Comparing Single Tier and Three Tier Infrastructure Designs against DDoS Attacks


Akashdeep Bhardwaj, Sam Goundar
Copyright: © 2021 | Pages: 18
DOI: 10.4018/978-1-7998-5348-0.ch028

Abstract

With the rise in cyber-attacks on cloud environments, such as brute force, malware and Distributed Denial of Service (DDoS) attacks, information security officers and data center administrators face a monumental task. Organizations design their data centers and service delivery to maximize device provisioning and availability, improve application performance and achieve better server virtualization, and they end up securing the data center with security solutions deployed only at the internet edge. Such edge-level solutions prove largely inadequate during a DDoS attack. In this paper, the traditional data center design is reviewed and compared with the proposed three tier data center design. The resilience of each design against DDoS attacks is measured using Real User Monitoring parameters, the results for the two infrastructure designs are compared, and the data is validated using a T-Test.

Literature Survey

Lonea et al. (2013) deployed a virtual machine based intrusion detection system with a graphical interface for monitoring cloud fusion alerts, using the Eucalyptus cloud architecture as the front end and a MySQL database as the back end. Attacks are captured by the Barnyard tool, with SNORT providing signature based DDoS rules. The Stacheldraht tool is used to generate the resource depletion packets, which consist of UDP, TCP SYN and ICMP floods. These attack packets are captured during the attack and stored in the central MySQL database. A limitation of this signature based approach, however, is that unknown or zero day attacks cannot be detected.

Bakshi et al. (2010) proposed a signature based intrusion detection scheme for DDoS that uses virtual machines running SNORT to analyze both inbound and outbound traffic in real time. The defense framework identifies the attacker's IP address, automatically generates an Access Control List configuration that drops all packets from that IP address, and blacklists it immediately.

Gul et al. (2011) state that, to handle a large packet flow, an intrusion detection model is used that analyzes the attack packets and produces reports on them. These reports should be shared with the cloud actors involved. To improve the performance of the Intrusion Detection System, multi-threading techniques are applied. The final evaluation concluded that a multi-threaded deployment is more efficient than a single-threaded one.

Zarepoor et al. (2014) proposed a statistical filtering system with two levels of filtering. The first level extracts the header fields of incoming packets and compares the time to live (TTL) value with a predetermined hop count value. If the two do not agree, the packet is deemed spoofed and immediately dropped. The second level compares the incoming packet header with a stored normal profile header.
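The two-level filter described above, written out as an added example that is not code from the chapter or from Zarepoor et al.: the first level infers a hop count from the observed TTL (assuming, as this example does, that senders start from one of a few common initial TTL values) and drops packets whose hop count disagrees with the value previously learned for the claimed source; the second level compares the surviving packets' protocol and destination port against a stored normal profile. The packets, hop-count table, profile and tolerance are all constructed here.

```python
# Added example: two-level statistical packet filter in the spirit of the
# Zarepoor et al. scheme. Packets, the learned hop-count table and the
# "normal profile" are constructed for this demonstration. Inferring hop
# count from TTL by assuming a small set of initial TTL values is an
# assumption of this example, not a claim of the chapter.
from collections import namedtuple

Packet = namedtuple("Packet", ["src", "ttl", "proto", "dport"])

# Initial TTL values most operating systems use; an observed TTL is assumed
# to have started at the smallest of these that is >= the observed value.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl):
    """Estimate how many routers a packet traversed from its observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} is not a valid IPv4 TTL")


def first_level_filter(packets, hop_table, tolerance=1):
    """Level 1: drop packets whose inferred hop count disagrees with the hop
    count previously learned for the claimed source address. Sources with no
    baseline are admitted and their hop count is learned."""
    accepted, dropped = [], []
    for pkt in packets:
        hops = infer_hop_count(pkt.ttl)
        expected = hop_table.get(pkt.src)
        if expected is None:
            hop_table[pkt.src] = hops
            accepted.append(pkt)
        elif abs(hops - expected) <= tolerance:
            accepted.append(pkt)
        else:
            dropped.append(pkt)  # hop count mismatch: source is likely spoofed
    return accepted, dropped


def second_level_filter(packets, normal_profile):
    """Level 2: keep only packets whose (protocol, destination port) pair
    appears in the stored profile of normal traffic."""
    accepted, dropped = [], []
    for pkt in packets:
        if (pkt.proto, pkt.dport) in normal_profile:
            accepted.append(pkt)
        else:
            dropped.append(pkt)
    return accepted, dropped


def run_filter(packets, hop_table, normal_profile):
    """Run both levels; return (accepted, dropped_at_level1, dropped_at_level2)."""
    after_l1, dropped_l1 = first_level_filter(packets, hop_table)
    after_l2, dropped_l2 = second_level_filter(after_l1, normal_profile)
    return after_l2, dropped_l1, dropped_l2


def demo():
    # Constructed baseline: hop counts learned earlier for two known sources,
    # and the (protocol, port) pairs that make up the normal profile.
    hop_table = {"192.0.2.10": 12, "192.0.2.20": 5}
    normal_profile = {("tcp", 443), ("tcp", 80), ("udp", 53)}
    packets = [
        Packet("192.0.2.10", 52, "tcp", 443),    # 64-52 = 12 hops: matches baseline
        Packet("192.0.2.10", 240, "tcp", 443),   # 255-240 = 15 hops: mismatch, spoofed
        Packet("192.0.2.20", 123, "udp", 53),    # 128-123 = 5 hops: matches baseline
        Packet("198.51.100.7", 60, "tcp", 80),   # unknown source: 4 hops learned
        Packet("192.0.2.20", 123, "udp", 1900),  # hop count fine, port not in profile
    ]
    accepted, drop1, drop2 = run_filter(packets, hop_table, normal_profile)
    return {
        "accepted": [p.src for p in accepted],
        "dropped_level1": [p.src for p in drop1],
        "dropped_level2": [(p.proto, p.dport) for p in drop2],
        "learned_hops": hop_table["198.51.100.7"],
    }


if __name__ == "__main__":
    print(demo())
```

The tolerance of one hop absorbs ordinary route changes; in practice the hop-count table has to be learned from traffic that is known to be clean, otherwise a spoofer who is active while the table is being built gets its own spoofed hop count recorded as the baseline.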

Zakarya (2013) proposes an entropy based detection technique that identifies the attack flow from its distribution ratio and applies an attack packet dropping algorithm. The entropy rate identifies the attack flow, and its packets are dropped once the DDoS is confirmed. CloudSim simulation shows an accuracy of almost 90%.
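An added example, not the chapter's or Zakarya's own algorithm, of what an entropy based detector with packet dropping looks like in practice: the Shannon entropy of the destination addresses in a traffic window is compared with a baseline learned from normal traffic; a sharp drop means traffic has concentrated on one destination, and the flow toward that destination from previously unseen sources is dropped. The traffic windows, the 0.5-bit threshold and the choice of destination entropy and dropping rule are all constructed assumptions of this example.

```python
# Added example: entropy-based flood detection with packet dropping, a
# simplified reading of the entropy approach described above. The windows,
# threshold and dropping rule are constructed for this example and are not
# the chapter's parameters.
import math
from collections import Counter


def shannon_entropy(counts):
    """Shannon entropy in bits of a distribution given as a Counter."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def destination_entropy(window):
    """Entropy of the destination-address distribution of (src, dst) pairs."""
    return shannon_entropy(Counter(dst for _src, dst in window))


def detect_and_drop(window, baseline_entropy, known_sources, threshold=0.5):
    """Confirm a DDoS when destination entropy falls more than `threshold`
    bits below the baseline, then drop packets to the most-targeted
    destination that come from sources never seen in normal traffic."""
    h = destination_entropy(window)
    if baseline_entropy - h < threshold:
        return {"confirmed": False, "entropy": h, "kept": list(window), "dropped": []}
    victim, _ = Counter(dst for _src, dst in window).most_common(1)[0]
    kept, dropped = [], []
    for src, dst in window:
        if dst == victim and src not in known_sources:
            dropped.append((src, dst))
        else:
            kept.append((src, dst))
    return {"confirmed": True, "entropy": h, "victim": victim,
            "kept": kept, "dropped": dropped}


def demo():
    # Constructed baseline window: four known clients, each talking to its
    # own server, so the destination distribution is uniform (2.0 bits).
    servers = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
    clients = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
    baseline = [(c, s) for c, s in zip(clients, servers) for _ in range(5)]
    baseline_h = destination_entropy(baseline)
    known = set(clients)

    # Constructed attack window: the same normal mix (2 packets per client)
    # plus 40 packets to one server from 40 addresses never seen before.
    normal = [(c, s) for c, s in zip(clients, servers) for _ in range(2)]
    flood = [(f"198.51.100.{i}", "203.0.113.10") for i in range(1, 41)]

    result = detect_and_drop(normal + flood, baseline_h, known)
    result["baseline_entropy"] = baseline_h
    result["normal_window_confirmed"] = detect_and_drop(normal, baseline_h, known)["confirmed"]
    return result


if __name__ == "__main__":
    r = demo()
    print(f"baseline {r['baseline_entropy']:.2f} bits, window {r['entropy']:.2f} bits, "
          f"confirmed={r['confirmed']}, dropped={len(r['dropped'])}, kept={len(r['kept'])}")
```

Destination entropy falls when a single target absorbs the flood; a spoofed-source flood would instead push source entropy up, so a production detector watches both distributions. The dropping rule here spares the known clients of the targeted server, which is what keeps the two legitimate packets to the victim in the kept set.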

Vissers et al. (2014) use a Gaussian model, a parametric technique, to defend against application layer attacks on cloud services. The DDoS attacks in question are caused by malicious XML content carried in user requests inside SOAP messages. Detection begins with HTTP header inspection to catch HTTP floods, followed by SOAP action inspection. The XML content of the request is then checked for spoofing by comparing it with previously observed data. While this works very well against known DDoS attacks, its disadvantage is the inability to detect new threat vectors arising from new request schematics.
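An added example, modelled loosely on the pipeline described above and not code from the chapter or from Vissers et al.: an HTTP-level flood check per source is applied first, and the requests that pass it are scored against a Gaussian profile of one feature of the SOAP/XML body (the element count), with a 3-sigma limit flagging anomalous payloads. The requests, the feature, the per-source request limit and the sigma threshold are constructed assumptions of this example.

```python
# Added example: two-stage application-layer check. Stage 1 counts requests
# per source in a window (HTTP flood check); stage 2 is a parametric
# (Gaussian) test on the XML element count of the SOAP body. Requests,
# feature choice and thresholds are constructed for this demonstration.
import statistics
import xml.etree.ElementTree as ET
from collections import Counter


def xml_element_count(body):
    """Feature: number of XML elements in the body (0 if it is not well-formed)."""
    try:
        return sum(1 for _ in ET.fromstring(body).iter())
    except ET.ParseError:
        return 0


class GaussianProfile:
    """Mean and standard deviation of one request feature, learned from benign traffic."""

    def __init__(self, samples):
        self.mean = statistics.fmean(samples)
        self.std = statistics.pstdev(samples) or 1e-9  # guard against constant samples

    def z_score(self, value):
        return (value - self.mean) / self.std


def http_flood_sources(requests, max_per_source):
    """Stage 1: sources that sent more than max_per_source requests in this window."""
    counts = Counter(r["src"] for r in requests)
    return {src for src, n in counts.items() if n > max_per_source}


def classify(requests, profile, max_per_source=20, z_limit=3.0):
    """Return (src, verdict) per request; verdict is 'flood', 'anomalous-xml' or 'ok'."""
    flooders = http_flood_sources(requests, max_per_source)
    verdicts = []
    for r in requests:
        if r["src"] in flooders:
            verdicts.append((r["src"], "flood"))
        elif abs(profile.z_score(xml_element_count(r["body"]))) > z_limit:
            verdicts.append((r["src"], "anomalous-xml"))
        else:
            verdicts.append((r["src"], "ok"))
    return verdicts


def soap_body(n_items):
    """Constructed SOAP-style envelope whose Order element holds n_items children."""
    items = "".join(f"<item>{i}</item>" for i in range(n_items))
    return f"<Envelope><Body><Order>{items}</Order></Body></Envelope>"


def demo():
    # Constructed benign training set: orders with 5 to 9 items each.
    training = [xml_element_count(soap_body(n)) for n in (5, 7, 9, 7, 6, 8, 7, 7)]
    profile = GaussianProfile(training)
    window = [
        {"src": "192.0.2.1", "body": soap_body(6)},    # ordinary request
        {"src": "192.0.2.2", "body": soap_body(500)},  # oversized XML payload
    ] + [{"src": "198.51.100.9", "body": soap_body(5)} for _ in range(30)]  # one chatty source
    return Counter(verdict for _src, verdict in classify(window, profile))


if __name__ == "__main__":
    print(dict(demo()))
```

The flood stage runs before the XML stage on purpose: parsing the body of every request from a flooding source would hand the attacker exactly the CPU cost the check is meant to prevent. The Gaussian stage is also where the chapter's stated weakness shows up concretely: a new request schema with a legitimately different element count will sit outside the learned profile until the profile is retrained.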
