Executive summaryCloudcomputing is a model that include service provider and service consumerinteract with each other over a network.
it provides a lots of benefits forservice consumers as they can use resources on cloud. Clients can useapplications on cloud, can use any platform on cloud, and can also use anyinfrastructure without maintaining it. Other benefits are: Storage CPUutilization etc. Security is big issue in cloud computing and with the passageof time attacks on security are increasing so, many researchers are working topropose a solution that eliminate security issues in cloud. One of mostfrequent security problem is DDOS attack. In DDOS attack, the attacker intendseither to occupy the bandwidth of server so that legitimate users can notaccess it, or send a large amount of traffic on particular resource to keep it busyin handling requests of attackers so that legitimate users can not use them.
AsCloud computing provides pay per use facility so, attackers using the resourceswill not pay for it. It causes economical losses to cloud providers. Detectingattacks can also cause economical loss to some extent because attacker will keep on using resources andcausing problem for legitimate users till it is detected.. So it is required toprevent DDOS attacks from accessing the server. Many attackers make use ofspoofed(i-e: fake) IP addresses. Majority of DDOS prevention techniquesinvolves detection of attacks when requests from a particular source are abovethreshold level within a particular time frame. So it is also needed to detectattacks if they are within threshold level.
This research proposal aims topropose techniques for: Detecting Spoofed IP addresses and detecting DDOSattacks within threshold level. For detection of spoofed IP addresses, twotechniques will be used: “Double TCP connection” and “Packet sniffing”.Wireshark will be used as packet sniffer. Both of these techniques will becompared to see which one give better results for detecting attacks. And todetect DDOS attack within threshold a technique named as “Auto Scaling” will beused. Keywords: Cloudcomputing, DDOS attacks, Prevention, Security Spoofed IP address, Auto ScalingIntroductionCloudcomputing enable users to access and use resources like servers, networks,storage, services and applications, on remote servers by using internet.Services offered by cloud computing are software as a service (SAAS), user canuse the application that is running on cloud of the provider. Infrastructure asa service(IAAS), users can use any kind of infrastructure to run any applicationon that, application can be operating system.
Platform as a service(PAAS.) ,users can implement their application on cloud and run it.. Benefits providedby cloud are resources on demand, pay per use, user have to pay according toresources that are used, it reducesmaintenance overhead etc. Although many benefits are provided by cloudcomputing, but it has some security problems.
Data security or business logicsecurity. As passage of time, many attacks have been influencing the securityof cloud and so cloud providers have to take security measures to prevent theircloud from such threats. The second 1most frequent attack after information left is DDOS attack. More than 20%companies2reported atleast one DDOs attack on their infrastructure. .
DDOS attacks caneffect two things3.Bandwidth and Resources. When affecting bandwidth, attackers sent the largeamount of traffic to target server to consume bandwidth, so that legitimateusers’ request cannot reach the server and while in effecting resource, theattacker send large amount of traffic to target resource so that it cannotresponse to legitimate user because of resource being busy in respondingattackers’ requests.
The traffic sent by attackers is sometimes referred to aszombie army or botnet attacks. Botnet is the combination of robot and network.Some special viruses like torjon are installed on computers and a bot networkis generated. A host machine controls this network. and attack is generated ona target server or resource. Some companies sell or rent this zombie network to other users.
Manytechniques have been generated for detection of DDOS attacks but when attack isdetected, economical losses have accrued. As DDOS attack leads to economiclosses so, it is also referred as EDOS attack. EDOS attack is specific type ofDDOS attack where the attackers’ intention is to provide economical loss to aparticular cloud provider. One of the techniques like Auto Scaling4involves increasing resources as their need increased. But if resources areincreasing for attackers then this may cause economic loss. So some techniquesare needed to prevent these attacks from using the or even accessing theresources. Techniques should be generated that detect the packet before accessingresource and drop it or filter it according to need.
.This research proposal aims to prevent DDOS attacks in cloud computing by proposing techniques to detect DDOSattacks from spoofed IP addresses and DDOS attacks within the threshold level. Twotechniques i.e: Double TCP connection and packet sniffing, to detect spoofed IPaddresses will be used, and Wiresharkwill be used to achieve packet sniffing. And it will be examined later throughexperiments,that which technique works better in detecting DDOS attacks. AutoScaling will be used to detect attacks within threshold . Literature surveyDDOSattacks are increasing day by day, so many techniques have been developed.Secureoverlay services (SOS) architecture was proposed by5,this architecture has three parts: Secure overly tunneling, Routing viaconsistent hashing, Filtering.
