DDoS attacks in cloud computing: Issues, taxonomy, and future directions

Security issues related to the cloud computing are relevant to various stakeholders for an informed cloud adoption decision. Apart from data breaches, the cyber security research community is revisiting the attack space for cloud-specific solutions as these issues affect budget, resource management, and service quality. Distributed Denial of Service (DDoS) attack is one such serious attack in the cloud space. In this paper, we present developments related to DDoS attack mitigation solutions in the cloud. In particular, we present a comprehensive survey with a detailed insight into the characterization, prevention, detection, and mitigation mechanisms of these attacks. Additionally, we present a comprehensive solution taxonomy to classify DDoS attack solutions. We also provide a comprehensive discussion on important metrics to evaluate various solutions. This survey concludes that there is a strong requirement of solutions, which are designed keeping utility computing models in mind. Accurate auto-scaling decisions, multi-layer mitigation, and defense using profound resources in the cloud, are some of the key requirements of the desired solutions. In the end, we provide a definite guideline on effective solution building and detailed solution requirements to help the cyber security research community in designing defense mechanisms. To the best of our knowledge, this work is a novel attempt to identify the need of DDoS mitigation solutions involving multi-level information flow and effective resource management during the attack.

[1]  Ahmed Patel,et al.  Review of pricing models for grid & cloud computing , 2011, 2011 IEEE Symposium on Computers & Informatics.

[2]  Pourya Shamsolmoali,et al.  Statistical-based filtering system against DDOS attacks in cloud computing , 2014, 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI).

[3]  Zhenyu Wu,et al.  A Measurement Study on Co-residence Threat inside the Cloud , 2015, USENIX Security Symposium.

[4]  Steve Mansfield-Devine,et al.  The growth and evolution of DDoS , 2015, Netw. Secur..

[5]  Nils Gruschka,et al.  Attack Surfaces: A Taxonomy for Attacks on Cloud Services , 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[6]  Mohamed Cheriet,et al.  Taxonomy of Distributed Denial of Service mitigation approaches for cloud computing , 2015, J. Netw. Comput. Appl..

[7]  Rida Khatoun,et al.  A collaborative approach for a source based detection of botclouds , 2015, 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM).

[8]  Natalija Vlajic,et al.  Web bugs in the cloud: Feasibility study of a new form of EDoS attack , 2014, 2014 IEEE Globecom Workshops (GC Wkshps).

[9]  Abdelkader H. Ouda,et al.  Cloud-based DDoS attacks and defenses , 2013, International Conference on Information Society (i-Society 2013).

[10]  V. Kavitha,et al.  A survey on security issues in service delivery models of cloud computing , 2011, J. Netw. Comput. Appl..

[11]  Kotagiri Ramamohanarao,et al.  Survey of network-based defense mechanisms countering the DoS and DDoS problems , 2007, CSUR.

[12]  Akihiro Nakao,et al.  DDoS defense as a network service , 2010, 2010 IEEE Network Operations and Management Symposium - NOMS 2010.

[13]  Gail-Joon Ahn,et al.  Security and Privacy Challenges in Cloud Computing Environments , 2010, IEEE Security & Privacy.

[14]  George Pallis,et al.  Cloud Computing: The New Frontier of Internet Computing , 2010, IEEE Internet Computing.

[15]  Wanlei Zhou,et al.  Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks , 2011, J. Netw. Comput. Appl..

[16]  Adrian Perrig,et al.  Challenges in Securing Vehicular Networks , 2005 .

[17]  P. Sujatha,et al.  Mitigating Economic Denial of Sustainability (EDoS) in Cloud Computing Using In-cloud Scrubber Service , 2012, 2012 Fourth International Conference on Computational Intelligence and Communication Networks.

[18]  Peter Reiher,et al.  A taxonomy of DDoS attack and DDoS defense mechanisms , 2004, CCRV.

[19]  Yao Zheng,et al.  DDoS attack protection in the era of cloud computing and Software-Defined Networking , 2015, Comput. Networks.

[20]  F. Richard Yu,et al.  Distributed denial of service attacks in software-defined networking with cloud computing , 2015, IEEE Communications Magazine.

[21]  Sanjay Chaudhary,et al.  Application Performance Isolation in Virtualization , 2009, 2009 IEEE International Conference on Cloud Computing.

[22]  Angelos D. Keromytis,et al.  Using graphic turing tests to counter automated DDoS attacks against web servers , 2003, CCS '03.

[23]  Lori M. Kaufman,et al.  Data Security in the World of Cloud Computing , 2009, IEEE Security & Privacy.

[24]  Jelena Mirkovic,et al.  Attacking DDoS at the source , 2002, 10th IEEE International Conference on Network Protocols, 2002. Proceedings..

[25]  Zonghua Zhang,et al.  Towards Autonomic DDoS Mitigation using Software Defined Networking , 2015 .

