SCEF: A Model for Prevention of DDoS Attacks From the Cloud

SCEF: A Model for Prevention of DDoS Attacks From the Cloud

Ganeshayya Ishwarayya Shidaganti (Ramaiah Institute of Technology (Visvesvaraya Technological University), India), Amogh Shreedhar Inamdar (Ramaiah Institute of Technology, India), Sindhuja V. Rai (Ramaiah Institute of Technology, India) and Anagha M. Rajeev (Ramaiah Institute of Technology, India)
Copyright: © 2020 |Pages: 14
DOI: 10.4018/IJCAC.2020070104


Distributed denial of service (DDoS) attacks are some of the biggest threats to network performance and security today. With the advent of cloud computing, these attacks can be performed remotely on rented virtual machines (VMs), potentially increasing their capabilities and making them harder to trace and mitigate, and negatively affecting the cloud service provider as well. By analyzing packet transmission statistics, attacks can be detected on a virtual machine monitor (VMM) that controls the behavior of the VMs. This article proposes a solution to stop such detected attacks from the source, and analyses solutions proposed for a few different types of such attacks. The authors propose a model called selective cloud egress filter (SCEF) which implements specific modules to deal with detected attacks. If an attack is detected, the SCEF relays information to the VMM about which VMs are participating in the attack, allowing for specific corrective action.
Article Preview


A denial of service (DoS) attack aims to make a machine or network resource unavailable to its intended users by disrupting the services of a host connected to the Internet (Wikipedia, n.d.). DDoS attacks involve the use of multiple remotely controlled computers (known as bots or zombies) to attack to deny internet service to a victim. The bots are usually taken control of by malicious software from the attacker, such as viruses and worms, and are collectively used as a powerful, distributed DoS attack system (botnet) that is much more potent than a regular DoS attack. The bots (also called secondary victims) are often used without the knowledge or consent of their owners. A DDoS attack adversely affects not only the target (primary victim) but also the secondary victims as well as the network, causing e.g., congestion issues and system failures. The frequency of DDoS attacks is increasing rapidly, and they have become one of the biggest threats to Internet-connected systems in recent years.

Cloud computing is a fast-growing model of computer resource acquirement. Pools of computing resources that are otherwise expensive and difficult to procure are instead leased from cloud service providers, allowing access to massive computing capability over the Internet. A portion of resources from a large-scale/ distributed computing facility is provided to the user, often through lightweight virtual machine (VM) interfaces that are more inexpensive and easier to scale than physical resources. Due to this, cloud computing is rapidly gaining popularity among organizations and small-scale users.

Cloud computing resources can be used for malicious purposes such as DDoS attacks, either by being rented for such purposes or being part of a botnet. There may be many VMs in a botnet, and the vast computing resources of a cloud provider increase the capabilities of an attacker. As no physical machines exist and the VMs are rented, the source of the attack is even more difficult to trace than with a non-cloud botnet. However, due to the VMs being part of a provided cloud service, they can be more closely monitored and regulated. Such attacks could potentially be stopped at their source before significant damage is done. The monitoring and management are usually done by a hypervisor or virtual machine manager (VMM) that controls the VMs running on that particular hardware.

There have been several attempts to classify attacks on a cloud environment. Velliangiri and Premalatha (2017) proposes the use of radial basis networks, a type of neural network architecture, to classify attacks. (Yuan et al., 2017) also proposes a deep learning-based DDoS attack detection approach (called DeepDefense). A recurrent deep neural network is designed to learn patterns from sequences of network traffic and shows lower error rates than conventional machine learning models. Virtual topologies have also been effectively used to classify attacks (Bahashwan et al, 2020) through the use of Software-Defined Networks (SDNs). (Ali & Osman, 2018) proposes a novel framework to detect and prevent DDoS attacks in the Cloud environment using feature extraction and selection methods to reduce the computation time and select optimal features from received packets. Rathore et al. (2019) propose a cyber security-based solution for detection of attacks, meant for edge computing platforms. A specific case study for Linux platforms (popular in cloud environments) can be found in Gul et al. (2019). Mthunzi et al. (2018) show that lapses in communication can cause spiking in packet rates as well.

In this paper, we propose a model for a Selective Cloud Egress Filter (SCEF), which detects multiple types of attacks based on the relevant packet metadata and performs preventive actions when a DDoS attack is detected on the VMs. The detection of attacks is dependent on the nature of the attack. In the absence of hand-engineered features or select statistics, packet rates are a good indication of a DDoS attack in general. We also simulate a network with a cloud provider and a target, as well as a detector using the Virtual Box (Oracle) VMM software. We can successfully demonstrate the ICMP flood attack and its detection through packet rate information from WireShark (WireShark) and the use of dynamic thresholds. The detected attacks can be used to notify the VMM to block outgoing ICMP packets from the zombie VMs. By adding more features to the detection model, other types of DDoS attacks can also be detected and prevented.

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 11: 4 Issues (2021): Forthcoming, Available for Pre-Order
Volume 10: 4 Issues (2020): 3 Released, 1 Forthcoming
Volume 9: 4 Issues (2019)
Volume 8: 4 Issues (2018)
Volume 7: 4 Issues (2017)
Volume 6: 4 Issues (2016)
Volume 5: 4 Issues (2015)
Volume 4: 4 Issues (2014)
Volume 3: 4 Issues (2013)
Volume 2: 4 Issues (2012)
Volume 1: 4 Issues (2011)
View Complete Journal Contents Listing