Author says that (SOS) can reduces the attackprobability by using filtering for secure edge and randomness for front endIn6, author proposes correlation-baseddetection(RCD), which identify whether the requests are from legitimate usersor attackers. this scheme directs the requests from legitimate users to serverand requests from malicious users willbe dropped.ALPialgorithm is introduced in 7 ,this algorithms aims to improve the accuracyof detection and attack recognition. ALPi Algorithm uses extended concept ofpacket scoring to improve packet flow and functionality.Anotherscheme known as confidence-based filtering(CBF)8 was introduced.
It involvesgathering packets from legitimate users during non-attack periods to extractfeatures. During attacks, CBF uses packet scoring calculation to decide whichpacket should be dropped.In9,a lightweight approach for detecting flood attacks was proposed. In thisapproach SNMP-MIB protocol was used and instead of raw data, statistical datawas used and attack classification was done by SVM classifier.
Cloudtrace back(CBT)10approach was generated to identify the attackers’ source. This scheme alsoproposed Cloud Protector(CP) to detect attacks, by using a classifier named as,back-propagation.Anew framework proposed in 11efficiently detect the defected packets. It uses perimeter-based approach toprevents DDOS attacks at router end. Anew technique for mitigation of EDOS attacks is proposed in12.The scheme includes three components: packet filtering, proof of work, edgefiltering. In this scheme crypto puzzle is solved by users to access the cloudservices.
The shortcomings are puzzle accumulation attacks.AnotherEDOS mitigation technique was developed in13,named as cloud scrubber, user legitimacy is checked by crypto puzzles to accessserver services. The techniques contains two modes. Normal and Suspected. Andthe technique is enabled when cloud service is on suspected mode.
During normalmode, incoming packets are directed to cloud service but during suspected modethe packets are directed to cloud scrubber which further verifies the packet.Here, the problem arises when large number of attackers access client puzzlesto utilize bandwidth of the server so that legitimate user cannot access theserver. EDOS-Sheild14architecture was developed to differentiate between malicious and legitimateusers. It involves two things: Virtual firewall, for filtering incoming requestand to generate black list and white list depending on legitimate and malicioususers. Verifier node, for verifying incoming request through turing test. Asthe user passes the turing test, its ip address will be added to the whitelist and request from that user will be sentto server. If user fails to pass turingtest. Its request will be added in blacklist.
And request from that client willbe dropped by firewall. The technique has two shortcomings. First, spoofed ipaddress detection mechanism is not considered and second, the white list andblacklist updation is not defined. If any user in whitelist attacks, thenproblem of false positives will arrive.
EnhancedEDOS-Sheild15was proposed as extended version of EDOS-Sheild14.Here Time-To-Live (TTL) field isappended on both sides of IP address of user, to detect spoofed IP addresses ofusers requesting for services on cloud. This methods fails if standard valuesare not used by attacker for initial TTL packets .
Aclassifier system named as CS_DDOS1was developed for securing records in eHealth systems. It consists of two subsystems, detection and prevention. Initially the packet enters in detection subsystem, where it checked that whether the source of this packet was previouslysubjected in blacklist. If YES, then packet will be sent directly to preventionsubsystem. If packet source is not found in blacklist, incoming packet will besent to classifier for further verification. A packet source is considered to be malicious, if its requestsare more frequent than threshold level.
Threshold will be assumed by cloudprovider. Depending on classification results, packet will be sent toprevention subsystem(in case of malicious user) or cloud serve(in case oflegitimate user). On the other hand, an alert message by prevention subsystemis sent to administrator about this malicious request and IP address of sourceis added to blacklist(if not added previously), this blacklist will be used bydetection system each time when a new request arrives. The shortcomings of thissystem are: it is assumed that spoofed IP address will not be used by attackerand if attack arrives within a threshold, then there is no way to detect ormitigate attack. Some DDOS prevention techniques have been surveyed. The Table1 shows the Strength, Challenges, Limitations and Contributions of thesetechniques. Techniques Strength Challenges Limitations Contribution Challenge response protocol Puzzles are used to distinguish legitimate user and attackers. Graph generation and Storage overhead.
If user is not solving first puzzle properly, he will be assigned another one, until the threshold is reached. Puzzle accumulation attacks, parsing and dictionary attacks, image segmentation. 13, 15, 16 Hidden servers/ ports Direct connection between server and client is not established in the first instance and services are offered to legitimate users. Load balancing among servers and additional server ports are needed. Redirections and additional security layers can cause overhead.
