Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
CSEIT17222 | Received: 05 March 2017 | Accepted: 17 March 2017 | March-April-2017 [(2)2: 62-68]
International Journal of Scientific Research in Computer Science, Engineering and Information Technology
© 2017 IJSRCSEIT | Volume 2 | Issue 2 | ISSN : 2456-3307
62
Handling DDOS attacks in Cloud Computing based on SDM System
S. Akhilesh Kumar1, A. Sundersingh2
¹PG Scholar, Department of M.Sc(Software Engineering), PSN College of Engineering & Technology, Tirunelveli, Tamilnadu, India
² Research Supervisor, Department of M.Sc(Software Engineering), PSN College of Engineering & Technology, Tirunelveli, Tamilnadu,
India
ABSTRACT
Distributed Denial Of Service (DDoS) attacks in cloud computing environments are growing due to the essential
characteristics of cloud computing. With recent advances in Software Defined Networking (SDN),SDN-based cloud
brings us new chances to defeat DDoS attacks in cloud computing environments. Nevertheless, there is a
contradictory relationship between SDN and DDoS attacks. On one hand, the capabilities of SDN, including
software-based traffic analysis, centralized control, and global view of the network, dynamic updating of forwarding
rules, make it easier to detect and react to DDoS attacks. On the other hand, the security of SDN itself remains to be
addressed, and potential DDoS vulnerabilities exist across SDN platforms. In this paper, we discuss the new trends
and characteristics of DDoS attacks in cloud computing, and provide a comprehensive survey of defence
mechanisms against DDoS attacks using SDN. In addition, we review the studies about launching DDoS attacks on
SDN, as well as the methods against DDoS attacks in SDN. To the best of our knowledge, the contra dictory
relationship between SDNandDDoS attacks has not been well addressed in previous works. This work can help to
understand how to make full use of SDN‘s advantages to defeat DDoS attacks in cloud computing environments and
how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution
of SDN-based cloud without the distraction of DDoS attacks.
Keywords : Application Programming Interface, VLAN, IETF, Saas, Paas, Iaas, QoS
I. INTRODUCTION
Cloud computing is an internet-based computing in
which large groups of remote servers are networked to
allow sharing of data-processing tasks, centralized data
storage, and online access to computer services or
resources. Clouds can be classified as public, private or
hybrid.Cloud computing or in simpler shorthand just
"the cloud", also focuses on maximizing the
effectiveness of the shared resources. Cloud resources
are usually not only shared by multiple users but are
also dynamically reallocated per demand. This can
work for allocating resources to users. For example, a
cloud computer facility that serves European users
during European business hours with a specific
application (e.g., email) may reallocate the same
resources to serve North American users during North
America's business hours with a different application
(e.g., a web server). This approach should maximize
the use of computing power thus reducing
environmental damage as well since less power, air
conditioning, rack space, etc. are required for a variety
of functions.
The expression cloud is commonly used in science to
describe a large agglomeration of objects that visually
appear from a distance as a cloud and describes any set
of things whose details are not inspected further in a
given context. In analogy to above usage the word
cloud was used as a metaphor for the Internet and a
standardized cloud-like shape was used to denote a
network on telephony schematics. I.
Wireless Networking becomes the most adaptable
technology for flexibility and mobility in human life.
For the last few years, Software Defined Wireless
Networking (SDWN), a branch of Software Defined
Network (SDN) has been a key research technology to
Volume 2 | Issue 2 | | March-April-2017 | www.ijsrcseit.com
63
analyze and proper management of the densely
populated cellular network [1] [2]. Software Defined
Wireless Networking (SDWN) assures simple and
scalable network architecture and effective mobility
management of the IP networks.
The Software Defined Wireless Networking (SDWN)
programmatically centralizes and separates the control
plane (aka. Network OS) from the data plane (aka.
Forwarding plane). A conventional architecture of SDN
is illustrated in Fig. 1. The southbound interface is a
medium between the control plane and data plane while
northbound is layer between application plane and
control plane. The southbound interface trains the
controllers to collect information about Mobile Nodes
(MNs) and transmits and receives packets to and from
MNs using SDWN elements [3].
To ensure quality of service in SDWN and persistent
network services, operators need to monitor the
network and do proper service measurements from time
to time. Such monitoring will assist in analyzing
network parameters, i. e. throughput, roundtrip
transmission time, bandwidth in the wireless link,
mobility frequency and preparing a real-time view of
the network service standard on industry level. For
such analysis, monitoring and measurement, various
open- source and commercial technology and tools are
available for SDWN including sFlow [4], FlowVisor
[5], BigSwitch [6], BigTap [7], SevOne [8] etc. These
tools provide the operator with capabilities to perform
troublesome network activities and even monitor,
detect and indicate security attack in progress on a
certain.
