Page 1: Ntxissacsc5 yellow 7 protecting the cloud with cep

NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5

Protecting the Cloud Computing Environment with CEP Shield against DDoS Attacks

Venkatesan Pillai (aka VP)

Cybersecurity Practitioner & Instructor

Way11 Consulting

11/10/2017

Page 2: Ntxissacsc5 yellow 7 protecting the cloud with cep


Bio

• Cybersecurity Practitioner & Instructor

• Specialized in Network Security, Data Security & Application Security

• Independent Technology Evaluator

• Cybersecurity Instructor @ Collin College

• Served as a member of the EC-Council review board

• Working group member, Healthcare cybersecurity

Page 3: Ntxissacsc5 yellow 7 protecting the cloud with cep

Outline

• Introduction

• Problem

• Objectives

• Existing System

• Proposed System

• Implementation

• References

Page 4: Ntxissacsc5 yellow 7 protecting the cloud with cep

Introduction

• The cloud computing environment is the most popular business model adopted by organizations worldwide.

• As cloud deployment has increased in recent years, there has been a paradigm shift: attackers take advantage of cloud resources for unintended purposes.

• DDoS is one of the security attacks in the cloud that needs efficient detection and prevention mechanisms.

Page 5: Ntxissacsc5 yellow 7 protecting the cloud with cep

Top Cloud Threats

Page 6: Ntxissacsc5 yellow 7 protecting the cloud with cep

DDoS Targets

[Chart: DDoS targets. Source: Q2 2016 DDoS Trends Report by Verisign]

Page 7: Ntxissacsc5 yellow 7 protecting the cloud with cep


DDoS Attacks

[Timeline figure: notable DDoS attacks in 2013, 2015 and 2016]

Page 8: Ntxissacsc5 yellow 7 protecting the cloud with cep


Problem

• The cloud environment is exposed to threats, and the security risk is very high when virtual machine patches are not applied frequently.

• Anomalies in the computing environment affect the normal functioning of cloud services.

Page 9: Ntxissacsc5 yellow 7 protecting the cloud with cep

Objectives

• Develop a DDoS detection system with high detection accuracy.

• Respond to the attack traffic with fast response time.

Page 10: Ntxissacsc5 yellow 7 protecting the cloud with cep

DDoS Attack Taxonomy

DDoS Attack
  Bandwidth Depletion Attacks
    Flood Attack
      ICMP Attack
      UDP Attack: Specified Port / Random Port
    Amplification Attack
      Smurf / Fraggle
      Direct / Loop
  Resource Depletion Attacks
    Protocol Exploit Attack
      TCP SYN
      PUSH-ACK
    Malformed Packet Attack
      IP Address
      IP Packet Options

B. Prabadevi and N. Jeyanthi, Distributed Denial of Service Attacks and Its Effects in Cloud Environment - a Survey, IEEE, 2014

Page 11: Ntxissacsc5 yellow 7 protecting the cloud with cep


Cloud Attacks

Browser level attacks

1. Cache poisoning
2. Hidden field manipulation
3. SQL injection attacks
4. Man-in-middle attacks
5. Cloud malware injection attack

Application level attacks

1. Backdoor and debug options
2. CAPTCHA breaking
3. Google hacking
4. Cross site scripting attack
5. Hypervisor level attacks
6. Dictionary attack

Network level attacks

1. Sybil attack
2. BGP prefix hijacking
3. Port scanning
4. DNS attacks
5. Sniffer attacks
6. Amplification attack
7. Reflector attack
8. Smurf attack
9. Bandwidth attack
10. ICMP flood

Server level attacks

1. DoS attacks
2. DDoS attack
3. XML signature element wrapping

B. Prabadevi and N. Jeyanthi, Distributed Denial of Service Attacks and Its Effects in Cloud Environment - a Survey, IEEE, 2014

Page 12: Ntxissacsc5 yellow 7 protecting the cloud with cep


Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
VM level attacks | Vulnerabilities in the hypervisor | Advanced cloud protection system
Bandwidth attack | Consumes target resources | MULTOPS detects disproportional packets, both incoming and outgoing
ICMP flood | Variation of bandwidth due to ICMP packets | ScreenOS
Amplification attack | Induces the device to generate large responses | High performance OS, load balancer, rate limiting
Reflector attack | Third parties bounce the traffic from the attacker | Deterministic edge router marking

Page 13: Ntxissacsc5 yellow 7 protecting the cloud with cep


Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
SMURF | ICMP echo request used to generate DoS attacks | Ingress filtering
DNS attack | DNS server name poisoning | Radware carrier solution, DNS Security Extensions
BGP prefix hijacking | A flawed announcement about the IP addresses in an Autonomous System (AS) is made | Autonomous security system
Port scanning | Due to open ports | Encrypted security ports; firewall against port attacks
Sniffer attack | Data loss by capturing sensitive data transferred over the transmission channel | Detection based on ARP and RTT

Page 14: Ntxissacsc5 yellow 7 protecting the cloud with cep


Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
Issue of reused IP | Remains in the DNS cache memory after each insertion and when it is assigned to a new user | DNS cache cookies need to be cleared
Cookie poisoning | Impersonates the legitimate user | Encryption, web application firewall
Hidden field manipulation | Retrieve contents in the hidden fields of a web page | Security policies and session token
SQL injection attacks | Malicious SQL query | Parametrized queries
Man-in-middle | Overhear the information in the communication channel | Encryption

Page 15: Ntxissacsc5 yellow 7 protecting the cloud with cep


Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
Cloud malware injection attack | Malicious code in the cloud | Utilization of the file allocation table
Backdoor and debug options | Unauthorized use of the website in debug mode to hack the website | Should be disabled after use
CAPTCHA breaking | Audio system to track the CAPTCHA | Increase string length
Cross site scripting | Disguising the script in the URL | Active content filtering; content based data leakage prevention
Dictionary attack | Possible word combinations for successful decryption of the data residing in/flowing over the network | Encryption, challenge-response system

Page 16: Ntxissacsc5 yellow 7 protecting the cloud with cep


Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
Sybil attack | Malicious code in the cloud | Firewall
Google hijacking | Sensitive information obtained through Google search | Standard security
DoS | Number of requests that exceeds the server capacity | IDS
DDoS | DoS attack with multiple nodes | IDS
XML signature element wrapping | Hacker changes the message and signature value in an XML document | Digital signature

Page 17: Ntxissacsc5 yellow 7 protecting the cloud with cep


IP Spoofing

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013

Page 18: Ntxissacsc5 yellow 7 protecting the cloud with cep

SYN Flooding

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013

Page 19: Ntxissacsc5 yellow 7 protecting the cloud with cep

SMURF

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013

Page 20: Ntxissacsc5 yellow 7 protecting the cloud with cep

Ping of Death

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013

Page 21: Ntxissacsc5 yellow 7 protecting the cloud with cep

Land

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013

Page 22: Ntxissacsc5 yellow 7 protecting the cloud with cep

Existing System

Type of Attack | Defense Mechanism | Disadvantages
IP Spoofing | Hop count filtering in PaaS | IP2HC table can be built by the attacker
IP Spoofing | Trust based in IaaS | -
SYN Flooding | SYN cache in PaaS | Increased latency
SYN Flooding | SYN cookies in PaaS | Low performance of the cloud
SYN Flooding | Reduced time in SYN-Rx in PaaS | Possibility of legitimate packet dropping

[The External/Internal marks of the original table did not survive extraction]

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013

Page 23: Ntxissacsc5 yellow 7 protecting the cloud with cep


Existing System

Type of Attack | Defense Mechanism | Disadvantages
SYN Flooding | Filtering in IaaS | Not reliable
SYN Flooding | Firewall in PaaS | Performance of the cloud is affected
SYN Flooding | Monitoring in IaaS | Possibility of legitimate packet dropping
SMURF | Configuring virtual machines in PaaS | -
SMURF | Configuring network resources in IaaS | -

[The External/Internal marks of the original table did not survive extraction]

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013

Page 24: Ntxissacsc5 yellow 7 protecting the cloud with cep


Existing System

Type of Attack | Defense Mechanism | Disadvantages
Buffer overflow | Analysing static and dynamic code in SaaS | Time consumption
Buffer overflow | Array bound checking in SaaS | -
Buffer overflow | Runtime instrumentation in SaaS | -
Ping of death, Land, Teardrop | Layered filtering | Attack may propagate to other layers if it is unnoticed in the previous layers

[The External/Internal marks of the original table did not survive extraction]

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013

Page 25: Ntxissacsc5 yellow 7 protecting the cloud with cep


Complex Event Processing

• Complex event processing, or CEP, is an event processing method that combines information from multiple sources to understand an event or a pattern.

• In networked systems, the event correlation technique analyses the huge volume of events and detects attacks through event patterns.

• CEP can link low-level events of low significance to high-level events of high criticality.

• CEP is the aggregation of multiple simple events into a complex event.

[Diagram: Event -> CEP -> Action]

Page 26: Ntxissacsc5 yellow 7 protecting the cloud with cep


Complex Event Processing

[Diagram: Event Sources (system, processes and sensors) -> CEP Engine -> Event Output (alerts and triggered actions)]

CEP Query

Select src.IP and dest.IP where pkt.cnt > threshold #window time 30s

Page 27: Ntxissacsc5 yellow 7 protecting the cloud with cep


CEP Applications

• Monitoring and security

• Object and Inventory tracking

• Financial Trading

• Fraud detection

Page 28: Ntxissacsc5 yellow 7 protecting the cloud with cep

Proposed System

[Architecture diagram with components: Event Sources, Event Tracking, Event Detection, Event Processing, Prediction Analysis, Statistical Data, Event Patterns, Knowledge Base, GUI]

Page 29: Ntxissacsc5 yellow 7 protecting the cloud with cep


Proposed System

• Cloud Dataset: A cloud environment is used to generate DDoS attack traffic, with selected virtual machines installed with DDoS attack tools sending flooding packets against the target.

• DDoS Detection: Traffic parameters such as source address, source port, protocol, destination address and destination port are fed into the CEP engine to classify attack and legitimate sources.

• DDoS Response: The alerts contain the source IPs that need to be blocked immediately. The block list is passed to the attack response system to block the attack traffic.
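The detection rule from the CEP Query slide (select src.IP and dest.IP where pkt.cnt > threshold within a 30 s window) and the alert-to-block-list flow above, as an added example that is not the presenter's code: a plain Python sliding time window stands in for the Esper engine, the threshold value, the IP addresses and the packet timestamps are all constructed for the demonstration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 30   # "#window time 30s" from the slide's CEP query
THRESHOLD = 100       # packets per (src, dst) pair per window; assumed value


class FloodDetector:
    """Sliding-window CEP rule: count packets per (src_ip, dst_ip) and
    raise one alert the first time a pair exceeds THRESHOLD in the window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
        self.alerted = set()               # pairs already reported, so one flood gives one alert

    def ingest(self, ts, src_ip, dst_ip):
        """Feed one packet event (timestamp in seconds); return an alert dict or None."""
        key = (src_ip, dst_ip)
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire timestamps that fell out of the window
            q.popleft()
        if len(q) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return {"src_ip": src_ip, "dst_ip": dst_ip, "count": len(q), "ts": ts}
        return None


def build_block_list(events, detector=None):
    """Run a time-ordered event stream through the detector; return the sorted
    source IPs handed to the response system plus the raw alerts."""
    detector = detector or FloodDetector()
    alerts = [a for a in (detector.ingest(*e) for e in events) if a]
    return sorted({a["src_ip"] for a in alerts}), alerts


def sample_events():
    """Constructed traffic (not captured data): a legitimate client, a flooding
    source, and a bursty source whose two bursts fall in different windows."""
    target = "10.0.1.10"
    legit = [(t * 0.5, "10.0.0.5", target) for t in range(40)]              # 40 pkts in 20 s
    flood = [(t * 0.1, "203.0.113.7", target) for t in range(300)]          # 300 pkts in 30 s
    bursty = [(t * 0.1, "198.51.100.9", target) for t in range(80)]         # 80 pkts, then idle
    bursty += [(40 + t * 0.1, "198.51.100.9", target) for t in range(80)]   # 80 more from t = 40 s
    return sorted(legit + flood + bursty)


if __name__ == "__main__":
    blocked, alerts = build_block_list(sample_events())
    print("block list:", blocked)   # only 203.0.113.7; the bursty source never exceeds 100 per window
    for a in alerts:
        print(a)
```

The bursty source shows why the window matters: 160 packets in total, but never more than 80 inside any 30 s window, so it is not blocked.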

Page 30: Ntxissacsc5 yellow 7 protecting the cloud with cep

Implementation

• OpenStack Cloud

• Esper engine

• Machine learning algorithms

Page 31: Ntxissacsc5 yellow 7 protecting the cloud with cep

Metrics

• Memory usage

• CPU utilization

• Bandwidth

• Response time

• Availability

Page 32: Ntxissacsc5 yellow 7 protecting the cloud with cep

Future Directions

• Collaborative detection system for DDoS attacks using learning algorithms

Page 33: Ntxissacsc5 yellow 7 protecting the cloud with cep

References

• https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

• https://blog.verisign.com/security/verisign-q2-2016-ddos-trends-layer-7-ddos-attacks-a-growing-trend/

• http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle

• https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

• http://www.theregister.co.uk/2015/12/17/hackers_threaten_xbox_live_psn

• http://www.darkreading.com/attacks-breaches/wave-of-ddos-attacks-down-cloud-based-services/d/d-id/1269614, November 6, 2014.

Page 34: Ntxissacsc5 yellow 7 protecting the cloud with cep

References

• http://www.infosecurity-magazine.com/news/ddos-ers-launch-attacks-from-amazon-ec2/

• https://blogs.microsoft.com/cybertrust/2014/02/06/threats-in-the-cloud-part-2-distributed-denial-of-service-attacks/

• http://www.darkreading.com/attacks-and-breaches/bank-attackers-restart-operation-ababil-ddos-disruptions/d/d-id/1108955?

Page 35: Ntxissacsc5 yellow 7 protecting the cloud with cep

Contact

Email : [email protected]

www.linkedin.com/in/venkatesanpillai/

Page 36: Ntxissacsc5 yellow 7 protecting the cloud with cep


Thank you