DDoS attack on cloud auto-scaling mechanisms

Auto-scaling mechanisms are an important line of defense against Distributed Denial of Service (DDoS) attacks in the cloud. Using auto-scaling, machines can be added and removed online to respond to fluctuating load. It is commonly believed that the auto-scaling mechanism casts DDoS attacks into Economic Denial of Sustainability (EDoS) attacks: rather than suffering performance degradation up to a total denial of service, the victim suffers only the economic damage incurred by paying for the extra resources required to process the bogus traffic of the attack. Contrary to this belief, we present and analyze the Yo-Yo attack, a new attack against the auto-scaling mechanism that can cause significant performance degradation in addition to economic damage. In the Yo-Yo attack, the attacker sends periodic bursts of overload, causing the auto-scaling mechanism to oscillate between scale-up and scale-down phases. The Yo-Yo attack is harder to detect and requires fewer resources from the attacker than traditional DDoS. We demonstrate the attack on Amazon EC2 [4], and analyze protection measures the victim can take by reconfiguring the auto-scaling mechanism.

[1] Minlan Yu, et al. NIMBUS: cloud-scale attack detection and mitigation, 2014, SIGCOMM.

[2] Khaled Salah, et al. EDoS-Shield - A Two-Steps Mitigation Technique against EDoS Attacks in Cloud Computing, 2011, 2011 Fourth IEEE International Conference on Utility and Cloud Computing.

[3] Costin Raiciu, et al. Enabling fast, dynamic network processing with clickOS, 2013, HotSDN.

[4] Yuting Zhang, et al. Reduction of quality (RoQ) attacks on Internet end-systems, 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies.

[5] Vigneshwer. S. Ramana, et al. Secure Cloud Computing Environment Against DDos and EDos Attacks, 2014.

[6] Mina Guirguis, et al. Reduction of Quality (RoQ) Attacks on Dynamic Load Balancers: Vulnerability Assessment and Design Tradeoffs, 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[7] Ming Mao, et al. A Performance Study on the VM Startup Time in the Cloud, 2012, 2012 IEEE Fifth International Conference on Cloud Computing.

[8] S VivinSandar, et al. Economic Denial of Sustainability (EDoS) in Cloud Services using HTTP and XML based DDoS Attacks, 2012.

[9] Henri Casanova, et al. Resource allocation algorithms for virtualized service hosting platforms, 2010, J. Parallel Distributed Comput.

[10] Mina Guirguis, et al. Exploiting the transients of adaptation for RoQ attacks on Internet resources, 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004.

[11] Mohamed Ahmed, et al. Enabling dynamic network processing with clickOS, 2012, SIGCOMM.

[12] Johan Tordsson, et al. An adaptive hybrid elasticity controller for cloud infrastructures, 2012, 2012 IEEE Network Operations and Management Symposium.

[13] Johan Tordsson, et al. Efficient provisioning of bursty scientific workloads on the cloud using adaptive elasticity control, 2012, ScienceCloud '12.

[14] Manoj Singh Gaur, et al. DDoS/EDoS attack in cloud: affecting everyone out there!, 2015, SIN.

[15] Elisha J. Rosensweig, et al. Yo-Yo Attack: Vulnerability In Auto-scaling Mechanism, 2015, Computer communication review.

[16] Michael M. Swift, et al. A Day Late and a Dollar Short: The Case for Research on Cloud Billing Systems, 2014, HotCloud.

[17] Zubair A. Baig, et al. Controlled Virtual Resource Access to Mitigate Economic Denial of Sustainability (EDoS) Attacks against Cloud Infrastructures, 2013, 2013 International Conference on Cloud Computing and Big Data.

[18] Rajkumar Buyya, et al. Dynamically scaling applications in the cloud, 2011, CCRV.

[19] Song Guo, et al. Can We Beat DDoS Attacks in Clouds?, 2014, IEEE Transactions on Parallel and Distributed Systems.

[20] Yan Grunenberger, et al. The Cost of the "S" in HTTPS, 2014, CoNEXT.