A New Form of Dos attack in Cloud
Download as PPTX, PDF1 like453 views
The document describes a new type of denial-of-service (DoS) attack that can occur in cloud data centers due to their underprovisioned nature. It identifies that by saturating the network bandwidth between hosts in different subnets, an attacker can target specific applications by congesting the uplink connecting the targeted subnet. It then proposes two approaches for an attacker to identify the network topology and determine a suitable bottleneck link to attack. Finally, it shows that through rapidly launching many virtual machines, an attacker can quickly gain access to a sufficient number of hosts connected to the targeted router subnet to launch an effective bandwidth saturation attack.
A New Form of Dos attack in Cloud
- 2. 1. Introduction • Data centers are typically under-provisioned Expensive to build a 1:1 bi-section bandwidth Number of actual paths supported is actually small (even though ECMP is used) • Under-provisioned nature of data centers is a problem for clouds or hosting companies Cloud data centers are typically big Limit on multi-paths on the current network architecture Cloud is used by many people and organizations – opens doors for attacks Third, an application owner has no or little control over the underlying network in a cloud data-center • Under-provisioning not a problem in a corporate data center Data center managers have full control over the architecture and structure
- 4. Introduction • Solving this new type of DOS is difficult without human intervention • Damage is reduced if virtualized and self-service data centers are used • Contributions of this paper: Identify a new form of DOS attack in a cloud data-center, and verify that such an attack could be carried out in a real cloud data-center Propose and evaluate a new mechanism for applications to dynamically relocate to a different infrastructure when the desired Quality of Service (QoS) could not be met Propose and evaluate a new available bandwidth detection technique which can accurately determine the available bandwidth in a high speed network
- 5. 2. A New Form of DOS Attack • The gross under-provisioning and the public nature of a cloud data-center open a potential venue for exploit • Saturation of network bandwidth against other applications in the same network is the key to this attack • Aggregate capacity of hosts greatly exceeds the uplink capacity • In Fig. 1, Link A, B, and C are the uplinks of router R5, R1 and R2 respectively • Transmission of enough traffic from hosts to hosts of different subnets will ensure the saturation of the uplink
- 6. 2. A New Form of DOS Attack • Example:- Let us consider Link B as a target, assuming Link B is the active link and Link C is a fail-over link. To saturate Link B, an adversary needs to send traffic from a host in R1’s subnet (e.g., H1) to another host in a different subnet (e.g., H5). Due to under-provisioning, a small number of hosts in R1’s subnet are sufficient to saturate link B. • Two types of attack: • Targeted – attacking of a specific subnet • Untargeted – attacking of any subnet
- 7. 2.1 Topology Identification • Topology information is important to launch an effective attack • A naive approach is to gain access to a number of hosts in a cloud data- center, then blindly send traffic to each other at the maximum rate (which is not effective in many cases) • Identification of network bottleneck is very crucial • To carry out an attack:- 1. An adversary would first gain access to a set of hosts (e.g., by launching virtual machines using the cloud API) 2. Learn the topology, and determine whether there is a bottleneck link to attack 3. If none found, the adversary can continue to gain access to more hosts and repeat the steps above. In this section
- 8. 2.1 Topology Identification • Two approaches to topology identification: 1. Using a Debugging Tool • Running Traceroute (debugging tool) among all pairs of nodes • Data-center networks typically follow a regular structure and the IP addresses are typically assigned based on a set naming convention. • Running Traceroute from a few hosts is often enough to infer the overall IP layer topology. • Traceroute is a valuable tool for maintenance so many networks are adaptive to this software
- 9. 2.1 Topology Identification 1. Exploiting Multiplexing Nature of Router • We choose one host as the sink and the rest of hosts as sources • From each source, we send a sequence of packets back-to-back to the sink at the same time • At the sink, we measure the number of packets that we received from each source and based on the received traffic rate, we can derive how many switches are between a source and the sink • To build a complete topology, we need to choose all hosts as the sink hosts and construct the view from each host’s perspective • Detected topology may be different from the actual topology due to a compression effect
- 11. 2.1 Topology Identification • This inaccurate view is not a problem for us, since we are only interested in determining if we have enough critical mass in a router’s subnet to launch an attack • Send traffic at its maximum interface speed during probing, the load to the network could be very high • To minimize impact, we limit the probing length (the time to continuously send packets from a host) and also to account for network latency • The more hosts, the longer the probe length needs to be to maintain good resolution • This technique described above only works well when all the links have the same capacity (1Gbps) • But some links may have higher uplinks (10Gbps) then this method will identify this link as a normal link but its latency time is very less, hence this link will not be favourable as a bottleneck
- 12. 2.1 Topology Identification • The researchers did a preliminary evaluation of the second proposed approach of topology detection in one cloud vendor • Instead of evaluating whether the detected topology is exactly the same as the real topology (e.g., as detected by the first Traceroute approach), • they check whether we can accuratelyfind the router whose subnet contains the most number of hosts • They were able to accurately identify the router with the most hosts and a favourable bottleneck
- 13. 2.2 Gaining Access to Hosts • Access to sufficient number of hosts connected to a router is important • Launching a large number of VMs is the key to this attack • Experimentally, it was discovered that it was still economical and less time consuming to launch a cluster (sufficient number of VMs) in the subnet • To simulate a targeted attack, a subnet is randomly choosen in the cloud provider’s network • Then launch 10 VMs at a time to see how fast we can form a cluster in that subnet. • A 2-host cluster at 60 VMs, a 3-host cluster at 160 VMs, a 4-host cluster at 210 VMs, and a 5-host cluster at 320 VMs are formed • Even though it takes more VMs to launch a targeted attack, it is still quite fast and economical to do.
- 14. 2.2 Gaining Access to Hosts