Cloud Security Countermeasures against Distributed Denial of Service Attacks

Transcription

1 International Journal of Computer Systems (ISSN: ), Volume 02 Issue 11, November, 2015 Available at Priyanka Porwal A, Ankit Kumar B Ȧ Department of Computer Science and Engineering, Integral University Lucknow, U.P., India Ḃ Department of GIS and Remote Sensing Motilal Nehru national Institute of Technology Allahabad, U.P., India Abstract Cloud Computing is a distributed scenario that centralizes server resources on a platform which is scalable as to provide on demand services. Cloud service providers (CSP s) offer cloud platforms for their clients to use and generate their web services, much like internet service providers offer costumers high speed broadband to access the internet. As one of the very important security problems in the current Internet, is denial-of-service (DoS) attack for all time attempts the network as well as provide the solution to reduce the execution time over the network. The objective of this work is to provide security in cloud computing network. My proposed work uses cloud guard framework. This framework we use two types of filter one is traceback and another is hop-count filter which is implemented on the nodes to discontinue the victim from serving services to authenticated users. The proposed work will identify the attack over in the network. This filter will identify the malicious activity in the network. The proposed framework is implemented using OPNET MODELER & its results show its effectiveness. Keywords: Cloud Computing, DDoS, Cloud Guard, Pop, Botnet, TCPack, UDP, Network Security. I. INTRODUCTION Cloud Computing is a distributed scenario that centralizes server resources on a platform which is scalable as to provide on demand services. Today, cloud computing systems are providing a wide variety of services and interfaces to enable vendors to rent out spaces on their physical machines at an hourly rate for a tidy profit. Cloud computing safety is the foremost concern (amazon EC2 2009; INetu, 2009; Elastic Hosts, 2009) and has numerous tests that essential attention from the current studies on IT managers and CIO's directed by IDC it was perfect the cloud computing. Denial of service outbreaks is possible in cloud computing environment which can exist a risk to records under program. Nothing like by transient defensive and safety Excruciating, payload alteration, shell-code change and identical supplement. Denial of service invaders harms accessibility of a facility. If an occurrence in cloud service provider is flooded with moreover much work burden, additional facilities consecutively run on the similar cloud server may face problems with accessibility As one of the very important security problems in the current Internet, is denial-of-service (DoS) attack for all time attempts to discontinue the victim from serving services to authenticated users. A distributed denial-ofservice (DDoS) attack is a part of denial of service attack which relies on several compromised users in the network to attack the victim. There are two types of Distributed denial of service attacks. The primary first type of DDoS attack has the aim of attacking the victim machine to compel it out of service for authenticate users by exploiting software vulnerabilities of the system. The second type of Distributed denial of service attack is dependent on a large volume of attack traffic, which is also called as a floodingbased Distributed DoS attack. II. LITERATURE SURVEY Previous research on SOTA, which is base on serviceoriented architecture as well as service-oriented grid architecture. To conclude this section, we briefly cover up the research done on X-DoS which is a DDoS attack that might have an effect on cloud computing. SOTA is a web protection service function that is product neutral (Chonka et al., 2008a, 2008b, 2009). Its major objective is to relate a SOA approach to traceback method. This is in sort to recognize a forged message characteristic, since one of the major objectives of X-DoS and DX-DoS is to conceal the attacker s true information. The beginning of SOTA is found upon the Deterministic Packet Marking (DPM) algorithm (Belenky and Ansari, 2003). DPM marks the ID field and reserved flag within the IP header. As every arriving packet enters the edge ingress router it is noticeable. The marked packets will stay unchanged as they go across the network. Outgoing packets are disregarded. DPM methodology is applied to our SOTA structure by placing the Service oriented traceback Mark (SOTM) contained by web service messages. If any supplementary web safety services (WS-Security, for example) are already engaged, SOTM would change the token that contains the user identification. Real source message detection is stored contained by SOTM, and located inside the SOAP message. SOTM, as in DPM tag, will not modify as it traverse in the course of the network. The composition of SOTM is completed up of one XML tag, so not to meditate down the message. It is then put within a SOAP header. Discovery of an X-DoS or DX-DoS attack, SOTM be able to be used to recognize the correct source of bogus messages. SOTA does not openly remove an X-DoS or DX-DoS attack message. This is left for the filter section of a defence method called Cloud Protector 494 International Journal of Computer Systems, ISSN-( ), Vol. 02, Issue 11, November, 2015

2 III. RESEARCH BACKGROUND AND CONTEXT The proposed cloud guard model for cloud computing is consists of two filters namely traceback and hop-count filter to detect malicious activity. This research work explains the design, confirmation and future perception of the Cloud Guard, with an emphasis on the distributed processing of the flow data. Cloud Guard is a distributed filter platform on the network backbone to facilitate protecting our connecting institutions against malevolent DDoS attacks. The Distributed DoS analyzer wants to know the source routers of all flow records beforehand this incomplete information can be collected into the occupied path of the flow. However the header and the payload of the movement of record do not have the IP address of the router, therefore the source of the flow of record data can single be recognized by the source IP of the UDP datagram in that case the flow record is directly sent in the principal place. A. CLOUD TRACEBACK Cloud computing has restricted resources so it takes to offer an exceedingly excellence facility however these facilities could be exhausted by an appropriate figure of consumers. With this specific information, invaders can originate a DDoS attack. For example, an invader could open up a number of browsers so that it can direct send several requests to the target s web server over a period of time. In a DDoS attack, the invader would command their agents to originate a flood attack of oversized requests, in contrast to the web server. That again would consequence in the web server deafening from either one implementing the oversized requests from communication bottleneck created from the overflow. Cloud TraceBack could be used in one or the other a network structure, such as a LAN. It is prepared within a computer-generated machine to make locate within the cloud system compatible, elastic and accessible. B. HOPCOUNT FILTER We use a filtering technique, called Hop-Count Filtering to clear out spoofed IP packets at very starting point of network handling, thus effectually defending victim servers assets from abuse. The validation ahead hop-count filtering is that most arbitrarily spoofed IP packets, when incoming at victims, do not convey hopcount values that are reliable by the IP addresses actuality spoofed. A receiver an Internet server can deduce the information of hop-count and check for the stability of source IP addresses. My study work exhausting network measurement volume of data, we display that HCF can distinguish nearby to 90% of spoofed data packets. In addition our hop-count based group significantly decreases the amount of incorrect positives. Thus, we can abort spoofed IP packets with minute collateral harm in the filtering state. To assurance that the cleaning methodology itself ensures that attack packets our strategy wants only a controlled amount of storing data. We estimate the advantage of HCF with new experimental dimensions and shows that HCF is certainly actual in countering IP spoofing by providing substantial resource investments. Although HCF is very simple and actual in thwarting IP spoofing, it is not a whole solution to the general DDoS problem. Hop-count information is not openly stored in the IP header one has to calculate it established on the final TTL value. Time to live is an 8-bit field value in the IP header firstly introduced to identify the extreme lifetime of each and every packet in the Internet. Each intermediary router decrements the value of TTL in transit IP packet by one earlier dispatching it to the next-hop. The finishing TTL value while a packet reaches its destination point is the primary TTL reduced by the amount of intermediary hops. The big challenge in hop count calculation is that an endpoint only realizes the final value of TTL. It would ensure simple and all operating systems used the similar initial TTL value but in