In extended cloud computing, resources are provisioned in limited amounts in a set of clusters located near the user, called the smart edge. Any type of resource can be found in the smart edge, ranging from computation to FPGA boards. If an application needs more resources, remote datacenters are used, where similar resources are provided in large amounts. The set of APIs offered in the smart edge may differ from those of the remote resources.
Some security challenges were established before the advent of cloud computing: phishing, where a trusted entity is masqueraded; downtime, where a system is out of service; password weakness due to uneducated users (such as using only digits or only letters in a password); and botnets, where many computers throughout the world are compromised and used to launch a specific type of attack. What is important here, however, is that botnets are more serious in cloud computing because of the huge amount of resources a cloud provider provisions for a user.
This cloud model promotes availability and is composed of five essential characteristics, three service models, and three deployment models.
Denial of Service in Software Defined Networks
Mohammad Faraji, ms.email@example.com
Supervisor: Alberto Leon-Garcia
Cloud Computing
• Cloud computing is a model for
  – on-demand network access
  – a shared pool of configurable computing resources
  – rapidly provisioned and
  – released with minimal management effort.
Denial of Service
• Denial of Service: an explicit attempt by attackers to prevent legitimate users of a service from using that service. (CERT)
• Examples:
  – Flooding a network
• Denial of Service is considered the largest security threat
Problem
• The application is distributed throughout the network (ECC)
• Isolating application traffic significantly reduces the probability of denial of service
• Network isolation through VLANs
• Limitations:
  – Scalability (4k VLAN ID space)
  – Complicated network management
  – Per-user policy control
Policy Unit Model
• Keystone (OpenStack Identity Manager)
• Attribute Based Access Control
• Policy Enforcement
• Authorization and Access Control
• Attribute Assertion
• Authentication Assertion (single sign-on)
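The policy unit above combines an authentication assertion from the identity provider (single sign-on via Keystone), an attribute assertion bound to that identity, and attribute-based access control at the point where an application asks to program the network. The following is an added illustration of that decision flow, not code from the presented platform: the issuer name "keystone.example", the attribute names (tenant, role), the resource description and the two rules are assumptions made for this example, and signature and lifetime checking of the assertions is taken as already done.

```python
"""Attribute-based access control (ABAC) for a network policy unit: the
identity provider asserts who the caller is (single sign-on) and which
attributes they hold; the decision point authorizes an action on a resource
from those attributes alone. Added example, not the platform's own code; the
issuer name, attribute names and rules are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple

Attrs = Dict[str, Any]


@dataclass(frozen=True)
class AuthenticationAssertion:
    subject: str
    issuer: str
    verified: bool  # signature and lifetime already checked; not modelled here


@dataclass(frozen=True)
class AttributeAssertion:
    subject: str
    attributes: Attrs  # e.g. {"tenant": "tenant-a", "role": "app-owner"}


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Attrs, Attrs, str], bool]


def owner_manages_own_slice(subject: Attrs, resource: Attrs, action: str) -> bool:
    """An application owner may program the flow table of its own slice only."""
    return (subject.get("role") == "app-owner"
            and resource.get("type") == "flow-table"
            and resource.get("slice_owner") == subject.get("tenant")
            and action in {"install_flow", "delete_flow", "read_flows"})


def admin_reads_everything(subject: Attrs, resource: Attrs, action: str) -> bool:
    """Operators may inspect any slice but cannot program it under this rule set."""
    return subject.get("role") == "network-admin" and action == "read_flows"


RULES: List[Rule] = [
    Rule("owner-manages-own-slice", owner_manages_own_slice),
    Rule("admin-reads-everything", admin_reads_everything),
]
TRUSTED_ISSUERS: Set[str] = {"keystone.example"}  # assumed identity provider name


def decide(authn: AuthenticationAssertion, attrs: AttributeAssertion,
           resource: Attrs, action: str,
           rules: List[Rule] = RULES, trusted: Set[str] = TRUSTED_ISSUERS) -> Tuple[str, str]:
    """Policy decision point: default deny, permit only when a rule applies."""
    if not authn.verified or authn.issuer not in trusted:
        return "deny", "untrusted-authentication"
    if attrs.subject != authn.subject:
        # Attributes must be bound to the authenticated identity, otherwise a
        # caller could present someone else's (more privileged) attributes.
        return "deny", "attributes-not-bound-to-subject"
    for rule in rules:
        if rule.applies(attrs.attributes, resource, action):
            return "permit", rule.name
    return "deny", "no-matching-rule"


if __name__ == "__main__":
    alice = AuthenticationAssertion("alice", "keystone.example", True)
    alice_attrs = AttributeAssertion("alice", {"tenant": "tenant-a", "role": "app-owner"})
    own_slice = {"type": "flow-table", "slice_owner": "tenant-a"}
    other_slice = {"type": "flow-table", "slice_owner": "tenant-b"}
    print(decide(alice, alice_attrs, own_slice, "install_flow"))    # permit
    print(decide(alice, alice_attrs, other_slice, "install_flow"))  # deny
```

The decision function is deliberately default-deny: an owner gets a permit only for its own slice, an operator only for reads, and an assertion from an issuer outside the trusted set, or attributes not bound to the authenticated subject, is refused before any rule is consulted.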
Implementation Platform
[Block diagram; only the component labels are recoverable]
• SOAP/WS-API
• BPEL layer: Control, Resource Manager, Storage Manager, AAA, Dynamic Link Generator, Data Store
• Web service layer: Resources, Storage Resources, Query Generator, DB Result Processor, Fabric Resources, Programmable Resource
• Resource layer: Fabric Agent, MySQL Resource, SNMP Resource, File Resource, Resource Servers, Fabric
Outcome
• A software platform on OpenFlow switches
• It decreases the chance of denial of service because:
  – each application is able to define its own network topology
  – each application can have its own policy
  – policy control is fine-grained
• DoS does not affect others' traffic
• An attack can be easily interrupted
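The two outcome claims, that one application's DoS does not touch another application's traffic and that an attack can be interrupted, follow from how the controller programs the switch: forwarding rules exist only for an application's own ports and hosts, so everything else hits the table-miss and is dropped, and a higher-priority drop rule can be pushed for a misbehaving source. The simulation below is an added example written for this page, not the platform from the slides and not real OpenFlow code: the port numbers, addresses, traffic mix and flood threshold are constructed, and statistics reach the controller per packet rather than through periodic counter polling.

```python
"""Per-application traffic isolation on an OpenFlow-style switch, plus
controller-side interruption of a flooding source. Added example, not the
platform from the slides; ports, addresses and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_port: int
    src: str
    dst: str


@dataclass
class FlowRule:
    priority: int
    match: Dict[str, object]  # exact-match on a subset of Packet fields
    action: str               # "forward" or "drop"
    packets: int = 0          # per-rule counter, as a switch would keep

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


class Switch:
    """Data plane: highest-priority matching rule wins; table-miss drops."""

    def __init__(self) -> None:
        self.table: List[FlowRule] = []

    def install(self, rule: FlowRule) -> None:
        self.table.append(rule)
        self.table.sort(key=lambda r: -r.priority)  # stable: earlier rules win ties

    def process(self, pkt: Packet) -> str:
        for rule in self.table:
            if rule.matches(pkt):
                rule.packets += 1
                return rule.action
        return "drop"  # no application was granted this path, so nothing crosses slices


class Controller:
    """Control plane: one policy per application plus a per-source packet budget."""

    def __init__(self, switch: Switch, flood_threshold: int) -> None:
        self.switch = switch
        self.flood_threshold = flood_threshold
        self.forwarded_by_src: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()

    def admit_application(self, ports: Set[int], hosts: Set[str]) -> None:
        # Each application defines its own topology: its ingress ports may reach
        # its hosts and nothing else. No rule ever lets one application's ports
        # reach another application's hosts.
        for port in sorted(ports):
            for host in sorted(hosts):
                self.switch.install(FlowRule(100, {"in_port": port, "dst": host}, "forward"))

    def observe(self, pkt: Packet, action: str) -> None:
        # Simplification: statistics arrive per packet; a real controller would
        # poll flow counters periodically and react on the deltas.
        if action != "forward":
            return
        self.forwarded_by_src[pkt.src] += 1
        if self.forwarded_by_src[pkt.src] >= self.flood_threshold and pkt.src not in self.blocked:
            # Interrupt the attack: a higher-priority drop rule for this source only.
            self.switch.install(FlowRule(200, {"src": pkt.src}, "drop"))
            self.blocked.add(pkt.src)


def run_simulation(flood_threshold: int = 20) -> Tuple[Dict[str, Dict[str, int]], Set[str]]:
    """Returns per-source forward/drop counts and the set of sources cut off."""
    switch = Switch()
    controller = Controller(switch, flood_threshold)
    controller.admit_application(ports={1, 2}, hosts={"10.0.1.10"})  # application A
    controller.admit_application(ports={3}, hosts={"10.0.2.10"})     # application B

    traffic = (  # constructed traffic mix
        [Packet(1, "10.0.1.1", "10.0.1.10")] * 15    # A's client, normal rate
        + [Packet(2, "10.0.1.2", "10.0.1.10")] * 100  # compromised host inside A flooding A's server
        + [Packet(3, "10.0.2.1", "10.0.2.10")] * 15   # B's client, unrelated application
        + [Packet(1, "10.0.1.3", "10.0.2.10")] * 10   # host on A's port aimed at B's server
    )
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"forward": 0, "drop": 0})
    for pkt in traffic:
        action = switch.process(pkt)
        stats[pkt.src][action] += 1
        controller.observe(pkt, action)
    return dict(stats), controller.blocked


if __name__ == "__main__":
    counts, blocked = run_simulation()
    for src, c in sorted(counts.items()):
        print(f"{src:10} forwarded={c['forward']:3} dropped={c['drop']:3}")
    print("cut off by controller:", sorted(blocked))
```

Two things are worth reading off the result: application B's client is forwarded in full while a host inside application A floods, because the flooder's packets never match a rule that leads to B's hosts; and the flooder is cut off after the budget is spent while the legitimate client in the same application keeps its forwarding rules, which is what fine-grained, per-source policy buys over a per-VLAN cut.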
The NIST Cloud Definition Framework
• Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
• Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
Based upon original chart created by Alex Dowbor - http://ornot.wordpress.com
Classification of DoS Attacks (Attack / Affected Area / Example / Description)

Network Level Device
  Affected area: Routers, IP Switches, Firewalls
  Example: Ascend Kill II, "Christmas Tree Packets"
  Description: Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.

OS Level
  Affected area: Equipment Vendor OS, End-User Equipment
  Example: Ping of Death, ICMP Echo Attacks, Teardrop
  Description: Attack takes advantage of the way operating systems implement protocols.

Application Level Attacks
  Affected area: Finger Bomb
  Example: Finger Bomb, Windows NT RealServer G2 6.0
  Description: Attack a service or machine by using an application attack to exhaust resources.

Data Flood (Amplification, Oscillation, Simple Flooding)
  Affected area: Host computer or network
  Example: Smurf Attack (amplifier attack), UDP Echo (oscillation attack)
  Description: Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.

Protocol Feature Attacks
  Affected area: Servers, Client PC, DNS Servers
  Example: SYN (connection depletion)
  Description: Attack in which "bugs" in protocol are utilized to take down network resources. Methods of attack include IP address spoofing and corrupting DNS server cache.