A Review on DDoS and its Detection and
Defence Methods
Shika (M.Tech Student, COE Landran), Mandeep Kaur (Astt. Prof., COE Landran), Rohini Sharma (Astt. Prof., COE Landran). Contact: 9814896827, 9530763945
Abstract
Cloud computing has great potential to improve productivity and reduce costs, but at the same time it introduces new security risks such as DDoS. Distributed Denial-of-Service (DDoS) attacks are a serious and unacceptable problem because they are very hard to detect, there is no complete solution to them, and as a result they can take any organization off the Internet. The primary goal of an attacker is to deny the victim access to a particular resource. In this paper we review the current DoS and DDoS detection and defence mechanisms, identify DDoS attacks on cloud data, identify the root causes of these attacks and propose specific solutions.
1. Introduction
Cloud computing is currently one of the most attractive and widely used fields of information technology and has become one of the fastest growing segments of IT. It allows servers to be scaled in capacity and availability in order to provide services to a larger number of end users, and it offers lower cost and increased availability and accessibility. It also benefits small and medium-sized businesses by letting them outsource their data centre. Cloud computing is a model of information processing, storage and delivery in which physical resources are provided on the client's demand. Instead of purchasing physical servers, storage or networking equipment, clients lease these resources from a cloud provider as an outsourced service. Cloud computing is a model for providing convenient, on-demand network access to a shared pool of computing resources that can be rapidly released with minimal management effort or service provider interaction. It provides different layers of computing utilities, from storage and networking to tools and applications, through three main service models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) [1][2]. Cloud computing relies on sharing resources to achieve coherence and economies of scale, similar to a utility (such as the electricity grid) delivered over a network. Cloud resources are usually not only shared by multiple users but also dynamically reallocated on demand. For example, a cloud facility that serves European users during European business hours with one application (e.g., email) may reallocate the same resources to serve North American users during North American business hours with a different application (e.g., a web server); likewise, using virtual machines (VMs), many virtual servers with different operating systems can run on the same hardware. This approach should maximize the use of computing power and thereby reduce environmental damage, since less power, air conditioning, rack space, etc. are required for a variety of functions. With cloud computing, multiple users can access a single server to retrieve and update their data without purchasing licenses for different applications [13].
Cloud services can be viewed from two perspectives: that of the Cloud Service Provider and that of the Cloud Service Consumer. Security assurance in the cloud service is a major challenge for providers, as it is the biggest concern for consumers deciding whether to opt for the service. Security can be administered in the cloud at various levels and against several types of attacks. The threats and attacks on a cloud service may be common attacks prevailing on the Internet or may be cloud specific. Recently, Distributed Denial of Service attacks on the cloud have become one of the most perilous threats to the technology [7]. This paper deals with DDoS attacks and the countermeasures against the prevailing DDoS attacks on the cloud environment, as well as the cloud-specific vulnerabilities to these attacks.
2. DDoS and EDoS
DDoS
A denial-of-service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to its users, usually by temporarily interrupting or suspending the services of a host connected to the Internet; the resources targeted may include network bandwidth, CPU time, etc. A DDoS attack simply floods a network so as to deny service to authentic users. To overload network and CPU resources, attackers tend to use a large number of machines to launch Distributed DoS (DDoS) attacks. A DDoS attack on a network does not necessarily disrupt the services, but it may cause economic loss to the user as well as to the provider. As the cloud environment is highly scalable, the service consumes more resources during an attack in order to maintain the SLA (service level agreement), which in turn contributes to revenue loss. Thus a DDoS attack can be converted into an Economic Denial of Sustainability (EDoS) attack in the cloud environment [7].
DDoS attacks do not intend to modify data or gain illegal access; instead they aim to crash servers and whole networks, disrupting the communication of legitimate users. DoS attacks can be launched from either a single source or multiple sources. Distributed denial-of-service (DDoS) attacks commonly bury their victims under a vast number of legitimate-looking packets sent from multiple attack sites or infected machines. First, whenever an attacker wants to attack a particular site, it infects servers or machines (for example with malware such as a Trojan horse) and brings them under its control without the knowledge of their owners. The infected systems form a botnet (a collection of zombie systems); the attacker then launches the DDoS attack on the victim through the zombies or botnet while itself remaining hidden. As a consequence the victim spends its key resources processing the attack packets and cannot attend to its legitimate clients. During very large attacks, DDoS traffic also creates heavy congestion in the Internet, which disrupts communication for all Internet users whose packets pass through the congested routers [3][6].
EDoS Attack
Many organizations move their business into the cloud for the same reasons: they do not need to buy the entire infrastructure and there is no maintenance cost, so the organization can easily reduce its purchasing and operational costs. They pay only for the resources they want to use or have used. Cloud services are provided under service level agreements (SLAs). The SLA defines the level of service required by the user; some SLAs restrict the cloud resources available to the customer and some SLAs provide an unlimited amount of resources. Cloud services are provided on a pay-per-use basis (payment according to the resources used), so resource utilization and processing power are charged to the customer by the service provider. A DDoS attack aims to consume the cloud resources, thereby denying service to authorised users. In the absence of proper mechanisms to counter a DDoS attack, resources can be allocated to the DDoS requests generated by the attacker [14].
Identifying a DDoS attack is difficult, and no single technique will completely eliminate DDoS attacks. Therefore a DDoS attack may deplete the cloud resources rapidly. To provide maximum availability, the provider may allocate more and more resources to the attack itself, and more instances of the service may be launched according to the customer's SLA. Finally, the resource utilization and processing power are charged to the customer. Thus a traditional DDoS attack can be transformed into an Economic Denial of Sustainability (EDoS) attack in the cloud environment. If a vulnerability is prevalent in the state-of-the-art cloud offerings, it must be regarded as cloud-specific. Thus the cloud is vulnerable to the EDoS attack, and the EDoS attack can be considered cloud specific.
Fig1. DoS attack[11]
3. Manifestations of DDoS attack [9]
The United States Computer Emergency Readiness Team (US-CERT) defines the traits of denial-of-service attacks to include:
Unusually slow network performance (opening files or accessing web sites is unexpectedly slow, or there is almost no access at all)
Inaccessibility of a particular web site
A dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb) [5]
Disconnection or intermittent loss of a wireless or wired Internet connection
Long-term denial of access to the web
Denial-of-service attacks can also cause problems in the network 'branches' (since the network is interconnected) around the computer actually being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, compromising not only the intended computer but also the entire network or other computers on the LAN [8].
If the attack is conducted on a large scale, entire geographical regions of Internet connectivity can be affected, without the attacker's knowledge or intent, through incorrectly configured or fragile network infrastructure equipment.
Methods of attack
A denial-of-service attack is an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attack: the first crashes the service (making it unavailable) and the second floods the service. A DoS attack can be perpetrated in a number of ways. Attacks can fundamentally be classified into five families:
Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.
Disordering of configuration information, such as routing information, routing tables.
Disruption of state information, such as unsolicited resetting of TCP sessions.
Disruption of physical network components.
Obstruction of the communication media between the intended users and the victim so that they can no longer communicate adequately.
In most cases DoS attacks involve forging the IP sender address (IP address spoofing), so that the location of the attacking systems cannot easily be identified and so that filtering of packets based on the source address is prevented. The primary goal of an attacker is to deny the victim access to a particular resource. It is very hard to detect a DDoS attack when it is carried out using IP spoofing. IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks in two ways:
1) To conceal the flooding sources and dilute the localities in the flooding traffic.
2) To tempt legitimate hosts into becoming reflectors, redirecting and amplifying the flooding traffic.
Thus filtering spoofed IP packets near the victim servers is essential both for their own protection and to prevent them from becoming involuntary DDoS reflectors. A DDoS attack using IP spoofing is shown in Fig. 1. Smurf (the use of forged ICMP echo request packets directed to IP broadcast addresses), the TCP SYN attack and the UDP flood attack are various DDoS attacks that are implemented using IP spoofing [2].
4. DETECTION AND DEFENSE MECHANISM
1. Ingress/Egress Filtering [15][2]
Here the network administrator analyzes the attack logs and then creates rules on the routers and firewalls for incoming and outgoing traffic, with policies based on source and destination IP address; the policy can also block or permit traffic with specific source and destination ports (application-layer protocol ports, TCP ports, UDP ports). But, as we know, attackers can change IP addresses and source and destination ports, so this is not a complete solution. The BCP 38 and BCP 84 techniques can also be used.
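As an added illustration of what ingress/egress filtering enforces (this code is not from the paper or from the works it cites; the interface names, prefixes and packet records are constructed), the following Python script implements BCP 38-style source-address validation: packets leaving a customer interface must carry a source inside that interface's assigned prefix, and packets arriving from the uplink must not claim an internal source. It does not remove the caveat above: it only stops spoofing of addresses outside the attached prefix, not attacks that use the attacker's own valid address or change ports.

```python
"""Ingress/egress source-address validation in the spirit of BCP 38.

Added example, not code from the paper or from any of its cited works.
The prefixes, interface names and packet records below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology: the edge router knows which prefixes live behind
# each customer-facing interface. Everything else is "outside".
INTERNAL_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "eth1": [ipaddress.ip_network("198.51.100.0/24")],
    "eth2": [ipaddress.ip_network("203.0.113.0/25")],
}
UPLINK = "eth0"  # interface towards the Internet


def _is_internal(src) -> bool:
    """True if src belongs to any prefix assigned to a customer interface."""
    return any(src in net for nets in INTERNAL_PREFIXES.values() for net in nets)


def filter_packet(iface_in: str, src_ip: str) -> Tuple[str, str]:
    """Return ("permit" | "drop", reason) for a packet arriving on iface_in.

    Egress rule (BCP 38): a packet from a customer interface must carry a
    source address that belongs to that interface's assigned prefixes.
    Ingress rule: a packet from the uplink must not claim an internal source.
    """
    src = ipaddress.ip_address(src_ip)
    if iface_in == UPLINK:
        if _is_internal(src):
            return "drop", "ingress: external packet spoofs internal source"
        return "permit", "ingress: external source"
    nets = INTERNAL_PREFIXES.get(iface_in)
    if nets is None:
        return "drop", "unknown interface"
    if any(src in net for net in nets):
        return "permit", "egress: source matches assigned prefix"
    return "drop", f"egress: source {src} not assigned to {iface_in}"


def apply_policy(packets):
    """Run the filter over (iface, src) records; return counts and verdicts."""
    counts = {"permit": 0, "drop": 0}
    verdicts = []
    for iface, src in packets:
        verdict, reason = filter_packet(iface, src)
        counts[verdict] += 1
        verdicts.append((iface, src, verdict, reason))
    return counts, verdicts


# Constructed sample traffic (addresses from documentation ranges)
SAMPLE_PACKETS = [
    ("eth1", "198.51.100.7"),   # legitimate customer host
    ("eth1", "192.0.2.9"),      # spoofed: not in eth1's prefix
    ("eth2", "203.0.113.200"),  # spoofed: outside the /25
    ("eth0", "192.0.2.1"),      # normal inbound traffic
    ("eth0", "198.51.100.7"),   # inbound packet claiming an internal source
]

if __name__ == "__main__":
    counts, verdicts = apply_policy(SAMPLE_PACKETS)
    for v in verdicts:
        print(*v)
    print(counts)
```

Running the script on the constructed packets permits the two genuine flows and drops the three spoofed ones; on a real router the same logic is expressed as unicast RPF or an access list per interface.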
2. Defend Against Denial of Service Attack with VMM
VMM is a virtual machine monitoring mechanism proposed to protect the cloud from DoS attacks. The VMM works in an isolated environment (one that allows a single computer to support multiple, identical execution environments) and detects the attack whenever it occurs. Each system acts as a self-contained computer isolated from other users, even though every user is served by the same machine. If the available resources fall below a threshold, the VMM immediately suspects the existence of a DoS attack in the network. The guest OS and the application are then duplicated in the isolated environment [7].
3. EDoS-Shield [10][7]
EDoS-Shield is a two-step mitigation technique against EDoS attacks in the cloud. The mechanism is based on two components: 1. a virtual firewall and 2. a cloud verifier node.
The virtual firewall acts as a filter and distinguishes the intended (legitimate) requests from malicious ones. The VF (Virtual Firewall) uses a whitelist and a blacklist to make its decision. The VN (Verifier Node) uses graphic Turing tests such as CAPTCHA or puzzle solving to verify legitimate requests at the application layer.
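To make the two-component flow concrete, here is an added Python simulation (not the EDoS-Shield authors' code, and not code from this review) of a virtual firewall consulting a whitelist and blacklist and a verifier node issuing a challenge. The challenge is a constructed stand-in for a CAPTCHA: a random token the client must echo back, which a scripted bot in the simulation cannot do. The list contents, the failure limit before blacklisting and the request stream are assumptions.

```python
"""Simulation of the EDoS-Shield flow: virtual firewall + verifier node.

Added example, not code from the EDoS-Shield paper [10] or from this
review. The puzzle, the lists and the request stream are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class VerifierNode:
    """Issues one challenge per source and checks the returned answer."""
    pending: Dict[str, str] = field(default_factory=dict)

    def challenge(self, src: str) -> str:
        # A real deployment serves a CAPTCHA; here the "puzzle" is an
        # unguessable token the client must echo back (constructed stand-in).
        token = secrets.token_hex(4)
        self.pending[src] = token
        return token

    def verify(self, src: str, answer: Optional[str]) -> bool:
        expected = self.pending.pop(src, None)
        return expected is not None and answer == expected


@dataclass
class VirtualFirewall:
    """Filters by whitelist/blacklist, deferring unknown sources to the VN."""
    verifier: VerifierNode
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    max_failures: int = 3  # assumed limit before a source is blacklisted
    failures: Dict[str, int] = field(default_factory=dict)

    def handle(self, src: str, solve: Callable[[str], Optional[str]]) -> str:
        """Return 'forwarded', 'dropped' or 'challenged' for one request.

        solve(token) models the client's attempt at the puzzle; a bot that
        cannot see the image returns None.
        """
        if src in self.blacklist:
            return "dropped"        # consumes no billable cloud compute
        if src in self.whitelist:
            return "forwarded"      # reaches the paid-for service
        token = self.verifier.challenge(src)
        if self.verifier.verify(src, solve(token)):
            self.whitelist.add(src)
            return "forwarded"
        n = self.failures.get(src, 0) + 1
        self.failures[src] = n
        if n >= self.max_failures:
            self.blacklist.add(src)
        return "challenged"


def run_simulation() -> Dict[str, int]:
    """Replay a constructed stream: one human client and one bot source."""
    vf = VirtualFirewall(VerifierNode())
    human = lambda token: token   # solves the puzzle
    bot = lambda token: None      # cannot solve it
    stream = ([("10.0.0.5", human)] * 3
              + [("10.0.0.99", bot)] * 5
              + [("10.0.0.5", human)])
    outcome = {"forwarded": 0, "dropped": 0, "challenged": 0}
    for src, solver in stream:
        outcome[vf.handle(src, solver)] += 1
    return outcome


if __name__ == "__main__":
    print(run_simulation())
```

In the replay the human source is challenged once, then whitelisted and forwarded on every later request; the bot is challenged three times, lands on the blacklist and its remaining requests are dropped before they can consume the resources that an EDoS attack bills to the customer.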
4. IPS Based Prevention [11]
Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among attacks is to carry legitimate content but with bad intent. Intrusion-prevention systems that work on content recognition cannot block behaviour-based DoS attacks. An ASIC-based IPS may detect and block denial-of-service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.
A rate-based IPS (RBIPS) must analyze traffic granularly, continuously monitor the traffic pattern and determine whether there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
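The following Python code is an added example (not from the paper or from the Cisco guide [11]) of the core of a rate-based IPS: a per-source sliding-window counter compared against a fixed threshold, run over constructed flow records in which one client sends about two requests per second and another bursts fifty per second. The window size, threshold and addresses are assumptions; a real RBIPS would derive the threshold from a learned baseline rather than a constant.

```python
"""Rate-based traffic anomaly detection over constructed flow records.

Added example, not code from the paper or from Cisco's guide [11]. It
shows the core of a rate-based IPS: the per-source request rate measured
in a sliding window and compared against a threshold, so the flooding
source is blocked while other traffic keeps flowing.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class RateMonitor:
    """Sliding-window per-source rate limiter acting as a circuit breaker."""

    def __init__(self, window_s: float, max_per_window: int) -> None:
        self.window_s = window_s              # assumed window length
        self.max_per_window = max_per_window  # assumed threshold
        self._events: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Dict[str, float] = {}   # src -> time it was blocked

    def observe(self, ts: float, src: str) -> str:
        """Record one packet/request at time ts; return 'allow' or 'block'."""
        if src in self.blocked:
            return "block"
        q = self._events[src]
        q.append(ts)
        # Evict events older than the window (ts is assumed non-decreasing).
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_per_window:
            self.blocked[src] = ts
            return "block"
        return "allow"


def constructed_log() -> List[Tuple[float, str]]:
    """Constructed records: ~2 req/s from one client, 50 req/s from another."""
    events = []
    for i in range(20):
        events.append((i * 0.5, "192.0.2.10"))          # legitimate client
    for i in range(500):
        events.append((3.0 + i * 0.02, "198.51.100.66"))  # flooding source
    events.sort()
    return events


def run(log, window_s: float = 1.0, max_per_window: int = 20):
    """Feed the log through the monitor; return per-source verdict counts."""
    mon = RateMonitor(window_s, max_per_window)
    verdicts = defaultdict(lambda: {"allow": 0, "block": 0})
    for ts, src in log:
        verdicts[src][mon.observe(ts, src)] += 1
    return {src: dict(v) for src, v in verdicts.items()}, mon.blocked


if __name__ == "__main__":
    counts, blocked = run(constructed_log())
    print(counts)
    print("blocked:", blocked)
```

With a one-second window and a threshold of 20, every request from the slow client is allowed, while the flooding source is cut off on its 21st request inside the window and all its later traffic is dropped. Choosing the threshold is the hard part in practice: too low and legitimate bursts trip the breaker, too high and a low-rate flood from many sources passes.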
5. DDS Based Defense
These are hardware appliances that are more focused on the problem than an IPS. A DoS Defense System (DDS) can block connection-based DoS attacks as well as those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of Death) and rate-based attacks (such as ICMP floods and SYN floods).
5. CONCLUSION
Cloud computing provides a wide range of services. Existing security mechanisms are not up to the mark, and new approaches are needed that are distributed and scalable. New forms of attack are possible in the cloud. One such attack is the EDoS attack, which is a new breed of DDoS attack. The EDoS attack exists only in the cloud, so it can be termed a cloud-specific attack. A new EDoS security protection framework is proposed. Also, an experiment is conducted to demonstrate the EDoS attack. The existing approaches are not capable of completely eliminating the EDoS attack. Research is still needed to provide a better mechanism to protect the cloud from EDoS attacks.
References
[1] Ayesha Malik, Muhammad Mohsin Nazir, "Security Framework for Cloud Computing Environment: A Review," Journal of Emerging Trends in Computing and Information Sciences, Vol. 3, No. 3, March 2012.
[2] Bhandari H. Nisha, "Survey on DDoS Attack and its Detection & Defence Approaches," International Journal of Science and Modern Engineering (IJISME), ISSN: 2319-6386, Volume-1, Issue-3, February 2013.
[3] Booth Gehana, Sokanacki Andrew, and Somayaji Anil, "Cloud Security: Attack and Current Defenses," Eighth Symposium on Information Assurance, June 4-5, 2013, Albany, New York.
[4] Madarapu Naresh Kumar, P. Suthaja, Vamshi Kalva, "Mitigation Economic Denial of Sustainability (EDoS) in Cloud Computing using In-Cloud Scrubber Service," Fourth IEEE International Conference on Computational Intelligence and Communication Networks, 2012.
[5] McDowell, Mindi, "Cyber Security Tip ST04-015 - Understanding Denial-of-Service Attacks," United States Computer Emergency Readiness Team, November 4, 2009.
[6] P.A.R. Kumar and S. Selvakumar, "Distributed Denial of Service (DDoS) Threat in Collaborative Environment - A Survey on DDoS Attack and Traceback Mechanisms," in Advance Computing Conference, 2009. IACC 2009. IEEE International, 2009.
[7] Sandar S. Vivin, Shenai Sudhir, "Economic Denial of Sustainability (EDoS) in Cloud Services using HTTP and XML based DDoS Attacks," International Journal of Computer Applications (0975-8887), Volume 41, No. 20, March 2012.
[8] S. Kumar, "Denial of Service Due to Direct and Indirect ARP Storm Attacks in LAN Environment," Journal of Information Security 01 (2): 88-80, International Journal of Science and Modern Engineering (IJISME), ISSN: 2319-6386, Volume-1, Issue-3, February 2013.
[9] Source: http://www.slideshare.net/akmalh8/ip-spoofing-34258568
[10] Sqalli H. Mohammed, Al-Haidari Fahad, Khaled Salah, "EDoS-Shield - A Two Steps Mitigation Technique against EDoS Attack in Cloud Computing," Fourth IEEE International Conference on Utility and Cloud Computing.
[11] Source: http://www.cisco.com/web/about/security/intelligence/guide_ddos_defense.html
[12] Siqin Zhao, Kang Chen, Weimin Zheng, "Defend Against Denial of Service Attack with VMM," Eighth International Conference on Grid and Cooperative Computing.
[13] "The NIST Definition of Cloud Computing," National Institute of Standards and Technology, retrieved 24 July 2011.
[14] Xue Jing, Jens Nimis, Zhang Jian-jun, "A Brief Survey on the Security Model of Cloud Computing," Ninth International Symposium on Distributed Computing and Applications to Business, Engineering and Science, 2010.
[15] Xin Liu, "Mitigating Denial-of-Service Flooding Attacks with Source Authentication," International Journal of Science and Modern Engineering (IJISME), ISSN: 2319-6386, Volume-1, Issue-3, February 2013.