Connect scanning - 4 targets Evaluation Connect scanning Null scanning wrap up Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Commercial firewall D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...18/26

22 Connect scanning - 4 targets Evaluation Connect scanning Null scanning wrap up Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Commercial firewall D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...18/26

23 Connect scanning - 4 targets Evaluation Connect scanning Null scanning wrap up Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Commercial firewall D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...18/26

24 Connect scanning - Snort Evaluation Connect scanning Null scanning wrap up Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort - 8 targets Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort - 32 targets D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...19/26

25 Connect scanning - Snort Evaluation Connect scanning Null scanning wrap up Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort - 8 targets Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort - 32 targets D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...19/26

26 Null scanning - 4 targets Evaluation Connect scanning Null scanning wrap up Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Commercial firewall D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...20/26

27 Null scanning - 4 targets Evaluation Connect scanning Null scanning wrap up Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Snort Naive Parallel 100 ASR insane aggressive normal polite insane aggressive normal polite Commercial firewall D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...20/26

28 wrap up Evaluation Connect scanning Null scanning wrap up Distributed attacks could be very efficient: 32/64 scanners are enough to remain undetected Weaknesses of security solution (timing, outdated database) Parallel distribution succeeds in obfuscating the attack Commercial firewall has better results D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...21/26

29 Study of security solutions commonly used Impact of distributed attacks on Cloud Computing 32 scanners are enough to remain undetected No network noise Future work Multipath attacks Collaborative IDS using virtual and physical probes D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...22/26

30 Questions Large-scale coordinated attacks: Impact on the cloud security Damien Riquet - damien.riquet@lifl.fr Gilles Grimaud - gilles.grimaud@lifl.fr Michaël Hauspie - michael.hauspie@lifl.fr riquetd/ D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...23/26

31 References I S. M Bellovin and W. R Cheswick, Network firewalls, IEEE Communications Magazine 32 (1994), no. 9, Min Gyung Kang, Juan Caballero, and Dawn Song, Distributed evasive scan techniques and countermeasures, Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment (Berlin, Heidelberg), DIMVA 07, Springer-Verlag, 2007, p Naga Raju Peddisetty, State-of-the-art intrusion detection: Technology, challenges, and evaluation, R. Shirey, RFC Internet Security Glossary, May D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...24/26

32 Multipath attacks Attackers Targets Attackers Targets D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...25/26

33 Collaborative security system DSL Host Hypervisor Virtual probe FPGA Guest OS Guest OS Physical probe Virtual probe D. Riquet, G. Grimaud, M. Hauspie Large-scale coordinated attacks: Impact on the cloud...26/26