[26]  B. B. Gupta,et al.  An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach , 2012, ArXiv.

[27]  Carlo Curino,et al.  Relational Cloud: a Database Service for the cloud , 2011, CIDR.

[28]  Fei Li,et al.  Catch Me If You Can: A Cloud-Enabled DDoS Defense , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[29]  Martina Meschke Service Level Agreement (SLA) , 2008 .

[30]  Dimitrios Zissis,et al.  Addressing cloud computing security issues , 2012, Future Gener. Comput. Syst..

[31]  Srikanth Kandula,et al.  Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds , 2005, NSDI.

[32]  Jian Zhang,et al.  A Robust and Efficient Detection Model of DDoS Attack for Cloud Services , 2015, ICA3PP.

[33]  Mauro Conti,et al.  EyeCloud: A BotCloud Detection System , 2015, 2015 IEEE Trustcom/BigDataSE/ISPA.

[34]  Opeyemi A. Osanaiye,et al.  Short Paper: IP spoofing detection for preventing DDoS attack in Cloud Computing , 2015, 2015 18th International Conference on Intelligence in Next Generation Networks.

[35]  Elisa Bertino,et al.  PARALLEL AND DISTRIBUTED SYSTEMS , 2010 .

[36]  Kefu Xu,et al.  You Can’t Hide: A Novel Methodology to Defend DDoS Attack Based on Botcloud , 2015 .

[37]  Fei Li,et al.  A moving target DDoS defense mechanism , 2014, Comput. Commun..

[38]  Saman Taghavi Zargar,et al.  A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks , 2013, IEEE Communications Surveys & Tutorials.

[39]  Amir Herzberg,et al.  CDN-on-Demand: An affordable DDoS Defense via Untrusted Clouds , 2016, NDSS.

[40]  Haiyun Luo,et al.  Security in mobile ad hoc networks: challenges and solutions , 2004, IEEE Wireless Communications.

[41]  Muttukrishnan Rajarajan,et al.  Combating DDoS Attacks in the Cloud: Requirements, Trends, and Future Directions , 2017, IEEE Cloud Computing.

[42]  Song Guo,et al.  Can We Beat DDoS Attacks in Clouds? , 2014, IEEE Transactions on Parallel and Distributed Systems.

[43]  Guy Pujolle,et al.  Reducing DDoS attacks impact using a hybrid cloud-based firewalling architecture , 2014, 2014 Global Information Infrastructure and Networking Symposium (GIIS).

[44]  Kai Hwang,et al.  Collaborative Detection of DDoS Attacks over Multiple Network Domains , 2007, IEEE Transactions on Parallel and Distributed Systems.

[45]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[46]  Manoj Singh Gaur,et al.  Service resizing for quick DDoS mitigation in cloud computing environment , 2017, Ann. des Télécommunications.

[47]  Ming Chen,et al.  SDSNM: A Software-Defined Security Networking Mechanism to Defend against DDoS Attacks , 2015, 2015 Ninth International Conference on Frontier of Computer Science and Technology.

[48]  David Wetherall,et al.  Preventing Internet denial-of-service with capabilities , 2004, Comput. Commun. Rev..

[49]  Esraa Alomari,et al.  Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art , 2012, ArXiv.

[50]  Amin Vahdat,et al.  Enforcing Performance Isolation Across Virtual Machines in Xen , 2006, Middleware.

[51]  Randy H. Katz,et al.  A view of cloud computing , 2010, CACM.

[52]  M. Uysal,et al.  DDoS-Shield: DDoS-Resilient Scheduling to Counter Application Layer Attacks , 2009, IEEE/ACM Transactions on Networking.

[53]  Aamir Shahzad,et al.  Detecting flooding based DoS attack in cloud computing environment using covariance matrix approach , 2013, ICUIMC '13.

[54]  B. B. Gupta,et al.  Enhanced CBF Packet Filtering Method to Detect DDoS Attack in Cloud Computing Environment , 2013, ArXiv.

[55]  Maurizio Aiello,et al.  Understanding DDoS Attacks from Mobile Devices , 2015, 2015 3rd International Conference on Future Internet of Things and Cloud.

[56]  Shui Yu,et al.  CBF: A Packet Filtering Method for DDoS Attack Defense in Cloud Environment , 2011, 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing.

[57]  Jung-Shian Li,et al.  Defending cloud computing environment against the challenge of DDoS attacks based on software defined network , 2017 .

[58]  Akihiro Nakao,et al.  DaaS: DDoS Mitigation-as-a-Service , 2011, 2011 IEEE/IPSJ International Symposium on Applications and the Internet.

[59]  Andrew Warfield,et al.  Live migration of virtual machines , 2005, NSDI.

