Mitigating Economic Denial of Sustainability (Edos) in Cloud Computing Using In-Cloud Scrubber Service
All content following this page was uploaded by Madarapu Naresh Kumar on 01 June 2014.
Madarapu Naresh Kumar (1), P Sujatha (2), Vamshi Kalva (3), Rohit Nagori (4), Anil Kumar Katukojwala (5) and Mukesh Kumar (6)
(1) National Informatics Centre (NIC) under IVFRT Project, New Delhi, INDIA
(2) School of Engineering and Technology, Department of Computer Science, Pondicherry University, INDIA
(3) Indigo Technologies, Greater Chicago, Illinois, US.
(4) Quantitative Research Group at Evalueserve, Gurgaon, INDIA.
(5) Software Engineer, iGate at Pune, INDIA.
(6) Prasad Institute of Technology, Department of Computer Science, Uttar Pradesh Technical University (UPTU), INDIA
e-mail: madarapu.naresh@gmail.com; spothula@gmail.com; vamshi53@gmail.com; rohitnagori.cse@gmail.com; anilcsd@gmail.com; prof.mkg@gmail.com
Abstract— Cloud computing is not a new technology; it is a new way of delivering computing resources. Elastic cloud computing enables services to be deployed and accessed globally on demand with little maintenance by providing QoS as per the service level agreement (SLA) of the customer. Cloud-based DDoS attacks or outside DDoS attacks can make ostensibly legitimate requests for a service to generate an economic Distributed Denial of Service (eDDoS), where the elastic nature of the cloud allows scaling of the service beyond the economic means of the purveyor to pay their cloud-based service bills, which leads to Economic Denial of Sustainability (EDoS). Attacks mimicking legitimate users are on the climb. For cloud computing to remain attractive, the DDoS threat is to be addressed before it triggers the billing mechanism. This problem can be addressed by using a reactive/on-demand in-cloud eDDoS mitigation service (Scrubber Service) for mitigating application-layer and network-layer DDoS attacks with the help of an efficient client-puzzle approach.

Index Terms— Cloud computing, Economic Denial of Service (EDoS), Mitigation, Distributed Denial of Service (DDoS), cryptographic puzzles.

I. INTRODUCTION
In the age of virtualization and cloud, old-world denial-of-service attacks have become more targeted, causing new worries. Cloud computing has created a lot of buzz lately and many companies have started venturing into this domain and providing cloud-based services. Likewise, most companies have also started moving some of their IT operations on to the Cloud. Cloud computing has become the latest craze in a series of popular industry terms. Elastic cloud computing is an attractive proposition; it offers convenience in setup, on-demand capacity and a highly dependable computing platform while requiring little maintenance. These value propositions have spurred many businesses to adopt cloud computing technology.

With cloud computing, companies can scale up to massive capacities in an instant without having to invest in new infrastructure, train new personnel, or license new software. Cloud computing is of particular benefit to small and medium-sized businesses who wish to completely outsource their data-center infrastructure, or large companies who wish to get peak load capacity without incurring the higher cost of building larger data centers internally. In both instances, service consumers use what they need on the Internet and pay only for what they use.

The cloud computing model is causing a shift from DDoS to EDoS (Economic Denial of Sustainability). In an eDDoS, the elasticity of the cloud and the surplus of available resources might be used in such a way that large botnets generate seemingly legitimate "targeted" requests for service, causing the victim to cloudburst in order to keep pace with the scale of the requests. Even though the victim can sustain business operations, the cost of doing so may be so exorbitantly expensive that doing so threatens economic sustainability, i.e., the elastic property of the infrastructure allows scaling of the service beyond the economic means of the vendor to pay their cloud-based service bills.

Distributed Denial of Service (DDoS) attacks target web sites, hosted applications or network infrastructures by absorbing all available bandwidth and disrupting access for legitimate customers and partners. DDoS attacks can bring mission-critical systems and business operations to a halt, resulting in lost revenue opportunities, decreased productivity or damage to your reputation [2]. As a cloud-based eDDoS mitigation mechanism is itself susceptible to eDDoS, it is imperative to drop eDDoS traffic before it triggers the billing mechanism [1]. For cloud computing to remain attractive, the eDDoS threat is to be addressed. This can possibly be done by dropping eDDoS traffic before it triggers the billing mechanism. Hence, application-layer and network-layer DDoS attacks are to be mitigated.

The automation of attacks, spoofing and the rise in the number of infected clients available, as well as the ease with which HTTP-based botnets can be created, have all contributed to the evolution in sophistication of DDoS attacks. Most existing distributed denial-of-service (DDoS) mitigation proposals are reactive in nature, i.e., they are deployed to limit the damage caused by attacks after they are detected. Hence, we advocate proactive mechanisms that are ready to defend against DDoS attacks before they happen. Distributed denial-of-service is a grave problem that requires a complex solution.

The rest of the paper is organized as follows: Section II describes the background and related work. Section III describes the case study. Section IV describes the Service Level Agreement. Section V describes the proposed work and Section VI concludes the paper.
drop the DDoS before the billing mechanism starts for the service provider.

Fig. 2. eDDoS (Economic Distributed Denial of Service)

The aim of this agreement is to provide a basis for close co-operation between the Service Provider and End Users or Service Consumers, for support services to be provided by the Service Provider to End Users/Clients, thereby ensuring that a timely and efficient support service is available to End Users or Service Consumers. An SLA includes Service Terms in terms of QoS parameters, the delivery ability of the provider, the performance targets of the diverse components of the user's workloads, the bounds of guaranteed availability and performance, the measurement and reporting mechanisms, the cost of the service, the data set for renegotiation, and the penalty terms for SLA violation. Hence a violation of the SLA leads to penalties that should be paid to the dissatisfied customer [16]. According to Amazon, the SLA is a contract between customers and service providers on the level of service to be provided [15]. It contains the performance metrics (e.g., uptime, throughput, and response time), security and problem management details. The service provider is required to execute service requests from a customer within negotiated quality of service (QoS) requirements for a given price. It contains penalties for non-performance. Penalty calculation is based on the unit price per hour from the moment when the SLA violation happened for that service instance.
2.2. High-rated DDoS attack
2.3. Low-Rated DDoS attack
• Step 2: When the service provider perceives that the web server is in a normal situation, it runs in Normal mode.
• Step 3: When the service provider perceives that web server resource depletion is beyond an acceptable limit k1 and bandwidth traffic is high, then high-rated DDoS attacks are expected. Hence, the service provider will switch to Suspected mode and an On-Demand request is sent to the Scrubber Service, which generates and verifies Hard_puzzle( ).
• Step 4: When the service provider perceives that web server resource depletion is beyond an acceptable limit k1 and bandwidth traffic is normal or less than the threshold, then low-rated DDoS attacks are expected. Hence, the service will switch to Suspected mode and an On-Demand request is sent to the Scrubber Service, which generates and verifies Moderate_puzzle( ). Here the Web Server will decrease the timeout duration for the existing requests.

... unfeasible.
5. Having solved new puzzles does not aid in solving given puzzles.

In a Scrubber Service-generated puzzle, the server generates the partial hash input and the hash output, and transmits both pieces of information to the client. The solution to the puzzle is the value k. The server provides X, Y, and the hash function h( ) to the client:

H(X || k) = Y (1)

Where,
X = puzzle parameter provided by the server
Y = puzzle parameter provided by the server
k = puzzle solution

The difficulty of this puzzle is defined by the size of k in bits. The greater k is in size, the more difficult the puzzle is to solve.

Proposed Algorithm:

While (RDAL > k1)
{
    If (BWTAL > b1)
    {
        High-rated DDoS attacks expected.
        Send request to Scrubber Service.
        Generate Client_Puzzle(k-bit Hard puzzle);
        Verify Client_Puzzle(k-bit Hard puzzle);
    }
    Else
    {
        Low-rated DDoS attacks expected.
        Decrease session timeouts of existing requests.
        Generate Client_Puzzle(k-bit Moderate puzzle);
        Verify Client_Puzzle(k-bit Moderate puzzle);
    }
}
While (RDAL < k1)
    Server is in Normal condition; send stop request to Scrubber Service.
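As an added example (not code from the paper), the puzzle of equation (1) and the mode decision of the proposed algorithm in Python. It assumes SHA-256 as h( ), the puzzle sizes MODERATE_BITS and HARD_BITS, and the helper names generate_puzzle, solve_puzzle, verify_solution and select_mode; RDAL, BWTAL, k1 and b1 are the paper's own symbols.

```python
import hashlib
import hmac
import os
import secrets

# Puzzle sizes in bits of k. The paper only says a larger k means a harder
# puzzle; these concrete values are assumptions.
MODERATE_BITS = 12
HARD_BITS = 20

def _k_bytes(k: int, k_bits: int) -> bytes:
    """Fixed-width encoding of k so that H(X||k) is unambiguous."""
    return k.to_bytes((k_bits + 7) // 8, "big")

def generate_puzzle(k_bits: int) -> dict:
    """Scrubber Service side: pick random X and a secret k, publish X, Y = H(X||k)
    and the size of k. k itself is not returned; the client must search for it."""
    x = os.urandom(16)                                   # puzzle parameter X
    k = secrets.randbelow(1 << k_bits)                   # puzzle solution
    y = hashlib.sha256(x + _k_bytes(k, k_bits)).digest() # puzzle parameter Y
    return {"X": x, "Y": y, "k_bits": k_bits}

def solve_puzzle(puzzle: dict):
    """Client side: brute-force k until H(X||k) == Y (about 2**(k_bits-1) hashes)."""
    x, y, k_bits = puzzle["X"], puzzle["Y"], puzzle["k_bits"]
    for k in range(1 << k_bits):
        if hashlib.sha256(x + _k_bytes(k, k_bits)).digest() == y:
            return k
    return None

def verify_solution(puzzle: dict, k) -> bool:
    """Scrubber Service side: one hash per candidate, constant-time comparison."""
    k_bits = puzzle["k_bits"]
    if not isinstance(k, int) or not 0 <= k < (1 << k_bits):
        return False
    digest = hashlib.sha256(puzzle["X"] + _k_bytes(k, k_bits)).digest()
    return hmac.compare_digest(digest, puzzle["Y"])

def select_mode(rdal: float, bwtal: float, k1: float, b1: float):
    """The proposed algorithm as one decision: RDAL is resource depletion compared
    with limit k1, BWTAL is bandwidth traffic compared with limit b1. Returns
    (mode, puzzle bits or None, whether to shorten timeouts of existing requests).
    RDAL == k1 is not covered by the paper; it is treated as Normal here."""
    if rdal <= k1:
        return ("Normal", None, False)        # stop request to Scrubber Service
    if bwtal > b1:
        return ("Suspected-High", HARD_BITS, False)
    return ("Suspected-Low", MODERATE_BITS, True)
```

The asymmetry is the point: the client spends roughly 2**(k_bits-1) hashes per request, while the Scrubber Service spends one hash to verify, so the scrubber is not itself the cheapest target.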
cloud-based service bills for serving illegitimate clients in order to maintain the SLA of a client. To overcome such troubles we proposed an in-cloud eDDoS mitigation service (Scrubber Service), which is used on demand and is charged on a pay-per-use basis. As puzzle generation and verification are done by the Scrubber Service, the burden on the Service Provider's servers is removed, thereby reducing the cloud-based bills to the service provider and ensuring guaranteed availability of the service.
REFERENCES
[1] Soon Hin Khor and A. Nakao, "sPoW: On-Demand Cloud-based eDDoS Mitigation Mechanism," HotDep (Fifth Workshop on Hot Topics in System Dependability), co-located with the 39th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, June 29, 2009.
[2] "DDoS Detection and Mitigation - Ensure application availability," 2P_TC_case_study_readyaccess_ver1.0_jun-2008, Tata Communications Ltd.
[3] P. Ferguson and D. Senie, "RFC 2267: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," January 1998.
[4] A. D. Keromytis, V. Misra, and D. Rubenstein, "SOS: Secure Overlay Services," in Proceedings of ACM SIGCOMM 2002, Pittsburgh, USA, August 2002.
[5] D. G. Andersen, "Mayday: Distributed Filtering for Internet Services," in 4th USENIX Symposium on Internet Technologies and Systems (USITS), March 26-28, 2003, pp. 31-42.
[6] Reuven Cohen, "Infinite Capacity in Cloud Computing," June 26, 2009. Available: http://www.elasticvapor.com/2009/06/defining-infinite.html#links
[7] Patrick Verkaik, Oliver Spatscheck, Jacobus Van der Merwe, and Alex C. Snoeren, "PRIMED: Community-of-Interest-Based DDoS Mitigation," SIGCOMM'06 Workshops, September 11-15, 2006, Pisa, Italy. ACM 1-59593-417-0/06/0009.
[8] V. Praveena and N. Kiruthika, "New Mitigating Technique to Overcome DDOS Attack," World Academy of Science, Engineering and Technology 45, 2008, pp. 442-447.
[9] A. D. Keromytis, V. Misra, and D. Rubenstein, "SOS: An Architecture for Mitigating DDoS Attacks," in IEEE Journal on Selected Areas in Communications, Vol. 22, Issue 1, January 2004, pp. 176-188.
[10] K. Lakshminarayanan, D. Adkins, A. Perrig, and I. Stoica, "Taming IP Flooding Attacks," in ACM SIGCOMM Computer Communication Review (Papers from HotNets-II), Vol. 34, Issue 1, January 2004, pp. 45-50.
[11] D. Dean and A. Stubblefield, "Using Client Puzzles to Protect TLS," in Proceedings of the 10th USENIX Security Symposium, August 13-17, 2001.
[12] W. Feng, E. Kaiser, W. Feng, and A. Luu, "The Design and Implementation of Network Puzzles," in Proceedings of IEEE INFOCOM 2005, March 13-17, 2005.
[13] X. Wang and M. K. Reiter, "Mitigating Bandwidth-Exhaustion Attacks using Congestion Puzzles (Extended Abstract)," in Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS '04), October 25-29, 2004, pp. 257-267.
[14] Cade Metz, "DDoS attack rains down on Amazon cloud," The Register, Enterprise Security, 5 October 2009, 15:32 GMT. Available: http://www.theregister.co.uk/2009/10/05/amazon_bitbucket_outage/
[15] SLA Zone: http://www.sla-zone.co.uk/
[16] Linlin Wu and Rajkumar Buyya, "Service Level Agreement (SLA) in Utility Computing Systems," Technical Report CLOUDS-TR-2010-5, Cloud Computing and Distributed Systems Laboratory, The University of Melbourne, Australia, September 3, 2010.