2. Layers in a Cloud Platform
1) Infrastructure as a Service (IaaS)
● The basic layer of the cloud is the infrastructure, IaaS (Infrastructure as a Service).
● This layer is basically hardware and network. What distinguishes it from a regular server or hosting company are mainly two things: scalability and virtualisation.
● The second difference from traditional hosting is virtualisation: a piece of software that virtualises all the hardware. Virtualisation lets the IaaS vendor utilise their computing resources to as high as 90 %, compared to an individual company having its own servers idle most of the time.
3. 2) Platform as a Service (PaaS)
● The second layer of the cloud is the platform, the PaaS (Platform as a Service). The platform layer provides resources to actually build applications.
● In combination with IaaS, PaaS provides the ability to develop, test, run, and host applications.
● The platform layer opens up for third parties to add their software (or integrations) to a cloud service.
● An example of a well-known PaaS is Microsoft Azure. This platform provides developers with swift access to a full development and deployment environment and even lets you host the application you are building.
4. 3) Software as a Service (SaaS)
● The third cloud layer is the actual software (application layer), the SaaS (Software as a Service). SaaS has been used for many years, but in a cloud setting it is the layer in which the user consumes the offering from the service provider.
● The SaaS layer must be web-based and hence accessible from everywhere and preferably on any device. The key is to understand that it makes no sense to ask whether a service is cloud or SaaS, as SaaS is a layer in the cloud stack.
● On the other hand, it is important to understand that the cloud is much more than SaaS, because the other layers, bundled together, make up the whole cloud stack.
Business Process Outsourcing (BPO)
● The top layer of the cloud is Business Process Outsourcing (BPO). As BPO is not technology, there are discussions about whether BPO can be regarded as a cloud layer. But the cloud is more about business models than technology.
● Whereas the other layers of the cloud are concerned with consuming services from a vendor, BPO is about outsourcing services to a vendor, and hence the same logic applies as to the other layers.
5. Classification of DDoS Attacks
All forms of attacks fall under these two categories:
1) Connection-based attack: This type of attack can be carried out through an established connection between a client and a server, using certain connection-oriented protocols.
2) Connection-less attack: An attack that does not require a standard protocol-based session to be formally established before a server can send "data packets" (the basic unit of communication transferred over a digital network) to a client.
6. Major Types of Attack
1) Volumetric Attack: The specific goal of this type of attack is to congest the line with data packets and overwhelm the available bandwidth. Most of these attacks are executed using botnets. A botnet is a group of agent handlers in a DDoS attack that provides the attacker with the ability to wage a much larger and wilder attack than a DoS attack while remaining anonymous on the Internet. It is measured by the number of received bits per second (bps).
2) Protocol Attack: In general, this type of attack focuses on the actual web/DNS/FTP servers, core routers and switches, firewall devices and load balancers (LB), disrupting well-established connections and exhausting the limited number of concurrent sessions those devices can hold. It is measured by the number of received packets per second (PPS).
3) Application Layer Attack: Also known as connection-oriented attacks. Application attacks occur in Layer 7 of the OSI model. Most applications contain many loopholes that leave them vulnerable. This specific type of attack is hard to detect because these sophisticated threats are generated from a limited number of attack machines and produce only a low traffic rate that appears legitimate, so the victim may not realise an attack is underway. It is measured by the number of received requests per second (RPS).
7. How Volumetric Attacks Work On Cloud
● Botnets: Attackers use a network of compromised computers, also
known as a botnet, to flood the target cloud platform with a high
volume of traffic, data or requests.
● Amplification: Attackers may also use amplification techniques to
increase the volume of traffic being sent to the cloud platform.
● Application Layer: In some cases, attackers may target specific
applications running on the cloud platform, rather than the entire
platform.
● Mirai and IoT Devices: One of the most notorious volumetric attacks
in recent years was carried out by the Mirai botnet.
Impact of Volumetric Attack on Cloud Platforms
● Downtime: A volumetric attack can cause a cloud platform to become
overloaded, leading to downtime.
● Slowdown: Even if the platform doesn't go down completely, a
volumetric attack can still slow it down.
● Increased Costs: A volumetric attack can cause an increase in costs
for cloud platforms.
● Data Loss: In some cases, a volumetric attack can result in data loss.
● Reputation Damage: A volumetric attack can also damage the
8. How Protocol Attacks Work On Cloud
● Protocol Exploitation: The attacker identifies vulnerabilities in the
protocols used by the cloud platform, such as TCP/IP or HTTP, and
exploits them to gain unauthorized access to the system.
● Packet Injection: The attacker sends packets of data to the cloud
system that contain malicious code or commands designed to
compromise the system or steal sensitive data.
● Man-in-the-Middle (MITM) Attack: The attacker intercepts the
communication between the cloud platform and its users, allowing
them to eavesdrop on the data being transferred or modify it for their
own purposes.
● DNS Spoofing: The attacker modifies the Domain Name System
(DNS) records used by the cloud platform, redirecting traffic to a fake
website or server under the attacker's control.
Impact of Protocol Attack on Cloud Platforms
● Service Disruption: Protocol attacks can disrupt the normal
functioning of cloud services by causing delays or service outages.
● Data Breaches: Protocol attacks can be used to gain unauthorized
access to sensitive data stored on cloud platforms.
● Resource Exhaustion: Protocol attacks can consume the computing
resources of cloud platforms, such as CPU, memory, and bandwidth,
resulting in denial-of-service (DoS) attacks.
9. How Application Layer Attacks Work On Cloud
● Malicious Requests: The attacker floods the cloud platform to
overwhelm the application layer. These requests may look real,
making them hard to spot.
● Protocol Manipulation: By manipulating cloud platform protocols
like HTTP or HTTPS, the attacker exploits application layer
vulnerabilities.
● Session Hijacking: An attacker hijacks a user session to access the
cloud platform. The attacker can change data, steal sensitive
information, or commit other crimes.
● Distributed Application Layer Attacks: A botnet is used to attack the
cloud platform's application layer. This can cause serious damage.
● Brute Force Attacks: The attacker frequently guesses passwords or
other authentication credentials to access the cloud platform.
Impact of Application Layer Attack on Cloud Platforms
● Service Interruptions: Cloud platforms can be downed by application
layer attacks. Productivity, revenue, and consumer confidence can
suffer.
● Breach of Information: Application layer attacks can undermine
cloud data privacy and integrity. Attackers can intercept, change, or
steal data, causing financial, legal, and reputational harm.
● Loss of Credibility: Application layer attacks can tarnish cloud
platforms. Downtime, data breaches, and other security issues can
damage customer trust and income.
10. TECHNIQUES FOR MONITORING TRAFFIC
● Network traffic monitoring: This technique involves analyzing
network traffic to identify unusual patterns, such as an
unusually high volume of traffic from a particular IP address or
network.
● Anomaly detection: This technique involves using machine
learning algorithms to identify abnormal traffic patterns. The
system learns what "normal" traffic looks like and then raises
an alert when it detects traffic that deviates significantly from
the norm.
● Signature-based detection: This technique involves using
predefined signatures to detect known DDoS attack methods.
The system looks for specific patterns in the traffic that match
the signature of a known attack.
● Behavioral analysis: This technique involves monitoring the
behavior of individual users or devices to detect unusual
activity.
● Flow-based analysis: This technique involves analyzing network
flows to identify patterns that are indicative of DDoS attacks.
● Packet inspection: This technique involves analyzing the
contents of individual packets to identify malicious traffic.
11. NETWORK TRAFFIC ANALYSIS
● An increase in traffic volume: DDoS attacks typically involve a large
volume of traffic directed at a target website or server. By monitoring
network traffic, it is possible to detect sudden increases in traffic
volume that may indicate a DDoS attack.
● An increase in traffic from a specific IP address or network: DDoS
attacks often use multiple compromised devices or computers to
generate traffic. By monitoring network traffic, it is possible to detect
sudden increases in traffic from a particular IP address or network
that may indicate a DDoS attack.
● An increase in traffic from a specific port: DDoS attacks often target
specific ports used by web servers or other online services. By
monitoring network traffic, it is possible to detect sudden increases
in traffic to a particular port that may indicate a DDoS attack.
● An increase in traffic with a specific protocol: DDoS attacks often
use specific protocols to generate traffic. By monitoring network
traffic, it is possible to detect sudden increases in traffic using a
particular protocol that may indicate a DDoS attack.
12. ANOMALY DETECTION
● Establishing a baseline: Before anomaly detection can be
used to detect potential DDoS attacks, a baseline of normal
network behavior needs to be established. This baseline is
typically created by analyzing network traffic over a period of
time and identifying normal traffic patterns.
● Identifying anomalies: Once a baseline of normal network
behavior has been established, it is possible to identify
anomalies in network traffic. Anomalies may include sudden
spikes in traffic volume, unusual traffic patterns, or traffic from
suspicious IP addresses or networks.
● Analyzing anomalies: Once anomalies have been identified,
they need to be analyzed to determine whether they represent
potential DDoS attacks. This may involve comparing anomalies
to known DDoS attack patterns, analyzing the source and
destination of traffic, and determining whether traffic is
consistent with normal user behavior.
● Responding to anomalies: Once potential DDoS attacks have
been identified, appropriate action needs to be taken to mitigate
them. This may include blocking traffic from suspicious IP
addresses or networks, redirecting traffic to other servers, or
deploying additional resources to handle increased traffic
volume.
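As an added example (not part of the original slides), the baseline-then-deviation logic of this slide combined with the per-source, per-port and per-protocol indicators of the NETWORK TRAFFIC ANALYSIS slide, run over constructed flow records; the record layout, thresholds and IP addresses are assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Flow record: (second, src_ip, dst_port, protocol, packets, bytes). All values are constructed.
NORMAL = [(s, f"203.0.113.{i}", p, "tcp", 10 + s % 3, 8000)
          for s in range(10) for i, p in enumerate((443, 80, 22, 8443, 25), start=1)]
# Constructed attack second: 200 flows from three sources, all UDP to port 53.
ATTACK = [(10, f"198.51.100.{i % 3 + 1}", 53, "udp", 500, 600000) for i in range(200)]

DIMS = {"source": 1, "port": 2, "protocol": 3}   # index of each key in a flow record

def shares(flows):
    """Fraction of packets carried by each source, port and protocol."""
    total = sum(f[4] for f in flows)
    out = {}
    for name, idx in DIMS.items():
        c = Counter()
        for f in flows:
            c[f[idx]] += f[4]
        out[name] = {k: v / total for k, v in c.items()}
    return out

def build_baseline(flows):
    """Learn normal packets/s and bits/s (mean, stdev) plus the normal traffic shares."""
    per_sec = defaultdict(lambda: [0, 0])
    for f in flows:
        per_sec[f[0]][0] += f[4]
        per_sec[f[0]][1] += f[5] * 8
    pps, bps = zip(*per_sec.values())
    return {"pps": (mean(pps), pstdev(pps)), "bps": (mean(bps), pstdev(bps)),
            "shares": shares(flows)}

def detect(flows, base, k=3.0, jump=0.3):
    """Flag each second whose volume exceeds mean + k*stdev, or in which one source,
    port or protocol gains more than `jump` of the packet share it had in the baseline."""
    by_sec = defaultdict(list)
    for f in flows:
        by_sec[f[0]].append(f)
    findings = []
    for sec, fl in sorted(by_sec.items()):
        reasons = []
        for name, value in (("pps", sum(f[4] for f in fl)), ("bps", sum(f[5] for f in fl) * 8)):
            mu, sd = base[name]
            if value > mu + k * sd:
                reasons.append(f"{name} {value} exceeds baseline {mu:.0f}+{k}*{sd:.0f}")
        for name, cur in shares(fl).items():
            for key, share in cur.items():
                if share - base["shares"][name].get(key, 0.0) > jump:
                    reasons.append(f"{name} {key} carries {share:.0%} of packets")
        if reasons:
            findings.append((sec, reasons))
    return findings
```

Each finding lists every indicator that fired for that second, so the analysis step can see whether a volume spike also coincides with a new source, port or protocol taking over the traffic mix.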
13. INCIDENT RESPONSE
❖ Detection: The first step in incident response is to detect the
DDoS attack.
❖ Notification: Once a DDoS attack has been detected, it is
important to notify relevant stakeholders, such as IT staff,
security personnel, and business leaders, about the attack.
❖ Assessment: After notification, an assessment of the DDoS
attack should be carried out to determine the nature and scope
of the attack.
❖ Mitigation: Once the DDoS attack has been assessed,
appropriate mitigation measures should be implemented.
❖ Monitoring: After mitigation, it is important to continue
monitoring the network for any signs of continued DDoS
activity. This may involve ongoing traffic analysis and
monitoring, as well as regular security audits and testing.
❖ Analysis: After the attack has been mitigated, a post-incident
analysis should be carried out to identify any weaknesses in the
organization's security posture and incident response
capabilities, and to develop a plan to address these
weaknesses.
14. CLOUD DDOS MITIGATION
This cloud DDoS mitigation service uses over 20 different mitigation
and analysis technologies, but the main forms of defence can be
broken down into two main key areas:
Proxy Protection Service:
This is a DNS redirection on-demand service for HTTP/HTTPS traffic that provides rapid DDoS protection when your domain or website is under attack. When deployed, traffic for your domain is attracted to the nearest online scrubbing centre, where it is either verified and passed through or silently terminated, depending on the legitimacy of the traffic. The service provider acts as an intermediary for all communication during a period of attack. Patterns of traffic are analysed and managed across a common profile of all customers to optimise the service's performance. A simple DNS name-to-IP-address remapping is all that is required to set this solution up.
15. CLOUD DDOS MITIGATION
Routed Protection Service:
This is a routing service that provides complete protection of all forms of IP traffic, not just HTTP/HTTPS. Services and routers are connected via a virtual tunnel. BGP is used to communicate network routes from you to the service provider, who then uses this information to activate or deactivate the service as needed. When there is an attack and the service is active, your network routes are advertised to the service provider, which then attracts all incoming traffic bound for your network towards the nearest global scrubbing centre. Traffic is then cleaned and forwarded over the virtual tunnel. Traffic outbound from your sites is sent out over your normal upstream ISPs, minimising the impact on your normal traffic patterns. Larger-volume sites can make use of a dedicated MPLS connection to the service.