preparation there is no consent on the preliminary TTL value. Additionally, since the operating system for a given IP address might change with time period we cannot accept a particular stationary TTL value for IP address. Most modern operating system uses only a few particular initial TTL values, 30, 32, 60, 64, 128, and 255. This regular of initial values covers maximum of the current operating system such as Microsoft Windows, Linux and many commercial UNIX systems. We perceive that most of these primaries TTL values are apart except between the numbers 30 and 32, 60 and 64, and between 32 and 60. Internet traces must shown that limited Internet clouds are separately by more than 30 hops which is also established by our own comment one can regulate the initial TTL values of a packets by picking the minimum initial value in the fixed set that is greater than its closing TTL. For example if the final value of TTL is 112 the initial TTL value is 128. To resolve an obscurities in the circumstances of {30, 32}, {60, 64}, and {32, 60} we resolve calculate a hop-count assessment for each of the possible initial values of TTL and accept the packet if around is a match with either one of the possible hop-counts values. Hop count filter that we are using calculate the number of hopes taken by message. It works on the basis of TTL (Time to Live) value. It takes initial TTL value as TTLi and final TTL value as TTLf, then it subtract both Time to live value and calculates Hop Count value Hop Count = TTLf TTLi Now it compares this Hop Count value with the value save in the IP to Hop Count table. If value does not equivalent then it means the coming message is spoofed and it will be drop otherwise send to the next filter. IV. RESULTS AND DISCUSSION Here we will evaluate our model cloud guard in using opnet modeler. This framework is developed to operate anywhere in any situation. Our choice is using OPNET MODELER The proposed framework is not a serverside detection mechanism. It is rather a partial and delegated server-side DDoS prevention system, because each component has its own functionality in detecting the flooding attack type. Therefore, any flooding threat is detected, are mitigated by filtering the attackers requests at firewall before reaching Cloud. 495 International Journal of Computer Systems, ISSN-( ), Vol. 02, Issue 11, November, 2015

3 packet rate and packet length of the attack packet to be a series of distributions, such as constant, exponential distribution, in order to imitate some possible attack situations. Figure1. DDoS attack scenario analyses Using OPNET A. Flooding by attacker DDoS is flooding by malicious/incompatible packets by the attackers towards the Data Center. This kind of overload threat could be easily detected by a backtrace mechanism. If the attacker characteristic is found, then the user could be filtered by the firewall. B. Flooding by spoofing attacker Caused by impersonation that can be detected by acknowledging each request and by maintaining the sequence number of the requests and requesters IP (Internet Protocol) address. C. Flooding by aggressive legitimates Caused by aggressive users, it is an overload condition where the legitimate users flood the server with the requests that slow down the performance of cloud guard. This condition is critical to detect, because the overload has legitimate characteristics. By maintaining the inter-arrival time of users packets by a back-off timer, this attack can be detected. Figure3. Firewall for trace back mechanism Whenever the requester sends a request for cloud guard resource access, the first step is to direct the requests to the traffic analyzer. When the incoming traffic exceeds the link capacity, the abnormal traffic is detected and it is passed onto customized Routers. Figure 2.Traffic generator node creation In this simulation, the clients located as attacker set out the DDoS Flooding attack and send out DDoS attack packets to the target system, which is the main server located in the cloud in Figure 5 the attacker module will initiate the attack traffic. We adjusted the intensity of the attack traffic by the packet rate and packet length of the packet sent out by attacker. Moreover, we design the D. Performance evaluation Figure4.Hop-Count Filter The performance evaluation on three scenarios namely simulation of network traffic only with legitimate requests, simulation of DDoS attack and deployment of traceback and hop-count under DDoS attack. E. Attacker strength towards a Victim cloud guard The traffic rate is the average number of packets forwarded per second to the application, Remote login application, and simulated application to each cloud guard. The Flooding Traffic Rate, generated by distributed attackers is identified towards the victim Data Center, cloud guard. Request load of cloud guard. The request load is the rates at which requests, Remote login requests, simulate requests arrive at the server. The requests could belong to different the application requesters try to reach. Cloud guard simultaneously and once the traffic overload is identified, they are controlled by switching the traffic to 496 International Journal of Computer Systems, ISSN-( ), Vol. 02, Issue 11, November, 2015

