Exploring New Opportunities to Defeat Low-Rate DDoS Attack in Container-Based Cloud Environment

DDoS attacks are rampant in cloud environments and continually evolve into more sophisticated and intelligent modalities, such as low-rate DDoS attacks. Meanwhile, the cloud environment itself is constantly developing. Container technology and microservice architecture are now widely applied in the cloud, and together they form the container-based cloud environment. Compared with traditional cloud environments, the container-based cloud environment is more lightweight in virtualization and more flexible in scaling services. A natural question is whether these new features of the container-based cloud environment bring new possibilities for defeating DDoS attacks. In this paper, we establish a mathematical model based on queueing theory to analyze the strengths and weaknesses of the container-based cloud environment in defeating low-rate DDoS attacks. Based on this, we propose a dynamic DDoS mitigation strategy, which can dynamically regulate the number of container instances serving different users and coordinate the resource allocation for these instances to maximize the quality of service. Extensive simulations and testbed-based experiments demonstrate that our strategy can make sufficient use of the limited system resources to keep the quality of service acceptable and defeat DDoS attacks effectively in the container-based cloud environment.