Figure 1. SDN architecture with separated control and
data plane
Previously several research work is performed on
analyzing the security of OpenFlow-based SDN
environment. Analysis on 4D, PCE and SANE-based
SDN architectures is performed in paper [9], security
application of SDN is thoroughly analyzed and
evaluated in [10]. In previous research sFlow has been
represented as an effective and scalable vulnerability
mitigation mechanism for SDN [11]. FlowVisor turned
a better solution for network virtualization [12] and
vulnerability solution for flow isolation is proposed and
evaluated alongside [13]. Among the tools that monitor
and measure the SDN: a comparative study between
sFlow (Open-Source) and BigTap (commercial) is
illustrated in paper [14]. However, a security and threat
defined study in SDWN monitoring and measurement
tools, those focuses on Open-Flow flow entries and
communication among multiple controllers in wireless
platform, is the primary goal of this perspective study.
Hence, sFlow and FlowVisor are chosen for above flow
circumstances.
The structure of this paper is as follows. In Section II,
the STRIDE and Data Flow methodology is described.
In section III and IV, security and threat risk of sFlow
and FlowVisor are analyzed. Section V represents a
comparative study between the two monitoring tools
and thereby concluding the paper in Section VI with
future prospects of this study outcomes.
II. BACKGROUND AND RELATED WORK
According to OpenFlow specification in [15], any
OpenFlow switch holds flow entries that contains
incoming packet header information, packet handling
action for matched packet entries in the list and
statistics of number of bytes, packets in a particular
flow and time since last pass. Packets as arrive at any
OpenFlow switches, it executes the packet header
information and try matching the existing flow entries.
When the information does not match any of the flow
tables, switch then pass the packet to the controller to
take action and update the flow entries accordingly
with required information of the packet. When it‘s a
match switch performs and forwards the packet to its
next destination on the basis of routing flow table
information in it.
As SDN brings more advantage in connecting into the
internet, Software Defined Wireless Network (SDWN)
has got much importance and emerging research field
Volume 2 | Issue 2 | | March-April-2017 | www.ijsrcseit.com
64
with attention. SDWN is oriented towards the mobile
and wireless network devices and aims at the research
and study of crucial technologies for the future mobile
and wireless network. This SDWN architecture is
composed of both North-South and East-West network
dimension where East- West operates for wireless and
mobile devices using inter- controller protocols such as
Border Gateway Protocol
(BGP) [16]. Hence, security of the underlying network
depends on the secured flow information and control
plane. Tools that monitor and measure and flows
between SDWN entities, therefore, requires security
from external access and service oriented attacks. This
study is concerned about sFlow and FlowVisor as one
of these tools.
Subjective assessments by the threat reporter. Octave
model is best suited for complex and larger system
where STRIDE focuses on network based application
and systems. Trike helps security auditing process with
distinct risk-based implementation than others,
however, is yet in experimentation stage and lacks
proper documentation and support. PASTA includes
risk management steps in the final stage of the process
and is not limited to a specific risk calculation formula
[22]. Thereby, introduced by Microsoft, SRTIDE
model method is used to identify and evaluate the
security threats on OpenFlow- based SDWN network
measurement and monitoring tools: sFlow and
FlowVisor.
STRIDE threat model reveals if a system or software in
concern is vulnerable to Spoofing, Tampering,
Repudiation, Information Disclosure, Denial of Service
(DoS) and Elevation of Privilege threat [20]. Each of
the STRIDE threats can be mapped to one security
property as shown in Table 1. and described in the
following:
a) Spoofing: In spoofing malicious user or program
masquerades gain illegal access in privileged data by
falsifying user information.
b) Tampering: Data tampering involves malicious
modification of information and resources, i.e.
alteration of data as it flows between two computers
over an open network, such as the Internet.
c) Repudiation: Repudiation threats are associated with
malicious users and masquerades who performs ac
action and deny without other parties having any way
to prove otherwise—for example, an attacker controller
performs an illegal operation in a SDN that lacks the
ability to trace the prohibited operations.
d) Information Disclosure: This treat means the
illegitimate availability of resource information of the
system or network or software to malicious and
unauthorized users or programs.