4 serial ordered requests to reach cloud guard. Fig. shows the traffic is uncontrolled and the request load shows the evidence of DDoS attack towards cloud guard. Fig. shows the request load that is trying to reach cloud guard. V. SIMULATION REPORT Figure8. Simulation speed Figure5. Simulation Progress Figure9.Memory usage Figure6. Throughput of local router VI. RESULTS STATISTICS The simulated proposed framework with Hop-Count Inspection with trace back defense Defending against Direct DDoS Flood Attack on OPNET simulator toolkit the various parameters set for the simulations are Simulation Time 180 s No of Nodes 2 Node Placement Uniform Computation Time For Computation Time simulation of both the algorithms the sample inputs are taken as rate of arrivals probability of malicious packets for proposed framework. The results are analyzed based on computational time and detection rate as performance matrics. Table1. Sample reports Figure7.Throughput of remote switch 497 International Journal of Computer Systems, ISSN-( ), Vol. 02, Issue 11, November, 2015

5 The table shows that the proposed approach saves potential computation time as compared to the Hop-Count over a much better rate and hence improves network performance. The Computation timer is a much relevant factor for the performance measurement of the cloud and there is minimum loss of the available resources which supports the network. The various recourses can to the clients if the computation speed will improve the simulation results in terms of a graph show better performance for our proposed Escape-on-Sight approach under DDoS. The results proved that our approach is suitable to deploy to cloud guard prone to DDoS attack. VII. LIMITATIONS DDoS attack is very dangerous in cloud environment because entire resources are at single situate they are not circulated so attackers need to focus at the single place to have an effect on all the services. As much simple to make attacks on cloud for attacker that much hard to resolve these attacks for researches so this paper filter requested message at dissimilar stages initially matching the call for client IP with previously stored doubtful IP address in Trace-Back and then cloud guard is only using for detect the HTTP DDoS, Coercive parsing DDoS, XML DDoS. Cloud guard is firstly identify doubtful messages and after that detecting attacks. VIII. CONCLUSION AND FUTURE SCOPE In this paper, we introduce an approach to simulate the Distributed Denial of Service attack on OPNET. Research simulation results indicate that this approach is a feasible way to get the simulation data for testing the performance of intrusion detection system, given that it is hard to collect the data with attack from a real network. In this scenario, the attackers tricked the reflector into thinking that the defender made a request. This resulted in the reflector sending a huge amount of data to the defender. Since the source address in the data traffic from the reflector to the defender was not spoofed, the defender is unable to identify and discard malicious traffic. As a result, all the traffic sent by the reflector is accepted by the protector node. This phenomenon is illustrated in Figures and, which shows the total amount of traffic generated by the reflector and accepted by the defender node. In both cases, when the hop count defense is enabled and disabled, the defender fails to filter out malicious flows and accepts all incoming traffic. We plan to continue our investigation of various DDoS attacks and defenses and examine the possibility of their implementation in OPNET Modeler. In particular, we would like to develop a signaling protocol which will allow the end nodes to notify the edge routers about identified malicious traffic that enters their network domain. We also would like to further refine the current implementation of the hop count defense by adding statistics for recording the number of identified malicious flows, the number of falsepositive and false-negative classifications, the number of queued, discarded, and