Cooperative Defense Methods Against DoS Attacks For Cloud Computing Data Center

Denial of Service(DoS)attacks are the major threat that incurs significant performance degradation on cloud service availability and continuity.In cloud computing,DoS attacks present large-scale,diversified and complicated characteristics,which imposes critical challenges for existing detection and defense technologies.For defending against the cloud data center-oriented DoS attacks launched outside the data center,this paper proposes our solutions based on cooperative-routing defense strategy.For detecting the LDoS attack launched inside the cloud data center,a detection mechanism based on cooperative analysis of muli-link bandwidths is proposed.Our contributions can be summarized as follows:(1)In order to defend against the flooding DoS attack launched outside the data center,a cooperative-routing approach based on Security Access Path Algorithm(SAPA)is proposed,which is a multi-node cooperative active defense method.SAPA uses the Node Route Table(NRT)to compose security access path.It simplifies role nodes of traditional Secure Overlay Services(SOS),and periodically updates role nodes,and cached security access paths.Therefore,SAPA is more appropriate for cloud computing to defend DoS attacks.Based on the tum routing architecture,we build the mathematical model of SAPA,and analyse its performance.The performance of SAPA is tested in OMNeT++ experimental platform.Also,the Test-bed experiments are performed to evaluate the effectiveness of SAPA for defending DoS attack.Experimental results show that the cooperative defense method of SAPA can degrade the impact of communication success rate caused by DoS attack effectively,and guarantees the access delay small enough.(2)For the Low-rate Denial of Service(LDoS)attacks lauched inside the cloud data center,we expose the fault of the existing attack model,and rebuild LDoS attack model in the view of maximum attack potency.By analyzing the behaviors of TCP congest window,the behaviors of router queue and the packet process,a more accurate Full Buffer-LDoS(FB-LDoS)attack model is built,and,based on which,a more enhanced FB-LDoS attack model is further proposed.NS2 test results show that the proposed attack model can achieve the desirsed reultes of packet loss and enhance the attack potency.(3)An LDoS attack detection approach is proposed based on the cooperative analysis for the bandwidth characteristic between different links.As LDoS attacks force the links co-located in the same routing domain to increase their available bandwidths,the average euclidean distance of multi-link bandwidths is applied to the available bandwidth as the measurement for detecting LDoS attacks.Also,we improve the traditional Probe Gap Model(PGM)to accurately probe the available bandwidth in cloud computing.Experiments in practical network are conducted to test the detection performance.Test results verify that the proposed cooperative detection approach can detect LDo S attack accurately,and achieves 94% detection rate and 9% false positive rate.