Cloud Computing to Combat DDOS

Last reviewed: March 31, 2011

Cloud Computing to Protect Against DDOS Attacks

Distributed Denial of Service (DDoS) attacks have pervaded the online computing and networking environment globally. Such attacks have disrupted the operations of major web search engines and have undermined the online security infrastructure that institutions such as multinational banks rely on every day to protect their customers. DDoS represents a 21st-century mode of international conflict and a new way for criminal hackers to wreak havoc on largely unsuspecting victims. According to Vijayan (2004), "A DDoS attack typically involves thousands of compromised "zombie" systems sending torrents of useless data, or requests for data, to targeted servers or networks." (Vijayan, 2004)

The DDoS attack is described by Yuan & Mills (2005): "A DDoS attack is a simultaneous network attack on a victim (e.g., a Web server or a router) from a large number of compromised hosts, which may be distributed widely among different, independent networks. By exploiting asymmetry between network-wide resources and local capacities of a victim, a DDoS attack can build up an intended congestion very quickly at an attacked target. The Internet routing infrastructure, which is stateless and based mainly on destination addresses, appears extremely vulnerable to such coordinated attacks." (Yuan, Mills, 2005)

The problem is initially described by Lynn (2009). According to Lynn, "There has also been growing concern about the security and reliability of the cloud-based world in which both Google Docs and Apps reside. Recent incidents of Distributed Denial-of-Service, or DDoS, attacks have brought sites and other cloud-based platforms like Twitter and Facebook to standstills, albeit temporary ones. Even Google's mail service, Gmail, has had extended outages. Back in September, tens of millions of Gmail users were unable to access Gmail for about 100 minutes. The outage occurred after Google took some servers offline for routine maintenance and the remaining routers just sort of died after becoming overloaded by network traffic." (Lynn, 2009)

Since a DDoS attack works by bombarding the target's bandwidth with streams of packets that pile up and produce a 'bottleneck' effect, rendering the site effectively inoperable, the ability to prevent this choke point is the key to defending against such attacks. There are ways to accomplish this without the cloud, but the cloud is an easier and less expensive alternative to systematically shifting service from server to server to confuse the attackers and prevent the choke point from forming.

According to Moss & Zierick (2011), "We believe the cloud holds the promise of being more secure than traditional computing models. The false sense of comfort that organizations gain from keeping security within their own four walls can lead to poor monitoring and over-zealous trust -- a challenge that by its very nature does not exist in outsourced activities such as cloud. The myth of the cloud is that you take your data and give it to a third party -- an oversimplification of cloud adoption. In reality, as organizations move to cloud technology they do so in a very deliberate fashion, often determined by the specific purpose or work they want to accomplish. When organizations look beyond these factors they will realize that cloud computing offers the opportunity to achieve, not only greater security of information, but also financial benefits and access to world-class security expertise." (Moss, Zierick, 2011)

Security in the cloud, according to Moss & Zierick (2011), "Once an organization has moved its data to the cloud it has lost all control of that data. Cloud computing is a security nightmare. An organization will have no control over who can see its data and even steal it. Yes, cloud vendors could have access to a better class of security experts, but the question is, will they? Or will they do like most companies and go for the cheapest talent around rather than the best talent around? Willie Sutton, a noted bank robber, is credited with saying that he robbed banks because "that's where the money is." The cloud vendors are going to be the largest target for focused attacks that try and get ALL of the data from cloud providers in a breach. Your data could get exposed through an attack on cloud providers that are hosting another high-profile company's data." (Moss, Zierick, 2011)

Recent attacks against companies including Visa and PayPal, launched after they cut off contact with the notorious WikiLeaks, have led companies to prepare for a global cyber war. According to Fowler & Tuna (2010), "The Web industry offers an arsenal of weapons against denial-of-service attacks, often selling them as services to corporations that can't afford to set up those technologies in-house. Such services are often used to market the "cloud computing" industry, which urges corporations to move many of their computing tasks online to services that distribute the load across many servers, often in multiple locations." (Fowler, Tuna, 2010)

Additionally, according to Fowler & Tuna (2010), "Denial-of-service attacks are "the kind of thing that will never go away," says Rich Mogull, an analyst at research and consulting firm Securosis. But the more bandwidth a business has, the less likely an attack is to succeed. Bringing down a large website like Amazon.com or PayPal isn't easy because such sites are used to dealing with large volumes of traffic." (Fowler, Tuna, 2010)

According to Connelly (2001), "The problem behind DDoS attacks is that, in the last decade, companies have become dependent on the Internet for communications and revenue. If you're Amazon, eBay, or Yahoo, to name a few companies for which the Internet is lifeblood, a DDoS attack that lasts hours can mean millions in lost revenue. Fortunately vendors are lining up with products and services for enterprises and ISPs that are designed to give potential victims the upper hand. Whether these are offered via a service model such as Arbor Networks' Peakflow, TrafficMaster Inspector, and Vantage System take a lot of the guesswork out of tracing DDoS assaults by using advanced router features that report on traffic flows moving via the router interfaces. The solutions put information at the fingertips of network managers instead of forcing them to spend hours rubbing through system logs." (Connelly, 2001)

According to Information Week Online (2010), "Expect many current types of attacks to become more nuanced, including distributed denial of service (DDoS) attacks. Today, the majority involve brute force -- overwhelming targeted data centers and carriers' backbone links with traffic, at a rate of sometimes more than 50 Gbps, said Craig Labovitz, chief scientist at Arbor Networks." (Information Week Online, 2010)

According to Information Week Online (2010), "But more pinpointed attacks are also growing more sophisticated and therefore more effective. "Service or application-level attacks may focus on a series of Web or API calls that force an expensive database transaction or calls to slow storage servers. Accordingly, attackers may spend weeks reconnoitering and identifying weak links, then unleash a highly tuned attack that is effective, yet may be barely noticeable. "Unlike massive DDoS traffic floods, application attacks can be far more subtle and may only register as increased load on servers or a precipitous drop in five-minute real-time sales revenue charts" said Labovitz." (Information Week Online, 2010)

According to Yuan & Mills (2003), "Unfortunately, an attack victim cannot defeat a flooding attack simply through detection. Instead, attack packets must be filtered in transit networks, preferably close to attack sources, before they converge on the victim. Attempts in transit networks to detect such attacks often lead to a high false-alarm rate. Similarly, networks hosting attack sources may observe only a normal outgoing pattern of Internet traffic, which shows a high variability. Most DDoS-related research has focused on detection mechanisms deployed near vulnerable servers, where incoming attack traffic could deny access to legitimate users. Many mechanisms attempt to detect attacks by analyzing specific features, e.g., header information, connection counts, correlations, and congestion." (Yuan, Mills, 2003)

According to Yuan & Mills (2003), "The approach we propose aims at monitoring network traffic at a macroscopic level in order to reveal dynamic shifts in congestion patterns, which might signal onset of a DDoS attack. Our method reveals possible attacks without observations near the victim. On the other hand, our technique cannot readily distinguish the cause of observed congestion, which might result from flash crowds or partial network outages, as well as from DDoS attacks. For this reason, our method can only serve as an alert function to trigger more detailed monitoring mechanisms, focused on particular points where congestion appears. Incorporating our approach could permit such processes to be activated only where and when needed." (Yuan, Mills, 2003)

According to Yuan & Mills (2003), "Creating defenses for DDoS attacks requires monitoring dynamic network activities in order to obtain timely and significant information. While much current effort focuses on detecting constant-rate attacks, attack patterns appear likely to become more sophisticated. Our simulation results show that macroscopic-level monitoring could capture shifting traffic patterns during transient periods with relatively few observation points." (Yuan, Mills, 2003)

The method of detection proposed by Yuan & Mills (2003) is reactive, in the sense that it raises an alert only once congestion has begun to shift; proactive defense requires more than network packet surveillance. Recording the type of DDoS attack, its frequency, its duration and its aggressiveness provides clues as to who may be behind it. The victim can also disrupt the packet stream by appearing to go offline on the attacked address and port while moving legitimate service to an alternative address or port, which relieves the effects of the attack for as long as the attackers keep aiming at the old endpoint. Because attackers can redirect their compromised hosts to a new target, this buys time rather than ending the attack.
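The macroscopic alert function that Yuan & Mills describe (a shift in congestion seen at a few observation points, without inspecting packets near the victim), together with the attack characteristics the preceding paragraph says are worth recording, can be sketched as follows. This is an added example written for this page, not the authors' simulation code; the link names, utilisation samples and thresholds are constructed assumptions.

```python
"""Macroscopic congestion-shift alert in the spirit of Yuan & Mills (2003):
rather than inspecting packets near the victim, watch utilisation reported by a
few observation points (router links) and raise an alert when several of them
shift away from their recent baseline at the same time. The alert does not say
*why* congestion appeared (DDoS, flash crowd or outage); it only says where to
look more closely. All data below is constructed; the link names are hypothetical."""
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Constructed 5-minute link-utilisation samples (fraction of capacity) from four
# observation points. In the last three intervals the three links that carry
# traffic toward one destination network congest together; campus-b does not.
SAMPLES: Dict[str, List[float]] = {
    "ix-west":   [0.31, 0.33, 0.30, 0.34, 0.32, 0.33, 0.71, 0.88, 0.93],
    "ix-east":   [0.28, 0.27, 0.29, 0.30, 0.28, 0.29, 0.66, 0.84, 0.90],
    "transit-a": [0.45, 0.47, 0.44, 0.46, 0.45, 0.47, 0.80, 0.92, 0.95],
    "campus-b":  [0.12, 0.11, 0.13, 0.12, 0.14, 0.12, 0.13, 0.12, 0.13],
}

BASELINE_LEN = 6   # intervals immediately before a sample used as its "normal" reference
Z_THRESHOLD = 3.0  # standard deviations above baseline that count as a shift
MIN_STD = 0.02     # floor so a nearly flat baseline cannot make tiny noise look huge
MIN_POINTS = 2     # a correlated shift needs at least this many observation points at once


def zscore(baseline: List[float], value: float) -> float:
    """How many (floored) standard deviations `value` sits above the baseline mean."""
    sigma = max(pstdev(baseline), MIN_STD)
    return (value - mean(baseline)) / sigma


def shifted_points(samples: Dict[str, List[float]], index: int) -> List[str]:
    """Observation points whose utilisation at `index` departs upward from the
    BASELINE_LEN intervals immediately before it (sorted for stable output)."""
    if index < BASELINE_LEN:
        return []
    return sorted(
        name for name, series in samples.items()
        if zscore(series[index - BASELINE_LEN:index], series[index]) >= Z_THRESHOLD
    )


def detect_onset(samples: Dict[str, List[float]]) -> Optional[dict]:
    """First interval at which a correlated shift appears, or None.

    This is only an alert: the cause (attack, flash crowd, partial outage) is
    left undetermined, as the source method itself acknowledges."""
    length = len(next(iter(samples.values())))
    for t in range(BASELINE_LEN, length):
        points = shifted_points(samples, t)
        if len(points) >= MIN_POINTS:
            return {"onset": t, "points": points, "cause": "undetermined"}
    return None


def attack_profile(samples: Dict[str, List[float]], onset: int) -> dict:
    """Duration and aggressiveness of the shift from `onset` onward: the kind
    of characteristics worth recording before attributing or responding."""
    points = shifted_points(samples, onset)
    peaks = {name: max(samples[name][onset:]) for name in points}
    baseline = {name: mean(samples[name][onset - BASELINE_LEN:onset]) for name in points}
    return {
        "intervals": len(samples[points[0]]) - onset,        # how long it has lasted so far
        "peak_utilisation": max(peaks.values()),             # worst link utilisation seen
        "mean_rise": mean(peaks[n] - baseline[n] for n in points),  # average jump over baseline
    }


if __name__ == "__main__":
    alert = detect_onset(SAMPLES)
    print(alert)
    if alert:
        print(attack_profile(SAMPLES, alert["onset"]))
```

Run against the constructed samples, the alert fires at interval 6 on ix-east, ix-west and transit-a but not on campus-b; a spike on a single link never produces an alert, which is what makes the check "macroscopic". Everything after the alert (narrowing to the congested points, distinguishing a flash crowd from an attack) is the more detailed monitoring the authors say should be triggered, not replaced, by this function.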

Applying the monitoring framework described above within a cloud environment offers a substantially stronger security posture, enabling the transmission and storage of information in an environment where traffic toward the service is continuously monitored and attack onsets are recognizable. The strategy of using the cloud ostensibly removes the bottleneck because there is no single physical server to act as a chokepoint should an attacker direct a flood of packets at the target; the load is spread across many servers, often in multiple locations. That capacity is large but not unlimited, however: the Gmail outage cited by Lynn (2009) shows that a cloud provider's own routers can still be overloaded when traffic exceeds what the remaining infrastructure can absorb.

According to Koutepas, Stamatelopoulos, & Maglaris (2004), "Management-wise DDoS attacks present an interesting challenge since their nature makes them difficult to stop by the efforts of a single site. Factors that contribute to this are: (a) attackers most of the time spoof packets' source IP addresses; (b) the possibility of the attack initiating from a wide range of networks worldwide; and (c) the inability of a domain to enforce incoming traffic shaping; detected malicious flows can be blocked locally but the assistance of the upstream network is still needed in order to free the resources occupied on the incoming link. (Koutepas, Stamatelopoulos, Maglaris, 2004)

When attempting to counter a DDoS, the specific attack characteristics have to be determined locally and communicated to networks on the attack path (possibly through attack-congested lines) in order to take appropriate measures. According to the site's security policies the typical reactions implemented usually consist of setting up tailor-made blocking or throttling filters on active network components. Still, no matter how effective this response will be, the bandwidth penalty is present on all the domains along the attack path. To alleviate the resulting congestion extra steps must be taken and contacts must be made between these networks. The further we move from the victim, the more dispersed this procedure becomes and there is less immediate interest from the domains to help." (Koutepas, Stamatelopoulos, Maglaris, 2004)

Security considerations, according to Koutepas, Stamatelopoulos, & Maglaris (2004), include: "An attacker orchestrating a DDoS attack could "tune into" the right Multicast group (the one used by the Entities) and listen for signs of detection and response communications. Knowing such information could make it possible to direct the hostile machines to new attack patterns so that the malicious traffic can elude any newly installed filters. Another concern is that fake alert messages describing nonexistent events could initiate Entity responses to hinder legitimate traffic." (Koutepas, Stamatelopoulos, Maglaris, 2004)
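The second concern above, a fake alert that makes cooperating Entities throttle legitimate traffic, is an authentication problem: the receiving domain must be able to tell that an alert really came from a trusted peer and has not been altered or replayed. The following is an added example (not the authors' system) of how such alert messages can be signed and checked; the peer domain name, the pre-shared key and the alert fields are hypothetical, and the alerts are constructed.

```python
"""Authenticating inter-domain DDoS alert messages.

Koutepas, Stamatelopoulos & Maglaris (2004) warn that a fake alert describing
a nonexistent event could trigger responses that block legitimate traffic.
This added example (not from the source) signs every alert with HMAC-SHA256
over a canonical encoding and, on receipt, checks the tag, the timestamp and
a nonce, so forged, tampered, stale and replayed alerts are all rejected.
The peer names, key and alert fields are hypothetical; the alerts are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set

MAX_AGE_SECONDS = 120  # alerts older than this are ignored even with a valid tag


def canonical(alert: dict) -> bytes:
    """Deterministic JSON so sender and receiver MAC exactly the same bytes."""
    return json.dumps(alert, sort_keys=True, separators=(",", ":")).encode()


def sign_alert(sender: str, key: bytes, body: dict, now: Optional[float] = None) -> dict:
    """Wrap an alert body with sender, timestamp and nonce, then attach the tag."""
    alert = {
        "sender": sender,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),  # fresh per message, for replay detection
        "body": body,                     # e.g. victim address and requested action
    }
    alert["tag"] = hmac.new(key, canonical(alert), hashlib.sha256).hexdigest()
    return alert


class AlertReceiver:
    """Receiving Entity: holds one pre-shared key per trusted peer domain."""

    def __init__(self, peer_keys: Dict[str, bytes], max_age: int = MAX_AGE_SECONDS):
        self.peer_keys = peer_keys
        self.max_age = max_age
        self.seen_nonces: Set[str] = set()  # in practice, expire these along with old alerts

    def verify(self, alert: dict, now: Optional[float] = None) -> str:
        """Return 'ok' or a rejection reason. Only an 'ok' alert may install filters."""
        now = time.time() if now is None else now
        key = self.peer_keys.get(alert.get("sender"))
        if key is None:
            return "unknown-sender"
        unsigned = {k: v for k, v in alert.items() if k != "tag"}
        expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
        # Constant-time compare; a wrong key or any altered field fails here.
        if not hmac.compare_digest(expected, str(alert.get("tag", ""))):
            return "bad-tag"
        if abs(now - alert.get("ts", 0)) > self.max_age:
            return "stale"
        nonce = alert.get("nonce", "")
        if nonce in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(nonce)
        return "ok"


def demo() -> Dict[str, str]:
    """Run the genuine / replayed / tampered / forged / stale cases with fixed clocks."""
    key = b"\x01" * 32                            # constructed; use secrets.token_bytes(32)
    rx = AlertReceiver({"as64500.example": key})  # hypothetical peer domain
    body = {"victim": "198.51.100.7", "action": "rate-limit", "proto": "udp/53"}
    t0 = 1_700_000_000
    genuine = sign_alert("as64500.example", key, body, now=t0)
    results = {"genuine": rx.verify(genuine, now=t0 + 5)}
    results["replay"] = rx.verify(genuine, now=t0 + 30)          # same nonce seen again
    tampered = dict(genuine, body=dict(body, victim="198.51.100.8", action="block"))
    results["tampered"] = rx.verify(tampered, now=t0 + 5)        # body changed, tag no longer matches
    forged = sign_alert("as64500.example", b"attacker-guess", body, now=t0)
    results["forged"] = rx.verify(forged, now=t0 + 5)            # attacker lacks the peer key
    stale = sign_alert("as64500.example", key, body, now=t0 - 3600)
    results["stale"] = rx.verify(stale, now=t0)                  # valid tag, but an hour old
    return results


if __name__ == "__main__":
    print(demo())
```

The HMAC gives origin authentication and integrity, which addresses the fake-alert concern, but it does nothing for the first concern: an attacker who can join the multicast group still reads every alert in the clear. Hiding detection and response traffic from the attacker requires encrypting the messages or restricting group membership, and the pre-shared keys themselves have to be distributed between domains out of band.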

According to Fonseca (2001), "Asta Networks will unveil Vantage System, its new DDoS-prevention offering, this month. Deployed at various points in an enterprise or service provider network, Vantage System is a hardware appliance that uses software to survey and "flag" traffic for known or unknown anomalies. The product features sensors, which detect suspicious activity, and the coordinator, which interfaces with a variety of sensors and reports back to the user. Devich says his defense system integrates with network management platforms through SNMP, as well as Cisco and Juniper routers. In the fight against DoS attacks, users may be able to deflect a deluge that could strike from any origination point through a managed service approach, says John Pescatore, vice president and research director of network security at Stamford, Conn.-based Gartner." (Fonseca, 2001)

According to Vijayan (2004), ""The long-term answer to DDoS protection has to be in the [service provider] networks and backbones," said John Pescatore, an analyst at Stamford, Conn.-based Gartner, Inc. That's because upstream service providers are in a better position to detect and choke off traffic directed at a specific IP address, said Schneier. But putting in place extra server processing capacity to handle DDoS attacks can be expensive and is likely to make sense only for larger companies, Mockapetris said. "There's a bit of a digital divide when it comes to the ability of companies to defend themselves against these attacks," he said. As a result, it's a good idea to require service providers to offer some sort of guarantee against DDoS attacks, said Schneier. Gartner has in fact been advocating this for more than two years, urging users to include DDoS protection language in their service-level agreements with Internet service providers and data center hosting companies. But less than 1% of companies overall are buying such services, Pescatore said. "Most enterprises say, 'It isn't raining, so the roof isn't leaking. Why fix it?'" he said." (Vijayan, 2004)

PaperDue. (2011). Cloud Computing to Combat DDOS. PaperDue. https://www.paperdue.com/essay/cloud-computing-to-combat-ddos-11101
