Abstract
Internet-based computing has led to the emergence of a large number of threats. One of the major threats is the DDoS (Distributed Denial of Service) attack. Recent incidents have shown that DDoS attacks are capable of shutting down a business not for a day but for weeks. DDoS attacks have a greater impact on multi-tenant clouds than on traditional infrastructure. In the cloud, DDoS attacks take the shape of EDoS (Economic Denial of Sustainability) attacks. In EDoS, instead of “service denial”, economic harm occurs due to fake resource usage and the subsequent addition or buying of resources through on-demand provisioning. To detect and mitigate DDoS attacks in the cloud, we argue that on-demand resource allocation (known as auto-scaling) should also be examined, in addition to network- or application-layer mitigation. We propose a novel mitigation strategy, DARAC, which makes auto-scaling decisions by accurately differentiating between legitimate requests and attacker traffic. Attacker traffic is detected and dropped using detection based on human behavior analysis. We also argue that most of the solutions in the literature do not pay much attention to the service quality delivered to legitimate requests during an attack. We calculate the share of legitimate clients in resource addition/buying and make accurate auto-scaling decisions accordingly. Experimental results show that DARAC mitigates various DDoS attack sets and takes accurate and quick auto-scaling decisions for various combinations of legitimate and attacker traffic, protecting against EDoS. We also show how the proposed mechanism could make the “arms race” very difficult for attackers, as the resources needed to defeat the DARAC mechanism on a very small-capacity server are huge. Results also show significant improvements in the average response time of the web service under attack, in addition to infrastructure cost savings of up to 50% in heavy attack cases.
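The contrast the abstract draws between load-driven auto-scaling and scaling on the legitimate share of traffic can be sketched as follows. This is an added illustration, not the DARAC algorithm or code from the paper: the per-client request ceiling standing in for human behavior analysis, the VM capacity, and all function names are assumptions.

```python
import math
from collections import Counter

VM_CAPACITY = 100     # assumed: requests one VM serves per interval
HUMAN_MAX_REQS = 20   # assumed: most requests a human sends per interval

def vms_needed(request_count):
    """VMs required to serve request_count requests (never below one)."""
    return max(1, math.ceil(request_count / VM_CAPACITY))

def naive_scale(requests):
    """Conventional auto-scaling: size the fleet on total observed load."""
    return vms_needed(len(requests))

def attack_aware_scale(requests):
    """Drop clients above the human ceiling, then size the fleet on the
    legitimate share only. Returns (vms, legitimate_share, dropped_clients)."""
    per_client = Counter(requests)
    legit = {c: n for c, n in per_client.items() if n <= HUMAN_MAX_REQS}
    dropped = set(per_client) - set(legit)
    legit_load = sum(legit.values())
    total = len(requests)
    share = legit_load / total if total else 1.0  # idle interval: no attack
    return vms_needed(legit_load), share, dropped

def sample_interval():
    """Constructed sample: 30 humans x 5 requests, 4 bots x 400 requests.
    Each list entry is the client id of one request."""
    reqs = []
    for i in range(30):
        reqs += [f"user-{i}"] * 5
    for i in range(4):
        reqs += [f"bot-{i}"] * 400
    return reqs

if __name__ == "__main__":
    reqs = sample_interval()
    print("naive VMs:", naive_scale(reqs))
    print("attack-aware (VMs, legit share, dropped):", attack_aware_scale(reqs))
```

On the constructed sample the load-driven policy buys capacity for the bots' requests, while the share-based policy sizes the fleet for the 150 legitimate requests only, which is the EDoS saving the abstract refers to.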
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Somani, G., Johri, A., Taneja, M., Pyne, U., Gaur, M.S., Sanghi, D. (2015). DARAC: DDoS Mitigation Using DDoS Aware Resource Allocation in Cloud. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science, vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_16
DOI: https://doi.org/10.1007/978-3-319-26961-0_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26960-3
Online ISBN: 978-3-319-26961-0
eBook Packages: Computer Science; Computer Science (R0)