forwarded packet that were classified as malicious and as legitimate. In addition, we are studying machine learning and statistic-based techniques for identifying malicious traffic flows and looking into possible ways to implement and test these techniques in the OPNET Modeler environment. REFERENCES [1] Joshi B., Vijayan, A.S. ; Joshi, B.K., Securing Cloud Computing Environment Against DDoS Attacks 2012 international conference on computer communication and informatics(iccci-2012),pp: 1-5, [2] M. Kumar, A. Panwar, and A. Jain, "An Analysis of TCP SYN Flooding Attack and Defense Mechanism, " International Journal of Engineering Research & Technology (ljert), vol. I, no. 5, pp. 1-6, [3] Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, pages;: /1/2013 IEEE [4] H. Wang, C. Jin, and K. G. Shin, "Defense Against Spoofed IP Traffic Using Hop-Count Filtering, " IEEE/ACM Transactions on Networking, vol. 1 5, no. I, pp , Feb [5] Can We Beat DDoS Attacks in Clouds? Shui Yu, Senior Member, IEEE, Yonghong Tian, Senior Member, IEEE, Song Guo, Senior Member, IEEE, and Dapeng Oliver Wu, Fellow, IEEE 2012 [6] A.Belenky and N.Ansari (2003), Tracing multiple attackers with deterministic packet marking (DPM), Proceedings of IEEE Pacific Rim conference on communications, computers and signal processing, Vol. 1, pp [7] Priyanka porwal,parvez mahmood khan and Dhruba shankar ray, Cloud Computing Security Threats and Countermeasures in IJIESM, Volume 2, Issue 4, April [8] A.Chonka W. Zhou and Y.Xiang (2008a), Protecting web services with service oriented traceback architecture, Proceedings of the IEEE eighth international conference on computer and information technology, pp [9] A.Chonka, W.Zhou and Y.Xiang (2008b), Protecting web services from DDoS attacks by SOTA, Proceedings of the IEEE fifth international conference on information technology and applications, pp [10] A.Chonka, W.Zhou and Y.Xiang (2009a), Defending grid web services from X-DoS Attacks by SOTA, Proceedings of the third IEEE international workshop on web and pervasive security (WPS 2009), pp [11] A Comber Approach to Protect Cloud Computing against XML DDoS and HTTP DDoS attack 2012 IEEE Students Conference on Electrical, Electronics and Computer Science. [12] Cloud Security Alliance [13] Europe Network and Information Security Agency; see g- risk-assessment [14] Chonka A, et al. Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks. J Network Comput Appl (2010), doi: /j.jnca [15] Palvinder Singh Mann, Dinesh Kumar A Reactive Defense Mechanism based on an Analytical Approach to Mitigate DDoS Attacks and Improve Network Performance International Journal of Computer Applications, January [16] ne.com/file.php/1/pictures/network/ddos_attack.gif&imgrefurl. [17] N. Venkatesu, et al., "An Effective Defense Against Distributed Denial of Service in GRID," in Emerging Trends in Engineering and Technology, ICETET '08. First International Conference on, 2008, pp [18] Wikipedia, Cloudcomputing, omputing. [19] Distributed Denial of Service Prevention Techniques B. B. Gupta, Student Member, IEEE, R. C. Joshi, and Manoj Misra, Member, IEEE International Journal of Computer and Electrical Engineering, Vol. 2, No. 2, April, [20] Danish Jamil et al. Security Issues In Cloud Computing And Countermeasures, In International Journal of Engineering Science and Technology (IJEST). [21] Jitendra Amangi, Cloud Computing: Emergence, Relevance and Future in India, In International Journal of Computer Systems, Volume 01 Issue 02, November, pp: 68-71, [22] Vijay.G.R, Dr.A.Rama Mohan Reddy, Security Issue Analysis in Cloud Computing Environment International Journal of 498 International Journal of Computer Systems, ISSN-( ), Vol. 02, Issue 11, November, 2015

6 Engineering Research and Applications (IJERA) ISSN: Vol. 3, Issue 1, January -February 2013, pp [23] S.Subashini and V. Kavitha,A survey on security issues in service delivery models of cloud computing., Journal of Network and Computer Applications, Vol. 34, No. 1, Jul, [24] Mona Jammal and Nouf Alghamdi, "Increasing the Business Value through Cloud Computing Usage", In International Journal of Computer Systems, Volume 2, Issue 11, November, 2015, pages: [25] Sai Krishna Reddy Palwai, Pranit Kumar Pandey, Sandeep CVS, "Security Enhancement for Multi-party learning in Cloud Platform", In International Journal of Computer Systems, Volume 2, Issue 10, October, 2015, pages: [26] Jon Marler, Securing the Cloud: Addressing Cloud Computing Security Concerns with Private Cloud, Rackspace Knowledge Centre, March 27, 2011, Article Id: International Journal of Computer Systems, ISSN-( ), Vol. 02, Issue 11, November, 2015