A Virtual Firewall Mechanism Using Army Nodes to Protect Cloud Infrastructure from DDoS Attacks

Jeyanthi, N; Mogankumar, P. C.

doi:10.2478/cait-2014-0034

Abstract

Cloud is not exempted from the vulnerability of Distributed Denial of Service (DDoS) attack, a serious threat to any distributed network and has considerably less effective solutions to deploy in the network. This paper introduces a novel mechanism to protect and prevent the cloud from the spurious packets targeting the depletion of server resources. The army nodes called “Cloud DDoS Attack Protection” (CDAP) nodes are installed at the cloud server farm/ Datacenter (DC). These army nodes act as virtual firewall without destroying the Cloud Infrastructure and improve the availability of DC, even at the time of DDoS attack. By continuously monitoring the incoming packets, CDAP filters the attack packets intruding the Cloud DC. Availability is further improved by handing over the threat detection and attack mitigation to CDAP nodes and by redirecting the malicious user requests to the dump network. The simulation results prove that the introduction of CDAP nodes improve the availability and reduce the response time and the cost incurred.

References

1. Zissis, D., D. Lekkas. Addressing Cloud Computing Security Issues. - Future Generation Computer Systems, Vol. 28, 2012, 583-592.10.1016/j.future.2010.12.006
Search in Google Scholar
2. Du, P., A. Nakao. OverCourt: DDoS Mitigation through Credit-Based Traffic Segregation and Path Migration. - Computer Communications, Vol. 33, 15 December 2010, No 18, 2164-2175.10.1016/j.comcom.2010.09.009
Search in Google Scholar
3. Lent, R. Evaluating a Migration-Based Response to DoS Attacks in a System of Distributed Auctions. - Computers & Security, Vol. 31, May 2012, No 3, 327-343.10.1016/j.cose.2012.01.001
Search in Google Scholar
4. Liu, Xiao-Ming, Gong Cheng, Miao Zhang, Shou-Shan Luo. On a Novel Pattern of Distributed Low-Rate Denial of Service Attacks. - The Journal of China Universities of Posts and Telecommunications, Vol. 18, December 2011, No 2, 113-118.10.1016/S1005-8885(10)60161-6
Search in Google Scholar
5. Chonka, A., Yang Xiang, Wanlei Zhou, Alessio Bonti. Cloud Security Defense to Protect Cloud Computing Against HTTP-DoS and XML-DoS Attacks. - Journal of Network and Computer Applications, Vol. 34, July 2011, No 4, 1097-1107.10.1016/j.jnca.2010.06.004
Search in Google Scholar
6. Lombardi, F., R. Di Pietro. Secure Virtualization for Cloud Computing. - Journal of Network and Computer Applications, Vol. 34, July 2011, No 4, 1113-1122.10.1016/j.jnca.2010.06.008
Search in Google Scholar
7. Janczewski, Dr L. J., D. Reamer, J. Brendel. Handling Distributed Denial-of-Service Attacks. - Information Security Technical Report, Vol. 6, 2001, 37-44.10.1016/S1363-4127(01)00306-5
Search in Google Scholar
8. Chen, Shigang, Yibei Ling, Randy Chow, Ye Xia. AID: A Global Anti-DoS Service. - Computer Networks, 2007, 4252-4269.10.1016/j.comnet.2007.05.005
Search in Google Scholar
9. Goscinski, A., M. Brock. Toward Dynamic and Attribute Based Publication, Discovery and Selection for Cloud Computing. - Future Generation Computer Systems, Vol. 26, 2010, 947-970.10.1016/j.future.2010.03.009
Search in Google Scholar
10. Iqbal, W., M. N. Dailey, D. Carrera, P. Janecek. Adaptive Resource Provisioning for Read Intensive Multi-Tier Applications in the Cloud. - Future Generation Computer Systems, Vol. 27, 2011, 871-879.10.1016/j.future.2010.10.016
Search in Google Scholar
11. Vecchiola, C., R. N. Calheiros, D. Karunamoorthy, Rajkumar Buyya. Deadline-Driven Provisioning of Resources for Scientific Applications in Hybrid Clouds with Aneka. - Future Generation Computer Systems, Vol. 28, 2012, 58-65.10.1016/j.future.2011.05.008
Search in Google Scholar
12. Wang, Kuochen, Chun-Ying Huang, Shang-Jyh Lin, Ying-Dar Lin. A Fuzzy Pattern-Based Filtering Algorithm for Botnet Detection. - Computer Networks, Vol. 55, 2011, 3275-3286.10.1016/j.comnet.2011.05.026
