Elsevier

Computer Networks

Volume 97, 14 March 2016, Pages 31-47

Controlled access to cloud resources for mitigating Economic Denial of Sustainability (EDoS) attacks

https://doi.org/10.1016/j.comnet.2016.01.002

Abstract

Cloud computing is a paradigm that provides scalable IT resources as a service over the Internet. Vulnerabilities in the cloud infrastructure have been readily exploited by the adversary class. Therefore, providing the desired level of assurance to all stakeholders by safeguarding data (sensitive or otherwise) stored in the cloud is of utmost importance. In addition, the importance of protecting the cloud from adversarial attacks of diverse types and intents cannot be overstated. The Economic Denial of Sustainability (EDoS) attack is considered one of the concerns that has stalled many organizations from migrating their operations and/or data to the cloud, because an EDoS attack targets the financial component of the service provider. In this work, we propose a novel, reactive approach based on a rate-limit technique, with low overhead, to detect and mitigate EDoS attacks against cloud-based services. Through this reactive scheme, each user is granted a limited access permission for cloud services. Experiments were conducted in a laboratory cloud setup to evaluate the performance of the proposed mitigation technique. The results obtained show that the proposed approach is able to detect and prevent such an attack with low cost and overhead.

Introduction

Cloud computing is a model to provision on-demand network access to a shared pool of computing resources that can accommodate varying end-user demands, with minimal service provider intervention [1]. It allows for utility-based pricing and dynamic resource assignments for services provisioned to end-users. Cloud providers manage submission of requests to the cloud based on leasing agreements of a utility-based pricing model. Service providers request resources from cloud providers, subsequently paying only for actual resource utilization, and in effect providing services to end users [2].

The cloud computing platform has gained immense popularity in recent times by allowing end-users to lease computing resources and pay only for their individual usage. Auto-scaling is a fundamental characteristic of the cloud, facilitating near-instantaneous scaling up or down of the required cloud-based services. It is driven by variable user demand, within the bounds of pre-agreed Service Level Agreements (SLAs). Within the cloud, auto-scaling is implemented as rules for the automatic allocation of resources such as the number of CPUs, the amount of memory, or the number of networking devices, so that cloud resources are not overwhelmed. For instance, if the CPU usage for a given set of users belonging to a service provider exceeds 80% for a period of one minute, the cloud provider will dynamically allocate additional CPUs to reduce the load on the existing CPUs. Conversely, falling demand for resources is handled by deallocating computing resources in real time, again based on predefined rules at the provider's end. In general, the most common parameters a cloud provider considers for auto-scaling are the performance metric, the threshold, and the duration. The performance metric parameter is a tuple giving the percentage of resource utilization within the cloud, in terms of CPU utilization rate, memory usage and networking resource usage, during a given window of time. The threshold parameter defines the aggregate value, calculated from the current performance metric values, at which auto-scaling of resources is triggered. The duration parameter defines the period of time for which the auto-scaling condition must hold before scaling is triggered [3]. Scaling computing resources up or down never exceeds the maximum resource allocation to the end-users of a given service provider, as stipulated in the SLA. As a simple example, if the lower and upper thresholds on CPU utilization are set to 30% and 80% at the time of cloud initialization, and the duration is set to 1 min, then whenever the CPU utilization persistently exceeds 80% for a period of 1 min, additional CPUs will be allocated (i.e., scaling up). On the other hand, CPU resources will be scaled down when the CPU utilization falls below 30% for a period of 1 min.

In an ideal situation, the cloud computing paradigm operates according to the needs and demands of end-users, ensuring the quality of the end-user experience through accurate auto-scaling of resources. Cloud security is rated as the greatest issue faced by cloud providers [4]. The EDoS attack is considered one of the cloud security concerns that has remained broadly unaddressed in the literature. In the presence of the adversarial class, the routine operations of a cloud provider may be disrupted through diverse and sophisticated malicious activity conducted to achieve one of many objectives, such as disclosure of sensitive cloud data, modification/tampering of data, high volumes of incoming requests for cloud resource allocation, identity theft, etc. Through an EDoS attack, the adversarial entity exploits the auto-scaling feature of the cloud to cause intentional and unwanted scaling up of computing resources at the cloud provider. The resulting cost of provisioning those cloud resources is billed to the service provider. After a persistent effort by the adversary over a period of time, the service provider is charged an exceedingly high amount for unused and unrequested services, and its economic viability is thus rendered unsustainable. EDoS attacks may be launched by generating a large volume of service and/or resource requests that appear to be legitimate; the cloud provider accordingly scales its resources to accommodate all end-user requests, duly abiding by the SLA [5], [6].

This paper proposes a mitigation technique that identifies suspicious service requests at the service provider's end and mitigates the effects of an EDoS attack through controlled resource usage. The scheme operates through a regular assessment of incoming requests from end-users, by comparing user activity (i.e., the numbers and types of requests for cloud services) at the cloud provider, and by controlling the rate at which cloud service requests can be positively responded to. The proposed technique operates with low overhead and accurately classifies incoming requests as legitimate or malicious, based on several criteria.
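The following is an added worked example, not code from the paper or its authors, that puts the two ideas above side by side: the threshold/duration auto-scaling rule from the introduction (lower 30%, upper 80%, duration 1 min, here one tick per second) and a per-user cap on admitted requests as a stand-in for the "limited access permission" the scheme grants each user. The paper's own components are not described on this page, so the `PerUserRateLimiter` is an assumed sliding-window mechanism; the workload (ten users at 1 req/s plus one source at 50 req/s), the assumed capacity of 20 admitted requests per second per CPU, and the 5 req/s per-user cap are constructed values chosen to make the effect visible.

```python
from collections import defaultdict, deque


class AutoScaler:
    """Threshold/duration scaling rule from the introduction: add a CPU after
    utilization stays above `upper` for `duration` consecutive ticks, remove
    one after it stays below `lower` for `duration` ticks (never below 1 CPU)."""

    def __init__(self, lower=30.0, upper=80.0, duration=60, cpus=1):
        self.lower, self.upper, self.duration = lower, upper, duration
        self.cpus = cpus
        self._above = 0   # consecutive ticks above the upper threshold
        self._below = 0   # consecutive ticks below the lower threshold

    def observe(self, utilization):
        """Feed one utilization sample (percent); returns 'up', 'down' or None."""
        if utilization > self.upper:
            self._above, self._below = self._above + 1, 0
        elif utilization < self.lower:
            self._above, self._below = 0, self._below + 1
        else:
            self._above = self._below = 0
        if self._above >= self.duration:
            self.cpus += 1
            self._above = 0
            return "up"
        if self._below >= self.duration and self.cpus > 1:
            self.cpus -= 1
            self._below = 0
            return "down"
        return None


class PerUserRateLimiter:
    """Assumed mechanism (not the paper's): a sliding-window cap on the number
    of requests admitted per user within `window` ticks."""

    def __init__(self, max_requests, window=1):
        self.max_requests, self.window = max_requests, window
        self._seen = defaultdict(deque)   # user -> ticks of admitted requests

    def admit(self, user, now):
        q = self._seen[user]
        while q and q[0] <= now - self.window:
            q.popleft()                   # forget requests outside the window
        if len(q) >= self.max_requests:
            return False                  # over quota: request is not served
        q.append(now)
        return True


# Constructed workload: ten legitimate users at 1 req/s and one EDoS source
# sending 50 req/s of individually well-formed requests. Assumed capacity:
# one CPU is fully busy at 20 admitted requests per second.
WORKLOAD = {f"user{i}": 1 for i in range(10)}
WORKLOAD["edos-source"] = 50
REQS_PER_CPU = 20


def simulate(seconds, limiter=None):
    """Run the workload for `seconds` ticks; returns (final CPU count,
    billed CPU-seconds, list of (tick, action, cpus) scaling events)."""
    scaler = AutoScaler()
    billed, events = 0, []
    for t in range(seconds):
        billed += scaler.cpus              # every allocated CPU is billed each tick
        admitted = 0
        for user, rate in WORKLOAD.items():
            for _ in range(rate):
                if limiter is None or limiter.admit(user, t):
                    admitted += 1
        utilization = min(100.0, 100.0 * admitted / (REQS_PER_CPU * scaler.cpus))
        action = scaler.observe(utilization)
        if action:
            events.append((t, action, scaler.cpus))
    return scaler.cpus, billed, events


if __name__ == "__main__":
    for label, limiter in (("no mitigation", None),
                           ("5 req/s per user", PerUserRateLimiter(5))):
        cpus, billed, events = simulate(300, limiter)
        print(f"{label:18s} final CPUs={cpus}  billed CPU-seconds={billed}  events={events}")
```

Over a five-minute run the unmitigated case triggers a scale-up every 60 ticks until four CPUs are allocated and 840 CPU-seconds are billed, all of it driven by the single 50 req/s source; with the per-user cap in place the same source contributes only 5 admitted req/s, utilization settles at 75%, no scaling event fires and the bill stays at 300 CPU-seconds. The point of the comparison is that the cap is applied per identity before requests count toward the load the auto-scaler sees, which is what keeps the provider's bill, rather than the provider's capacity, from being the attacker's lever.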

The rest of the paper is organized as follows: Section 2 provides an extensive analysis of the existing work on identifying and preventing distributed attacks against the cloud. An elaborate explanation of the proposed scheme and its implementation is provided in Section 3. Experimental results and their analysis are presented in Section 4. Finally, we provide conclusions and future directions for work in Section 5.

Section snippets

Literature review

Several techniques to detect EDoS attacks can be found in the literature. Each one comes with its share of benefits and limitations. In this section, we summarize the key contributions available in recent literature. We begin with the proposal of Khor and Nakao [7] who proposed a scheme to ascertain a client’s commitment to cloud resource requests, by having them solve crypto-puzzles. Resource access was granted to genuine clients with intents to pay for services utilized. Clients first define

The proposed approach

In this section, we present the proposed mitigation technique against EDoS attacks in the cloud infrastructure. The scheme performs EDoS detection and subsequent mitigation of the effects of the malicious attack in a reactive manner. As stated earlier, auto-scaling based on user demand facilitates dynamic allocation and deallocation of resources in the cloud. This characteristic of the cloud can be exploited by the adversary class to cause an unnecessary allocation of resources (based on

Experiments and analysis

In this section, we analyze the results obtained from experiments conducted in a lab environment, to study the performance of the proposed mitigation technique against EDoS attacks. We compare the performance of the scheme to scenarios without any mitigation scheme in place.

To build the cloud, we deployed two servers, namely, a management server and a compute server. The management server is responsible for managing the cloud services. Citrix CloudPlatform 3.0.5 is the software that is

Conclusion and future work

We proposed a novel reactive scheme to detect and mitigate EDoS attacks against cloud-based services. The scheme operates with low overhead and is based on a rate limit technique for preventing suspect requests from being granted service before passing further investigative tests. The scheme comprises several components, namely, the vFirewall, VM Investigator, Load balancer, and the DataBase, all operating hand in hand, to control access to cloud services, for mitigating the effects of an EDoS

Acknowledgments

The authors would like to acknowledge the support provided by King Fahd University of Petroleum & Minerals (KFUPM) for funding this research work through project No. 11-INF1609-04 as part of the National Science, Technology and Innovation Plan.


References (27)

  • P. Mell et al., The NIST definition of cloud computing, Natl. Inst. Stand. Technol. Special Publication SP 800-145 (2011)
  • Q. Zhang et al., Cloud computing: state-of-the-art and research challenges, J. Internet Serv. Appl. (2010)
  • R.P. Jessica Tomechak, Citrix CloudPlatform 3.0.5 (Powered by Apache CloudStack) Administrator's Guide (2012)
  • I.D. Corporation, New IDC IT cloud services survey: top benefits and challenges, 2009, http://blogs.idc.com/ie/?p=730....
  • C. Hoff, Cloud computing security: from DDoS (distributed denial of service) to EDoS (economic denial of...
  • M. Sqalli et al., EDoS-shield – a two-steps mitigation technique against EDoS attacks in cloud computing, Proceedings of the 2011 Fourth IEEE International Conference on Utility and Cloud Computing (UCC) (2011)
  • S.H. Khor et al., SPOW: on-demand cloud-based eDDoS mitigation mechanism, Proceedings of the Fifth Workshop on Hot Topics in System Dependability (2009)
  • M. Naresh Kumar, Mitigation of economic distributed denial of sustainability (eDDoS) in cloud computing, Proceedings of the International Conference on Advances in Engineering and Technology (2011)
  • N.K. et al., Mitigating economic denial of sustainability (EDoS) in cloud computing using in-cloud scrubber service, Proceedings of the Fourth International Conference on Computational Intelligence and Communication Networks (CICN) (2012)
  • V.D. Gligor, Guaranteeing access in spite of service-flooding attacks, Proceedings of the International Workshop on Security Protocols (2003)
  • F. Al-Haidari et al., Enhanced EDoS-shield for mitigating EDoS attacks originating from spoofed IP addresses, Proceedings of the IEEE Eleventh International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (2012)
  • S. Chapade et al., Securing cloud servers against flooding based DDoS attacks, Proceedings of the International Conference on Communication Systems and Network Technologies (CSNT) (2013)
  • S. VivinSandar et al., Economic denial of sustainability (EDoS) in cloud services using HTTP and XML based DDoS attacks, Int. J. Comput. Appl. (2012)
Cited by (41)

    • Conceptualization and cases of study on cyber operations against the sustainability of the tactical edge

      2021, Future Generation Computer Systems
      Citation Excerpt:

      Although in [29] was demonstrated that the implementation of cybersecurity measures based on predicting the behavior of the protected system, constructing adaptive thresholds, and clustering of VNFs instances based on productivity, were effective enough to reveal EDoS threats [34], their prevention, detection, mitigation and attribution still entail important research challenges, to which is added that the bibliography does not include a large collection of publications focused on the defense against EDoS threats. The studies that address this problem usually assume metrics at network-level, usually confusing features for EDoS identification with those that typically detect flooding-based DDoS behaviors [35–37]. An illustrative example of EDoS to TDoS is illustrated in Fig. 3.

    • Detection of economic denial of sustainability (EDoS) threats in self-organizing networks

      2019, Computer Communications
      Citation Excerpt:

      The nature of EDoS threats poses instead resemblance with normal network traffic behaviors, hence requiring different defensive approaches to find particular discordances both at network and application level. In [11,35,40] some of the most relevant proposals are collected and discussed. With the purpose of facilitate their understanding, they are classified according to their scope, as traditionally organized in the research related with the defense against DDoS [41]: detection, prevention/mitigation, and identification of sources.

    • Game theoretic modeling of economic denial of sustainability (EDoS) attack in cloud computing

      2022, Probability in the Engineering and Informational Sciences
    • DDoSMiner: An Automated Framework for DDoS Attack Characterization and Vulnerability Mining

      2024, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

    Zubair A. Baig received the B.S. degree in computer engineering from the King Fahd University of Petroleum & Minerals, Dhahran, Saudi Arabia, in 2002, the M.S. degree in Electrical Engineering from the University of Maryland, College Park, USA, in 2003 and the Ph.D. degree in computer science from Monash University, Melbourne, Australia, in 2008. Currently, he is a Senior Lecturer in the School of Science, Edith Cowan University, Perth, W.A., Australia. He is also affiliated to the Security Research Institute at Edith Cowan University. He has authored over 47 journal and conference articles and book chapters. His research interests are in the areas of cyber-security, artificial intelligence and optimization algorithms. He has served on numerous technical program committees of international conferences and has delivered a keynote talk on computer security.

    Sadiq M. Sait obtained a Bachelor's degree in Electronics from Bangalore University in 1981, and Master's and PhD degrees in Electrical Engineering from King Fahd University of Petroleum & Minerals (KFUPM), Dhahran, Saudi Arabia in 1983 & 1987, respectively. Sait has authored over 200 research papers, contributed chapters to technical books, and lectured in over 25 countries. Sait is the principal author of the books (1) VLSI PHYSICAL DESIGN AUTOMATION: Theory & Practice, published by McGraw-Hill Book Co., Europe (and also co-published by IEEE Press), January 1995, and (2) ITERATIVE COMPUTER ALGORITHMS with APPLICATIONS in ENGINEERING (Solving Combinatorial Optimization Problems), published by IEEE Computer Society Press, California, USA, 1999. He was the Head of the Computer Engineering Department, KFUPM from January 2001 to December 2004, Director of Information Technology and CIO of KFUPM between 2005 and 2011, and is now the Director of the Center for Communications and IT Research at the Research Institute of KFUPM.

    Farid Binbeshr obtained his Master’s degree in Computer Engineering from King Fahd University of Petroleum & Minerals (KFUPM), Dhahran, Saudi Arabia, in 2014. His areas of research interest are: Computer networks, Cloud computing and Network security.
