
Architecture Of DDoS Attacks Defense In Cloud Environment And Its Key Technologies

Posted on: 2017-02-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: M Liu
Full Text: PDF
GTID: 1108330485974100
Subject: Computer Science and Technology
Abstract/Summary:
Cloud computing has become popular in recent years as the next infrastructure for computing platforms in the IT industry. Thanks to features such as on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service, cloud computing has attracted tremendous attention from both academia and industry. Cloud services are broadly offered in three forms: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Based on this service-oriented architecture, cloud customers are offered a flexible way to rent cloud services to support their own applications. The on-demand resource provisioning and pay-as-you-go pricing model of cloud computing further lowers both capital and operational expenditure for cloud customers, who outsource their data and business to the cloud.

Despite all these attractive features, security is the major concern that makes people hesitate to move their applications to the cloud. Among the various vulnerabilities exposed by cloud computing, DDoS attacks are the main threat model that causes significant degradation of cloud service availability. On one hand, traditional flooding (e.g., TCP SYN flood) and low-rate (e.g., shrew attack) DDoS attacks still exist in clouds. On the other hand, new DDoS attacks specific to the computing mechanisms of the cloud have also been found, including the Economic Denial of Sustainability (EDoS) attack, the bandwidth under-provisioning DDoS attack, and so on. With the growing use of software-defined networking (SDN) as the fundamental networking technology for cloud data centers, the DDoS attack surface of cloud platforms is further enlarged. As a result, defending against DDoS attacks in cloud computing is clearly necessary.

Researchers have proposed various countermeasures against the existing DDoS attacks in cloud computing, such as the EDoS attack, the bandwidth under-provisioning DDoS attack and the control plane flooding DDoS attack. However, they are far from practical when compared with the DDoS attack surface of cloud computing. In general, the literature on this topic still faces the following challenges: 1) there is no global DDoS attack and defense framework that specifies the potential DDoS vulnerabilities in clouds and where and how to defend against them efficiently; 2) how to establish a cloud firewall framework at the access points between cloud data centers and the Internet as the first line of defense against malicious DDoS traffic; 3) how to defend against the potential flooding and low-rate DDoS attacks targeting the data plane of cloud data centers; 4) how to mathematically evaluate the performance and efficiency of the cloud firewall, and how to quantitatively model the performance degradation of the cloud platform caused by DDoS attacks.

In view of these challenges, we propose solutions for defending against DDoS attacks in the cloud. More specifically, our contributions are summarized as follows.

1) To shed light on DDoS attacks and defense in the cloud environment, we propose a DDoS attack defense framework from a global perspective. The framework consists of four planes: the legitimate users and attackers plane, the cloud service access point plane, the cloud data center network plane and the cloud data center server plane. Concretely, the legitimate users and attackers plane refers to the procedure by which both legitimate users and attackers organize their service requests to the cloud. The cloud service access point plane refers to the procedure by which legitimate requests and attack flows arrive at the cloud service access point via the Internet. In this plane, we have to deploy an intrusion prevention system and a firewall as the first line of defense against DDoS attack traffic. The cloud data center network plane refers to the procedure by which legitimate requests and attack flows arrive at the data center network via the access point. In this plane, we have to defend against various network-layer DDoS attacks, SDN-specific DDoS attacks and the bandwidth under-provisioning DDoS attack. Finally, the cloud data center server plane refers to the procedure by which legitimate requests and attack flows finally arrive at the application server. In this plane, we have to defend against application-layer DDoS attacks and the Economic Denial of Sustainability (EDoS) attack.

2) To deploy a cloud firewall as the first line of defense against DDoS attack traffic at the access points, we propose a decentralized cloud firewall framework for individual cloud firewall customers. An individual cloud customer rents the firewall to protect their cloud-hosted applications. The hosting servers of the applications are grouped into several clusters, and resources are then dynamically allocated to set up an individual firewall for each cluster. All these parallel firewalls work together to monitor incoming packets. Resources are dynamically allocated to optimize the provisioning cost while guaranteeing the QoS requirement specified by the customer. Compared with the existing centralized cloud firewall, our framework addresses the problems of a single point of failure, a large rule set, and the inability to satisfy QoS requirements.

3) To defend against DDoS attacks targeting the cloud data center network that are introduced by SDN, we reveal two vulnerabilities, for flooding and low-rate SDN data plane DDoS attacks respectively. The SDN data plane flooding DDoS attack takes effect by creating a flood of flow table rules, while the low-rate DDoS attack incurs damage by creating resident flow entries. We differentiate SDN data plane flooding DDoS attacks from flooding DDoS attacks on the control plane. We then propose a defense strategy for this attack based on existing techniques for migrating control plane overloading traffic. The SDN data plane low-rate DDoS attack flies under the radar, as it almost never exhibits controller-overloading behavior. Consequently, we establish a novel resident flow entry identification method to detect it.

4) To mathematically evaluate the performance and efficiency of the cloud firewall, we introduce a novel queueing-theory-based model, M/Geo/1 or M/Geo/m, for performance analysis. Compared with existing models such as M/M/1, our model is considerably more complicated. By employing Z-transform and embedded Markov chain techniques, a closed-form expression for the mean packet response time is derived. For the performance degradation of the cloud platform caused by SDN data plane DDoS attacks, we propose to employ stochastic models for the quantitative analysis. We then find that a flow-rule-flooding DDoS attack with limited attack resources is able to significantly delay the system response time, and that the low-rate DDoS attack inflicts a long-term impact on the cloud system.
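Contribution 3 describes resident flow entries, i.e. data-plane entries kept installed by minimal traffic, as the footprint of the low-rate SDN attack. The following is an added illustration, not the dissertation's identification method: a simple heuristic over constructed per-entry switch statistics (field names, thresholds and sample values are assumptions) that flags entries surviving many idle-timeout windows while carrying only about one packet per window.

```python
# Added example (not the dissertation's method): a heuristic that flags SDN flow
# entries which stay installed for many idle-timeout windows while carrying only
# about one packet per window, i.e. entries kept "resident" by minimal traffic
# rather than by a real conversation. Records are constructed to resemble
# per-entry switch statistics; field names and thresholds are assumptions.

from collections import defaultdict

# Constructed sample statistics for entries on one switch (seconds, packets).
FLOW_STATS = [
    {"id": "f1", "src": "10.0.0.5",  "duration": 300.0, "packets": 42000, "idle_timeout": 10},
    {"id": "f2", "src": "10.0.0.9",  "duration": 300.0, "packets": 31,    "idle_timeout": 10},
    {"id": "f3", "src": "10.0.0.9",  "duration": 290.0, "packets": 30,    "idle_timeout": 10},
    {"id": "f4", "src": "10.0.0.7",  "duration": 8.0,   "packets": 3,     "idle_timeout": 10},
    {"id": "f5", "src": "10.0.0.11", "duration": 120.0, "packets": 900,   "idle_timeout": 10},
]

def is_resident(rec, min_windows=5, max_pkts_per_window=2.0):
    """True if the entry survived at least `min_windows` idle-timeout windows
    while averaging no more than `max_pkts_per_window` packets per window."""
    windows = rec["duration"] / rec["idle_timeout"]
    if windows < min_windows:
        return False          # too young to tell whether it is being kept alive
    return rec["packets"] / windows <= max_pkts_per_window

def find_resident_entries(stats, min_windows=5, max_pkts_per_window=2.0):
    """Ids of entries that look kept-alive rather than actively used."""
    return sorted(r["id"] for r in stats
                  if is_resident(r, min_windows, max_pkts_per_window))

def resident_by_source(stats, **kw):
    """Group flagged entries by source address: many resident entries from one
    source are a stronger signal than a single long-lived sparse flow."""
    groups = defaultdict(list)
    for r in stats:
        if is_resident(r, **kw):
            groups[r["src"]].append(r["id"])
    return dict(groups)

if __name__ == "__main__":
    print(find_resident_entries(FLOW_STATS))   # ['f2', 'f3']
    print(resident_by_source(FLOW_STATS))      # {'10.0.0.9': ['f2', 'f3']}
```

A real deployment would poll these counters periodically and tune the thresholds against the baseline of legitimate long-lived flows on the switch.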
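Contribution 4 models a cloud firewall as an M/Geo/1 queue: Poisson packet arrivals and a service time equal to a geometric number of fixed-length rule-lookup slots. The block below is an added example, not the dissertation's Z-transform derivation: it evaluates the mean packet response time with the general M/G/1 Pollaczek-Khinchine mean (assumed here as the analytic reference, with the geometric moments substituted), compares it with the simpler M/M/1 model, and cross-checks it against a discrete-event simulation on constructed traffic; the load values are assumptions.

```python
# Added example (not the dissertation's derivation): mean packet response time of
# a single cloud firewall modeled as an M/Geo/1 queue. Arrivals are Poisson with
# rate lam; a packet matches on each rule-lookup slot with probability p, so its
# service time is Geom(p) slots. The analytic value is the M/G/1 Pollaczek-
# Khinchine mean with geometric moments (an assumption, not the thesis formula).
# Time is measured in lookup-slot units.

import math
import random

def mgeo1_mean_response(lam, p):
    """Mean sojourn time (queueing + service) of an M/Geo/1 queue."""
    mean_s = 1.0 / p                        # E[S] for Geom(p) on {1, 2, ...}
    second_s = (2.0 - p) / (p * p)          # E[S^2] = Var[S] + E[S]^2
    rho = lam * mean_s
    if rho >= 1.0:
        raise ValueError("firewall is overloaded (rho >= 1)")
    return mean_s + lam * second_s / (2.0 * (1.0 - rho))

def mm1_mean_response(lam, mean_s):
    """Same metric under the M/M/1 model commonly used instead, for comparison."""
    rho = lam * mean_s
    if rho >= 1.0:
        raise ValueError("firewall is overloaded (rho >= 1)")
    return mean_s / (1.0 - rho)

def simulate_mgeo1(lam, p, packets=50000, seed=7):
    """FIFO single-server simulation; returns the observed mean response time."""
    rng = random.Random(seed)
    clock, last_departure, total = 0.0, 0.0, 0.0
    for _ in range(packets):
        clock += rng.expovariate(lam)                       # Poisson arrivals
        u = 1.0 - rng.random()                              # u in (0, 1]
        slots = max(1, math.ceil(math.log(u) / math.log(1.0 - p)))  # Geom(p)
        start = max(clock, last_departure)                  # wait for the server
        last_departure = start + slots
        total += last_departure - clock                     # response time
    return total / packets

if __name__ == "__main__":
    lam, p = 0.15, 0.25               # load rho = lam / p = 0.6
    print("M/Geo/1 analytic: ", mgeo1_mean_response(lam, p))    # 9.25
    print("M/M/1 analytic:   ", mm1_mean_response(lam, 1 / p))  # 10.0
    print("M/Geo/1 simulated:", round(simulate_mgeo1(lam, p), 2))
```

At equal mean service time the geometric model gives a slightly lower response time than M/M/1 because its service-time variance is smaller; the simulated mean should land within a few percent of the analytic value.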
Keywords/Search Tags: Cloud computing, DDoS attacks, DDoS attack defense, Performance evaluation