Cloud computing is a model in which a service provider and a service consumer
interact with each other over a network. It provides many benefits for service
consumers, as they can use resources on the cloud. Clients can use applications
on the cloud, can use any platform on the cloud, and can also use any
infrastructure without maintaining it. Other benefits are storage, CPU
utilization, etc. Security is a big issue in cloud computing, and with the passage
of time attacks on security are increasing, so many researchers are working to
propose solutions that eliminate security issues in the cloud. One of the most
frequent security problems is the DDOS attack. In a DDOS attack, the attacker
intends either to occupy the bandwidth of the server so that legitimate users
cannot access it, or to send a large amount of traffic to a particular resource
to keep it busy handling the attackers' requests so that legitimate users cannot
use it. As cloud computing provides a pay-per-use facility, attackers using the
resources will not pay for them, which causes economic losses to cloud providers.
Detecting attacks can also cause economic loss to some extent, because the attacker
will keep on using resources and causing problems for legitimate users until it is
detected. So it is required to prevent DDOS attacks from accessing the server.
Many attackers make use of spoofed (i.e. fake) IP addresses. The majority of DDOS
prevention techniques involve detection of attacks when requests from a particular
source are above a threshold level within a particular time frame. So it is also
needed to detect attacks if they are within the threshold level. This research
proposal aims to propose techniques for detecting spoofed IP addresses and
detecting DDOS attacks within the threshold level. For detection of spoofed IP
addresses, two techniques will be used: “Double TCP connection” and “Packet
sniffing”. Wireshark will be used as the packet sniffer. Both of these techniques
will be compared to see which one gives better results for detecting attacks. To
detect DDOS attacks within the threshold, a technique named “Auto Scaling” will be
Keywords: Cloud computing, DDOS attacks, Prevention, Security, Spoofed IP address, Auto Scaling
Cloud computing enables users to access and use resources like servers, networks,
storage, services and applications on remote servers by using the internet.
Services offered by cloud computing are: software as a service (SAAS), where the
user can use an application that is running on the provider's cloud; infrastructure
as a service (IAAS), where users can use any kind of infrastructure to run any
application on it, and the application can be an operating system; and platform as
a service (PAAS), where users can implement their application on the cloud and run
it. Benefits provided by the cloud are resources on demand and pay per use, i.e.
users have to pay according to the resources that are used, which reduces
maintenance overhead, etc. Although many benefits are provided by cloud computing,
it has some security problems, in data security or business logic security. With
the passage of time, many attacks have been affecting the security of the cloud,
so cloud providers have to take security measures to protect their cloud from such
threats. The second most frequent attack after information theft is the DDOS
attack [1]. More than 20% reported at least one DDOS attack on their
infrastructure. DDOS attacks can affect two things [3]: bandwidth and resources.
When affecting bandwidth, attackers send a large amount of traffic to the target
server to consume bandwidth, so that legitimate users' requests cannot reach the
server; when affecting resources, the attacker sends a large amount of traffic to
the target resource so that it cannot respond to legitimate users because the
resource is busy responding to the attackers' requests. The traffic sent by
attackers is sometimes referred to as a zombie army or botnet attack. Botnet is a
combination of robot and network. Special viruses like trojans are installed on
computers and a bot network is generated. A host machine controls this network,
and an attack is generated on a target server or resource. Some companies sell or
rent this zombie network to other users. Many techniques have been developed for
detection of DDOS attacks, but by the time an attack is detected, economic losses
have already accrued. As a DDOS attack leads to economic losses, it is also
referred to as an EDOS attack. An EDOS attack is a specific type of DDOS attack
where the attackers' intention is to inflict economic loss on a particular cloud
provider. One technique, Auto Scaling [4], involves increasing resources as the
need for them increases. But if resources are increased for attackers then this
may cause economic loss. So some techniques are needed to prevent these attacks
from using or even accessing the resources. Techniques should be developed that
inspect a packet before it accesses the resource and drop it or filter it
according to need.

This research proposal aims to prevent DDOS attacks in cloud computing by
proposing techniques to detect DDOS attacks from spoofed IP addresses and DDOS
attacks within the threshold level. Two techniques, i.e. Double TCP connection and
packet sniffing, will be used to detect spoofed IP addresses, and Wireshark will be
used to achieve packet sniffing. It will be examined later through experiments
which technique works better in detecting DDOS attacks. Auto Scaling will be used
to detect attacks within the threshold.
DDOS attacks are increasing day by day, so many techniques have been developed.
A Secure Overlay Services (SOS) architecture was proposed by [5]; this
architecture has three parts: secure overlay tunneling, routing via consistent
hashing, and filtering. The authors say that SOS can reduce the attack probability
by using filtering for the secure edge and randomness for the front end.
In [6], the author proposes correlation-based detection (RCD), which identifies
whether requests are from legitimate users or attackers. This scheme directs
requests from legitimate users to the server, and requests from malicious users
will
The ALPi algorithm is introduced in [7]; this algorithm aims to improve the
accuracy of detection and attack recognition. The ALPi algorithm uses an extended
concept of packet scoring to improve packet flow and functionality.
A scheme known as confidence-based filtering (CBF) [8] was introduced. It involves
gathering packets from legitimate users during non-attack periods to extract
features. During attacks, CBF uses a packet scoring calculation to decide which
packets should be dropped.
A lightweight approach for detecting flood attacks was proposed. In this approach
the SNMP-MIB protocol was used, statistical data was used instead of raw data, and
attack classification was done by an SVM classifier.
An approach was developed to identify the attackers' source. This scheme also
proposed Cloud Protector (CP) to detect attacks, by using a classifier named as,
A new framework proposed in [11] efficiently detects defective packets. It uses a
perimeter-based approach to prevent DDOS attacks at the router end.
A new technique for mitigation of EDOS attacks is proposed in [12]. The scheme
includes three components: packet filtering, proof of work, and edge filtering. In
this scheme a crypto puzzle is solved by users to access the cloud services. Its
shortcoming is puzzle accumulation attacks.
An EDOS mitigation technique named Cloud Scrubber was developed in [13]; user
legitimacy is checked by crypto puzzles to access server services. The technique
has two modes, Normal and Suspected, and is enabled when the cloud service is in
Suspected mode. During Normal mode, incoming packets are directed to the cloud
service, but during Suspected mode the packets are directed to the cloud scrubber,
which further verifies the packet. Here, the problem arises when a large number of
attackers access client puzzles to utilize the bandwidth of the server so that
legitimate users cannot access the
The EDOS-Shield architecture was developed to differentiate between malicious and
legitimate users. It involves two things: a virtual firewall, for filtering
incoming requests and generating a blacklist and a whitelist of malicious and
legitimate users, and a verifier node, for verifying incoming requests through a
Turing test. If the user passes the Turing test, its IP address is added to the
whitelist and requests from that user are sent to the server. If the user fails
the Turing test, its address is added to the blacklist, and requests from that
client are dropped by the firewall. The technique has two shortcomings. First, a
spoofed IP address detection mechanism is not considered, and second, the updating
of the whitelist and blacklist is not defined. If any user in the whitelist
attacks, then the problem of false positives will arise.
An extended version of EDOS-Shield [14] was proposed. Here the Time-To-Live (TTL)
field is appended on both sides of the user's IP address, to detect spoofed IP
addresses of users requesting services on the cloud. This method fails if standard
values are not used by the attacker for initial TTL packets.
A classifier system named CS_DDOS [1] was developed for securing records in
eHealth systems. It consists of two subsystems, detection and prevention.
Initially the packet enters the detection subsystem, where it is checked whether
the source of this packet was previously placed on the blacklist. If yes, the
packet is sent directly to the prevention subsystem. If the packet source is not
found in the blacklist, the incoming packet is sent to a classifier for further
verification. A packet source is considered malicious if its requests are more
frequent than the threshold level; the threshold is assumed by the cloud provider.
Depending on the classification result, the packet is sent to the prevention
subsystem (in case of a malicious user) or to the cloud server (in case of a
legitimate user). On the other hand, an alert message about this malicious request
is sent by the prevention subsystem to the administrator, and the IP address of
the source is added to the blacklist (if not added previously); this blacklist is
used by the detection subsystem each time a new request arrives. The shortcomings
of this system are: it is assumed that spoofed IP addresses will not be used by
the attacker, and if an attack arrives within the threshold, then there is no way
to detect or mitigate it.

Some DDOS prevention techniques have been surveyed. Table 1 shows the Strength,
Challenges, Limitations and Contributions of these
Technique: Challenge response protocol
Strength: Puzzles are used to distinguish legitimate users and attackers.
Challenges: Graph generation and storage overhead. If a user does not solve the first puzzle properly, he is assigned another one, until the threshold is reached.
Limitations: Puzzle accumulation attacks, parsing and dictionary attacks, image segmentation.
Contributions: [13], [15], [16]

Technique: Hidden servers/ports
Strength: A direct connection between server and client is not established in the first instance and services are offered to
Challenges: Load balancing among servers and additional server ports are needed.
Limitations: Redirections and additional security layers can cause overhead.

Technique: Admission control mechanism
Strength: Provides access only to users whose past reputation is good and who can solve the crypto-puzzle correctly; prioritization is used instead of dropping packets. Users with a good reputation or past behavior are allowed to access resources first, so a user with a bad reputation is delayed every time.
Challenges: Maintaining a number of connections for a long period is challenging.
Limitations: Not scalable when a large number of sources with spoofed IP addresses cause a DDOS attack.

Technique: Resource limitation
Strength: Puts a limitation on the number of resources a client can use; in this way economic losses can be reduced.
Challenges: Determination of resource limits and planning the capacity of the server.
Limitations: This technique does not prevent or detect attacks; it only reduces economic losses.

Table 1: Description of techniques used to prevent DDOS attacks.
One methodology that will be used for spoofed IP address detection is “packet
sniffing” [20]. A packet sniffer or analyzer can be viewed as software or computer
hardware that looks at the traffic passing over a network; in other terms, it
captures the data that passes through a network, analyzes it and converts it into
human-readable form. Usually a computer looks only at the packets addressed to it
and ignores the rest of the traffic on the network, but a packet sniffer looks at
each packet on the network. Fig. 1 shows the packet sniffing process, where a
network analyzer analyzes all the packets over a network. It helps in identifying
packets from malicious users and legitimate users. The tool that will be used for
packet sniffing is “Wireshark”.
The second technique to detect spoofed IP addresses is the Double-TCP mechanism
[21]. Some DDOS attackers send a large number of connection requests and never
complete them. These are called half-open connections. Fig. 1 shows the half-open
connection, where the attackers consume the bandwidth and make the server busy by
sending half-open connections. Double TCP connection not only solves the problem
of half-open connections but also provides spoofed IP address detection. While
spoofing an IP address, the attacker duplicates the IP address of a legitimate
user and sends requests through it. This method helps in identifying that also.
Fig. 2 shows the Double TCP connection process.
1. The client initiates the connection process by sending a SYN request to the
server.
2. The server receives the request from the client and sends an ACK message to
the IP address of the packet source along with a 16-bit identity field.
3. If the IP address is not spoofed, the client will receive the message from the
server and may or may not send the final ACK message. The final ACK is ignored by
the server. In case of a spoofed IP address, the client will not receive the
message.
4. Now the client again establishes the connection with the server by sending a
SYN message with the 16-bit identity field previously received from the server.
5. The server then checks the IP address and the identity field value; if the
value is correct the server sends an ACK message to the client, otherwise it
drops the request.
6. After receiving the ACK message from the server, the client sends the final
ACK message and the connection will be successfully
With this technique, the problem of half-open connections can be avoided and
spoofed IP addresses can be detected as well.
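The exchange above, as an added example that is not part of the proposal: the server side of the Double TCP check in Python, with an honest client and a client that forges the honest client's address. The identity is drawn with `secrets` because a predictable 16-bit value could be guessed in step 4 without ever having been received; the addresses and the in-memory "network" are constructed for the demo.

```python
import secrets

class DoubleTcpServer:
    """Server side of the Double TCP mechanism (added example, not from the proposal).

    First handshake: on a SYN, issue a random 16-bit identity, sent to the IP
    address in the packet header, and ignore the final ACK (no connection state
    is kept for it, so a half-open connection costs the server nothing).
    Second handshake: accept the SYN only if (source IP, identity) matches.
    """

    def __init__(self):
        self.pending = {}          # src_ip -> identity issued in the first handshake
        self.established = set()

    def first_syn(self, src_ip):
        ident = secrets.randbelow(1 << 16)   # unpredictable 16-bit identity field
        self.pending[src_ip] = ident
        return ("ACK", ident)                # routed to src_ip, not to the real sender

    def second_syn(self, src_ip, ident):
        if self.pending.get(src_ip) != ident:
            return "DROP"                    # unknown or wrong identity: spoofed or stale
        del self.pending[src_ip]
        self.established.add(src_ip)
        return "ACK"

def run_handshake(server, real_ip, claimed_ip, inboxes):
    """A client at real_ip sends SYNs whose source field says claimed_ip
    (equal to real_ip for an honest client). inboxes is a constructed network:
    a server reply lands in the inbox of the address it was sent to."""
    reply = server.first_syn(claimed_ip)
    inboxes.setdefault(claimed_ip, []).append(reply)
    mine = inboxes.setdefault(real_ip, [])
    ident = mine.pop()[1] if mine else None  # a spoofer never sees the identity
    return server.second_syn(claimed_ip, ident)

def demo():
    """Honest client, then a client spoofing the honest client's address."""
    server = DoubleTcpServer()
    inboxes = {}                             # constructed addresses below
    honest = run_handshake(server, "10.0.0.5", "10.0.0.5", inboxes)
    spoofed = run_handshake(server, "10.0.0.9", "10.0.0.5", inboxes)
    return honest, spoofed
```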
The second problem to be solved is detection of DDOS attacks that are within the
threshold level. For example, if a source is sending 60 requests in a minute and
the threshold is set to 40 requests per minute, then the system will drop these
requests and will block the source. Now if requests from attackers are within the
threshold level, they will try to keep the server busy so that it cannot serve legitimate
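Added example (not the proposal's code) covering both the CS_DDOS detection/prevention flow described earlier and the 60-versus-40 requests-per-minute case above: a blacklist check first, then a sliding-window rate classifier that blacklists and alerts on the first excess. The second simulated source stays just under the threshold and is never noticed, which is the gap this proposal targets; addresses and rates are constructed.

```python
from collections import defaultdict, deque

class ThresholdDetector:
    """Detection and prevention subsystems in the style of CS_DDOS (added example).

    A blacklisted source goes straight to prevention. Any other source is
    classified by request rate: more than `threshold` requests within the last
    `window` seconds is malicious; the source is blacklisted and an alert raised.
    """

    def __init__(self, threshold=40, window=60.0):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)   # src_ip -> timestamps of recent requests
        self.blacklist = set()
        self.alerts = []                    # alerts the prevention subsystem sends the admin

    def handle(self, src_ip, now):
        """Return "SERVE" to forward to the cloud server or "DROP" to prevent."""
        if src_ip in self.blacklist:        # detection subsystem: already known bad
            return self._prevent(src_ip, now, alert=False)
        q = self.history[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:   # keep only the last `window` seconds
            q.popleft()
        if len(q) > self.threshold:          # classifier: more frequent than threshold
            return self._prevent(src_ip, now, alert=True)
        return "SERVE"

    def _prevent(self, src_ip, now, alert):
        if alert:                           # first detection: alert the administrator
            self.alerts.append(f"t={now:.0f}s: rate above threshold from {src_ip}")
        self.blacklist.add(src_ip)          # no-op if already listed
        return "DROP"

def simulate(rate_per_min, src_ip, detector, minutes=2):
    """Constructed traffic: `rate_per_min` evenly spaced requests per minute
    from one source. Returns (served, dropped) counts."""
    served = dropped = 0
    for i in range(rate_per_min * minutes):
        verdict = detector.handle(src_ip, i * (60.0 / rate_per_min))
        if verdict == "SERVE":
            served += 1
        else:
            dropped += 1
    return served, dropped
```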
The technique is Auto Scaling [21]. In terms of cloud computing, Auto Scaling is
scaling up the resources according to need. If attackers are using the resources
they will try to keep the resource busy so that legitimate users cannot use that
resource. Scaling up resources to a certain limit allows legitimate users to use
the resource, and if any user is using resources for more than a selected time
limit and resource limit, its connection should be dropped or blocked. Auto
Scaling involves limitations on scaling up of resources and on duration. For
example, if the scaling limit [21] is set to 80% of CPU utilization, then if
utilization exceeds 80% for a duration of one minute, additional CPUs will be
allocated. Similarly, if CPU utilization is less than 80% for a duration of one
minute, the additional CPUs will be scaled down.
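The scaling rule described above as an added example (not the proposal's code): CPU utilization samples drive the 80%/one-minute rule with a hard upper limit on CPUs, and a per-client guard drops a connection once it exceeds the selected time limit or resource limit. Treating the two client limits independently, and the default limit values, are assumptions of this example; sample values are constructed.

```python
class AutoScaler:
    """Auto Scaling rule from the text (added example, not the proposal's code):
    add one CPU when utilization stays above `limit` for `hold` seconds, release
    one when it stays below `limit` for `hold` seconds, never exceeding `max_cpus`."""

    def __init__(self, limit=80.0, hold=60.0, min_cpus=1, max_cpus=4):
        self.limit, self.hold = limit, hold
        self.min_cpus, self.max_cpus = min_cpus, max_cpus
        self.cpus = min_cpus
        self.since = None          # (direction, time) when utilization crossed the limit

    def sample(self, now, util_percent):
        """Feed one utilization sample; return the CPU count after applying the rule."""
        direction = "high" if util_percent > self.limit else "low"
        if self.since is None or self.since[0] != direction:
            self.since = (direction, now)      # crossed the limit: restart the timer
            return self.cpus
        if now - self.since[1] >= self.hold:   # held for the full duration
            if direction == "high" and self.cpus < self.max_cpus:
                self.cpus += 1                 # allocate an additional CPU, up to the limit
            elif direction == "low" and self.cpus > self.min_cpus:
                self.cpus -= 1                 # scale the additional CPU back down
            self.since = (direction, now)      # at most one step per hold period
        return self.cpus

class UsageGuard:
    """Per-client limits from the text: drop the connection once a client has
    used resources longer than `max_seconds` or more than `max_cpu_seconds`
    (treating the two limits independently is an assumption of this example)."""

    def __init__(self, max_seconds=300.0, max_cpu_seconds=120.0):
        self.max_seconds, self.max_cpu_seconds = max_seconds, max_cpu_seconds
        self.started, self.used = {}, {}

    def account(self, client, now, cpu_seconds):
        """Record `cpu_seconds` consumed by `client` at time `now`; return ALLOW or DROP."""
        self.started.setdefault(client, now)
        self.used[client] = self.used.get(client, 0.0) + cpu_seconds
        too_long = now - self.started[client] > self.max_seconds
        too_much = self.used[client] > self.max_cpu_seconds
        return "DROP" if too_long or too_much else "ALLOW"
```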
This research will propose techniques to detect spoofed IP addresses and a
technique to detect DDOS attacks within the threshold, because in most of the
literature only attacks above the threshold are detected. For spoofed IP address
detection, two techniques will be proposed and tested with Wireshark. The report
on the comparison results will
Aims and Objectives
To prevent DDOS attacks in cloud computing by proposing techniques for:
Detection of packets from spoofed IP addresses
Detection of DDOS attacks within the
Timeline and Deliverables
1st JAN – 5th AUG
Framework for preventing DDOS attacks
6th AUG – 10th OCT
11th OCT – 10th
Research paper on preventing DDOS
attacks by detecting spoofed IP addresses.