In the previous post we discussed the major attacks on cloud computing and their countermeasures. In this post we look at one of the most important of them, the DDoS attack, and its prevention and detection techniques.
Distributed denial-of-service (DDoS) attacks are among the biggest threats faced by Internet users and cloud computing services, so we examine the effects of DDoS attacks and the defense mechanisms against their different types in a cloud computing environment.
Distributed denial-of-service (DDoS) attacks affect all layers of the cloud system (IaaS, PaaS and SaaS) and can occur internally or externally.
An internal cloud-based DDoS attack occurs inside the cloud system, essentially in the PaaS and IaaS layers.
An external cloud-based DDoS attack originates from outside the cloud environment and targets cloud-based services, affecting their availability. The layers of the cloud system most affected by an external DDoS attack are the SaaS and PaaS layers.
The two major types are bandwidth-based and resource-based attacks. Both aim to consume the entire bandwidth or the resources of the network being attacked.
A. Bandwidth Depletion Attacks:
This type of attack consumes the bandwidth of the victim or target system by flooding it with unwanted traffic so that legitimate traffic cannot reach the victim network. Bandwidth depletion attacks are further categorized as:
- Flooding Attacks
- Amplification Attacks
- Flood Attacks:
This attack is launched by an attacker who, with the help of zombies, sends a large volume of traffic to the victim and clogs up the victim's network bandwidth with IP traffic. It is usually carried out with UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) packets.
In this attack, the attacker sends a large number of UDP packets or ICMP ECHO REPLY (ping) packets to the victim's system with the help of zombies.
The aim of this attack is to deplete the available bandwidth so that legitimate users are not serviced. Other variations of this attack include fragmentation, DNS flood, VoIP flood and media data flood attacks.
- Amplification Attacks:
The attacker sends a large number of packets to a broadcast IP address, which in turn causes the systems in the broadcast address range to send replies to the victim system, resulting in a flood of malicious traffic. This kind of DDoS attack can be launched either by the attacker directly or with the help of zombies. The well-known attacks of this kind are the Smurf and Fraggle attacks. The Fraggle attack is a variation of the Smurf attack in which UDP echo packets are sent to ports that support character generation.
A variant of these attacks is the reflector attack, which uses a set of reflectors to accomplish the same task.
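The two bandwidth depletion patterns above leave a measurable trace at the victim's edge: a spike in inbound packets per second, and (for Smurf-, Fraggle- and reflector-style attacks) replies arriving for requests the victim never sent. The following Python detector is an added example, not code from the original post; it works over constructed ICMP echo records and assumes a protected network of 10.0.0.0/24 and the thresholds given as defaults.

```python
import ipaddress
from collections import defaultdict

# Assumed victim network (constructed for this example).
PROTECTED_NET = ipaddress.ip_network("10.0.0.0/24")


def build_sample_packets():
    """Constructed packet records: (timestamp_s, src_ip, dst_ip, kind).
    kind is 'echo_request' or 'echo_reply'; the traffic is invented, not captured."""
    pkts = [
        # Legitimate: 10.0.0.5 pings 203.0.113.7 once and receives one reply.
        (0.00, "10.0.0.5", "203.0.113.7", "echo_request"),
        (0.05, "203.0.113.7", "10.0.0.5", "echo_reply"),
    ]
    # Smurf-style reflection: 30 hosts on 198.51.100.0/24 answer a request that was
    # forged in 10.0.0.9's name, so 10.0.0.9 receives replies it never asked for.
    for i in range(30):
        pkts.append((1.0 + i * 0.03, f"198.51.100.{i + 1}", "10.0.0.9", "echo_reply"))
    pkts.sort(key=lambda p: p[0])
    return pkts


def detect_floods(packets, protected_net=PROTECTED_NET, window=1.0,
                  pps_threshold=20, unsolicited_threshold=10):
    """Return a per-host report with the peak inbound packet rate and the number of
    ICMP echo replies that no internal host had solicited."""
    requested = set()                      # (internal_host, peer) pairs seen pinging out
    unsolicited = defaultdict(int)         # internal_host -> replies with no matching request
    buckets = defaultdict(lambda: defaultdict(int))  # internal_host -> window index -> packets
    for ts, src, dst, kind in packets:
        src_inside = ipaddress.ip_address(src) in protected_net
        dst_inside = ipaddress.ip_address(dst) in protected_net
        if src_inside and kind == "echo_request":
            requested.add((src, dst))
        elif dst_inside and not src_inside:
            buckets[dst][int(ts // window)] += 1
            if kind == "echo_reply" and (dst, src) not in requested:
                unsolicited[dst] += 1
    report = {}
    for host, counts in buckets.items():
        peak = max(counts.values())
        alerts = []
        if peak >= pps_threshold:
            alerts.append(f"{host}: {peak} inbound packets in one {window:g}s window")
        if unsolicited[host] >= unsolicited_threshold:
            alerts.append(f"{host}: {unsolicited[host]} unsolicited echo replies (reflection)")
        report[host] = {"peak_pps": peak,
                        "unsolicited_replies": unsolicited[host],
                        "alerts": alerts}
    return report


if __name__ == "__main__":
    for host, info in detect_floods(build_sample_packets()).items():
        print(host, info)
```

The unsolicited-reply count is what separates a reflected flood from a plain volumetric one: a UDP or ICMP flood sent straight from zombies trips only the rate threshold, while a Smurf-style attack trips both, which tells the responder to look for the broadcast network being abused rather than only the apparent sources.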
B. Resource Depletion Attacks:
A DDoS resource depletion attack is aimed at exhausting the victim system's resources so that legitimate users are not serviced. The types of resource depletion attacks are:
1. Protocol Exploit Attacks: The goal of these attacks is to consume a surplus quantity of the victim's resources by exploiting a specific feature of a protocol running on the victim. TCP SYN attacks are the best-known example of this type. Other examples of protocol exploit attacks are the PUSH + ACK attack, the authentication server attack and the CGI request attack.
2. Malformed Packet Attacks: A malformed packet is a packet wrapped with malicious information or data. The attacker sends such packets to the victim to crash it. This can be done in two ways:
IP Address attack: The malformed packet carries the same source and destination IP address, which confuses the victim's operating system. This rapidly slows down and crashes the victim.
IP packet options attack: Every IP packet has optional fields for carrying additional information, and this attack uses those fields to build the malformed packet. The optional fields are filled by setting all the quality-of-service bits to one, so the victim spends additional time processing each packet. The attack is more damaging when launched from more than one zombie.
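Both resource depletion classes can be caught at the victim before they cost much: malformed packets by a sanity check that runs before any protocol state is allocated, and SYN-style protocol exploits by counting handshakes that never complete. The following Python code is an added example, not from the original post. It models packets with a small dataclass, treats an IP options field made only of 0xFF bytes as the "all quality-of-service bits set to one" case (a simplification; a real parser would decode the option headers), and assumes a protected network of 10.0.0.0/24 and a half-open threshold of 20.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed victim network (constructed for this example).
PROTECTED_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str            # "tcp" or "other"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flag letters: "S" = SYN, "A" = ACK, "R" = RST
    ip_options: bytes = b""


def malformed_reasons(pkt):
    """Checks for the two malformed-packet shapes described above.
    The IP-options check treats an options field consisting only of 0xFF bytes
    as 'all bits set'; a real parser would decode the option type/length fields."""
    reasons = []
    if pkt.src == pkt.dst:
        reasons.append("source address equals destination address")
    if pkt.ip_options and all(b == 0xFF for b in pkt.ip_options):
        reasons.append("IP options padded with every bit set")
    return reasons


def analyze(packets, half_open_threshold=20, protected_net=PROTECTED_NET):
    """Drop malformed packets and track TCP handshakes that never complete.
    Returns the malformed packets, half-open counts per service and any alerts."""
    half_open = {}          # (src, sport, dst, dport) -> time the SYN arrived
    malformed = []
    for p in packets:
        reasons = malformed_reasons(p)
        if reasons:
            malformed.append((p.src, p.dst, reasons))
            continue         # never reaches the connection table
        if p.proto != "tcp" or ipaddress.ip_address(p.dst) not in protected_net:
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            half_open[key] = p.ts            # SYN seen, waiting for the client's ACK
        elif key in half_open and ("A" in p.flags or "R" in p.flags):
            del half_open[key]               # handshake completed or torn down
    per_service = Counter((k[2], k[3]) for k in half_open)
    alerts = [f"{dst}:{port} has {n} half-open connections"
              for (dst, port), n in per_service.items() if n >= half_open_threshold]
    return {"malformed": malformed, "half_open": dict(per_service), "alerts": alerts}


def build_sample_packets():
    """Constructed traffic (not captured)."""
    pkts = [
        Packet(0.0, "203.0.113.7", "10.0.0.9", "tcp", 40001, 443, "S"),
        Packet(0.1, "203.0.113.7", "10.0.0.9", "tcp", 40001, 443, "A"),   # genuine handshake completes
        Packet(0.2, "10.0.0.9", "10.0.0.9", "tcp", 443, 443, "S"),        # source == destination
        Packet(0.3, "198.51.100.200", "10.0.0.9", "other", ip_options=b"\xff" * 8),
    ]
    # 25 sources each leave a SYN dangling against port 443
    for i in range(25):
        pkts.append(Packet(1.0 + i * 0.01, f"198.51.100.{i + 1}", "10.0.0.9",
                           "tcp", 50000 + i, 443, "S"))
    return pkts


if __name__ == "__main__":
    print(analyze(build_sample_packets()))
```

The order of the checks is the point: the malformed-packet test costs a few comparisons and runs first, so a stream of such packets never allocates connection state, and the half-open table only grows for well-formed SYNs. In production the table also needs a time-based expiry, which is what SYN cookies or a short SYN-RECEIVED timeout provide on real stacks.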
ATTACK PREVENTION TECHNIQUES:
- Challenge Response: effective and usable methods that use puzzles to distinguish humans from bots
- Hidden Servers/Ports: the service is offered to legitimate users while no direct connection is established with the real server in the first instance
- Ingress filtering: stops incoming packets that carry an illegitimate source address
- Egress filtering: allows only packets with a valid IP address in the network's assigned range to leave the network
- Restrictive Access: admission control; instead of blocking or dropping, responses are prioritized for different classes of users
- Resource Limit: limits economic losses by restricting the maximum resources a virtual machine may use
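Ingress and egress filtering are the two prevention techniques above that reduce to a pure address test, so they are easy to show in code. The following Python functions are an added example, not from the original post; they assume a tenant network of 10.0.0.0/24 and a constructed list of non-routable ranges, and they return a decision with a reason so the outcome can be logged.

```python
import ipaddress

# Assumed address block assigned to the tenant network (constructed for this example).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

# Ranges that can never be a legitimate source on a packet arriving from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_decision(src_ip, internal_net=INTERNAL_NET, bogons=BOGON_NETS):
    """Inbound packet: drop if its claimed source could not legitimately reach us from outside."""
    src = ipaddress.ip_address(src_ip)
    if src in internal_net:
        return "drop", "source claims to be inside our own network"
    for net in bogons:
        if src in net:
            return "drop", f"source in non-routable range {net}"
    return "accept", "routable external source"


def egress_decision(src_ip, internal_net=INTERNAL_NET):
    """Outbound packet: let it leave only if it carries one of our own addresses."""
    if ipaddress.ip_address(src_ip) in internal_net:
        return "accept", "source within assigned range"
    return "drop", "source outside assigned range (forged)"


def filter_packets(packets):
    """packets: iterable of (direction, src_ip, dst_ip), direction 'in' or 'out'.
    Returns a list of (direction, src_ip, dst_ip, decision, reason)."""
    results = []
    for direction, src, dst in packets:
        if direction == "in":
            decision, reason = ingress_decision(src)
        elif direction == "out":
            decision, reason = egress_decision(src)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        results.append((direction, src, dst, decision, reason))
    return results


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    ("in", "203.0.113.7", "10.0.0.9"),       # ordinary external client
    ("in", "10.0.0.5", "10.0.0.9"),          # arrives from outside but claims an internal source
    ("in", "192.168.1.20", "10.0.0.9"),      # private range, cannot be routed to us
    ("out", "10.0.0.5", "203.0.113.7"),      # our host talking out
    ("out", "198.51.100.3", "203.0.113.7"),  # leaving with a source that is not ours
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
```

Ingress filtering protects the tenant from forged packets coming in; egress filtering protects everyone else from the tenant's own compromised hosts being used as zombies with forged sources, which is why cloud providers apply it at the virtual switch regardless of what the guest does.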
ATTACK DETECTION TECHNIQUES:
- Anomaly detection: detects attacks by recognizing abnormal behavior or anomalies in the performance of the system
- Misuse detection: detects DDoS attacks by maintaining a database of well-known signatures or patterns of exploits
- Source and Spoof Trace: identifies the true source of web requests in order to stop spoofing
- Count Based Filtering: threshold filtering based on hop count, number of connections or number of requests
- BotCloud Detection: detects attack sources inside the cloud by monitoring the features of VMs and the network
- Resource Usage: OS-level and hypervisor-level detection methods that monitor abnormal resource usage
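Source/spoof tracing and count-based filtering from the list above can be combined in one small detector: learn each client's hop count (inferred from the TTL) while traffic is known to be clean, flag later packets whose hop count contradicts it as spoofed, and rate-limit each remaining source by a request count per sliding window. The Python code below is an added example, not from the original post; the initial-TTL guesses (64, 128, 255) are the usual operating-system defaults, and the baseline and request records are constructed.

```python
from collections import defaultdict, deque

# Common initial TTL values set by major OS families; the smallest one that is
# >= the observed TTL is taken as the sender's starting value.
INITIAL_TTLS = (64, 128, 255)


def hop_count(ttl):
    """Infer how many routers a packet crossed from its remaining TTL."""
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def learn_hop_table(baseline):
    """baseline: (src_ip, ttl) pairs observed while traffic was known to be clean."""
    return {ip: hop_count(ttl) for ip, ttl in baseline}


def classify_requests(requests, hop_table, window=1.0, max_per_window=20):
    """requests: (timestamp_s, src_ip, ttl), in time order.
    Returns (spoofed, over_rate): packets whose hop count contradicts the learned
    value, and sources exceeding max_per_window requests inside any window."""
    spoofed = []
    over_rate = set()
    recent = defaultdict(deque)   # src_ip -> timestamps inside the sliding window
    for ts, ip, ttl in requests:
        expected = hop_table.get(ip)
        if expected is not None and hop_count(ttl) != expected:
            spoofed.append((ts, ip, ttl))
            continue                      # never counted toward the source's quota
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:
            over_rate.add(ip)
    return spoofed, over_rate


def build_sample():
    """Constructed traffic (not captured): a clean baseline, then a mixed window."""
    baseline = [("203.0.113.7", 52), ("203.0.113.8", 115)]   # 12 and 13 hops away
    requests = [(i * 0.2, "203.0.113.7", 52) for i in range(3)]          # genuine client
    # Packets forged with 203.0.113.7 as source but sent from elsewhere on the network
    requests += [(1.0 + i * 0.01, "203.0.113.7", 120) for i in range(5)]
    # One source hammering the service: 30 requests inside half a second
    requests += [(2.0 + i * 0.015, "198.51.100.50", 60) for i in range(30)]
    requests.sort(key=lambda r: r[0])
    return baseline, requests


if __name__ == "__main__":
    baseline, requests = build_sample()
    spoofed, over_rate = classify_requests(requests, learn_hop_table(baseline))
    print("spoofed packets:", len(spoofed), "over-rate sources:", sorted(over_rate))
```

Hop-count filtering only works for sources that were seen during the clean baseline, so unknown sources fall through to the count-based check; that is the reason the two techniques are listed separately in the text and why a deployment needs both.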