
Ntxissacsc5 yellow 7 protecting the cloud with cep

NTXISSACSC5



  1. NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5
     Protecting the Cloud Computing Environment with CEP Shield against DDoS Attacks
     Venkatesan Pillai (aka VP), Cybersecurity Practitioner & Instructor, Way11 Consulting, 11/10/2017
  2. Bio
     • Cybersecurity Practitioner & Instructor
     • Specialized in Network Security, Data Security & Application Security
     • Independent Technology Evaluator
     • Cybersecurity Instructor @ Collin College
     • Served as a member of the EC-Council review board
     • Working group member of Healthcare cybersecurity
  3. Outline
     • Introduction
     • Problem
     • Objectives
     • Existing System
     • Proposed System
     • Implementation
     • References
  4. Introduction
     • The cloud computing environment is the most popular business model adopted by organizations worldwide.
     • As cloud deployment has increased in recent years, there has been a paradigm shift, with attackers taking advantage of cloud resources for unintended purposes.
     • DDoS is one of the security attacks in the cloud that needs efficient detection and prevention mechanisms.
  5. Top Cloud Threats (figure)
  6. DDoS Targets (pie chart; source: Q2 2016 DDoS Trends Report by Verisign; slices of 45%, 23% and 14%, slice labels not recoverable)
  7. DDoS Attacks (figure; years shown: 2013, 2015, 2016)
  8. Problem
     • The cloud environment is exposed to threats, and the security risk is very high when virtual machine patches are not applied frequently.
     • Anomalies in the computing environment affect the normal functioning of cloud services.
  9. Objectives
     • Develop a DDoS detection system with high detection accuracy.
     • Respond to the attack traffic with a fast response time.
  10. DDoS Attack Taxonomy
      DDoS Attack
        • Bandwidth Depletion Attacks
          • Flood Attack: ICMP Attack; UDP Attack (Specified Port, Random Port)
          • Amplification Attack: Smurf; Fraggle; Direct; Loop
        • Resource Depletion Attacks
          • Protocol Exploit Attack: TCP SYN; PUSH-ACK
          • Malformed Packet Attack: IP Address; IP Packet Options
      Source: B. Prabadevi and N. Jeyanthi, "Distributed Denial of Service Attacks and its Effects in Cloud Environment: a Survey", IEEE, 2014
  11. Cloud Attacks
      • Browser level attacks: 1. Cache poisoning; 2. Hidden field manipulation; 3. SQL injection attacks; 4. Man-in-the-middle attacks; 5. Cloud malware injection attack
      • Application level attacks: 1. Backdoor and debug options; 2. CAPTCHA breaking; 3. Google hacking; 4. Cross site scripting attack; 5. Hypervisor level attacks; 6. Dictionary attack
      • Network level attacks: 1. Sybil attack; 2. BGP prefix hijacking; 3. Port scanning; 4. DNS attacks; 5. Sniffer attacks; 6. Amplification attack; 7. Reflector attack; 8. Smurf attack; 9. Bandwidth attack; 10. ICMP flood
      • Server level attacks: 1. DoS attacks; 2. DDoS attack; 3. XML signature element wrapping
      Source: B. Prabadevi and N. Jeyanthi, "Distributed Denial of Service Attacks and its Effects in Cloud Environment: a Survey", IEEE, 2014
  12. Cloud Attacks
      | Attack Type | Definition | Detection/Prevention technique |
      |---|---|---|
      | VM level attacks | Vulnerabilities in the hypervisor | Advanced cloud protection system |
      | Bandwidth attack | Consumes target resources | MULTOPS detects disproportional packets, both incoming and outgoing |
      | ICMP flood | Variation of bandwidth due to ICMP packets | ScreenOS |
      | Amplification attack | Induces the device to generate large responses | High performance OS, load balancer, rate limiting |
      | Reflector attack | Third parties bounce the traffic from the attacker | Deterministic edge router marking |
  13. Cloud Attacks
      | Attack Type | Definition | Detection/Prevention technique |
      |---|---|---|
      | SMURF | ICMP echo request to generate DoS attacks | Ingress filtering |
      | DNS attack | DNS server name poisoning | Radware carrier solution, DNS Security Extensions |
      | BGP prefix hijacking | Flawed announcement about the IP addresses in an Autonomous System (AS) is made | Autonomous security system |
      | Port scanning | Due to open ports | Encrypted security ports, firewall against port attacks |
      | Sniffer attack | Data loss by capturing sensitive data transferred over the transmission channel | Detection based on ARP and RTT |
  14. Cloud Attacks
      | Attack Type | Definition | Detection/Prevention technique |
      |---|---|---|
      | Issue of reused IP | Remains in the DNS cache memory after each insertion, and when it is assigned to a new user | DNS cache cookies need to be cleared |
      | Cookie poisoning | Impersonates the legitimate user | Encryption, web application firewall |
      | Hidden field manipulation | Retrieves contents in the hidden fields of a web page | Security policies and session token |
      | SQL injection attacks | Malicious SQL query | Parametrized queries |
      | Man-in-the-middle | Overhears the information in the communication channel | Encryption |
  15. Cloud Attacks
      | Attack Type | Definition | Detection/Prevention technique |
      |---|---|---|
      | Cloud malware injection attack | Malicious code in the cloud | Utilization of the file allocation table |
      | Backdoor and debug options | Unauthorized use of the website in debug mode to hack the website | Should be disabled after use |
      | CAPTCHA breaking | Audio system to track the CAPTCHA | Increase string length |
      | Cross site scripting | Disguising the script in the URL | Active content filtering; content based data leakage prevention |
      | Dictionary attack | Possible word combinations for successful decryption of the data residing in/flowing over the network | Encryption, challenge-response system |
  16. Cloud Attacks
      | Attack Type | Definition | Detection/Prevention technique |
      |---|---|---|
      | Sybil attack | Malicious code in the cloud | Firewall |
      | Google hijacking | Sensitive information through Google search | Standard security |
      | DoS | Number of requests that exceeds the server capacity | IDS |
      | DDoS | DoS attack with multiple nodes | IDS |
      | XML signature element wrapping | Hacker changes the message and signature value in an XML document | Digital signature |
  17. IP Spoofing (figure)
      Source: Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", IEEE, pp. 67-71, 2013
  18. SYN Flooding (figure)
      Source: Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", IEEE, pp. 67-71, 2013
  19. SMURF (figure)
      Source: Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", IEEE, pp. 67-71, 2013
  20. Ping of Death (figure)
      Source: Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", IEEE, pp. 67-71, 2013
  21. Land (figure)
      Source: Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", IEEE, pp. 67-71, 2013
  22. Existing System
      | Type of Attack | External | Internal | Defense Mechanism | Disadvantages |
      |---|---|---|---|---|
      | IP Spoofing | ✓ | ✓ | Hop count filtering in PaaS | IP2HC table can be built by the attacker |
      | | | | Trust based in IaaS | |
      | SYN Flooding | ✓ | ✓ | SYN cache in PaaS | Increased latency |
      | | | | SYN cookies in PaaS | Low performance of the cloud |
      | | | | Reduced time in SYN-Rx in PaaS | Possibility of legitimate packet dropping |
      Source: Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", IEEE, pp. 67-71, 2013
  23. Existing System
      | Type of Attack | External | Internal | Defense Mechanism | Disadvantages |
      |---|---|---|---|---|
      | SYN Flooding | ✓ | ✓ | Filtering in IaaS | Not reliable |
      | | | | Firewall in PaaS | Performance of the cloud is affected |
      | | | | Monitoring in IaaS | Possibility of legitimate packet dropping |
      | SMURF | ✓ | ✓ | Configuring virtual machines in PaaS | |
      | | | | Configuring network resources in IaaS | |
      Source: Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", IEEE, pp. 67-71, 2013
  24. Existing System
      | Type of Attack | External | Internal | Defense Mechanism | Disadvantages |
      |---|---|---|---|---|
      | Buffer overflow | ✓ | ✓ | Analysing static and dynamic code in SaaS | Time consumption |
      | | | | Array bound checking in SaaS | |
      | | | | Runtime instrumentation in SaaS | |
      | Ping of death, Land, Teardrop | ✓ | ✓ | Layered filtering | Attack may propagate to other layers if it is unnoticed in the previous layers |
      Source: Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", IEEE, pp. 67-71, 2013
  25. Complex Event Processing
      • Complex event processing, or CEP, is an event processing method that combines information from multiple sources to understand an event or a pattern.
      • In networked systems, the event correlation technique analyses the large volume of events and detects attacks from event patterns.
      • CEP can link low-level events of low significance to high-level events of high criticality.
      • CEP is the aggregation of multiple simple events into a complex event.
      (figure: Event → CEP → Action)
  26. Complex Event Processing
      (figure: Event Sources (system, processes and sensors) → CEP Engine → Event Output (alerts and triggered actions))
      CEP Query (as written on the slide): Select src.IP and dest.IP where pkt.cnt > threshold #window time 30s
  27. CEP Applications
      • Monitoring and security
      • Object and inventory tracking
      • Financial trading
      • Fraud detection
  28. Proposed System
      (architecture figure; components: Event Sources, Event Tracking, Event Detection, Event Processing, Prediction Analysis, Statistical Data, Event Patterns, Knowledge Base, GUI)
  29. Proposed System
      • Cloud Dataset: A cloud environment is used to generate DDoS attack traffic, with selected virtual machines installed with DDoS attack tools sending flooding packets against the target.
      • DDoS Detection: Traffic parameters such as source address, source port, protocol, destination address and destination port are fed into the CEP engine to classify attack and legitimate sources.
      • DDoS Response: The alerts contain the source IPs that need to be blocked immediately. The block list is passed to the attack response system to block the attack traffic.
  30. Implementation
      • OpenStack Cloud
      • Esper engine
      • Machine learning algorithms
  31. Metrics
      • Memory usage
      • CPU utilization
      • Bandwidth
      • Response time
      • Availability
  32. Future Directions
      • Collaborative detection system for DDoS attacks using learning algorithms
  33. References
      • https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
      • https://blog.verisign.com/security/verisign-q2-2016-ddos-trends-layer-7-ddos-attacks-a-growing-trend/
      • http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle
      • https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
      • http://www.theregister.co.uk/2015/12/17/hackers_threaten_xbox_live_psn
      • http://www.darkreading.com/attacks-breaches/wave-of-ddos-attacks-down-cloud-based-services/d/d-id/1269614, November 6, 2014
  34. References
      • http://www.infosecurity-magazine.com/news/ddos-ers-launch-attacks-from-amazon-ec2/
      • https://blogs.microsoft.com/cybertrust/2014/02/06/threats-in-the-cloud-part-2-distributed-denial-of-service-attacks/
      • http://www.darkreading.com/attacks-and-breaches/bank-attackers-restart-operation-ababil-ddos-disruptions/d/d-id/1108955?
  35. Contact
      Email: Venkatesan.P@Outlook.com
      www.linkedin.com/in/venkatesanpillai/
  36. Thank you
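The windowed CEP query on slide 26 (select the source and destination where the packet count over a 30 s window exceeds a threshold) and the detection/response flow on slide 29 (traffic parameters in, alerts and a block list out), carried through as an added Python example. This is not code from the deck and not the Esper engine's EPL; the event field names, the threshold of 100 packets, and the sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketEvent:
    """One packet summary as fed to the CEP engine (field names are assumed)."""
    ts: float        # event time in seconds on a constructed clock
    src_ip: str
    src_port: int
    proto: str
    dst_ip: str
    dst_port: int


class FloodDetector:
    """Sliding-window packet counter keyed by (src_ip, dst_ip).

    Emits one alert when the count inside the window first exceeds the
    threshold and re-arms once the count falls back below it, so a
    sustained flood does not raise an alert for every single packet.
    """

    def __init__(self, window_seconds: float = 30.0, threshold: int = 100):
        self.window = window_seconds
        self.threshold = threshold
        self._times = defaultdict(deque)   # key -> timestamps still inside the window
        self._alerted = set()              # keys currently above threshold

    def process(self, ev: PacketEvent):
        key = (ev.src_ip, ev.dst_ip)
        q = self._times[key]
        q.append(ev.ts)
        # Expire timestamps that have left the window (the slide's "#window time 30s").
        while q and ev.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:        # the slide's "pkt.cnt > threshold"
            if key not in self._alerted:
                self._alerted.add(key)
                return {"src_ip": ev.src_ip, "dst_ip": ev.dst_ip,
                        "pkt_cnt": len(q), "ts": ev.ts}
        else:
            self._alerted.discard(key)
        return None


def run_detection(events, window_seconds=30.0, threshold=100):
    """Feed events in time order; return (alerts, block_list).

    The block list is the sorted set of alerted source IPs, i.e. what
    slide 29 hands to the attack response system.
    """
    det = FloodDetector(window_seconds, threshold)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = det.process(ev)
        if alert is not None:
            alerts.append(alert)
    block_list = sorted({a["src_ip"] for a in alerts})
    return alerts, block_list


def sample_traffic():
    """Constructed traffic against one target (documentation/private addresses):
    a legitimate client, a flooding source, and a steady source whose total
    packet count is large but never exceeds the threshold inside one 30 s window."""
    target = "10.0.0.5"
    events = []
    for i in range(20):                    # legitimate: 20 packets over 60 s
        events.append(PacketEvent(1000.0 + 3 * i, "192.0.2.10", 40000 + i, "TCP", target, 443))
    for i in range(150):                   # flood: 150 packets inside 10 s
        events.append(PacketEvent(1005.0 + i / 15, "198.51.100.7", 50000 + i, "UDP", target, 53))
    for i in range(120):                   # steady: 1 packet/s for 120 s (at most 31 per window)
        events.append(PacketEvent(1000.0 + i, "203.0.113.9", 41000, "TCP", target, 80))
    return events


if __name__ == "__main__":
    found, blocked = run_detection(sample_traffic())
    for a in found:
        print(f"ALERT src={a['src_ip']} dst={a['dst_ip']} pkt_cnt={a['pkt_cnt']} at t={a['ts']:.2f}")
    print("block list:", blocked)
```

Two design points follow from the slides. The steady source shows why the window matters: its 120 packets would trip a plain per-source counter, but only a burst that fits inside the 30 s window crosses the threshold, which keeps a legitimate long-lived client off the block list. The re-arm logic means the response system receives one block entry per flood rather than one per packet, which is what keeps the response time on slide 9 low when the CEP engine is handling a high event rate.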