[60]  Kim-Kwang Raymond Choo,et al.  Distributed denial of service (DDoS) resilience in cloud: Review and conceptual cloud DDoS mitigation framework , 2016, J. Netw. Comput. Appl..

[61]  N. Jeyanthi,et al.  A Virtual Firewall Mechanism Using Army Nodes to Protect Cloud Infrastructure from DDoS Attacks , 2014 .

[62]  Jianfeng Ma,et al.  From high-availability to collapse: quantitative analysis of “Cloud-Droplet-Freezing” attack threats to virtual machine migration in cloud computing , 2014, Cluster Computing.

[63]  José Martínez-Aroza,et al.  An Analysis of Edge Detection by Using the Jensen-Shannon Divergence , 2000, Journal of Mathematical Imaging and Vision.

[64]  Hiroshi Fujinoki Dynamic Binary User-Splits to Protect Cloud Servers from DDoS Attacks , 2013, ICCC.

[65]  Zhiyang Li,et al.  Detecting DDoS attacks against data center with correlation analysis , 2015, Comput. Commun..

[66]  Aiko Pras,et al.  Booters — An analysis of DDoS-as-a-service attacks , 2015, 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM).

[67]  David K. Y. Yau,et al.  You can run, but you can't hide: an effective statistical methodology to trace back DDoS attackers , 2005, IEEE Transactions on Parallel and Distributed Systems.

[68]  Douglas Jacobson,et al.  Attribution of Fraudulent Resource Consumption in the Cloud , 2012, 2012 IEEE Fifth International Conference on Cloud Computing.

[69]  Joseph Idziorek,et al.  Exploiting Cloud Utility Models for Profit and Ruin , 2011, 2011 IEEE 4th International Conference on Cloud Computing.

[70]  Nirwan Ansari,et al.  Is it congestion or a DDoS attack? , 2009, IEEE Communications Letters.

[71]  Ronaldo M. Salles,et al.  Botnets: A survey , 2013, Comput. Networks.

[72]  Khaled Salah,et al.  Enhanced EDoS-Shield for Mitigating EDoS Attacks Originating from Spoofed IP Addresses , 2012, 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications.

[73]  Jie Li,et al.  Cloud auto-scaling with deadline and budget constraints , 2010, 2010 11th IEEE/ACM International Conference on Grid Computing.

[74]  Shui Yu,et al.  Distributed Denial of Service Attack and Defense , 2013, SpringerBriefs in Computer Science.

[75]  Zahid Anwar,et al.  EDoS Armor: A cost effective economic denial of sustainability attack mitigation framework for e-commerce applications in cloud environments , 2013, INMIC.

[76]  Weimin Zheng,et al.  Defend Against Denial of Service Attack with VMM , 2009, 2009 Eighth International Conference on Grid and Cooperative Computing.

[77]  Michael K. Reiter,et al.  Mitigating bandwidth-exhaustion attacks using congestion puzzles , 2004, CCS '04.

[78]  Mira Yun,et al.  Design for Run-Time Monitor on Cloud Computing , 2010, SUComS.

[79]  Kannan Govindarajan,et al.  DDoS defense system for web services in a cloud environment , 2014, Future Gener. Comput. Syst..

[80]  Mark Graham,et al.  Botnet detection within cloud service provider networks using flow protocols , 2015, 2015 IEEE 13th International Conference on Industrial Informatics (INDIN).

[81]  Rose F. Gamble,et al.  DDoS Attacks in Service Clouds , 2015, 2015 48th Hawaii International Conference on System Sciences.

[82]  N. Jeyanthi,et al.  An Enhanced Entropy Approach to Detect and Prevent DDoS in Cloud Environment , 2013, Int. J. Commun. Networks Inf. Secur..

[83]  Qi Shi,et al.  Collaborative Intrusion Detection in Federated Cloud Environments , 2015 .

[84]  Syam Kumar Pasupuleti,et al.  Simulated Raindrop Algorithm to Mitigate DDoS Attacks in Cloud Computing , 2015, ICCCT '15.

[85]  J. K. Kalita,et al.  Botnet in DDoS Attacks: Trends and Challenges , 2015, IEEE Communications Surveys & Tutorials.

[86]  Manoj Singh Gaur,et al.  DDoS attacks in cloud computing: Collateral damage to non-targets , 2016, Comput. Networks.

[87]  Zubair A. Baig,et al.  Controlled Virtual Resource Access to Mitigate Economic Denial of Sustainability (EDoS) Attacks against Cloud Infrastructures , 2013, 2013 International Conference on Cloud Computing and Big Data.

[88]  Sherali Zeadally,et al.  Using Cloud Computing to Implement a Security Overlay Network , 2013, IEEE Security & Privacy.

[89]  Henri Casanova,et al.  Resource allocation algorithms for virtualized service hosting platforms , 2010, J. Parallel Distributed Comput..

