Survey on DDoS Attack in Cloud Environment

Transcription

1 Available online at International Journal of Innovative and Emerging Research in Engineering e-issn: p-issn: Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita Bhatt Kirtesh Agrawal, Navsari and India Nikita Bhatt, Nadiad and India ABSTRACT: Cloud computing has become popular and a huge platform for computing where large number of data are available online. Nature of cloud computing is distributed, due to this kind of nature they have become easy target for attackers to exploits the security vulnerability. Availability of data is most important part of cloud computing and even for economic growth of the society. name Denial of Service (DoS) is an attempt to make the resource unavailable to its intended user by flooding network with malicious packets. er spoof IP to hide the source of attack, however if the IP (Internet Protocol) address is kept same throughout the attack even it is spoofed DoS can be prevented. Modified form of DoS attack name Distributed Denial of Service (DDoS) helps to overcome the limitation of DoS attack. In DDoS instead of using attackers own IP it will use some compromised machine (bot machine) which will flood the targeting server in synchronized way. This paper contains survey on DDoS in cloud environment. Keywords: Cloud Computing, DDoS, Distributed Denial of Service, attack, Detection I. INTRODUCTION Cloud computing is a centralized pool of configurable computing resource which is outsourced to different people so they can get benefit of it. Cloud computing is an emerging new technology and it s becoming dominant day by day. Advantage of cloud computing are high availability, flexibility, cost savings and easy scalability. Today most of the world are moving to the cloud due to its numerous advantages it is very important for vendors to keep them available throughout but as cloud is distributed in nature it becomes very easy for intruders to find the exploit and intrude to the system. DoS attack is the most dangerous attack over the internet as it doesn t aim to modify data or gaining illegal access, but it targets to the availability of the server which is the most important factor of cloud computing. DoS attack is hard to detect if attacker use the spoofed IP. Spoofed IP is used by attacker to ensure that compromised machine remains undetected and attacker can use it for other different kinds of attacks. But even if the source of attack is kept constant, then it is possible to stop the attack and block it. To overcome the limitation of DoS attack it takes a new form by being distributed in nature. In Distributed Denial of Service, attacker gain illegal access to some of the compromised system all over the world and use them synchronically to flood a particular target at the same instance of time. Here in DDoS, traffic is less on the source node so it is not possible to detect it over there. Meanwhile, the synchronize attack by multiple compromised system at the same instance of time is sufficient to make the target network overwhelmed and deny its service to their legitimate user. II. DIFFERENT TYPES OF DDOS ATTACK Distributed Denial of Service (DDoS attack) is a modified form of DoS attack. DoS attack is triggered to make unavailable the targeted system to its intended users by flooding the targeted system with malicious traffic using a single node. While DDoS attack are initiated by gaining illegal remote access to some compromised machine called Zombies. With the help of zombies attacker will target the single system at same instance of time to make targeted system unavailable [1]. DDoS attacks are prone to Network level and Cloud Infrastructure level threats [3]. DDoS attacks are mainly of three types Network Depletion attack, Resource Depletion attack and Application attack. A. Network Depletion : In network depletion attack, attacker attempts to consume all the targeted network bandwidth by flooding targeted network with malicious traffic which will eventually prevent the legitimate traffic from reaching the targeted network. Network depletion attack can further classified into two types a) Flood b) Amplification. a) Flood : Huge traffic volume with the help of zombies (compromised machines) is triggered by an attacker to overwhelm the targeted network [1]. b) Amplification : Most internetworking devices like routers have inbuilt Broadcast feature, attacker takes advantage of that feature to initiate the attack. er broadcast packets to the internetworking device using broadcast address. 18

2 Internetworking devices further send those packets in range of broadcast address, afterwards those machine will send a reply to targeted system. This will lead targeted machine with malicious traffic [1]. B. Resource Depletion : In this kind of attack, attacker goal is to exhaust server s processing capabilities or memory. Two types of attack which target Server resources are as follows: a) Protocol Exploit attack: The idea behind this kind of attack is to find an exploit in specific feature of the protocol used by victim and then consume the excess amount of resources from it [1]. The best example of this kind of attack is TCP SYN attacks. b) Malformed Packet attack: Data Packet is wrapped with the malicious information. This kind of packet is send to the victim s server by an attacker to crash it. IP Address attack and IP Packet options attack are best example for this kind of attack [1]. C. Application : In this kind of attack, attacker finds an exploit in the application protocol. er can target any of the application protocol like HTTP, HTTPS, DNS, SMTP, FTP, VOIP, and other application protocols which possess exploitable weakness. DDoS Bandwidth Depletion Resource Depletion Appliction Flood Amplification Protocol Exploit Malformed Packet HTTP FLood UDP Flood (User Datagram Protocol) Smurf Fraggle TCP SYN IP Address DNS Flood ICMP Flood (Internet Control Message Protocol) Direct PUSH + ACK IP Packet Option FTP Loop VOIP SMTP Figure 1. DDoS Taxonomy III. CURRENT DETECTION AND DEFENSE MECHANISM DDoS attack is most dangerous attack over the internet. If the system with no detection or defense mechanism from DDoS attack experience the DDoS attack, there is nothing can be done except to disconnect the cloud server from the network and then manually fix it. DDoS attack waste lot of network and computing resources of targeted cloud server. Therefore most important goal of any DDoS defense mechanism is to detect the attack as soon as possible and try to stop it [8]. Following are the few Defense mechanism discussed. A. Filter Tree Approach to Protect Cloud Computing against XML DDoS and HTTP DDoS attack: Filter tree approach is made up of five steps [9]: 1) Sensor Filtering 2) Hop Count Filter 3) IP Frequency Divergence 4) Double Signature 19

