DDoS defense system for web services in a cloud environment

https://doi.org/10.1016/j.future.2014.03.003

Highlights

  • Reported DoS vulnerabilities in web services are analyzed and confirmed.

  • The impact of exploiting these application-layer vulnerabilities is devastating.

  • An adaptive HTTP and XML inspecting defense system with minimal overhead is proposed.

Abstract

Recently, a new kind of vulnerability has surfaced: application layer Denial-of-Service (DoS) attacks targeting web services. These attacks aim at consuming resources by sending Simple Object Access Protocol (SOAP) requests that contain malicious XML content. These requests cannot be detected on the network or transport (TCP/IP) layer, as they appear as legitimate packets. Until now, there is no web service security specification that addresses this problem. Moreover, the current WS-Security standard induces crucial additional vulnerabilities threatening the availability of certain web service implementations. First, this paper introduces an attack-generating tool to test and confirm previously reported vulnerabilities. The results indicate that the attacks have a devastating impact on web service availability, even whilst utilizing an absolute minimum of attack resources. Since these highly effective attacks can be mounted with relative ease, it is clear that defending against them is essential, looking at the growth of cloud and web services. Second, this paper proposes an intelligent, fast and adaptive system for detecting XML and HTTP application layer attacks. The intelligent system works by extracting several features and using them to construct a model of typical requests. Finally, outlier detection can be used to detect malicious requests. Furthermore, the intelligent defense system is capable of detecting spoofing and regular flooding attacks. The system is designed to be inserted in a cloud environment where it can transparently protect the cloud broker and even cloud providers. To test its effectiveness, the defense system was deployed to protect web services running on WSO2 with Axis2, the de facto standard for open source web service deployment. The proposed defense system demonstrates its capability to effectively filter out the malicious requests, whilst generating a minimal amount of overhead for the total response time.

Introduction

During a denial-of-service (DoS) attack, the attacker tries to overload the victim’s resources, resulting in a reduced or denied service for legitimate users who are trying to access the victim’s services. In a distributed case, the attacker recruits zombies by infecting numerous machines across the Internet, creating a botnet. These distributed botnets can be used to drastically multiply the strength of the attack. Moreover, distribution makes it difficult to filter out malicious sources and hides the true identity of the attacker orchestrating the assault. These distributed denial-of-service (DDoS) attacks are one of the most devastating and realistic cyber threats today, as they can effectively ruin the service, profits and reputation of any organization operating through the Internet. Furthermore, specific knowledge of the victim’s infrastructure is hardly necessary. Botnets can therefore easily be re-targeted at a new victim with a minimum of effort.

With the rise of cloud computing and web services, even more dependency is put on the security and availability of resources accessible over the Internet [1]. It is crucial that services remain operational, making them an attractive target for attackers. Additionally, Economic Denial-of-Sustainability (EDoS) introduces an additional motive: these are attacks which aim at consuming resources to drive up the cost of cloud computing [2].

Recently, a new kind of vulnerability has surfaced: application layer denial-of-service (DoS) attacks targeting web services. These attacks aim at consuming resources by sending SOAP requests that contain malicious content. Generally, they target the possible heavy resource demands induced by a request to a web service. The malicious requests cannot be detected on the TCP/IP layer, as they appear as legitimate packets.

The current security specifications for web services, such as WS-Security, do not consider the problem of availability. They only address confidentiality, integrity and authorization. Moreover, these specifications themselves introduce additional weaknesses for application layer DoS attacks. It is clear that a new kind of defense system has to be designed to counter this type of attack.

As described in [3], we can distinguish between two major DoS threats against web services on the application layer: HTTP and XML attacks.

  • XML attacks target web services that communicate through XML documents. SOAP mostly uses XML for passing data between the client and server. Attackers construct malformed XML requests and send these to the web service. Even a single malformed request might be extremely resource intensive to process. Hence, the attacker can cause considerable harm with a minimum amount of resources.

  • An HTTP attack is very rudimentary: the attacker floods a web service with non-specific HTTP requests. As the web service tries to process all requests and the particular service requires heavy use of resources, a denial-of-service is easily achieved.
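As an added illustration written for this page (not code from the paper), the following Python script shows one generic way to spot the flooding behaviour described in the second bullet: a per-source sliding-window request counter replayed over access-log lines. The log lines, the 10-second window, the threshold of 20 requests and the service path /axis2/services/Order are assumptions made here; the paper's own HTTP inspection logic is not shown on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line: src ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (source, timestamp, request-line) or None for an unparsable line."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    ts = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return match.group("src"), ts, match.group("req")


class FloodDetector:
    """Sliding-window request counter per source address.

    window_seconds and max_requests are assumed tuning values; a source is
    flagged once it has more than max_requests requests inside the window.
    """

    def __init__(self, window_seconds=10, max_requests=20):
        self.window = timedelta(seconds=window_seconds)
        self.max_requests = max_requests
        self.history = defaultdict(deque)  # src -> timestamps inside the window

    def observe(self, src, ts):
        recent = self.history[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop requests that fell out of the window
        return len(recent) > self.max_requests


def detect_flooders(lines, window_seconds=10, max_requests=20):
    """Replay log lines in order; return {source: time it was first flagged}."""
    detector = FloodDetector(window_seconds, max_requests)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip a corrupt line instead of aborting the whole replay
        src, ts, _request = parsed
        if src not in flagged and detector.observe(src, ts):
            flagged[src] = ts
    return flagged


# --- Constructed access log (not from the paper) ------------------------------
def _log_line(src, ts, path):
    return f'{src} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "POST {path} HTTP/1.1" 200 512'


_T0 = datetime(2014, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
_SERVICE = "/axis2/services/Order"  # assumed service path
# A normal client: six requests spread over a minute.
_NORMAL = [_log_line("10.0.0.5", _T0 + timedelta(seconds=12 * i), _SERVICE) for i in range(6)]
# A flooding client: sixty requests within about three seconds.
_FLOOD = [_log_line("10.0.0.9", _T0 + timedelta(seconds=20, milliseconds=50 * i), _SERVICE)
          for i in range(60)]
LOG_LINES = sorted(_NORMAL + _FLOOD, key=lambda line: parse_line(line)[1])

if __name__ == "__main__":
    for src, first_seen in detect_flooders(LOG_LINES).items():
        print(f"flood from {src}, first flagged at {first_seen.isoformat()}")
```

Counting per source only makes sense once the lower-layer defense the paper recommends has already dealt with spoofed packets, since an HTTP request implies a completed TCP connection; the window and threshold would in practice be tuned per service from the logged traffic, as the paper does for its α parameter.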

This paper proposes a system for defending against these two types of application layer threats. However, it must be made clear that the proposed defense system is specific for threats involved with web service deployment. It does not replace the lower-layer DDoS defense systems that target network and transportation attacks. Therefore, for complete protection, it is recommended that such a defense mechanism precedes the proposed system.

Section snippets

Related work

Jensen et al. [4] conducted a thorough research on the vulnerabilities in the current SOAP specifications and frameworks. Several of these attacks target the availability of the web service, such as coercive parsing, oversize payload, oversize cryptography and attack obfuscation. Furthermore, the paper provides several possible counter measures. One of the most prominent suggestions is the use of a stream-based XML parser such as SAX [5]. Originally, Document Object Model (DOM) parsers were

Attacks

First, an overview of all regarded attacks is given. Second, an attack-generating tool is presented. It is able to test the regarded attacks on a web service implementation, Axis2 in this case. Finally, the confirmed vulnerabilities are discussed.

Architecture

This section discusses the architecture involved in implementing the proposed defense system in a cloud environment. First, the cloud architecture without any defense system is reviewed. Then, the secure architecture is introduced.

Filter design

The core concept of the filter is to determine a normal usage profile for each web service or web service operation. This profile is represented by Gaussian models, defined by means and standard deviations of several features, such as content-length, number of elements, nesting depth, longest element, attribute and namespace. These models are based on datasets constructed from the logged features of previous requests. Using these models, outliers can be detected to distinguish abnormal requests
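The filter described above, as an added example written for this page (not the authors' implementation): a SAX-style streaming pass using Python's expat binding collects the six features named in the text, a per-feature Gaussian profile (mean, standard deviation) is fitted on logged benign requests, and a request is rejected when any feature's z-score exceeds α. The SOAP bodies, the value α = 3, the hard nesting cap of 64, and the exact definitions of "longest attribute" (name plus value) and "longest namespace" (longest declared xmlns value) are assumptions.

```python
import math
import xml.parsers.expat

# The six request features named in the paper's filter design.
FEATURES = ("content_length", "num_elements", "nesting_depth",
            "longest_element", "longest_attribute", "longest_namespace")


class DepthLimitExceeded(Exception):
    """Raised when the streaming parser sees nesting beyond the hard cap."""


def extract_features(body, max_depth=64):
    """Stream over one SOAP/XML body (SAX-style, no DOM tree) and collect features.

    Parsing aborts as soon as the nesting depth passes max_depth, so a deeply
    nested document cannot exhaust the filter itself. max_depth is an assumed value.
    """
    stats = dict.fromkeys(FEATURES, 0)
    stats["content_length"] = len(body)
    depth = 0

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise DepthLimitExceeded(depth)
        stats["num_elements"] += 1
        stats["nesting_depth"] = max(stats["nesting_depth"], depth)
        stats["longest_element"] = max(stats["longest_element"], len(name))
        for attr_name, attr_value in attrs.items():
            if attr_name == "xmlns" or attr_name.startswith("xmlns:"):
                # Assumed definition: longest namespace = longest declared namespace URI.
                stats["longest_namespace"] = max(stats["longest_namespace"], len(attr_value))
            else:
                # Assumed definition: longest attribute = name plus value length.
                stats["longest_attribute"] = max(stats["longest_attribute"],
                                                 len(attr_name) + len(attr_value))

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(body, True)  # an exception raised in a handler propagates out of Parse()
    return stats


def fit_model(training_bodies):
    """Fit the per-feature Gaussian profile (mean, std) from logged benign requests."""
    rows = [extract_features(body) for body in training_bodies]
    model = {}
    for feature in FEATURES:
        values = [row[feature] for row in rows]
        mean = sum(values) / len(values)
        variance = sum((v - mean) ** 2 for v in values) / len(values)
        model[feature] = (mean, math.sqrt(variance))
    return model


def z_score(value, mean, std):
    """Distance from the mean in standard deviations; a zero-variance feature tolerates no deviation."""
    if std > 0:
        return abs(value - mean) / std
    return 0.0 if value == mean else math.inf


def classify(model, body, alpha=3.0, max_depth=64):
    """Return ("accept", []) or ("reject", [reasons]) for one request body."""
    try:
        feats = extract_features(body, max_depth)
    except DepthLimitExceeded:
        return "reject", ["nesting_depth exceeds hard cap %d" % max_depth]
    except xml.parsers.expat.ExpatError as exc:
        return "reject", ["malformed XML: %s" % exc]
    reasons = [f for f in FEATURES if z_score(feats[f], *model[f]) > alpha]
    return ("reject", reasons) if reasons else ("accept", [])


# --- Constructed sample traffic (not from the paper) -------------------------
def soap_order(n_items):
    """A benign-looking placeOrder request with n_items line items (constructed)."""
    items = "".join(f'<item id="{i}">value</item>' for i in range(n_items))
    return (
        '<?xml version="1.0"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:svc="http://example.invalid/order">'
        f"<soapenv:Body><svc:placeOrder>{items}</svc:placeOrder></soapenv:Body>"
        "</soapenv:Envelope>"
    ).encode()


# Outlier inputs of the kinds the paper discusses, kept small here.
NESTED_REQUEST = (
    '<?xml version="1.0"?>'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body>" + "<a>" * 40 + "</a>" * 40 + "</soapenv:Body></soapenv:Envelope>"
).encode()
DEEP_REQUEST = ("<root>" + "<a>" * 500 + "</a>" * 500 + "</root>").encode()

TRAINING = [soap_order(n) for n in range(1, 11)]  # logged "normal" requests
MODEL = fit_model(TRAINING)

if __name__ == "__main__":
    for label, body in [("normal", soap_order(7)), ("oversize", soap_order(2000)),
                        ("nested", NESTED_REQUEST), ("deep", DEEP_REQUEST)]:
        print(label, classify(MODEL, body))
```

Two design points carry over from the paper's text: the features are gathered in a single streaming pass, so the filter never pays the DOM-building cost the related-work section warns about, and the depth cap means the filter rejects a coercive-parsing document before fully reading it. A feature whose training values never vary (here the nesting depth) gets a zero standard deviation and therefore rejects any deviation at all, which is why the paper leaves α and the training set to be tuned per service.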

Experimental setup

The experimental setup deployed in the Cloud Resource Broker (CRB) is shown in Fig. 5. The CRB is installed on a server with 4 CPUs; each CPU is a quad-core processor running at 2 GHz, with 16 GB of RAM and CentOS 5.5 as the operating system. The hardware details of the cloud resources configured on the Anna University campus are shown in Table 2.

The Eucalyptus 2.0.3 middleware is installed for managing the cloud resources. The Eucalyptus-based cloud resources are configured with

Conclusion

It is clear that application-layer vulnerabilities pose an enormous risk to the availability of web services. The tested attacks proved able to clog up a web server with a minimum of attack resources. A distributed attack is not even necessary: a single machine, and even a single request, proved sufficient to execute a successful denial-of-service attack.

To mitigate this risk, a defense system is proposed and implemented. The system tests concluded that it is effective at detecting and

Future work

Further integration into the cloud environment must be investigated. At present, the system has only been implemented to protect the cloud broker. Its low overhead might enable it to be used to protect all web servers. Additionally, the use of a shared, distributed dataset, or even common models, should be considered to improve the scalability and effectiveness of the system deployed in a distributed environment. Furthermore, adjustment of the α parameter, according to the gathered training data

Acknowledgments

I, Thomas Vissers, would like to thank the people from The Centre for Advanced Computing Research and Education (CARE) at Anna University for making this research possible. Furthermore, I would like to express my gratitude towards Karthikeyan Panneerselvam, Avinash Nidhi and Shyam Narayan for their invaluable hospitality, and towards family and friends for their support.

We thank the reviewers for their valuable comments.

Thomas Vissers is a Master of Applied Engineering: Electronics—ICT at the Artesis University College Antwerp, Belgium. For his Master's thesis, he conducted research at the Centre for Advanced Computing Research and Education (CARE) at Anna University, India. Recently, he started working as a security researcher at DistriNet, KU Leuven.

References (24)

  • A. Chonka et al., Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks, J. Netw. Comput. Appl. (2011)
  • P. Varalakshmi et al., Thwarting DDoS attacks in grid using information divergence, Future Gener. Comput. Syst. (2013)
  • A.S. Nitin Singh Chauhuan, Cryptography and cloud security challenges, CSI Commun. (2013)
  • B. Cha et al., Study of multistage anomaly detection for secured cloud computing resources in future internet
  • M. Jensen et al., A survey of attacks on web services, Comput. Sci.-Res. Dev. (2009)
  • About SAX, Apr. 2004. [Online]. Available: ...
  • D. Sosnoski, Java web services: Metro vs. Axis2 performance, Jan. 2010. [Online]. Available: ...
  • N. Gruschka et al., Protecting web services from DoS attacks by SOAP message validation, Secur. Priv. Dyn. Environ. (2006)
  • C.I. Pinzón et al., S-MAS: an adaptive hierarchical distributed multiagent architecture for blocking malicious SOAP messages within web services environments, Expert Syst. Appl. (2010)
  • I. Siddavatam et al., Comprehensive test mechanism to detect attack on web services
  • E. Menahem, A. Schclar, L. Rokach, Y. Elovici, Securing your transactions: detecting anomalous patterns in XML ...
  • A. Mohamed Ibrahim, L. George, K. Govind, S. Selvakumar, Threshold based kernel level HTTP filter (TBHF) for DDoS ...
Cited by (62)

  • Distributed denial of service attack detection in E-government cloud via data clustering (2022, Array)

    Citation excerpt: Due to these features, the DDoS attack covers not only traditional networks but also a network of higher technologies. Since DDoS attacks can occur in different layers of the Internet, including the cloud, methods of countering attacks must be designed and used in separate layers [4,35]. The working principle of the protection mechanism of each layer is different.

  • Mitigating TCP SYN flooding based EDOS attack in cloud computing environment using binomial distribution in SDN (2022, Computer Communications)

    Citation excerpt: Also, there are several proposed simulation platforms to measure and analyze the impact of EDOS attacks on CCE. To detect traffic anomaly and defend new types of DDoS attacks, there are multiple approaches, statistical anomaly detection [28–37], artificial intelligence-based approach [38–40], data mining approach [41–45], machine learning-based approach [46,47], classifiers-based [48–53], signature-based [54–57] and hybrid anomaly detection [58–66]. A comparative summary of all the approaches is shown in Table 1 and based on the comparison, statistical anomaly detection is used in this research.

  • Distributed denial of service attacks in cloud: State-of-the-art of scientific and commercial solutions (2021, Computer Science Review)

    Citation excerpt: After confirmation that DDoS attack has been detected is received, the packets are discarded. Vissers et al. [103] have stated that attacks on web service consume resources by forwarding SOAP requests that contain malicious XML content like oversized XML document, oversized encryption, deeply nested XML structures, spoofed Reply To and Fault To addresses. The defence mechanism consists of a filter in the cloud architecture for HTTP header inspection and XML content inspection.

Thamarai Selvi Somasundaram is working as Professor and Dean at the MIT Campus, Anna University, Chennai, India. She received her Ph.D. in Computer Science and Engineering from Manonmaniam Sundaranar University, Tirunelveli. Her areas of interest include Artificial Intelligence, Neural Networks, Grid Computing, Grid Scheduling, Semantic Technology, Virtualization and Cloud Computing. She is the Principal Investigator for the CARE project funded by the Department of Information Technology, Ministry of Communication and Information Technology, New Delhi. She is a reviewer for Future Generation Computing Systems (FGCS), Journal of Grid Computing, Journal of Parallel and Distributed Computing, Transactions on Mobile Computing and IEEE Transactions on Data and Knowledge Engineering.

Luc Pieters is a professor of communication networks and head of the department of Applied Engineering: Electronics—ICT at the Artesis University College Antwerp, Belgium. He completed his civil engineering studies in electronics at the VU Brussel in 1975. In the initial phase of IMEC he took part in the training of chip designers. He obtained a special degree in informatics at the VU Brussel in 1984. He was also a member of the Academic Staff of the Postacademic Programme Telecommunications and Telematics at the University of Antwerp. He organized a 12-week TACIS training session for staff members of MMT in Moscow. He was coordinator and contractor of a Tempus project that enhanced the post-academic degree for telecom engineers at the Tashkent Electrotechnical University of Telecommunications.

Kannan Govindarajan received the B.E. degree in Information Technology from Bharathidasan University. He completed his M.S. (by Research) degree in computer science and engineering at Anna University, Chennai, in the area of grid scheduling in virtualized grid environments. He is currently doing his Ph.D. at Anna University. He has seven years of research and development experience. His areas of interest include Grid Computing, Grid Scheduling, Semantic Technology, Virtualization and Cloud Computing. He is currently working as a Senior Research Associate in CARE, MIT Campus, Anna University. In 2012 he was invited to visit Athabasca University, Canada, for research interaction and development.

Peter Hellinckx obtained his Master in Computer Science and his Ph.D. in Science from the University of Antwerp in 2002 and 2008, respectively. His master's thesis dealt with the interpretation of 2D sketches. His Ph.D. was titled "The evolution towards Desktop Grid systems, problems and solutions". In 2009 he joined TERA-Labs at the Karel de Grote University College, where he became a senior researcher responsible for the distributed computing research group. In 2013 he became a professor with the faculty of applied engineering (Electronics-ICT) at the University of Antwerp and joined CoSys-Lab, where he is responsible for the distributed computing research team.