Cloud computing is an emerging technology in which large amounts of storage, data and services are made available over the Internet. Its main advantage is that users pay only for what they use. Cloud services are distributed in nature and shared by millions of users, and that sharing is the source of numerous security challenges. Distributed Denial of Service (DDoS) is the most prominent attack against cloud computing: because the cloud has a multi-tenant architecture, a DDoS attack that exhausts shared resources threatens the availability of services for many tenants at once. This paper highlights various DDoS attacks and their countermeasures.
Cloud Attacks (figure: taxonomy of attacks by level)
Attack levels: Application level, Server level, Network level, Browser level.
DDoS attacks covered: Smurf attack, Ping of Death attack, IP spoofing attack, Buffer overflow attack, Teardrop attack, Land attack, SYN Flood attack.
Table: DDoS attacks, their defense/prevention mechanisms, and the cloud layer at which each mechanism applies

S.No.  Attack                  Defense/Prevention Mechanism                                            Cloud Layer
1      Smurf attack            1. Configure the router to disable IP directed broadcast.               IaaS
                               2. Configure the operating system not to answer ICMP echo requests
                                  sent to a broadcast address.
2      IP spoofing attack      1. Implement Hop-Count Filtering (HCF).                                 PaaS
                               2. Build and maintain the IP-to-Hop-Count (IP2HC) table that HCF
                                  checks incoming packets against.
3      Teardrop attack         Use recent networking devices and operating systems.                    IaaS & PaaS
4      SYN Flood attack        1. SYN cache / SYN cookies.                                             PaaS
                               2. Firewall monitoring and filtering.                                   IaaS
5      Ping of Death attack    Use recent networking devices and operating systems.                    IaaS & PaaS
6      Buffer overflow attack  1. Write source code that avoids overflows.                             SaaS
                               2. Limit the time (resources) a request may consume.
                               3. Check array boundaries.
                               4. Defense mechanisms in the SaaS layer.
7      LAND attack             Recent network devices and operating systems drop packets that carry     IaaS & PaaS
                               the same IP address in the source and destination fields.
Editor's Notes
Keep in mind that a DDoS attack does not only take you down; it can also bring down the sites and services that rely on your system.
SaaS, PaaS and IaaS are simply three ways of describing how a business can use the cloud.
SaaS (Software as a Service): software made available by a third party over the Internet.
SaaS examples: BigCommerce, Google Apps, Salesforce, Dropbox, MailChimp, ZenDesk, DocuSign, Slack, Hubspot.
SaaS is a model in which software is purchased by online subscription rather than licensed, installed and used as desktop software. SaaS is centrally hosted; it is also called "on-demand software" and "software plus services". A third-party provider hosts the application and makes it available to subscribed users over the Internet, giving quick access to web applications. Maintenance and support are provided by the service provider.
PaaS (Platform as a Service): hardware and software tools made available over the Internet.
PaaS examples: AWS Elastic Beanstalk, Heroku, Windows Azure (mostly used as PaaS), Force.com, OpenShift, Apache Stratos, Magento Commerce Cloud.
PaaS is a cloud computing model that provides a cloud base on which you can test and run your applications, simplifying the software development process. It delivers the hardware and software tools needed for application development to users over the Internet; the PaaS provider hosts that hardware and software on its own infrastructure.
IaaS (Infrastructure as a Service): pay-as-you-go cloud-based services such as storage, networking and virtualization.
IaaS examples: AWS EC2, Rackspace, Google Compute Engine (GCE), Digital Ocean, Magento 1 Enterprise Edition*.
IaaS is a model in which computing resources are provided virtually. An IaaS provider can supply the entire range of resources an enterprise needs: servers, storage and networking, together with maintenance and support, data center space and network components. Businesses can meet their requirements without installing any hardware, obtaining resources on an outsourced basis for enterprise operations.
DoS versus DDoS

DoS                                                         DDoS
Stands for Denial of Service attack.                        Stands for Distributed Denial of Service attack.
A single system targets the victim's system.                Multiple systems attack the victim's system.
The victim is loaded with packets sent from one location.   The victim is loaded with packets sent from multiple locations.
Slower than a DDoS attack.                                  Faster than a DoS attack.
Easy to block, since only one system is used.               Difficult to block, since many devices send packets from many locations.
A single device running DoS attack tools is used.           Bots (a botnet) attack at the same time.
Easy to trace.                                              Difficult to trace.
Lower volume of traffic.                                    Massive volumes of traffic can be sent to the victim network.
Types of DDoS attack:
1. Reflection: a host sends many requests with a spoofed source address (the victim's) to a service on an intermediate host; the intermediate host generates a reply to each request and sends those replies to the spoofed address. Examples of reflector services: echo, chargen, DNS, SNMP, ISAKMP.
2. Broadcast amplification: the attacker sends requests (such as ICMP or UDP) with a spoofed source address to a broadcast address, hoping that many hosts will receive each request and respond to it. Example: DNS recursion attack.
3. Connection exhaustion: makes a resource unavailable by initiating large numbers of incomplete connection requests, overwhelming its capacity and preventing new connections from being made. Examples: peer-to-peer attack, SYN flood attack.
Why DDoS attacks are possible:
1. Internet security is highly interdependent: whether a DDoS attack can be launched against a target depends on the security of hosts elsewhere on the global Internet, not only on the target's own defenses.
2. Limited Internet resources: each Internet host has finite resources that a sufficient number of users can consume.
3. Control is distributed: because of privacy concerns across the Internet, it is sometimes nearly impossible to investigate cross-network behaviour or to deploy a global security mechanism.
4. Multipath routing: intermediate routers forward IP packets from source to destination without any knowledge of whether a packet is genuine. This makes authenticating traffic difficult and allows unauthorized activity such as source address forgery.
A DDoS attack is a large-scale coordinated attack on the availability of a target system's services or network bandwidth. Several DDoS attacks can disrupt cloud services, among them: the ICMP (ping) flood, in which attackers consume bandwidth with ICMP packets; the Ping of Death, in which attackers send malformed, oversized pings to cloud resources (servers); the HTTP GET flood, in which attackers send a huge volume of requests to the cloud servers and consume all their resources; and the Smurf attack, in which attackers use ICMP echo request packets to generate the denial of service.
In a Smurf attack, the attacker sends a large number of Internet Control Message Protocol (ICMP) echo requests whose destination is a network's broadcast address and whose source address is forged to be the victim's. Every host on that network answers, so the victim is flooded with echo replies from the whole broadcast range rather than from the attacker alone.
The Smurf attack proceeds in the following steps:
1. The attacker sends ICMP echo request packets to a network device that supports directed broadcast (the "network amplifier"). The source address in these packets is forged, or spoofed, to be the victim's address.
2. The network amplifier delivers the ICMP_ECHO_REQUEST packets to all systems in the broadcast IP address range.
3. An ICMP_ECHO_REPLY from every system in that range reaches the victim, multiplying the attacker's traffic by the number of responding hosts.
An Internet Protocol (IP) spoofing attack occurs when the attacker rewrites the source IP field of the packet header with either a legitimate host's address or an unreachable address. In the first case the cloud server directs its replies to the legitimate client, which is thereby affected; in the second, the server is unable to complete its task because its replies go to an unreachable address [8], tying up server resources. Preventing this type of attack is difficult because the source IP address is fake and cannot be trusted.
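The table of countermeasures names Hop-Count Filtering (HCF) and an IP2HC table as the defense against spoofed sources. The following is an added example of that idea in Python, not code from the paper: the hop count a packet travelled is inferred from its remaining TTL, and a packet is dropped when that hop count disagrees with the one previously learned for its claimed source. The initial-TTL set, the addresses and the TTL values are constructed for the example.

```python
"""Hop-Count Filtering (HCF) for spoofed-source detection.

Added example (not code from the paper). HCF infers how many routers a
packet crossed from its remaining IP TTL and compares that with the hop
count previously learned for the claimed source address, stored in an
IP-to-Hop-Count (IP2HC) table. A packet with a forged source carries the
attacker's hop count, which usually disagrees with the table entry for the
forged address, so it is dropped. All addresses and TTLs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Initial TTL values used by common IP stacks (assumption: the set used in
# the HCF literature; a few stacks use other values).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl: int) -> int:
    """Hop count implied by an observed TTL.

    Each router decrements TTL by one, so hops = initial_ttl - ttl. The
    initial TTL is taken as the smallest common value not below the observed
    TTL; e.g. TTL 57 -> initial 64 -> 7 hops. This is ambiguous when a path
    is longer than the gap between two initial values (a 64-initial host 35
    hops away looks like a 32-initial host 3 hops away); HCF accepts that
    because such long paths are rare.
    """
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be 0..255")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 always matches")


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int


class HopCountFilter:
    """IP2HC table plus the per-packet check."""

    def __init__(self, tolerance: int = 0) -> None:
        self.ip2hc: dict[str, int] = {}
        self.tolerance = tolerance  # slack for legitimate route changes

    def learn(self, src: str, ttl: int) -> None:
        """Record the hop count of a source from a packet known to be genuine
        (e.g. one belonging to a completed TCP handshake)."""
        self.ip2hc[src] = infer_hop_count(ttl)

    def is_spoofed(self, pkt: Packet) -> Optional[bool]:
        """True: hop count disagrees with the IP2HC entry (likely spoofed).
        False: it agrees. None: source unknown, HCF cannot decide."""
        expected = self.ip2hc.get(pkt.src)
        if expected is None:
            return None
        return abs(infer_hop_count(pkt.ttl) - expected) > self.tolerance

    def filter(self, packets: list[Packet]) -> dict[str, int]:
        """Count packets per verdict."""
        counts = {"accepted": 0, "dropped": 0, "unknown": 0}
        for pkt in packets:
            verdict = self.is_spoofed(pkt)
            if verdict is None:
                counts["unknown"] += 1
            elif verdict:
                counts["dropped"] += 1
            else:
                counts["accepted"] += 1
        return counts


def demo() -> dict[str, int]:
    """Learn two legitimate clients, then filter a mixed traffic sample."""
    hcf = HopCountFilter(tolerance=0)
    hcf.learn("198.51.100.7", ttl=57)    # 64-initial host, 7 hops away
    hcf.learn("203.0.113.9", ttl=115)    # 128-initial host, 13 hops away

    traffic = (
        [Packet("198.51.100.7", 57)] * 3            # genuine client traffic
        + [Packet("203.0.113.9", 115)] * 2
        # Flood forging 198.51.100.7 from an attacker 15 hops away (TTL 49)
        + [Packet("198.51.100.7", 49)] * 50
        # Flood forging 203.0.113.9 from a 255-initial box 9 hops away
        + [Packet("203.0.113.9", 246)] * 40
        + [Packet("192.0.2.5", 250)]                # never seen: undecidable
    )
    return hcf.filter(traffic)


if __name__ == "__main__":
    print(demo())
```

Unknown sources are reported rather than dropped: HCF can only judge addresses it has already learned, which is why the IP2HC table must be populated from traffic that proved its origin (completed handshakes) before the filter is switched on.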
During network transmission, IP packets are broken into smaller fragments, each carrying a copy of the original IP header (with the identification and fragment offset fields) that the destination host uses to reassemble them. A Teardrop attack sends fragments whose offsets overlap so that they cannot fit together; reassembly in the receiving TCP/IP stack becomes very difficult and sometimes fails quickly, crashing the host. To avoid this attack most networks use firewalls that block Teardrop packets, at the cost of discarding all malformed fragments [9]. Even so, a large volume of Teardrop packets can still crash some systems, and many variants such as Targa, SynDrop, Boink, Nestea, Bonk, TearDrop2 and NewTear are available to accomplish this kind of attack.
A SYN Flood occurs when the attacker's machine sends a flood of TCP SYN packets with spoofed source IP addresses. In the TCP three-way handshake each such packet is treated as a connection request, so the server replies with a SYN-ACK and waits for the final ACK from the source address. Because the source is spoofed, that ACK never arrives, leaving half-open connections. These half-open connections fill the server's connection backlog so that it stops responding to legitimate requests.
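The table lists SYN cookies as the PaaS-level defense against this attack. Below is an added Python model of the mechanism (not code from the paper, and simplified relative to any real TCP stack): the server answers every SYN with a sequence number that is a keyed hash of the connection, keeps no half-open state, and only admits a connection when the client echoes that value back. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit truncated HMAC-SHA256), the MSS table and the addresses are assumptions for illustration.

```python
"""SYN cookies: surviving a SYN flood without half-open state.

Added example (not the paper's code). With SYN cookies the server stores
nothing when a SYN arrives. The sequence number it puts in the SYN-ACK is a
keyed hash of the connection 4-tuple, a coarse time counter and the
client's MSS; only a host that actually received the SYN-ACK can echo it
back as ack = ISN + 1, so spoofed SYNs cost the server one reply and no
memory. The 32-bit cookie layout (5-bit counter, 3-bit MSS index, 24-bit
truncated HMAC-SHA256) and the MSS table are assumptions for illustration;
real stacks differ in detail.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values encodable in 3 bits (assumption)
COUNTER_PERIOD = 64                    # seconds per time-counter tick
MAX_COOKIE_AGE = 1                     # accept the current and previous tick only


@dataclass(frozen=True)
class FourTuple:
    saddr: str
    sport: int
    daddr: str
    dport: int


class SynCookieServer:
    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key or secrets.token_bytes(32)
        self.established: list[FourTuple] = []   # only completed handshakes use memory

    @staticmethod
    def _counter(now: float) -> int:
        return int(now // COUNTER_PERIOD) & 0x1F

    def _mac24(self, t: FourTuple, counter: int, mss_idx: int) -> int:
        msg = f"{t.saddr}|{t.sport}|{t.daddr}|{t.dport}|{counter}|{mss_idx}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, t: FourTuple, client_mss: int, now: float) -> int:
        """Answer a SYN: return the SYN-ACK sequence number (the cookie). No state is kept."""
        mss_idx = 0
        for i, mss in enumerate(MSS_TABLE):   # largest table value <= the client's MSS
            if mss <= client_mss:
                mss_idx = i
        counter = self._counter(now)
        return (counter << 27) | (mss_idx << 24) | self._mac24(t, counter, mss_idx)

    def on_ack(self, t: FourTuple, ack: int, now: float) -> Optional[int]:
        """Validate the handshake's final ACK. Returns the negotiated MSS, or None to drop."""
        cookie = (ack - 1) & 0xFFFFFFFF
        counter = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        age = (self._counter(now) - counter) & 0x1F        # modular, so wrap-around is fine
        if age > MAX_COOKIE_AGE:
            return None                                     # stale or fabricated counter
        expected = self._mac24(t, counter, mss_idx).to_bytes(3, "big")
        if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return None                                     # wrong 4-tuple or guessed ack
        self.established.append(t)
        return MSS_TABLE[mss_idx]


def demo() -> dict:
    """Flood the server with spoofed SYNs, then complete one genuine handshake."""
    server = SynCookieServer(key=b"constructed-demo-key")   # fixed key for reproducibility
    now = 1_700_000_000.0
    victim = "198.51.100.10"
    # 10,000 SYNs from forged sources; the SYN-ACKs go to hosts that never answer.
    for i in range(10_000):
        server.on_syn(FourTuple(f"203.0.113.{i % 254 + 1}", 1024 + i, victim, 80), 1460, now)
    half_open = len(server.established)                     # 0: nothing was queued

    client = FourTuple("192.0.2.55", 40000, victim, 80)
    isn = server.on_syn(client, 1400, now)
    return {
        "half_open_after_flood": half_open,
        "legit_mss": server.on_ack(client, (isn + 1) & 0xFFFFFFFF, now + 0.5),
        "guessed_ack": server.on_ack(client, (isn + 2) & 0xFFFFFFFF, now + 0.5),
        "other_port": server.on_ack(FourTuple("192.0.2.55", 40001, victim, 80),
                                    (isn + 1) & 0xFFFFFFFF, now + 0.5),
        "stale": server.on_ack(client, (isn + 1) & 0xFFFFFFFF, now + 3 * COUNTER_PERIOD),
        "established": len(server.established),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in the code: the server forgets the client's TCP options except what fits in the cookie (here, a coarse MSS), and the cookie must expire quickly so that a captured SYN-ACK cannot be replayed later. The `established` list is the only state, and it grows only for handshakes that actually completed.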
A Ping of Death sends a malformed ping to a computer. A normal ping carries a small payload (32 bytes by default on many systems), but the attacker sends a packet whose total reassembled size exceeds the IP protocol's maximum of 65,535 bytes. Handling such an oversized packet disturbs the victim's machine inside the cloud environment and its resources: many operating systems did not know what to do with an oversized packet and crashed or rebooted. Variants of the Ping of Death include jolt, sPING, ICMP bug, IceNewk and Ping o' Death.
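Both Teardrop (above) and Ping of Death abuse IP fragment reassembly, and the table's remedy for both is simply a recent operating system. The following added Python example (not code from the paper) shows the two checks such a stack performs while reassembling: a fragment that would end beyond the 65,535-byte maximum datagram is rejected as a Ping of Death, and fragments whose byte ranges overlap are rejected as a Teardrop. The fragment objects, the 20-byte header assumption and the sample datagrams are constructed for the example.

```python
"""IP fragment reassembly with Teardrop and Ping of Death checks.

Added example (not the paper's code). A hardened IP stack validates
fragments before and during reassembly: a fragment whose end would lie
beyond the 65,535-byte maximum datagram is a Ping of Death, and fragments
whose byte ranges overlap (or leave gaps) are a Teardrop-style malformed
datagram. Fragments are in-memory objects constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535          # 16-bit Total Length field
IP_HEADER_LEN = 20               # assumption: no IP options
MAX_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN


class FragmentError(ValueError):
    """Base class: the datagram must be discarded."""


class PingOfDeath(FragmentError):
    pass


class Teardrop(FragmentError):
    pass


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP Identification, shared by all fragments of one datagram
    offset: int      # Fragment Offset field, in 8-byte units
    more: bool       # More Fragments (MF) flag
    payload: bytes

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


def check_fragment(frag: Fragment) -> None:
    """Per-fragment sanity checks, done before the fragment is queued."""
    if frag.end > MAX_PAYLOAD:
        raise PingOfDeath(f"fragment ends at byte {frag.end}, beyond {MAX_PAYLOAD}")
    if frag.more and len(frag.payload) % 8:
        raise FragmentError("non-final fragment length is not a multiple of 8")
    if not frag.payload:
        raise FragmentError("empty fragment")


def reassemble(frags: list[Fragment]) -> bytes:
    """Rebuild the datagram payload or raise a FragmentError subclass."""
    if not frags:
        raise FragmentError("no fragments")
    ident = frags[0].ident
    for f in frags:
        if f.ident != ident:
            raise FragmentError("fragments belong to different datagrams")
        check_fragment(f)
    ordered = sorted(frags, key=lambda f: f.start)
    buf = bytearray()
    covered = 0                                  # bytes contiguously received so far
    for f in ordered:
        if f.start < covered:
            raise Teardrop(f"fragment at {f.start} overlaps data already covered to {covered}")
        if f.start > covered:
            raise FragmentError(f"gap: bytes {covered}-{f.start} missing")
        buf += f.payload
        covered = f.end
    if any(not f.more for f in ordered[:-1]) or ordered[-1].more:
        raise FragmentError("More Fragments flag inconsistent with fragment order")
    return bytes(buf)


def classify(frags: list[Fragment]) -> str:
    """'ok' if the fragments reassemble cleanly, else the error class name."""
    try:
        reassemble(frags)
        return "ok"
    except FragmentError as exc:
        return type(exc).__name__


# Constructed sample datagrams.
BENIGN = [Fragment(1, 0, True, b"A" * 1480), Fragment(1, 185, False, b"B" * 100)]
# Teardrop: the second fragment's offset (100 * 8 = 800) lands inside the first.
TEARDROP = [Fragment(2, 0, True, b"A" * 1480), Fragment(2, 100, False, b"B" * 400)]
# Ping of Death: a final fragment at offset 8191 (byte 65528) pushes the datagram past 65,535.
PING_OF_DEATH = [Fragment(3, 0, True, b"A" * 1480), Fragment(3, 8191, False, b"C" * 40)]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(name, classify(frags))
```

The Ping of Death check is per fragment and needs no other fragments to fire, which is why it can be enforced by a firewall in front of the host; the Teardrop check needs the other fragments of the same datagram and therefore belongs in the reassembly code of the operating system itself.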
In a buffer overflow attack, the attacker sends executable code to the targeted system in order to overflow a buffer [5]. In this way the victim's machine comes under the attacker's control, and the attacker can then use the infected machine to take part in a cloud-based DDoS attack.
A LAND attack is similar to a ping attack: it uses the land.c program to send modified TCP SYN packets with the victim's IP address in both the source and destination IP fields [2]. The machine then sends the requests to itself and crashes.
DDoS attacks are highly distributed, offensive assaults on the services, hosts and infrastructure of the Internet. The countermeasures table above lists effective mitigation and defense measures for each of these DDoS attacks.
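The table's remedies for the Smurf attack (disable IP directed broadcast on the router, configure the operating system) and for the LAND attack (drop packets whose source equals their destination) are stateless rules that can be stated exactly. The following added Python example, not code from the paper, applies them to constructed packets and, going one step beyond the table, also drops uplink packets that claim a source inside the protected subnet (basic anti-spoofing ingress filtering). The router model, packet fields and addresses are assumptions for illustration.

```python
"""Stateless ingress rules against Smurf and LAND packets.

Added example (not the paper's code). A router refuses to forward packets
from its uplink to the directed-broadcast address of a subnet behind it (so
the subnet cannot serve as a Smurf amplifier), drops any packet whose
source equals its destination (LAND), and, beyond the table, drops uplink
packets claiming a source inside the subnet (anti-spoofing). A host-side
rule ignores ICMP echo requests sent to a broadcast address. All addresses
are documentation ranges; nothing is sent on a network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    kind: str = ""        # "echo-request" for ICMP, "SYN" for TCP


class EdgeRouter:
    """Router with one uplink and one inside subnet."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside = ipaddress.ip_network(inside_prefix)

    def verdict(self, pkt: Pkt, from_uplink: bool) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src == dst:
            return "drop: LAND (source equals destination)"
        if from_uplink and dst == self.inside.broadcast_address:
            return "drop: directed broadcast from uplink (Smurf amplifier)"
        if from_uplink and src in self.inside:
            return "drop: uplink packet with inside source (spoofed)"
        return "forward"


def host_accepts(pkt: Pkt, host_prefix: str) -> bool:
    """OS-side rule: never answer an echo request addressed to the broadcast address."""
    iface = ipaddress.ip_interface(host_prefix)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.proto == "icmp" and pkt.kind == "echo-request" and dst == iface.network.broadcast_address:
        return False
    return True


def demo() -> dict[str, str]:
    router = EdgeRouter("198.51.100.0/24")
    victim = "192.0.2.9"
    samples = {
        # Smurf: the attacker forges the victim as source and pings our broadcast address
        "smurf": (Pkt(victim, "198.51.100.255", "icmp", "echo-request"), True),
        # LAND: a SYN whose source and destination are both our web server
        "land": (Pkt("198.51.100.10", "198.51.100.10", "tcp", "SYN"), True),
        # A forged inside source arriving from the uplink
        "spoof": (Pkt("198.51.100.77", "198.51.100.10", "udp"), True),
        # An ordinary inbound request
        "legit": (Pkt("203.0.113.5", "198.51.100.10", "tcp", "SYN"), True),
        # An inside host pinging the local broadcast address passes the router...
        "local_bcast": (Pkt("198.51.100.20", "198.51.100.255", "icmp", "echo-request"), False),
    }
    results = {name: router.verdict(p, up) for name, (p, up) in samples.items()}
    # ...but a hardened host on the subnet still does not answer it.
    results["host_answers_bcast_ping"] = str(host_accepts(samples["local_bcast"][0], "198.51.100.10/24"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>24}: {verdict}")
```

The router rule protects other people's networks from being used as amplifiers against a victim, while the host rule removes the host itself from the set of responders; both are needed because the attacker may already be inside the subnet.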
DDoS attacks are major threats to the availability of cloud services. Defense and prevention mechanisms against DDoS attacks are not always effective on their own. Combining different mechanisms (load balancing, throttling and honeypots) into hybrid defenses, in particular across the different cloud computing layers, is highly recommended. In this paper various DDoS attacks have been presented, along with the defense mechanisms that counter each type of DDoS attack in the cloud environment.
Like a new virulent strain of flu, the impact of a distributed denial of service (DDoS) attack is very easy to see: you always know when your applications are down. However, obtaining a firm diagnosis quickly is often difficult, and panic usually prevails until experts finally uncover the cause and develop a cure.
Many companies have incorporated DDoS mitigation as part of their disaster recovery plan. However, disaster implies that something unexpected or accidental threatens business continuity. DDoS attacks are deliberate, targeted events occurring on a daily basis. As such, a preparedness plan is essential. Having developed and tested a viable incident response in advance, it is possible to respond quickly and calmly to any attack and minimize any potential operational and financial damage.
Think like a DDoS attacker
Attackers share common behaviors. Typically, they will change attack vectors if they realize that their efforts are beginning to be blocked or they will move on to easier targets if a strong defense is in place. When you think like an attacker, you will start to plan for all possible types of attacks and understand all of the mitigation options at your disposal. Ask yourself: Are all vulnerabilities in the infrastructure protected against attack? If not, make sure any vulnerability is addressed ahead of time.
Don’t rely on your ISP
You may have a great relationship with your ISP, but ISPs are generally not known for their flexibility when providing DDoS protection. Ask the tough questions: If your network is hit with 10 Gbps of traffic from a reflection attack, how long will it take the ISP to block it using an Access Control List (ACL)? More importantly, how large an attack will the ISP attempt to mitigate before it decides to black hole all traffic to your applications upstream? The bottom line is that if an attack on your site puts all of the ISP's customers at risk, the ISP will black hole your traffic, and your site will be down indefinitely. Having a DDoS mitigation solution in place from a proven service provider is therefore the better defense.
Don’t overestimate your infrastructure capabilities
Your current edge network hardware may serve you well during "peacetime" but may easily fail during a DDoS attack if the network edge has been under-resourced. Determine whether your infrastructure has sufficient headroom above its peak requirements and robust networking hardware that can handle extra traffic if needed. In addition, stay up to date on changing DDoS trends and attack sizes (the average size of a DDoS attack was 7 Gbps in early 2015) and confirm that your infrastructure can still withstand new vectors and rising attack volumes.
Ensure operational readiness
How robust is your organizational response to a DDoS attack, and how fast will you be able to respond? The best way to determine operational readiness is through testing and tabletop exercises. A dry-run rehearsal of a simulated attack is an ideal way to validate your mitigation solution and DDoS defense. Once you confirm that all of the processes and procedures for communicating, decision making and solution execution are firmly in place, you can bring this validated solution to executive management with confidence.
Deploy a DDoS solution before you need it
An emergency DDoS mitigation solution can typically be deployed within an hour. However, the best way to avoid site and web application downtime in the first place is to have a DDoS mitigation solution in place before any attack occurs. As part of your incident response plan, this solution gives you the assurance that your Internet-facing network and web applications are already protected by a mitigation provider prepared to defend them.
Communicate with your DDoS mitigation service provider
Engage a cyber security services provider and keep communications flowing. Ask plenty of questions. A good service provider will have best practices for infrastructure discovery, so you’ll know if you have gaps in security, routing leaks, network vulnerabilities you may have missed, and more. Your provider should explain the different approaches to DDoS protection that meet your specific needs – whether network, application, DNS, or IP protection. Establish this dialog before a DDoS emergency hits and you will be well prepared, not panicked, to defend your network. Akamai’s managed services customers are always encouraged to call the Security Operations Center (SOC) when they suspect they may be receiving a DDoS attack.
Keep the DDoS mitigation playbook up-to-date
Collaborate with your security services provider to keep your DDoS mitigation playbook consistently up-to-date and current with all key information, such as the communications tree contacts and names of authorized contacts with the service provider. Do this on a regular basis, as well as when staff members change departments or new people come on board, or a new vendor is added or replaced. In addition, consistently review and update information related to your network’s infrastructure, website, and web applications. Working with current information translates to a faster, more controlled, and calm response to DDoS.
Maintain tight relationships with your vendors
DDoS attacks require a calm, rehearsed response from everyone involved – especially from your security vendor, hosting provider, ISP, and other third-party application providers. Don’t wait until there is a DDoS emergency to start a relationship with your service reps. Build tight relationships now – and incorporate them into your incident response plan – so that they will be ready to calmly respond and know what to do when your emergency call comes in.
Validate. Validate. Validate.
Test and validate your DDoS mitigation solution at least once a year, preferably twice a year, to ensure that the solution is continuing to meet the requirements of your incident response plan. Plus, validation enables quality assurance testing to verify that no systems or applications are being adversely affected while traffic routes over the mitigation infrastructure. This process may also reveal any application or networking issues that can be addressed immediately for optimizing routing in particularly large network infrastructures.