Search in Google Scholar
13. Nathani, Amit, Sanjay Chaudhary, Gaurav Somani. Policy Based Resource Allocation in IaaS Cloud. - Future Generation Computer Systems, Vol. 28, 2012, 94-103.10.1016/j.future.2011.05.016
Search in Google Scholar
14. Arshad, Junaid, Paul Townend, Jie Xu. A Novel Intrusion Severity Analysis Approach for Clouds. - Future Generation Computer Systems, 16 August 2011, ISSN 0167-739X. 10.1016/j.future.2011.08.009.
Search in Google Scholar
15. Varalakshmi, P., S. Thamarai Selvi. Thwarting DDoS Attacks in Grid Using Information Divergence. - Future Generation Computer Systems, 18 November 2011. ISSN 0167-739X. 10.1016/j.future. 2011.10. 012.
Search in Google Scholar
16. Gutierrez-Garcia, J. O., K. M. Sim. A Family of Heuristics for Agent-Based Elastic Cloud Bag-of-Tasks Concurrent Scheduling. - Future Generation Computer Systems. ISSN 0167-739X. 10.1016/j.future.2012.01.005.
Search in Google Scholar
17. Sabahi, Farzad. Cloud Computing Security Threats and Responses. - In: Proc. of IEEE 3rd International Conference on Communication Software and Networks, 2011, 245-249.10.1109/ICCSN.2011.6014715
Search in Google Scholar
18. Du, Ping, Akhiro Nakao. DDoS Defense as a Network Service. - In: Proc. of IEEE/IFIP Network Operations and Management Symposium, 2010, 894-897.10.1109/NOMS.2010.5488345
Search in Google Scholar
19. Chen , Q i, Wenmin Lin, Wanchun Dou, Shui Yu. CBF: A Packet Filtering Method for DDoS Attack Defense in Cloud Environment. - In: Proc. of 9th IEEE International Conference on Dependable, Autonomic and Secure Computing, 2011, 427-434.
Search in Google Scholar
20. Lee, Heejo, Kihong Park. On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack. - In: Proc. of INFOCOM, 2001, 338-347.
Search in Google Scholar
21. Savage, S., Wetherall, D. Karlin, A. Tom, A. Tom. Practical Network Support for IP Traceback. - SIGCOMM, Vol. 30, 2000, No 4, 295-306.10.1145/347057.347560
Search in Google Scholar
22. Ioannidis, J., S. M. Bellovin. Implementing Pushback: Router-Based Defense Against DDoS Attacks. - In: Proc. of Network and Distributed System Security Symposium, Vol. 2, February 2002.
Search in Google Scholar
23. Yaar, A., A. Perrig, D. Song. Pi: A Path Identification Mechanism to Defend against DDoS Attacks. - In: Proc. of IEEE Symposium on Security and Privacy, 2003, 93-107.
Search in Google Scholar
24. Joshi, K. R. G. Bunker, F. Jahanian, A. P. A. van Moorsel, J. Weinman. Dependability in the Cloud: Challenges and Opportunities. - In: Proc. of 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN, 2009, Estoril, Lisbon, Portugal, 29 June-2 July 2009, 103-104.10.1109/DSN.2009.5270350
Search in Google Scholar
25. Sqalli, M. H., F. Al-Haidari, K. Salah. EDoS-Shield - A Two-Steps Mitigation Technique Against EDoS Attacks in Cloud Computing. - In: Proc. of 4th IEEE International Conference on Utility and Cloud Computing, December 2011, 49-56.10.1109/UCC.2011.17
Search in Google Scholar
26. Jain, Pritesh, Dheeraj Rane, Shy am Patidar. A Survey and Analysis of Cloud Model-Based Security for Computing Secure Cloud Bursting and Aggregation in Renal Environment. - In: Proc. of World Congress on Information and Communication Technologies, December 2011, 456-461.10.1109/WICT.2011.6141288
Search in Google Scholar
27. Jung, J., B. Krishnamurthy, M. Rabinovich. Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites. - In: Proc. of 11th International Conference on World Wide Web (WWW’02), ACM, 2002, 293-304.
Search in Google Scholar
28. Buyya, Rajkumar, R ajiv Ranjan, R. N. Calheiros. Modeling and Simulation of Scalable Cloud Computing Environments and the CloudSim Toolkit: Challenges and Opportunities. - In: Proc. of 7th High Performance Computing and Simulation Conference (HPCS), 21-24 June 2009. 10.1109/HPCSIM.2009.5192685
Search in Google Scholar

A Virtual Firewall Mechanism Using Army Nodes to Protect Cloud Infrastructure from DDoS Attacks

Abstract

Paradigm

My account