Tail Amplification in n-Tier Systems: A Study of Transient Cross-Resource Contention Attacks

Fast response time is increasingly important for modern web applications (e.g., e-commerce) because of intense competitive pressure. In this paper, we present a new type of Denial of Service (DoS) attack in the cloud, MemCA, whose goal is to cause performance uncertainty (the long-tail response time problem) in the target n-tier web application while remaining stealthy. MemCA exploits the shared nature of public cloud platforms by co-locating adversary VMs with the target VMs that host the web application and causing intermittent, short-lived cross-resource contention on the target VMs. We show that these short-lived contentions cause transient performance interference that leads to large response time fluctuations in the target web application, due to complex resource dependencies in the system. We further model the attack scenario in n-tier systems using queuing network theory, and analyze cross-tier queue overflow and tail response time amplification under our attacks. Through extensive benchmark experiments in both private and public clouds (e.g., Amazon EC2), we confirm that MemCA can cause significant performance uncertainty in the target n-tier system while remaining stealthy. Specifically, we show that MemCA bypasses not only the cloud's elastic scaling mechanisms but also state-of-the-art cloud performance interference detection mechanisms.
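The cross-tier queue overflow and tail amplification the abstract describes, as an added illustration that is not the paper's queueing model or code: a deterministic two-tier tandem-queue simulation in integer milliseconds. Assumed parameters (all constructed): 100 ms request interarrival, 50 ms web-tier service, 80 ms database service, a 300 ms contention window that inflates the one database call starting inside it fivefold, and a bounded web-tier worker pool as the cross-tier soft resource. The offered load is below both tiers' capacity, so the mean barely moves while the tail and the rejection count do.

```python
# Added illustration (not from the paper). Tier 1 (web) holds a worker thread for
# the whole synchronous round trip; tier 2 (database) is a single FIFO server.
# Modelling assumption: a database call whose service *starts* inside the
# contention window takes `slowdown` times longer.
from typing import Optional, Tuple

INTERARRIVAL_MS = 100   # one request every 100 ms (constructed workload)
TIER1_SERVICE_MS = 50   # web-tier CPU time per request
TIER2_SERVICE_MS = 80   # database service time when uncontended
BASELINE_MS = TIER1_SERVICE_MS + TIER2_SERVICE_MS   # 130 ms with no queueing


def simulate(n_requests: int, threads: int,
             window: Optional[Tuple[int, int]] = None, slowdown: int = 5) -> list:
    """Return one (arrival_ms, response_ms or None) per request; None = rejected.

    threads: size of the tier-1 worker pool; window: (start_ms, end_ms) of the
    transient contention on the database host.
    """
    results = []
    in_flight = []          # finish times of admitted requests still holding a thread
    tier2_free_at = 0       # when the single database server next becomes idle
    for i in range(n_requests):
        arrival = i * INTERARRIVAL_MS
        in_flight = [f for f in in_flight if f > arrival]   # release finished threads
        if len(in_flight) >= threads:
            results.append((arrival, None))   # pool exhausted: cross-tier overflow
            continue
        tier2_start = max(arrival + TIER1_SERVICE_MS, tier2_free_at)
        service = TIER2_SERVICE_MS
        if window and window[0] <= tier2_start < window[1]:
            service *= slowdown           # short-lived contention hits this call
        finish = tier2_start + service
        tier2_free_at = finish
        in_flight.append(finish)
        results.append((arrival, finish - arrival))
    return results


def summarize(results: list) -> dict:
    """Tail-oriented view a defender should monitor, not just the mean."""
    latencies = sorted(r for _, r in results if r is not None)
    p99_index = -(-99 * len(latencies) // 100) - 1      # nearest-rank percentile
    return {
        "rejected": sum(1 for _, r in results if r is None),
        "slowed": sum(1 for r in latencies if r > BASELINE_MS),
        "max_ms": latencies[-1],
        "mean_ms": round(sum(latencies) / len(latencies), 1),
        "p99_ms": latencies[max(0, p99_index)],
    }
```

With an unbounded pool the single slowed database call delays 16 upstream requests; with a 3-thread pool it also rejects 2 of them, while the mean stays within about 10% of baseline in both cases.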
