A SURVEY of MITIGATION TECHNIQUES AGAINST ECONOMIC DENIAL of SUSTAINABILITY (EDOS) ATTACK on CLOUD COMPUTING ARCHITECTURE

Parminder Singh, Selvakumar Manickam, Shafiq Ul Rehman

National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, Penang, Malaysia

Abstract— Cloud computing is the next revolution in the Information and Communication Technology arena. It is a model in which computing is delivered as a commoditized service similar to electricity, water and telecommunication. Cloud computing provides software, platform, infrastructure and other hybrid models, which are delivered as subscription-based services in which customers pay based on usage. Nevertheless, security is one of the main factors that inhibit the proliferation of cloud computing. Economic Denial of Sustainability (EDoS) is a new breed of security and economic threat to cloud computing. Unlike the traditional Distributed Denial of Service (DDoS), which brings down a particular service by exhausting the resources of the server in a traditional setup, EDoS takes advantage of the elasticity of the cloud service. This causes the resources to scale dynamically to meet the demand (as a result of the EDoS attack), resulting in a hefty bill for the customer. In this survey, we review various EDoS mitigation techniques that have been introduced in recent years.

Keywords— EDoS, Cloud Computing, Security, Survey, DDoS

I. INTRODUCTION

Cloud computing (CC) is a highly scalable, elastic service with dynamic resource allocation in a distributed computing environment. Resources from a large pool can be dynamically allocated to an application in the cloud environment. Cloud service providers (e.g. Google, Amazon) leverage virtualization in addition to self-service provisioning of cloud resources over the Internet. On CC infrastructure, virtual machines from various organizations can be co-located on the same physical server in order to make optimum use of resources. As with any new technology, CC is not spared from security threats and vulnerabilities. In fact, the main reason many do not embrace CC is security. These concerns range from data breaches to cloud service attacks. Kresimir Popovic [1] provides insight into the security-related issues in cloud computing. Dimitrios Zissis and Dimitrios Lekkas [2] have defined the security threats and guidelines that exist at various stages of cloud implementation. NIST's [7] reference architecture defines the essential characteristics of CC, which have been adopted as the de facto standard for CC (Fig. 1).

CC is also prone to numerous attacks such as malware injection, SQL injection, cross-site scripting, wrapping attacks, DDoS and DNS attacks. Among these attacks, according to various research studies [3], DDoS is the most common type of attack that has been carried out against cloud infrastructure. Arbor Networks' eighth annual Worldwide Infrastructure Security Report [4] disclosed new trends in offensive security. Key findings follow:

• 94 % of Data Centre managers reported some variety of security attacks
• 76 % had to contend with DDoS attacks on their customers' network
• 43 % had partial or total infrastructure outages as a result of DDoS
• 14 % had to cope with attacks targeting a cloud service

As in conventional computing, it is very tedious to separate legitimate traffic from attack traffic, and mitigation techniques have thus far not been able to fully circumvent this issue. Due to the nature of CC, in which resources are expanded when the current allocation is no longer sufficient (i.e. elastic resource allocation), a variant of DDoS attacks specific to subscription-based CC infrastructure and services has been discovered. It is called Economic Denial of Sustainability (EDoS). While DDoS attacks are meant to bring a particular service down, EDoS causes financial implications by consuming resources and leading to a hefty bill. In this paper, we review EDoS attacks and the work that has been done in an effort to mitigate these attacks.

978-1-4799-6896-1/14/$31.00 ©2014 IEEE

II. DDOS ATTACK ON AMAZON

Based on the report from the web site [5], the Bitbucket code-sharing website went through nineteen hours of downtime after a DDoS attack on the CC infrastructure hosted by Amazon. Many developers were unable to access the project code hosted on the service provider's site. The cloud pushes malicious users to design new DDoS techniques to bring web sites down. Once the actual cause was identified, sixteen hours into the reported attack, Amazon began filtering the DDoS traffic, which normalized the services. As per Nohr, the DDoS was initiated by a TCP SYN flood attack, rather than a UDP flood [5]. Because CC is elastic in nature and may re-allocate resources on demand, it becomes easier to defend against DoS. The promptness of the cloud plays a significant role while a DoS attack is in progress, which undoubtedly triggers Economic Denial of Sustainability (EDoS). In this paper we will only focus on Economic Denial of Sustainability (EDoS) attacks.

It is very difficult to isolate or prioritise legitimate traffic, as no single defense mechanism is available to deny a DDoS attack. The service provider may allocate more resources to meet its SLA requirement in case of a DDoS attack. Additional service instances may be executed to meet the SLA, as the over-utilization of resources is chargeable to the customer. In this way DDoS can be utilized for an Economic Denial of Sustainability (EDoS) attack. Cloud computing is susceptible to EDoS attack, which is only possible in a public cloud, because private cloud infrastructure is owned and operated by an individual organization. In a public cloud, the services are provided over the Internet on a pay-per-usage model, making it vulnerable to attacks.

III. ECONOMIC DENIAL OF SUSTAINABILITY ATTACK

A DDoS attack on a CC environment leads to EDoS (Economic Denial of Sustainability), where the services offered to the legitimate user are never restricted and the utilization of cloud resources is dynamically expanded to serve the excess traffic. Organisations that have opted for the cloud will incur inflated bills for using the auto-scaling feature to absorb a flood of malicious traffic in order to meet the requirements of the defined SLA. The main motivation behind an EDoS attack is to make the cloud costing model unsustainable, so that it is no longer viable for the organisation to afford the use of, or pay for, its cloud infrastructure.

Most organisations opt for cloud infrastructure because of the following:

• No investment (Capex) in the infrastructure.
• Low cost of maintenance (Opex).
• Only pay for the resources in use.
• Service level agreements (SLA).

An SLA [6] ensures that the consumer's expectations are fulfilled. An SLA includes terms of QoS, availability, reliability and performance, the billing methods, service cost and the penalty terms. Thus a penalty is imposed on the service provider if any of the services listed in the SLA does not meet expectations. The service provider executes technical requests initiated by a customer within the response time mentioned in the SLA. The penalty for a service outage is generally calculated on a per-hour basis from the time the outage is reported. Based on the SLA, cloud resources are provided to the customer in restricted or unrestricted mode. The resource consumption (e.g. RAM, disk storage) and the computing power are billed to the client. The DDoS attacker utilizes the computing resources along with legitimate users. As no appropriate defence mechanism is available to eliminate DDoS, the resources can be dynamically allocated to the malicious requests.
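
The billing effect described in this section can be made concrete with a small simulation. This is an added example, not part of the original paper: it models an hourly autoscaler that cannot tell legitimate from attack traffic, and it includes an optional instance ceiling (the kind of upper limit the survey discusses under CloudWatch) to show what that ceiling costs legitimate users. All prices, capacities and traffic figures are constructed.

```python
import math

# Constructed figures for illustration; not taken from any provider's price list.
CAPACITY_PER_INSTANCE = 100      # requests/second one instance can serve
PRICE_PER_INSTANCE_HOUR = 0.10   # currency units per instance-hour

def simulate(legit_rps, attack_rps, max_instances=None):
    """Run an hourly autoscaler over per-hour request rates.

    Returns (bill, fraction_of_legitimate_requests_dropped). The scaler sizes
    the fleet for the sum of legitimate and attack traffic, because it has no
    way to tell them apart.
    """
    bill = 0.0
    legit_total = legit_served = 0.0
    for legit, attack in zip(legit_rps, attack_rps):
        demand = legit + attack
        wanted = max(1, math.ceil(demand / CAPACITY_PER_INSTANCE))
        running = wanted if max_instances is None else min(wanted, max_instances)
        bill += running * PRICE_PER_INSTANCE_HOUR
        capacity = running * CAPACITY_PER_INSTANCE
        # Over capacity, requests are dropped without regard to their origin.
        served_share = min(1.0, capacity / demand) if demand else 1.0
        legit_total += legit
        legit_served += legit * served_share
    dropped = 1 - legit_served / legit_total if legit_total else 0.0
    return round(bill, 2), round(dropped, 3)

def compare():
    """One constructed day: steady legitimate load, 16-hour flood from hour 8."""
    legit = [200] * 24
    quiet = [0] * 24
    flood = [0] * 8 + [1800] * 16
    return {
        "no_attack": simulate(legit, quiet),
        "attack_unlimited": simulate(legit, flood),
        "attack_capped_at_4": simulate(legit, flood, max_instances=4),
    }

if __name__ == "__main__":
    for name, (bill, dropped) in compare().items():
        print(f"{name:20s} bill={bill:6.2f} legit_dropped={dropped:.1%}")
```

With unlimited scaling the service stays available and the daily bill rises sevenfold; with the ceiling the bill is contained, but more than half of the legitimate requests are lost during the flood.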

Fig. 1 NIST Cloud Computing Reference Architecture overview [7]

IV. COUNTER MEASURES

While working with CC, awareness of the security requirements or security objectives is important so that the main security guidelines are fulfilled:

• To maintain integrity of information.
• To maintain the service integrity.
• To provide secure and controlled access to services.
• Confidentiality of systems information.
• Isolation of processes and data on the virtualization level.

There are two basic mitigation approaches available to defend against EDoS attacks: proactive and reactive. The reactive approach completes in three steps. In the first step, traffic monitoring is used to identify attacks in progress. On confirmation of an attack, the second step triggers the sequence to locate the source of the attack. In the third step, mitigation methods are implemented to eliminate or reduce the impact of the DDoS.

The proactive approach is used to eliminate or reduce the occurrence of attacks by provisioning various methods before the actual attacks. E.g. spoofed source addresses can be rejected using ingress filtering [8] of a network. Ingress filtering may add resource and management overheads for service providers, who must maintain the filtering rules, but it also makes most attacks ineffective. There are many mechanisms available to counter attacks that hinder the security requirements and objectives of the cloud. A few of the methods used in the cloud, e.g. packet filtering, puzzle generation and verification, and packet marking and traceback, are discussed in the following section. Table 1 shows the comparison between EDoS mitigation mechanisms.

A. EDoS-Shield [9]
This mechanism has two main components, the virtual firewall and the cloud verifier node. Packet filtration is performed by the virtual firewall, which uses whitelist and blacklist methods for making decisions. A CAPTCHA (graphic Turing test) is used by the cloud verifier node to verify legitimate requests at the application layer.

B. sPoW [10]
This method uses an application-layer mitigation mechanism. Its main function is to filter the attack traffic before it starts overcommitting resources. The concept of self-verifying Proof-of-Work (sPoW) is introduced to transform the network-level EDoS traffic in order to distinguish the EDoS attack, and to filter and prioritize legitimate traffic on demand.

C. CloudWatch [11]
CloudWatch is a professional service from Amazon to reduce the impact of EDoS attacks by providing a monitoring service for cloud resources, which enables organisations to define upper limits on the elastic resource utilization of their cloud infrastructure. This is an inefficient solution against EDoS, as the user can still be charged for over-utilization in case of a DDoS attempt. It also defeats the purpose of cloud computing: once the elasticity reaches the upper limit, the cloud service freezes and users' access to the service will not be available.

D. EDoS Armor [12]
This technique works on admission and congestion control, a twofold solution. It works by defining the number of clients that can send requests and by prioritising clients based on their activity and the type of resources they access.

E. Cloud Traceback [13]
This methodology uses a packet marking and traceback mechanism to shield against application-level DoS attacks. Using this mechanism, the source of an attack can be identified and filtered. The mechanism has two components, cloud traceback (CTB) and cloud protector (CP). Incoming traffic is marked by CTB and packet filtration is done by CP.

F. In-cloud Scrubber [14]
This technique is based on a puzzle generation and verification process. Each client accessing web-based cloud resources has to solve the puzzle. Based on the result, the scrubber service allows or denies access to the web service.

Table 1. Summary of Countermeasures

Approaches | Focus | Methodology | Distributed approach | Learning ability | Scalability
CloudWatch [11] | EDoS attack | Traffic Monitoring | Yes | No | Yes
EDoS-Shield [9] | EDoS attack | Virtual firewall and authentication | No | Yes | Yes
Cloud Traceback [13] | HTTP and XML based DoS Attack | Packet marking and Traceback | Yes | Yes | Yes
sPoW: On-Demand Cloud-based eDDoS Mitigation [10] | EDoS attack | Puzzle generation and Verification | Yes | Yes | Yes
In-Cloud Scrubber [14] | EDoS attack | Packet Filtering and authentication | No | Yes | Yes
EDoS Armor [12] | EDoS attack | Packet Filtering | No | Yes | Yes
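
The survey names puzzle generation and verification (In-cloud Scrubber) and proof of work (sPoW) without giving a construction. The sketch below is an added example, not code from the paper or from either cited system: it uses a generic hash-based client puzzle whose challenge is bound to the client with an HMAC, so the server keeps no per-puzzle state until a solution is redeemed. All names, the 16-bit difficulty and the 60-second lifetime are assumptions.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # per-deployment secret; generated here for the demo
DIFFICULTY_BITS = 16         # assumed work factor: about 2**16 hashes per puzzle
TTL_SECONDS = 60             # assumed puzzle lifetime
spent = set()                # nonces already redeemed (expire these in production)

def tag_for(client_id, issued, nonce):
    msg = f"{client_id}|{issued}|{nonce.hex()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def issue_puzzle(client_id, now=None):
    """Generation: a stateless challenge bound to the client by an HMAC tag."""
    issued = int(time.time() if now is None else now)
    nonce = os.urandom(16)
    return {"issued": issued, "nonce": nonce, "tag": tag_for(client_id, issued, nonce)}

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def work_hash(puzzle, counter):
    return hashlib.sha256(puzzle["tag"] + counter.to_bytes(8, "big")).digest()

def solve(puzzle):
    """Client side: search for a counter whose hash has enough leading zero bits."""
    counter = 0
    while leading_zero_bits(work_hash(puzzle, counter)) < DIFFICULTY_BITS:
        counter += 1
    return counter

def verify(puzzle, counter, client_id, now=None):
    """Verification: one HMAC and one hash, however long the client searched."""
    now = int(time.time() if now is None else now)
    expected = tag_for(client_id, puzzle["issued"], puzzle["nonce"])
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return False, "forged or issued to another client"
    if not 0 <= now - puzzle["issued"] <= TTL_SECONDS:
        return False, "expired"
    if leading_zero_bits(work_hash(puzzle, counter)) < DIFFICULTY_BITS:
        return False, "insufficient work"
    if puzzle["nonce"] in spent:
        return False, "replayed"
    spent.add(puzzle["nonce"])
    return True, "ok"

if __name__ == "__main__":
    p = issue_puzzle("203.0.113.7")  # constructed client address
    print(verify(p, solve(p), "203.0.113.7"))
```

The asymmetry is the point: each request costs the client tens of thousands of hashes, while the scrubber spends two hash operations to accept or reject it before any billable back-end resource is touched.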

V. ANALYSIS

The focus of this paper is:

• To study the various EDoS defense mechanisms available and their limitations in defending against EDoS attack.
• To study the effectiveness of EDoS mitigation techniques, as no mitigation techniques are up to the mark.
• To study the usability of the mitigation methods available.
• To study the interoperability of EDoS mitigation techniques in various cloud environments.

EDoS is an extension of DDoS.

VI. CONCLUSION

It is inevitable that CC is replacing traditional computing, and this has brought about new security challenges. DDoS has plagued traditional infrastructures and is still on the rise. To make matters worse, EDoS, a variant of DDoS attack specific to subscription-based CC services, is on the rise. Existing mechanisms put forward to address it were reviewed in this paper and are evidently ineffective or insufficient in addressing the security implications caused by EDoS. A more robust approach is required to ensure that known and zero-day EDoS attacks can be mitigated effectively.

REFERENCES

[1] Popovic, K. and Z. Hocenski. Cloud computing security issues and challenges. in MIPRO, 2010 proceedings of the 33rd international convention. 2010. IEEE.
[2] Zissis, D. and D. Lekkas, Addressing cloud computing security issues. Future Generation Computer Systems, 2012. 28(3): p. 583-592.
[3] Liu, W. Research on DoS attack and detection programming. in Intelligent Information Technology Application, 2009. IITA 2009. Third International Symposium on. 2009. IEEE.
[4] Arbor Networks. Available from: http://www.arbornetworks.com/resources/infrastructure-security-report.
[5] Metz, C., DDoS attack rains down on Amazon cloud. The Register, October 2009. 2009.
[6] Wu, L. and R. Buyya, Service level agreement (SLA) in utility computing systems. arXiv preprint arXiv:1010.2881, 2010.
[7] Fang Liu, J.T., Jian Mao, Robert Bohn, John Messina, Lee Badger and Dawn Leaf, NIST Cloud Computing Reference Architecture. 2011.
[8] Grobauer, B., T. Walloschek, and E. Stocker, Understanding cloud computing vulnerabilities. Security & Privacy, IEEE, 2011. 9(2): p. 50-57.
[9] Sqalli, M.H., F. Al-Haidari, and K. Salah. EDoS-Shield - a two-steps mitigation technique against EDoS attacks in cloud computing. in Utility and Cloud Computing (UCC), 2011 Fourth IEEE International Conference on. 2011. IEEE.
[10] Khor, S.H. and A. Nakao. sPoW: On-demand cloud-based eDDoS mitigation mechanism. in HotDep (Fifth Workshop on Hot Topics in System Dependability). 2009.
[11] CloudWatch, A., monitoring for AWS cloud resources. 2013.
[12] Masood, M., A Cost Effective Economic Denial of Sustainability (EDoS) Attack Mitigation Framework for E-Commerce Applications in Cloud Environments. 2013.
[13] Chonka, A., et al., Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks. Journal of Network and Computer Applications, 2011. 34(4): p. 1097-1107.
[14] Naresh Kumar, M., et al. Mitigating Economic Denial of Sustainability (EDoS) in Cloud Computing Using In-cloud Scrubber Service. in Computational Intelligence and Communication Networks (CICN), 2012 Fourth International Conference on. 2012. IEEE.