e) Denial of Service: This treat causes service
unavailability to the authorized legitimate users or
programs. f) Elevation of Privilege: In this type of
threat, an unprivileged user gains privileged access and
thereby has sufficient access to compromise or destroy
the entire system. This treat can cause penetration of all
system or network
Elements of sFlow system consists sFlow agents and
sFlow collector, illustrated in Fig. 2. Agent is the
software process that is remotely configured using a
Management Information Base (MIB) within the
device. Combining the interface counters and flow
samples into sFlow datagrams, these datagrams are sent
to the sFlow collector installed in the monitoring host
through the SDWN environment using Simple Network
Management Protocol (SNMP) [23].Including sFlow‘s
own collector sets: sFlow-RT, sFlow- Trend, sflowtool,
this sampling tool also support the third party collectors:
VitalSuit, Peakflow, Kentik Detect, FlowTraq etc.,
those handle more details of sFlow datagrams [4].
Illustration in Fig. 2 represents the Data Flow Diagram
(DFD) of sFlow that uncovers the crucial security risk.
sFlow doesn‘t provide any security mechanism for data
flow rather depends on secure third party management
environment for sFlow agents.Data flows are
vulnerable to Tampering, Information Disclosure and
DoS attack in absence of proper security mechanism. A
physical interface of switch, routers are pote-
As collectors can be vendor provided, security of the
received datagrams depends on vendor‘s will of
deployment and how they process the data. Hence,
sFlow doesn‘t provide any security mechanism. For
security reasons SNMPv3 should be used to configure
and control the sFlow agents to encrypt and
authenticate the datagrams before transmitting to the
collector.According to Table 1 data store are prone to
Volume 2 | Issue 2 | | March-April-2017 | www.ijsrcseit.com
65
Tampering, Information Disclosure and DoS attack
vulnerabilities alike data flows. MIB contains
information about sFlow agents, collector ports and
even IP addresses. Using SNMP, sFlow agents can be
configured through a local Command Line Interface
(CLI) or SNMP commands.
In order to decline any anonymous actions, switches
and routers in the network should have some Access
Control (AC) mechanisms, i.e. Discretionary Access
Control (DAC), Role-Based Access Control (RBAC) to
ensure the interface‘s security [14]. In opposite case, if
CLI is accessible from unauthorized user, MIB in
sFlow is vulnerable to data Tampering, traffic
Information Disclosure and even DoS attack, holds the
MIB flow entries and collector details open for
unauthorized access and even attacker can modify the
information. In case of SNMPv1, SNMPv2
communication with collector is at similar risks.
FlowVisor partitions the minimum transmission
bandwidth for each slice assigning specific data rate to
a set of flows from that slice. FlowVisor keeps track of
every flow-entry for each guest controller and
partitions the flow table among the switches. Switches
are configured according to the resource allocation and
routing policies slices of the FlowVisor controller.
Slices are isolated and have their own ‗flowspace‘ or
set of region of data flows. This isolated slices can be
broken allowing different attacks.
A. Data Flows
FlowVisor adopts slicing policies for each guest
controller. Traffic sent from the production network
and guest controllers if matches the forwarding entries
in the FlowVisor is sliced for corresponding switches
according to ‗flowspace‘. Different slices having
flexible and different flow policies are strongly isolated.
Any traffic that does not match the existing forwarding
entries are sent to the production controller for
insertion. Production controller hence rewrites the
policies of corresponding slice. Attack on slice policy
rewrites from attacking entity can cause vulnerabilities
to such network with FlowVisor. If, therefore, data is
sent from an attacker, the controller cannot detect
because of policy rewrite and causes tampering of flow
rules and the network data and even DoS threats.
The switch configuration is stored in the flow entries of
the slices by the corresponding guest controllers. This
allows data traffic authentication to flow between the
controllers and switches inside the wireless OpenFlow
network even under mobility situations. This
mechanism ensures that data is secured against
Tampering, Information Disclosure and Spoofing
threats.
FlowVisor‘s Command Line Interface (CLI) provides
control access to users for data and slice configuration.
CLI uses user-authentication in terms of username, host
name and port number on accessing the interface and
slices and therefore secure from Spoofing, Tampering,
Repudiation and Elevation of Privilege threats.
Adapting Transport Layer Security can defend the
policy rewrite in production controller for unmatched
packets where virtual controller cannot modify the
MAC and IP address for the packets freely.
