A Survey on Mitigation Techniques against DDoS Attacks on Cloud Computing Architecture
Ahmed Bakr1, A. A. Abd El-Aziz2, and Hesham A. Hefny3
1 Dept. of Information Systems and Technology, Faculty of Graduate Studies for Statistical Research, Cairo University, Egypt.
2 Dept. of Information Systems, College of Computer and Information Sciences, Jouf University, Saudi Arabia.
2 Dept. of Information Systems and Technology, Faculty of Graduate Studies for Statistical Research, Cairo University, Egypt.
3 Vice-Dean, Faculty of Graduate Studies for Statistical Research, Cairo University, Egypt.
Abstract
Service availability is one of the most important aspects of cloud environments. The threat that Distributed Denial of Service (DDoS) attacks pose to availability plays an important role when designing the security architecture. A successful DDoS attack might result in service degradation or complete outage. The methods and techniques used against DDoS attacks in a cloud environment are sometimes different from those used within traditional networks, and at other times they are the same. In this paper, we investigate the challenges and mitigation techniques against DDoS attacks in the cloud and compare them in the cloud environment. This survey will support future research and development work as well as raise awareness about the presented approaches.
Keywords: DDoS, Cloud computing, IDS, EDoS.
1. Introduction
The CIA triad, which stands for Confidentiality, Integrity and Availability, represents the basis for information security and risk management. DDoS attacks target the availability part of the CIA, although they could affect integrity and confidentiality if accompanied by other types of attacks. Availability is not a true or false state; it spans a range. An attack can make the service partially available, decrease its performance, or cause a complete outage of the attacked service. Therefore, a successful DDoS attack doesn’t necessarily mean the resource will be completely unavailable; it can just slow the performance of the target systems under attack. DDoS attacks, or the weapon of mass destruction as they are called, are considered one of the most dangerous attacks that can affect a business environment. An attack could come from a single source or device, which is called a Denial of Service (DoS) attack, or from multiple sources, which is then called a DDoS attack. DoS attacks are not so popular today due to the increased computing power of systems; however, DDoS attacks have gained a lot of attention over the past few years. As an example, 50% of the businesses surveyed in report [27] experienced some level of disruption due to a DDoS attack. Cloud computing offers a low-cost approach to handle computing workloads. It has five essential characteristics, and one of the important characteristics of the cloud is elasticity. Elasticity, like any other cloud computing capability, can be seen both as a blessing and as a source of security risk. Elasticity enables cloud-based services to be scaled vertically and horizontally. However, if the load increases as a result of attacks, the attacker’s goal may not be to disrupt the services but to inflate the consumer’s bill amount. This has been called fraudulent resource consumption (FRC) or economic losses-based DDoS attacks (EDoS) [39] [20]. HTTP flooding DDoS attacks against a corporation’s cloud resources, for example, can both degrade server performance and result in extra cost. There is another risk businesses might face in addition to the previously mentioned increased cost and service disruption: DDoS attacks can also be used as a way of generating false positives to cover the use of sophisticated malware to steal sensitive company information [27]. In order to launch a DDoS attack, access to many compromised systems running malicious programs called bots is required; a device running a bot is called a zombie, and a collection of devices running bots is called a botnet. This botnet is controlled through a botnet master or command and control server, as shown in Figure 1. Bots are often distributed through phishing emails and fake or pirated software.
Figure 1. DDoS Attack Using Botnet [36]
To address the risk of DDoS attacks, preventative, detective and recovery controls must be in place. As in medicine, it’s better to prevent a disease than to cure it. In the information security profession, it’s always better to prevent an attack than to detect it after it has already happened. A preventative control could be as simple as implementing a second-generation firewall or as complex as introducing fake systems using honeypots and padded cells. The problem with preventative controls is that the attacker performing a DDoS attack is targeting the exact service that is provided to our legitimate users. A detective control is the most widely implemented countermeasure when dealing with DDoS attacks. Attackers use botnets to launch DDoS attacks, which makes it difficult to prevent or even detect the attack. Detective controls, when backed up with recovery controls, can provide stability for the services in the cloud against DDoS attacks. The goal of this paper is to address the main approaches of DDoS attacks in cloud environments and the tools and methodologies that can be used to protect cloud infrastructure against them.
The paper is organized as follows: the next section contains the background study about DDoS attacks with the motivation and techniques behind them; then we move to DDoS mitigation techniques and address five different approaches to handle DDoS attacks; the last section contains the conclusion and future work.
2. Background
In this section, we investigate the previous work that has been done on this topic.
2.1. The Effects of DDoS attacks
DDoS attacks are getting stronger over time, last for longer periods and will continue to occur due to their effectiveness. The effects of a successful DDoS attack against a corporation’s web site or back-end resources will lead to a loss of millions of dollars in revenue and/or a negative impact on the corporation’s reputation, depending on its size. The impact might differ based on the attack method; it could be as simple as a service interruption or as massive as bringing the entire network down for an extended period.
Another way to impact cloud environments is by attacking the elasticity feature of the cloud, making even simple services consume a large amount of resources, which results in a very expensive service bill. This bill sometimes will exceed the benefits of using information technology in the first place. Our goal in this research is to address how we can prevent, detect and recover from DDoS attacks, by providing a discussion of the risk of DDoS attacks and how it could be mitigated.
2.2. Means, Motives, and Opportunities of DDoS Attack
The reasons for launching a DDoS attack could be one of the following:
Script kiddies: New, enthusiastic attackers who are trying some of the new tools on the Internet. They could use a bot master that manages a network of bots, or become part of a botnet that is involved in the attack.
Hacktivists: They are recruited over social media websites. They are fighting for a cause which gives them a sense of purpose.
Business issues: A competitor might play a dirty game. As Somani mentioned [38], DDoS attacks can be launched easily, to the degree of stopping the web services of competitors, by utilizing attack services from a botnet provider. The botnet provider has fields to fill in about the target, after which, with one click, thousands of nodes can start to flood the competitor’s servers.
Thrill attacks: The attacker does this just to feel a sense of pride about his accomplishment.
Extortion or ransom [3]: Criminals who are willing to do anything malicious in exchange for money.
Cyber conflict: These attackers might fall under a military or terrorist association of a country. They assault a wide range of security systems of the target country or organization [10].
Widely available DDoS attack tools can be utilized for the very purpose of launching a powerful attack without technical knowledge or awareness of its consequences [15].
2.3. Methods of Denial of Service Attacks
DDoS attacks are classified into two types, namely bandwidth depletion and resource depletion attacks [15]. Bandwidth depletion focuses on sending a large amount of traffic from a single powerful device or from distributed devices; the most common methods utilize the UDP protocol, since UDP replies are much larger than their requests. On the other hand, resource depletion utilizes a wide variety of methods: sometimes it relies on how the protocol is structured, as in TCP flood attacks, and other times it relies on how certain applications are written, as in buffer overflow attacks. In the past, Layer 4 was the main target for flooding connection resources. However, recently web applications and services have become the main target. The corresponding DDoS solutions sometimes cannot effectively respond to existing DDoS attacks, because application-level DDoS attacks can emulate the same characteristics as legitimate clients, which makes them much harder to detect and mitigate [13].
2.4. Taxonomy of DDoS Attack Tools
The taxonomy of DDoS tools is based on the following attributes (as shown in Figure 2):
Interface: graphical or GUI.
Attack rate dynamics: varied or fixed length packets.
The operating system: the platform the tools run on.
Attack model: two types, the agent-handler model which utilizes botnets, and the IRC-based model which uses public chat networks.
Protocol: depending on which layer (3/4/7) the attack targets.
DDoS category: which resource is being exhausted: the network, the system or both.
The target area: whether the concern is the link itself or the endpoint.
Figure 2. Taxonomy of DDoS Attack Tools [6]
2.5. Resources and Network Layer as Attack Target
In the area of cloud computing, we have different resources to protect, namely CPU, memory, disk space and bandwidth. These resources present another challenge if your protection plan is based on an approach of adding more resources. The most important resource in the area of cloud computing is CPU cycles [38]. On the other hand, DDoS attacks in the cloud target different layers, and they can be placed in two categories [17]:
Application layer DDoS attacks.
Network and transport layer DDoS attacks
Statistics [4] show that transport layer attacks were the main form of DDoS attack over 2017 and the first two quarters of 2018, as shown in Figure 3. Transport layer DDoS attacks mainly have four varieties: flooding attacks, protocol exploitation, reflection-based and amplification-based flooding attacks [17].
Figure 3. DDoS Attack Statistics
3. DDoS Mitigation Techniques
Over the past few years, new tools and techniques have been developed and enhanced to make them more efficient. This paper discusses some of these techniques, the challenges they address, and the issues related to the proposed techniques. This research divides the existing defense technologies into the following categories, as summarized in Table 1.
Table 1. Summary of Mitigation Techniques
Category | Technique | Reference
Preventative | MTD | [11], [25], [22], [26]
Preventative | CAPTCHA | [37], [8]
Preventative | EDoS-Shield Mitigation | [5], [40]
Preventative | Resource quota | [21], [2], [37]
Preventative | sPoW | [37]
Preventative | DNS based techniques | [30]
Detective | Bot cloud detection | [16]
Detective | Signature based detection | [23]
Detective | Anomaly based detection | [7], [9], [14], [12], [34], [31], [41]
Hybrid | FC and HR DDoS | [35]
Hybrid | Cloudflare | [1]
Traceback | IP traceback | [24]
Traceback | Packet marking and logging | [24]
Traceback | SOA based Traceback | [42], [32]
DDoS tolerance | Fault Tolerance | [29]
DDoS tolerance | Quality of service | [19]
4. DDoS Preventative Controls
Prevention techniques are proactive, unlike detection and recovery which are reactive.
Preventative controls should contain or eliminate the effects of a DDoS attack; some of the techniques used to achieve that are described below.
4.1. Moving Target Defense (MTD)
MTD is considered a new approach to protecting Information Technology assets; it is used to enhance all security areas and is considered one of the “game changing” themes in cybersecurity [11]. The idea is that rather than using layered defense by building static walls around your IT assets, it works on making the attack surface dynamic. For example, if an attacker discovers vulnerabilities within a system, by the time he or she tries to exploit the system, the target will no longer be at the previously discovered location, and the attacker might instead find a new system with a different attack surface. MTD increases the work factor for an attacker to exploit system vulnerabilities. The distance between the attacker and its victim is constantly increasing. Since the target is moving, the attacker becomes uncertain of the existing environment [25]. MTD implementations might also utilize proxies to accomplish that.
The authors of [22] provided another framework for MTD called moving target defense against DDoS attacks (MOTAG); the implementation of this framework utilizes dynamic, hidden proxies. When a DDoS attack is launched against MOTAG proxies, the traffic is split into trusted and untrusted parts; once the environment is under attack, alternative proxies are assigned to authenticated clients at runtime, which enables them to avoid the ongoing attack and retain access to the protected service.
Early Detection and Isolation Policy (EDIP) [26] is another MTD approach, which focuses on mitigating insider-assisted DDoS attacks. As a proactive preventative approach, DDoS attacks can be mitigated efficiently at the proxy level. This approach requires the implementation of two types of proxies. The first is the head proxy, which is assigned randomly to clients, and the second is an attack proxy, which is activated during attack time. When combined with load balancing techniques based on specific criteria, the attacker’s traffic can be routed to the attack proxy. The problem with this approach is how to detect the attacker’s traffic, and whether the attacker’s traffic can be identified early enough for the approach to be considered proactive rather than reactive.
Dynamically changing the port number used by the application is another approach; it can be utilized to prevent application layer based DDoS attacks. These port numbers are constantly changing and valid within time slots, i.e. in a given time slot a random port number is generated using a random number generator. These random port numbers are created using shared cryptographic keys. In this approach, the server starts by exchanging the cryptographic keys with its clients. These keys are then used for generating the random port numbers. Secondly, the clients utilize these keys to calculate the generated port numbers, and finally the connections are made to the service ports on the server, which constantly change depending on the agreed upon duration.
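The following is an added example, not code from the paper or from any cited work, of the time-slotted port hopping just described: the server and client derive the port for each slot from a shared key with HMAC-SHA256, and the server keeps the neighbouring slots’ ports open to tolerate small clock skew. The port range, slot length and service label are assumed configuration values.

```python
import hmac
import hashlib
import struct

# Assumed configuration (not taken from the paper): the range that service
# ports hop within and the slot length agreed between server and clients.
PORT_MIN = 10000
PORT_MAX = 60000
SLOT_SECONDS = 30


def slot_index(timestamp, slot_seconds=SLOT_SECONDS):
    """Number of the time slot that a Unix timestamp falls into."""
    return int(timestamp // slot_seconds)


def port_for_slot(shared_key, slot, service_id=b"web"):
    """Derive the service port for one slot from the shared key.

    HMAC-SHA256 acts as the keyed pseudo-random generator: holders of the key
    compute the same port, while without the key each slot's port looks like
    a uniformly random choice in [PORT_MIN, PORT_MAX]."""
    msg = service_id + b"|" + struct.pack(">Q", slot)
    digest = hmac.new(shared_key, msg, hashlib.sha256).digest()
    span = PORT_MAX - PORT_MIN + 1
    return PORT_MIN + int.from_bytes(digest[:8], "big") % span


def client_port(shared_key, now, service_id=b"web"):
    """Client side: the port to connect to at time `now`."""
    return port_for_slot(shared_key, slot_index(now), service_id)


def server_listen_ports(shared_key, now, service_id=b"web", skew_slots=1):
    """Server side: the set of ports to keep open at time `now`.

    The previous and next slots are included so that a client whose clock is
    slightly ahead of or behind the server's is still accepted."""
    current = slot_index(now)
    return {port_for_slot(shared_key, s, service_id)
            for s in range(current - skew_slots, current + skew_slots + 1)}


def server_accepts(shared_key, dst_port, now, service_id=b"web", skew_slots=1):
    """Whether a connection arriving on dst_port at time `now` hits a live port."""
    return dst_port in server_listen_ports(shared_key, now, service_id, skew_slots)


if __name__ == "__main__":
    key = b"example-shared-key"  # constructed demo key; real keys come from the exchange
    t0 = 1_700_000_010           # constructed timestamp on a slot boundary
    print("client connects to", client_port(key, t0))
    print("server listens on", sorted(server_listen_ports(key, t0)))
    print("accepted:", server_accepts(key, client_port(key, t0), t0))
```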
The authors of [33] mention that the movement can be achieved by changing the IP address, and by introducing honeypots and padded cells as an intrusion prevention method to understand the attackers’ patterns. Honeypots help in enhancing the knowledge of the methods attackers utilize for DDoS attacks.
4.2. Completely Automated Public Turing Test (CAPTCHA)
CAPTCHA is considered the most widely used preventative control in web applications. It is the shield that can be used to protect web applications from malicious programs like bots (short for robots). CAPTCHA uses an authentication process based on challenge-response. If the user can’t pass this test, then he/she is a machine or robot; if the user passes the test, then the traffic is marked as coming from an authentic user, a human being [37]. This technique is also commonly used to differentiate between DDoS attacks and flash-crowd events on websites like multimedia sites or search engines; however, some researchers found that it is considered annoying by legitimate users [8].
Usability has always been the main driver behind the security solution. Creating a CAPTCHA that a bot can never parse is doable; however, this CAPTCHA must also be readable by humans. In order to further increase the protection against DDoS attacks while using CAPTCHA, the test engine itself could be delegated or offloaded to a third party.
4.3. EDoS-Shield Mitigation
The EDoS-Shield mitigation technique is also considered a challenge-response preventative control. This approach relies on implementing a front-end virtual firewall that maintains a whitelist and a blacklist of IP addresses. If a request comes from an unknown IP address, it must first go through a graphical Turing test to confirm whether the sender is a human or a bot. If the correct response to the Turing test is received, then the request is highly likely to have been issued by a human user [5] [40]. The challenge here is related to the nature of DDoS attacks: most of the time they are based either on spoofing identities when utilizing reflective attacks, or on taking advantage of zombies, which are normal computer users who usually don’t know they are participating in the DDoS attack. The act of blacklisting a user might result in blocking traffic from a percentage of legitimate or future users, considering also the fact that some ISPs rely on dynamic IP address assignment or have their IP address ranges published. Using a quality of service (QoS) based approach might help in identifying regular users based on the history of header information and lowering the priority of identified suspicious traffic.
4.4. Using Resources Quota
Cloud computing uses a shared responsibility model when it comes to responding to attacks. However, one of its essential characteristics is rapid elasticity, where resources can expand as the load increases. Putting a quota or limit on resource utilization can stop an EDoS attack from achieving its objectives; however, it disables one of the advantages of cloud computing. Quotas in general should be handled carefully, as they might slow down the service or completely stop it from serving new requests, thereby achieving the DDoS attack’s objectives; they will still, however, provide protection against EDoS attacks.
Google Cloud Platform [21] suggests resource quotas as a best practice for DDoS mitigation, especially with unplanned or unexpected usage spikes. Amazon Web Services (AWS) [2] suggests hiding resources, or “resource obfuscation”, as a method to reduce the attack surface. Another method is to utilize CloudWatch to automatically respond to changes in your resources’ usage by defining an upper limit, but this again defeats one of the essential characteristics of cloud computing [37]. As a result, using MTD and QoS based approaches for preventing DDoS attacks will have a positive impact on the user experience compared to resource management.
4.5. sPoW (self-verifying Proof of Work)
This is an application layer mitigation technique. It works by filtering the incoming traffic before committing resources. By using this method, you can still keep the advantage of elasticity and gain additional protection against network-level EDoS attacks [37].
4.6. DNS based techniques
In [30], the author discusses the use of a DNS based mitigation technique. Command and control servers (“CnC”) are part of many DDoS attacks and are responsible for launching the zombies. The CnC is hosted on top of web servers and uses one directory at the root, which refers to the CnC server, while the rest of the website looks and feels legitimate. Blocking these malicious name spaces through the ISP or web filtering agents helps prevent bots from being launched to perform DDoS attacks.
5. DDoS Detective Controls
As mentioned earlier, it’s hard to prevent all DDoS attacks; however, it’s possible to detect and recover from them whenever preventative controls aren’t possible. Below we review some of these techniques.
5.1. Bot-Cloud Detection
The authors of [16] suggested that cloud infrastructure could be utilized for installing bots or creating botnets. These clouds are known as Bot-Clouds. Detecting whether any bots are running inside VMs within the cloud might require the support of the cloud service provider (CSP), according to the agreed upon responsibility model, and it will only be able to prevent the attack at its origin.
5.2. Signature Based Detection
Signature based techniques are also known as misuse detection. This method examines several exploit patterns or signatures of these exploits. If the check results in a similar pattern, then it is marked as an attack [23]. It is generally accepted by many researchers that misuse detection is not efficient against DDoS attacks [23].
5.3. Anomaly based detection
Anomalies are events that deviate from the normal expected behavior and are suspicious from a security standpoint. Anomalies fall into two basic categories: performance-related and security-related [7]. Anomalies caused by security-related reasons fall into one of the six categories in Table 2.
Table 2. Summary of Anomalies.
Anomaly | Explanation | Example
Infection | Distributing malicious code through the network | Worms and viruses
Explosion | Overflowing systems with bugs | Buffer overflow
Probe | Gathering information about targets | NMAP scan
Cheating | Identity impersonation | MAC spoofing
Traverse | Try every possible key | Brute force attacks
Concurrency | Multiple connections | DDoS attacks
DDoS attack detection focuses on concurrency and explosion. Anomaly detection is finding the patterns that don’t conform to expected behavior. The technique works as follows: first, monitor the normal traffic and create a baseline of what the stable environment looks like; then, any deviation from what’s considered normal is a potential threat. The challenges with this method are:
The number of false positive alerts due to flash-crowd event.
Low rate DDoS attacks could go undetected.
Authors in [9], defined network anomaly detection methods as the following:
Statistical (Entropy, Chi-Square and Kolmogorov-Smirnov).
Classification.
Clustering and outlier based.
Soft computing.
Knowledge based.
Combination Learners.
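The baseline-and-deviation procedure above, using the statistical (entropy) method from the list, as an added example that is not code from the paper or from [9]: the Shannon entropy of source and destination addresses is profiled over known-good traffic windows, and a window is flagged when a feature moves more than three standard deviations from the baseline. The flow records, address ranges, threshold and the minimum-sigma floor are all constructed assumptions; the example also shows the second challenge listed above, a low-rate attack that stays under the threshold.

```python
import math
from collections import Counter

# Constructed traffic windows (not real captures): each window is a list of
# (source_ip, destination_ip) flow records seen in one time slice.
NORMAL_DST = [f"10.0.0.{i}" for i in range(1, 6)]        # five internal services
INTERNAL_SRC = [f"192.168.1.{i}" for i in range(1, 21)]  # twenty regular clients


def normal_window(rotation):
    """Benign window: every client talks to one service, load spread evenly."""
    return [(src, NORMAL_DST[(i + rotation) % len(NORMAL_DST)])
            for i, src in enumerate(INTERNAL_SRC)]


def low_rate_window():
    """Benign traffic plus five extra flows to one service (a low-rate attack)."""
    return normal_window(0) + [(f"203.0.113.{i}", NORMAL_DST[0]) for i in range(1, 6)]


def flood_window():
    """Benign traffic plus 100 spoofed sources all hitting one service (many-to-one)."""
    return normal_window(0) + [(f"198.51.100.{i}", NORMAL_DST[0]) for i in range(1, 101)]


def shannon_entropy(counts):
    """Entropy in bits of the distribution described by a Counter."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_features(flows):
    """Entropy of the source and destination address distributions of a window.

    A flood from many spoofed sources to one target raises source entropy and
    collapses destination entropy, the many-to-one signature of a DDoS."""
    return {
        "src_entropy": shannon_entropy(Counter(s for s, _ in flows)),
        "dst_entropy": shannon_entropy(Counter(d for _, d in flows)),
    }


def build_baseline(normal_windows):
    """Mean and standard deviation of each feature over known-good windows."""
    feats = [window_features(w) for w in normal_windows]
    baseline = {}
    for name in feats[0]:
        vals = [f[name] for f in feats]
        mean = sum(vals) / len(vals)
        sd = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        baseline[name] = (mean, sd)
    return baseline


def is_anomalous(flows, baseline, z_threshold=3.0, min_sigma=0.25):
    """Flag a window whose feature deviates from the baseline by more than z sigma.

    min_sigma (bits) is an assumed floor on the standard deviation so that a
    flat baseline does not alert on every tiny fluctuation. Returns
    (flagged, feature_name, z_score)."""
    feats = window_features(flows)
    for name, (mean, sd) in baseline.items():
        z = abs(feats[name] - mean) / max(sd, min_sigma)
        if z > z_threshold:
            return True, name, round(z, 2)
    return False, None, 0.0


if __name__ == "__main__":
    base = build_baseline([normal_window(r) for r in range(5)])
    for label, w in [("normal", normal_window(3)),
                     ("low-rate", low_rate_window()),
                     ("flood", flood_window())]:
        print(label, is_anomalous(w, base))
```

The low-rate window shifts destination entropy by only about 0.1 bit and so passes as normal, which is exactly the false-negative case the text warns about.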
Classification methods include k-nearest neighbor, support vector machines, and decision trees. The authors of [14] used three techniques to detect two types of SYN flood attack, semantic and spoofed packets. The classification techniques were naïve Bayesian, decision trees and C4.5. The authors found C4.5 to be the most appropriate method; even though it blocks some legitimate traffic, it is more accurate in detecting DDoS attacks than the others. As mentioned in [12], C4.5 was also found to require less training time than the others.
The problem with this approach is that you need to train the intrusion detection system with new packets. The main issue with behavior analysis is that the attackers’ patterns are hard to predict. CLASSIE [34] is another classification technique that is utilized to detect some DDoS attacks like XML injection or XML payload overload. CLASSIE checks incoming packets and compares them against the rule set. It then drops the packets if they do not match the rule set. Another anomaly detection method is combination learners; the authors of [31] discussed an approach to detect HTTP flood attacks using server logs by analyzing browsing behavior.
DOW (Defense and Offense Wall) [41] is a model that uses a combination of detection and concurrency technologies to mitigate application layer DDoS. In order to detect and filter request flooding attacks, an anomaly detection method based on K-means clustering is utilized. DOW contains three phases. First, K-means clustering is used to learn the normal client behavior profiles from normal data. Second, a cluster distance-based method is utilized to detect anomalies. Finally, the filtering engine drops suspicious sessions based on the trust value of the session.
5.4. Anomaly Based IDS Challenges
All these engines could support detection methods; however, there is no clarity about which method is more accurate than the others. This is because most of the experimental research focuses on signature-based IDS like Snort. The topology of a DDoS attack is a many-to-one mapping: all the attack traffic is flooded to one destination (the target system). A collaborative IDS approach utilizes a collection of IDSs in the cloud that helps correlate events from different cloud service providers. This approach works by first integrating virtual machine introspection (VMI) with the IDS and then placing it on a separate VM. The IDSs should be configured in a way that is attack-resilient. The IDS helps in detecting whether any VM within the cloud environment runs a hidden process and participates as a bot in the DDoS attack [28]. The problem with this approach is that it focuses on attack sources rather than victim hosts.
The location of the IDS deployment is a major contributor to accurate detection of and response to attacks. For an IDS to monitor all traffic, it must be deployed at the front end where the network address translation (NAT) takes place. This architecture provides security only for the infrastructure layer [18]. The problem with this approach is that it is purely detection and has no recovery mechanism for what to do after the DDoS attack is detected. The issue of placing the IDS to perform stateful inspection before NAT could be solved by a Security Information and Event Management (SIEM) solution, which can correlate events and send alerts accordingly.
6. Using Hybrid Approaches
One of the proposed solutions [35] provides a framework that delivers three layers of controls. The first layer consists of a preventative control: a database of blacklisted IP addresses which is learned from the next two layers. The second layer is used for detecting the source of traffic, whether human or bot. The third layer consists of detective and recovery controls. This layer’s detection mechanism differentiates between a flash crowd (FC) event and high rate DDoS (HR-DDoS). Recovery is then based on the detection classification. For HR-DDoS, the sources are communicated to the first layer to start blocking the requests; if it’s a flash crowd, the maximum connection timeout duration and the maximum allowed requests per timeout are lowered. This approach includes scaling down only, with no scale-up consideration. One issue is that it might end up classifying a flash crowd as HR-DDoS; another is slow performance while a flash crowd is present.
Cloudflare [1] also provides a hybrid approach consisting of four stages (Detection, Response, Routing, Adaptation). In the detection phase, flash crowds are distinguished from DDoS traffic based on multiple factors, for example reputation and content access; then the malicious traffic is dropped in the response phase, which utilizes a web application firewall; the third phase is routing, where the remaining traffic is broken into chunks; and lastly the system adapts good practice based on the attack’s characteristics.
7. Traceback
Traceback methods are divided into two categories, preventive and reactive. A wide range of solutions have utilized these methods, but this issue is still open. Traceback techniques can help locate the original source of DDoS attacks, since DDoS attacks usually spoof their original source addresses (e.g. reflection attacks) [32].
7.1. IP Traceback
DDoS attacks normally utilize IP spoofing techniques, and the goal of IP traceback is to defend against that. This approach is classified into two methods, proactive and reactive [24].
The reactive approach is triggered while the attack is active and taking place. It segregates the environment into two zones: IDS-supported and non-IDS-supported. IDS-supported zones are further classified into network-based and host-based.
The proactive approach traces the information of the packets as they pass through the network. The victim then constructs the attack path based on this data and identifies the attacker.
7.2. Packet Marking and Logging
The traceback methods are sometimes backed up by packet marking. The main techniques are PPM and DPM [24].
Probabilistic packet marking (PPM) marks the packets while they cross the routers. It helps to discover the attackers even though they send spoofed marking information in order to misguide the target. The target then reconstructs the path the attack packets went through. This can be accomplished in two ways: node marking, which uses the router IP address, and edge marking, which uses the edges of paths. PPM requires a huge number of packets, which means a high computational load in order to reconstruct the attack graph, as well as storage space for a large number of marked packets; another drawback of this technique is that it also generates a large number of false positives and affects the network convergence rate.
Deterministic packet marking (DPM) marks every packet entering the router with a unique identifier. Any spoofed marks are overwritten with correct marks. It requires less overhead and computation than PPM. It also converges very quickly and has zero false positives. A downside of this approach is that some of the packets will not be overwritten by any router [8].
7.3. SOA-Based Traceback Approach (SBTA)
Service oriented architecture is a concept based on reusable programmable services.
SBTA is used to identify the true source of a packet in cloud computing. For flexibility and scalability, SBTA is placed on the virtual machine itself. Cloud traceback (CTB) aims to apply service-oriented architecture (SOA) to identifying the true source of traffic. CTB uses the DPM algorithm to mark fields of the IP packet. The marked packets are used to reconstruct and trace back the route [42]. In another approach [32], SBTA performs DDoS attack traceback by deploying the technique in front of the web server. It uses advanced packet marking based on Compressed Edge Fragment Sampling (CEFS) to reconstruct the path of the source packet. A big drawback of this technique is its reactive approach and its high rate of false negatives.
8. DDoS Tolerance
DDoS attacks are based on flooding the resources of the victim, and one of these resources is the actual system used for detection and/or prevention as well; this system needs to be more resilient in order to tolerate DDoS attacks. The researchers in [29] classify DDoS tolerance and mitigation techniques into two categories: fault tolerance and Quality of Service (QoS).
Fault tolerance has three essential levels: hardware, software and system. At the hardware level, it can be maximized by adding extra hardware components like multiple Ethernet interfaces. At the software level, the system needs to check itself when it notices an issue, for example killing a process when it is no longer responsive. System level fault tolerance can be achieved by having redundant systems or duplicating its resources.
Quality of Service (QoS) is an approach to providing services without degradation of quality for certain types of applications and traffic. In a DDoS defense system, attack tolerance is essential because flooding attacks can exhaust the resources of a server in a very short time. The tolerance system should be able to provide services to legitimate users without affecting the quality in the presence of attacks [19].
9. Conclusion and Future Work
This work provides a survey of DDoS attacks and the mitigation techniques available in the cloud computing environment. We have found that the EDoS attack is a primary form of DDoS attack in the cloud. Many solutions fall into the categories of three controls: preventive, detective and recovery. We have presented guidelines for effective solution design. Multilevel solutions specifically designed for the cloud and its features would surely perform better than traditional DDoS solutions. Using cost- and attack-aware resource allocation algorithms in the cloud would help in mitigating EDoS attacks. Solutions based on the multi-layer guidelines can be tested to evaluate their effectiveness in a cloud infrastructure. Future work will include:
New state-of-the-art methods for prevention, detection and recovery of DDoS attacks.
More economical approaches to facing EDoS attacks, and how resource limitations can support them.
Cloud-based experiments with evaluation metrics for a variety of DDoS mitigation techniques, with benchmarking of current and upcoming solutions.
Examining the collaborative efforts of cloud service providers to detect and mitigate future DDoS attacks.
References
[1] DDoS Mitigation. https://www.cloudflare.com/learning/ddos/ddos-mitigation/
[2] AWS Best Practices for DDoS Resiliency, 2018.
[3] Abdulaziz Aldaej. Information Security and Distributed Denial of Service Attacks: A Survey. 2017.
[4] Alexander Khalimonenko, Oleg Kupreev, and Ekaterina Badovskaya. https://securelist.com.
[5] Saeed Alsowail, Mohammed H. Sqalli, Marwan Abu-Amara, Zubair Baig, and Khaled Salah. An Experimental Evaluation of the EDoS-Shield Mitigation Technique for Securing the Cloud. Arabian Journal for Science and Engineering, 41(12):5037–5047, 2016.
[6] Sunny Behal and Krishan Kumar. Characterization and Comparison of DDoS Attack Tools and Traffic Generators - A Review. International Journal of Network Security, 19(3):383–393, 2017.
[7] Dhruba Kumar Bhattacharyya and Jugal Kumar Kalita. DDoS Attacks. 2016.
[8] Kriti Bhushan and B. B. Gupta. A novel approach to defend multimedia flash crowd in cloud environment. Multimedia Tools and Applications, 2017.
[9] Monowar H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita. Network Anomaly Detection: Methods, Systems and Tools. pages 1–34, 2013.
[10] M. Poongodi and S. Bose. A Novel Intrusion Detection System Based on Trust Evaluation to Defend Against DDoS Attack in MANET. pages 3583–3594, 2015.
[11] Guilin Cai, Baosheng Wang, Yuebin Luo, and Xiaofeng Wang. Characterizing the Running Patterns of Moving Target Defense Mechanisms. 18th International Conference on Advanced Communication Technology (ICACT), pages 191–196, 2016.
[12] Y. Chen, Y. Li, X. Cheng, and L. Guo. Building efficient intrusion detection model based on principal component analysis and C4.5. In 2006 International Conference on Communication Technology, pages 1–4, Nov 2006.
[13] Junho Choi, Chang Choi, Byeongkyu Ko, and Pankoo Kim. A method of DDoS attack detection using HTTP packet pattern and rule engine in cloud computing environment. pages 1697–1703, 2014.
[14] A. Degirmencioglu, H. T. Erdogan, M. A. Mizani, and O. Yılmaz. A classification approach for adaptive mitigation of SYN flood attacks: Preventing performance loss due to SYN flood attacks. In NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium, pages 1109–1112, April 2016.
[15] B. S. Kiruthika Devi and T. Subbulakshmi. A Comparative Analysis of Security Methods for DDoS Attacks in the Cloud Computing Environment. Indian Journal of Science and Technology, 9(September):1–7, 2016.
[16] Gaurav Somani, Manoj Singh Gaur, Dheeraj Sanghi, Mauro Conti, and Rajkumar Buyya. DDoS Attacks in Cloud Computing: Issues, Taxonomy, and Future Directions. 2017.
[17] R. Divyasree and K. Selvamani. Defeating the Distributed Denial of Service Attack in Cloud Environment: A Survey. 2017.
[18] Sanchika Gupta, Susmita Horrow, and Anjali Sardana. A Hybrid Intrusion Detection Architecture for Defense against DDoS Attacks in Cloud Environment. pages 498–499, 2012.
[19] Nazrul Hoque, Dhruba K. Bhattacharyya, and Jugal K. Kalita. Botnet in DDoS Attacks: Trends and Challenges. X(X):1–29, 2015.
[20] J. Idziorek, M. Tannian, and D. Jacobson. Attribution of fraudulent resource consumption in the cloud. 2012 IEEE 5th International Conference on Cloud Computing (CLOUD), pages 99–106, 2012.
[21] Best Practices for DDoS Protection and Mitigation on Google Cloud Platform. https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf, 2016.
[22] Quan Jia, Kun Sun, and Angelos Stavrou. MOTAG: Moving Target Defense Against Internet Denial of Service Attacks. 2013.
[23] Filtering-Based Defense Mechanisms Against DDoS Attacks: A Survey. IEEE Systems Journal, pages 1–13, 2016.
[24] Priyanka Kamboj, Munesh Chandra Trivedi, Virendra Kumar Yadav, and Vikash Kumar Singh. Detection Techniques of DDoS Attacks: A Survey. pages 675–679, 2017.
[25] Vaishali Kansal and Mayank Dave. DDoS Attack Isolation using Moving Target Defense. pages 511–514.
[26] Vaishali Kansal and Mayank Dave. Proactive DDoS Attack Detection and Isolation. 2017 International Conference on Computer, Communications and Electronics (Comptelix), 2017.
[27] Kaspersky Labs. Global IT Security Risks Survey 2015. https://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf.
[28] Nguyen Doan Man and Eui-Nam Huh. Chapter 8: A Collaborative Intrusion Detection System Framework for Cloud Computing. 2012.
[29] Anupama Mishra. A Comparative Study of Distributed Denial of Service Attacks, Intrusion Tolerance and Mitigation Techniques. 2011.
[30] Atif Mushtaq. Chasing CnC Servers - False Positives. https://www.fireeye.com/blog/threat-research/2010/09/chasing-cnc-servers-part-2.html, 2010.
[31] Maryam M. Najafabadi, Taghi M. Khoshgoftaar, Chad Calvert, and Clifford Kemp. User Behavior Anomaly Detection for Application Layer DDoS Attacks. 2017 IEEE International Conference on Information Reuse and Integration, 2017.
[32] Opeyemi Osanaiye, Kim-Kwang Raymond Choo, and Mqhele Dlodlo. Distributed Denial of Service (DDoS) Resilience in Cloud: Review and Conceptual Cloud DDoS Mitigation Framework. Journal of Network and Computer Applications, 2016.
[33] B. Prabadevi. Distributed Denial of Service Attacks and its Effects on Cloud Environment - A Survey. 2014.
[34] Ankur Rai. Survey on Recent DDoS Mitigation Techniques and Comparative Analysis. pages 96–101, 2016.
[35] Mohammed A. Saleh and Azizah Abdul Manaf. A Novel Protective Framework for Defeating HTTP-Based Denial of Service and Distributed Denial of Service Attacks. (June), 2015.
[36] Andrew Shoemaker. https://www.incapsula.com/blog/how-to-identify-a-mirai-style-ddos-attack.html.
[37] Ved Prakash Singh and Preet Pal. Survey of Different Types of CAPTCHA. (IJCSIT) International Journal of Computer Science and Information Technologies, 5(2):2242–2245, 2014.
[38] Gaurav Somani, Manoj Singh Gaur, and Dheeraj Sanghi. DDoS Protection and Security Assurance in Cloud. Guide to Security Assurance for Cloud Computing, Computer Communications and Networks, pages 171–191, 2015.
[39] Gaurav Somani, Abhinav Johri, Mohit Taneja, and Utkarsh Pyne. DARAC: DDoS Mitigation Using DDoS Aware Resource Allocation in Cloud. S. Jajodia and C. Mazumdar (Eds.): ICISS 2015, 2:263–282, 2015.
[40] M. H. Sqalli, F. Al-Haidari, and K. Salah. EDoS-Shield - A Two-Steps Mitigation Technique against EDoS Attacks in Cloud Computing. 2011 Fourth IEEE International Conference on Utility and Cloud Computing (UCC), pages 49–56, 2011.
[41] Yadong Wang and Lianzhong Liu. A Survey of Defense Mechanisms Against Application Layer Distributed Denial of Service Attacks.
[42] R. K. Yadav, Daya Gupta, and Devendra Dadoriya. Prevention of DoS & DDoS Attack Using Count Based Filtering Method in Cloud Computing. 2(6):505–511, 2013.