3 5) Puzzle Solver International Journal of Innovative and Emerging Research in Engineering Figure 3. Filter Tree Approach [9] Problem with this approach is it lack from practical application [3]. B. Hop Count Filtering Approach: This technique is used to classify the difference between legitimate and spoofed packet. As hop count value is not directly store we need to calculate it using TTL (Time to Leave) store in IP header. TTL defined the life of packet, every node packet is traveled its TTL value is decremented by 1. TTL field is use to prevent a packet from entering into infinite loop. Whenever TLL becomes 0 packet is dropped. Hop count using TTL value is calculated by assuming its initial value for e.g. If TTL = 112, so possible values can be 128 or 255. But we will consider the lowest first possible value. So hop count will be =117. The initial values are decide as follows[4]: Initial TTL=32 if final TTL <=32 Initial TTL =64 if 32 < final TTL <=64 Initial TTL =128 if 64 < final TTL <=128 Initial TTL =255 if 128 < final TTL <=255 By using above table it is possible to calculate hop count from the value of TTL. Using Hop Count a mapping table IP2HC is created. But IP2HC table should contain only legitimate entries, to achieve that IP2HC table need to be updated only when the TCP connection is established. HCF (Hop Count Filtering) work in 2 phases i) Learning Phase 20

4 ii) Filtering phase [6]. Problem with HCF technique is there is lot of overhead in updating IP2HC table, because it need to update IP2HC table at every incoming packet. C. Packet monitoring Approach: Packet monitoring technique is designed to overcome the overhead updating problem of Hop Count Filtering approach. This approach continuously monitors packet travelling over the network. To reduce the overhead Vikas et al. used SYN flag from TCP header along with TTL field[4]. Four cases have been defined on the basis of SYN, TTL and IP address field to detect the malicious packet[4]: i. SYN = 1 and SRC = 1 in IP2HC Table then calculate current hop count by using TTL value of IP Packet. Check if it matches the stored hop count, if not then update the table. ii. SYN = 1 and SRC = 0 in IP2HC Table then calculate current hop count and add new entry to source IP address with corresponding hop count in IP2HC table iii. SYN = 0 and SRC = 1 in IP2HC Table then calculate current hop count if hop count does not matches then packet is malicious. iv. SYN = 0 and SRC = 0 in IP2HC Table means packet is spoofed because every valid TCP connection will have an entry in IP2HC table. D. VM-Based Intrusion Detection System using Dempster-Shafer theory operations in 3-valued logic and the faulttree analysis: This technique involves VM (Virtual Machine) based IDS (Intrusion Detection System). IDS are installed and configured into each virtual machine. Avoiding overloading problem and Effect of possible attack is minimized by using this technique. Alerts are generated and stored in database for future use. Using single database will leads to minimizing the risk of losing data. To improve the analysing capacity DST (Dempster-Shafer Theory) operations in 3 valued logic and the FTA (Fault Tree Analysis) for each VM-based IDS is used. Advantages of this technique are: Reduce in false alerts, increase detection rate and resolve conflicts generated by combination of information which are provided by multiple sensors [7]. E. Dynamically resource allocation mechanism: This technique focuses on DDoS attack which target individual cloud customer. There are many access points between data center and internet, where IPS (Intrusion Prevention System) can be placed to monitor packets. This technique will start allocating the idle resources of cloud dynamically to victim s machine, when cloud hosted server is under DDoS attack. Therefore QoS(Quality of Service) is assured. Figure 2. (a) Cloud hosted server in a non-attack scenario. (b) Cloud hosted server under DDoS attack with the mitigation strategy in place [2] Problem with this technique is when the cloud runs out of the idle resources no further allocation will take place, after that DDoS attack will be effective. This solution can be used as a short time Defence against DDoS attack [2]. 21

5 IV. CONCLUSIONS Cloud computing is a fast growing network and becoming the dominant part of today s internet and along with data security, availability is also the important part of it. Therefore it is very necessary to provide Detection and Prevention mechanism for the attack which targets the availability. There is lot of work going around to provide cloud an effective way to defeat DDoS attack. This paper provides an overview of different kind of DDOS attack and brief study about different Detection and Prevention mechanism for DDoS attack. The future work is to provide an effective way which can defeat DDoS attack in cloud. REFERENCES [1] B.Prabadevi, N.Jeyanthi, Distributed Denial of service s and its effects on Cloud Environment- a Survey, IEEE, June 2014 [2] Shui Yu, Senior Member, IEEE, Yonghong Tian and Song Guo,, and Dapeng Oliver Wu, Can We Beat DDoS s in Clouds?, IEEE, 24 July 2013 [3] Issa M. Khalil, Abdallah Khreishah and Muhmmad Azeem Cloud Computing Security: A Survey", MDPI [4] Vikas Chouhan & Sateesh Kumar Peddoju, Packet Monitoring Approach to Prevent DDoS in Cloud Computing, International Journal of Computer Science and Electrical Engineering (IJCSEE) ISSN No , Vol-1 Iss-1, 2012 [5] Jaswinder Singh, Krishan Kumar, Monika Sachdeva and Navjot Sidhu, DDoS s Simulation using Legitimate Real Data Sets [6] Mr. I. B. Mopari, Prof S. G.Pukaleand Prof M. L. Dhore, Detection and Defense Against DDoS attack with IP Spoofing, International Conference on Computing, Communication and Networking, 2008 [7] A.M. Lonea, D.E. Popescu and H. Tianfield, Detecting DDoS s in Cloud Computing Environment, by CCC Publication [8] Saman Taghavi Zargar, Jamesh Joshi and David Tipper, A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding s, IEEE, 2013 [9] Tarun Karnwal, T. Sivakumar and G. Aghila, A Comber Approach to Protect Cloud Computing against XML DDoS and HTTP DDoS attack, IEEE, 1-2 March