HostWatcher: Protecting hosts in cloud data centers through software-defined networking

Abstract. Cloud has become a dominant computing platform, and cloud data centers have been deployed all over the world. Because they are publicly reachable, cloud data centers naturally become targets of cyber attacks. In addition, the price of renting cloud resources keeps falling, so attackers can rent hosts from cloud data centers and launch attacks at rather low cost. As a result, a host in a cloud data center can be either a victim or an attacker. However, most existing research treats hosts only as the targets or only as the sources of attacks, either protecting the hosts from being attacked or identifying the malicious hosts, which is insufficient to protect cloud data centers comprehensively. In this paper, we employ SDN techniques to protect cloud data centers in both directions. Aiming at mitigating DDoS attacks, we propose HostWatcher, a system that watches and protects every host in a cloud data center. HostWatcher leverages the advantages of SDN techniques and distributed processing, and introduces a caching and round-robin-resending scheme. Our goal is to protect the hosts comprehensively while guaranteeing QoS. Extensive experiments show that HostWatcher effectively mitigates DDoS attacks that target the hosts, and at the same time significantly limits the packet rate of hosts that are controlled by attackers. Comprehensive evaluations also show that the overheads of our system are trivial and that it is practical to implement and deploy in cloud data centers.