III. IMPLEMENTATION RESULTS
The implementation results can be shown as figure
below
Volume 2 | Issue 2 | | March-April-2017 | www.ijsrcseit.com
66
Volume 2 | Issue 2 | | March-April-2017 | www.ijsrcseit.com
67
IV. COMPARISON
Flow and FlowVisor both provide different network
monitoring and measurement functionalities. The
comparative threat model analysis of them is illustrated
in Table 6. Above analysis holds sFlow providing no
security in data flow and data store in DFD wherein
FlowVisor inherits security threat vulnerabilities in
isolated slices. This makes FlowVisor vulnerable to
Spoofing, Tampering and Information disclosure, even
delay and Denial of Service threats in data flow.
However, FlowVisor ensures security of switch
information stored in its own controller where sFlow
depends on external secure deployment environment to
ensure security in MIB data storage and flow entry
information. This makes sFlow vulnerable to spoofing,
DoS and information disclosure threat as switching
agents send unencrypted datagrams to the
collector.Using Transport Layer Security (TLS) in
forwarding the datagrams to the collectors can
eliminate information disclosure threats wherein
tampering can be tackled using access control
mechanism in CLI, agent configuring SNMPv3
protocols.
V. CONCLUSIONS
In this paper, discussed the reasons why DDoS attacks
are growing in cloud computing environments. Then
we summarized the difficulty in defeating DDoS
attacks in cloud computing environments. In addition,
we presented some good features of SDN-based cloud
in defeating DDoS attacks and discussed some
challenges of SDN-based cloud. Since SDN-based
cloud is still in its concept phase, we provided a
comprehensive survey on some of the works that have
already been done to defend DDoS attacks using
SDN.SDN brings a fascinating dilemma: a promising
tool to defeat DDoS attacks in cloud computing
environments, versus a vulnerable target to DDoS
attacks. It is in favor of the community to study how to
make full use of SDN‘s advantages to defeat DDoS
attacks and how to prevent SDN itself becoming a
victim of DDoS attacks in cloud computing
environments. This paper attempts to briefly explore
the current technologies related to SDN and DDoS
attacks, and we discuss future research that may be
beneficial in these issues.
In future, this work can help to understand how to
make full use of SDN‘s advantages to defeat DDoS
attacks in cloud computing environments and how to
prevent SDN itself from becoming a victim of DDoS
attacks, which are important for the smooth evolution
of SDN-based cloud without the distraction of DDoS
attacks.
VI.REFERENCES
[1] G. Pallis, ―Cloud computing: The new frontier of
Internet computing,‖ IEEE
[2] T. Taleb, ―Toward carrier cloud: Potential, challenges,
and solutions,‖ IEEE Wireless Commun., vol. 21, no.
3, pp. 80–91, Jun. 2014.
[3] F. R. Yu and V. C. M. Leung, Advances in Mobile
Cloud Computing Systems. New York, NY, USA:
CRC Press, 2015.
[4] Y.-D. Lin, D. Pitt, D. Hausheer, E. Johnson, and Y.-B.
Lin, ―Software defined networking: Standardization
for cloud computing‘s second wave,‖ Computer, vol.
47, no. 11, pp. 19–21, Nov. 2014.
[5] Z. Yin, F. R. Yu, S. Bu, and Z. Han, ―Joint cloud and
wireless networks operations in mobile cloud
Volume 2 | Issue 2 | | March-April-2017 | www.ijsrcseit.com
68
computing environments with telecom operator
cloud,‖ IEEE Trans. Wireless Commun., vol. 14, no.
7, pp. 4020–4033, Jul. 2015.
[6] Y. Cai, F. R. Yu, and S. Bu, ―Dynamic operations of
cloud radio access networks (C-RAN) for mobile
cloud computing systems,‖ IEEE Trans. Veh. Tech.,
accepted for publication, DOI:
10.1109/TVT.2015.2411739.
[7] Y. Cai, F. R. Yu, C. Liang, B. Sun, and Q. Yan,
―Software defined device-to-device (D2D)
communications in virtual wireless networks with
imperfect network
[8] Ku, Y. Lu, and M. Gerla, ―Software-defined mobile
cloud: Architecture, services and use cases,‖ in Proc.
IEEE IWCMC, Aug. 2014, pp. 1–6.
[9] P. Klemperer, Y. Liang, M. Mazurek, M. Sleeper, B.
Ur, L. Bauer,
[10] L. F. Cranor, N. Gupta, and M. Reiter, ―Tag, you can
see it!: Using tags for access control in photo
sharing,‖ in Proc. ACM Annu. Conf. Human Factors
Comput. Syst., 2012, pp. 377–386
[11] Multi-authority attribute-based encryption,‖ in Proc.
16th ACM Conf. Comput. Commun. Security, 2011,
pp. 121-130