17, 18 Restrictive access Admission control mechanism provides access only to users whose past reputation is good and can solve the crypto-puzzle correctly and prioritization is used instead of droping packets. The users with good reputation or past behavior are allowed to access resources first. In this way the user with bad reputation will be delayed every time. Maintaining number of connections for long period is challenging Not scalable when large number of sources with spoofed IP address causing DDOS attack. 17, 19 Resource Limits Put limitation on number of resources a client can use.
In this way economic losses can be reduced Determination of resource limits and planning the capacity of server This technique does not prevent or detect attacks but it only reduces economic losses. 19 Table: 1, Description of Techniques used toprevent DDOS attacks. MethodologyFirst methodology that will be used forspoofed IP address detection is “packet sniffing”20.
Packet sniffer or analyzer can be viewed as a software or computer hardwarethat looks at the traffic passing over a network. in other terms it capturesthe data that passes through a network analyze it and convert it in humanreadable form. Usually computer looks at the packet addressed to it and ignoresrest of traffic on the networks but packet sniffer looks at each of the packeton network. fig1 shows the packet sniffing process, where a network analyzer,analyzes all the packets over a network. It helps in identifying packets frommalicious users and legitimate users.
Thetool that will be used for packet sniffing is “WireShark”. Secondtechnique to detect spoofed IP address is Double-TCP mechanism21.Some DDOS attackers send large number of connection requests and never completethem.
These are called Half open connections. Fig 1 shows the half open connectionwhere the attackers consume the bandwidth and makes the server busy by sendinghalf open connections. DoubleTCP connection not only solves the problem of Half open connection but also spoofed IP address detection. Double TCPconnection not only solves the problem of Half open connection but also spoofed IP address detection. Whilespoofing IP address the attacker duplicates the IP address of legitimate userand sends request through that. This method helps in identifying that also.
Fig2 shows the Double TCP connection process. · Client initiates connection process bysending SYN request to server. · Server receives the request from client andsends the ACK message to IP address of packet source along with 16 bit identityfiled.· If IP address is not spoofed, client willreceive the message from server and may or may not send final ACK message.Final ACK is ignored by server. In case of spoof IP address, client will notreceive the message.· Now, Client again establishes theconnection with server by sending SYN message with 16 bit identity fieldpreviously received from server to.· Server then checks the IP address andidentity field value, if value is correct then server sends ACK message toclient otherwise the it will drop the request.
· After receiving ACK message from server,client then sends the final ACK message and the connection will be successfullyestablished.Withhis techniques, the problem of half open connection can be avoided and spoofedIP address can be detected as well.Anotherproblem to be solved is detection of DDOS attacks that are within the thresholdlevel. For example if a source is sending 60 requests in a minute and thresholdis set to 40 request per minute then the system will drop these request andwill block the source.
Now if requests from attackers are within the thresholdlevel, it will try to keep the server busy so that it cannot serve legitimateusers. Oneof the technique is Auto Scaling21.In terms of cloud computing, Auto Scaling is scaling up the resources accordingto need. If attackers are using the resources they will try to keep theresource busy so that legitimate users can not use that resource. By scaling upresources to a certain limit, allow legitimate users to use the resource and ifany user is using resources more than a selected time limit and resource limit,connection should be dropped or blocked.
Auto scaling involves limitations onscaling up of resources and on duration. For example if scaling limit21is set to 80% of CPU utilization then if utilization increases from 80% for theduration of one minute, additional CPUs will be allocated. And similarly if CPUutilization is less than 80% for duration of one minute, additional CPUs willbe scaled down.
ContributionWewill propose techniques to detect spoofed IP address and technique to detectthe DDOS attack within threshold because in most of the literature only attackswithin threshold are detected. For IP address detection, two techniques will beproposed and will be tested on Wireshark. The report on comparison results willbe generated.Aims and Objectives To Prevent DDOS attacks in cloudcomputing by proposing techniques for:· Detection of packets from spoofed IP addresses · Detecion of DDOS attacks within thethreshold level. Reporttime and Deliverables S.
no Time duration Deliverables 1. 1st JAN – 5th AUG Framework for preventing DDOS attacks 2. 6th AUG -10th OCT Masters thesis 3. 11th OCT – 10th NOV Research paper on preventing DDOS attacks by detecting spoofed IP addresses.
.Re