[90]  Jens Lindemann,et al.  Towards Abuse Detection and Prevention in IaaS Cloud Computing , 2015, 2015 10th International Conference on Availability, Reliability and Security.

[91]  Douglas Jacobson,et al.  Detecting fraudulent use of cloud resources , 2011, CCSW '11.

[92]  G. Aghila,et al.  A comber approach to protect cloud computing against XML DDoS and HTTP DDoS attack , 2012, 2012 IEEE Students' Conference on Electrical, Electronics and Computer Science.

[93]  S VivinSandar,et al.  Economic Denial of Sustainability (EDoS) in Cloud Services using HTTP and XML based DDoS Attacks , 2012 .

[94]  Dan Schnackenberg,et al.  Statistical approaches to DDoS attack detection and response , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[95]  Rajkumar Buyya,et al.  Optimal online deterministic algorithms and adaptive heuristics for energy and performance efficient dynamic consolidation of virtual machines in Cloud data centers , 2012, Concurr. Comput. Pract. Exp..

[96]  Anusha Koduru,et al.  Detection of Economic Denial of Sustainability Using Time Spent on a Web Page in Cloud , 2013, 2013 IEEE International Conference on Cloud Computing in Emerging Markets (CCEM).

[97]  Yi Lin,et al.  Preventing DDoS attacks by identifier/locator separation , 2013, IEEE Network.

[98]  Jeff Yan,et al.  CAPTCHA Security: A Case Study , 2009, IEEE Security & Privacy.

[99]  Tao Zhang,et al.  Defense of DDoS attack for cloud computing , 2012, 2012 IEEE International Conference on Computer Science and Automation Engineering (CSAE).

[100]  Muttukrishnan Rajarajan,et al.  DDoS victim service containment to minimize the internal collateral damages in cloud computing , 2017, Comput. Electr. Eng..

[101]  Adam Stubblefield,et al.  Using Client Puzzles to Protect TLS , 2001, USENIX Security Symposium.

[102]  Shigang Chen,et al.  Perimeter-based defense against high bandwidth DDoS attacks , 2005, IEEE Transactions on Parallel and Distributed Systems.

[103]  Manoj Singh Gaur,et al.  DARAC: DDoS Mitigation Using DDoS Aware Resource Allocation in Cloud , 2015, ICISS.

[104]  Manoj Singh Gaur,et al.  DDoS Protection and Security Assurance in Cloud , 2015 .

[105]  Balachandra Reddy Kandukuri,et al.  Cloud Security Issues , 2009, 2009 IEEE International Conference on Services Computing.

[106]  Minyi Guo,et al.  A Feasible IP Traceback Framework through Dynamic Deterministic Packet Marking , 2016, IEEE Transactions on Computers.

[107]  F. Richard Yu,et al.  Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges , 2016, IEEE Communications Surveys & Tutorials.

[108]  Steven J. Templeton,et al.  Detecting spoofed packets , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[109]  Gaurav Somani,et al.  Index Page Based EDoS Attacks in Infrastructure Cloud , 2014, SNDS.

[110]  Feifei Li,et al.  ATOM: Automated tracking, orchestration and monitoring of resource usage in infrastructure as a service systems , 2015, 2015 IEEE International Conference on Big Data (Big Data).

[111]  Taieb Znati,et al.  A Guided Tour Puzzle for Denial of Service Prevention , 2009, 2009 Annual Computer Security Applications Conference.

[112]  Robert Huang,et al.  A DDoS Mitigation System with Multi-stage Detection and Text-Based Turing Testing in Cloud Computing , 2013, 2013 27th International Conference on Advanced Information Networking and Applications Workshops.

[113]  Amir Herzberg,et al.  Bandwidth Distributed Denial of Service: Attacks and Defenses , 2014, IEEE Security & Privacy.

[114]  Donald M. Borchert Encyclopedia of Philosophy , 1967 .

[115]  Xiaorong Li,et al.  Autonomic Cloud computing: Open challenges and architectural elements , 2012, 2012 Third International Conference on Emerging Applications of Information Technology.

[116]  Benny Rochwerger,et al.  Scalable Cloud Defenses for Detection, Analysis and Mitigation of DDoS Attacks , 2010, Future Internet Assembly.

[117]  F. Al-Haidari,et al.  Evaluation of the Impact of EDoS Attacks Against Cloud Computing Services , 2015 .

[118]  Lori M. Kaufman,et al.  Can Public-Cloud Security Meet Its Unique Challenges? , 2010, IEEE Security & Privacy.

[119]  Khaled Salah,et al.  EDoS-Shield - A Two-Steps Mitigation Technique against EDoS Attacks in Cloud Computing , 2011, 2011 Fourth IEEE International Conference on Utility and Cloud Computing.