
BAHIR DAR UNIVERSITY

BAHIR DAR INSTITUTE OF TECHNOLOGY


SCHOOL OF RESEARCH AND POSTGRADUATE STUDIES
Faculty of computing

PREVENTING DISTRIBUTED DENIAL OF SERVICE


ATTACKS IN CLOUD ENVIRONMENTS

Yared Dessalegne Alemu

BAHIR DAR, ETHIOPIA

February 11, 2019


PREVENTING DISTRIBUTED DENIAL OF SERVICE
ATTACKS IN CLOUD ENVIRONMENTS

Yared Dessalegne Alemu

A thesis submitted to the School of Research and Graduate Studies of Bahir Dar
Institute of Technology, BDU, in partial fulfillment of the requirements for the degree of
MSc in Computer Science in the Faculty of Computing.

Advisor Name: Mekunnient A. (PhD)
Co-Advisor Name (Optional)

Bahir Dar, Ethiopia
February 11, 2019
DECLARATION
I, the undersigned, declare that the thesis comprises my own work. In compliance with
internationally accepted practices, I have acknowledged and referenced all materials used
in this work. I understand that non-adherence to the principles of academic honesty and
integrity, misrepresentation/fabrication of any idea/data/fact/source will constitute
sufficient ground for disciplinary action by the University and can also evoke penal
action from the sources which have not been properly cited or acknowledged.

Name of the student_______________________________ Signature _____________


Date of submission: ________________
Place: Bahir Dar

This thesis has been submitted for examination with my approval as a university
advisor.

Advisor Name: __________________________________

Advisor’s Signature: ______________________________

Bahir Dar University

Bahir Dar Institute of Technology-

School of Research and Graduate Studies

Faculty of computing

THESIS APPROVAL SHEET

Student:
________________________________________________________________________
Name Signature Date

The following graduate faculty members certify that this student has successfully presented
the necessary written final thesis and oral presentation for partial fulfillment of the thesis
requirements for the Degree of Master of Science in computer science
Approved By:
Advisor:
________________________________________________________________________
Name Signature Date

External Examiner:
________________________________________________________________________
Name Signature Date

Internal Examiner:
________________________________________________________________________
Name Signature Date

Chair Holder:
________________________________________________________________________
Name Signature Date

Faculty Dean:
________________________________________________________________________
Name Signature Date

ACKNOWLEDGEMENTS
This thesis would not be complete without the help of many people. First and foremost, I
would like to thank my advisor, Dr. Mekuanint, for his best contribution to motivate me to do
this thesis. His support, his gentle way of teaching, his generosity and kindness, and his high
standards of integrity have been inspirational to me and crucial to the accomplishment of
this thesis.

ABSTRACT
Cloud computing is a new technological model in which users are provided with
applications and services over the Internet, and its security aspects require special
consideration. Nowadays, Denial of Service (DoS) attacks are a harmful element of
computer networks and one of the most damaging ways to attack a cloud environment.
Distributed Denial of Service (DDoS) attacks result in loss of availability of cloud
services; these attacks are becoming more harmful both in their common effects and in
their new effects that damage cloud sustainability by exploiting its scalability and its
payment model (pay-as-you-use). Many defence mechanisms have been proposed to
mitigate the impact of these attacks.

This thesis work is done to mitigate DDoS attacks on the cloud computing environment
through the Enhanced DDoS-Mitigation System (Enhanced DDoS-MS) process. To complete
our work, we propose a DoS attack mitigation architectural framework on cloud
computing infrastructure.

To show our results, we used simulation-based testing of the DoS attack mitigation using
the OPNET simulation tool. In order to demonstrate the mitigation process, our simulation
uses four scenarios.

TABLE OF CONTENTS
DECLARATION ... i
ACKNOWLEDGEMENTS
ABSTRACT ... v
TABLE OF CONTENTS ... vi
LIST OF ABBREVIATIONS ... vii
LIST OF FIGURES ... viii
1. INTRODUCTION ... 1
1.1. Background ... 1
1.2. Problem Statement ... 2
1.3. Objective of the study ... 2
1.4. Scope of the study ... 2
1.5. Significance of the study ... 3
2. LITERATURE REVIEW ... 3
2.1. Existing Prevention Techniques ... 4
2.2. Proposed Prevention Techniques ... 6
3. METHODOLOGY ... 7
4. RESULTS AND DISCUSSION ... 8
4.1. Implementation for the server under attack with the configured network
4.2. Number of requests received by the server for HTTP applications ... 9
4.3. Response time for HTTP applications
4.4. Server performance ... 12
5. CONCLUSIONS AND RECOMMENDATIONS ... 13
5.1. Conclusions ... 13
5.2. Recommendations ... 14
REFERENCES ... 15

LIST OF ABBREVIATIONS
CPU Central Processing Unit
CSP Cloud Service Provider
DDoS Distributed Denial of Service
DoS Denial of Service
EDoS Economical Denial of Sustainability
HTTP Hyper Text Transfer Protocol
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
OPNET OPtimized Network Engineering Tools
PaaS Platform as a Service
SaaS Software as a Service
TCP Transmission Control Protocol
UDP User Datagram Protocol

LIST OF FIGURES
Figure 1 - Enhanced DDoS-MS Architecture ... 7
Figure 2 - System design and implementation for a server under attack with the configured ... 10
Figure 3 - Average number of traffic requests received by the Server ... 7
Figure 4 - Average response time for HTTP applications initiated ... 7
Figure 5 - Average load on the Server for HTTP applications in ... 7

1. INTRODUCTION

1.1 Background

Cloud computing is the utilization of hardware and software combined to provide services
to end users over a network such as the Internet. It includes a set of virtual machines that
simulate physical computers and provide services, such as operating systems and
applications. However, configuring virtualization in a cloud computing environment is
critical when deploying a cloud computing system. A cloud computing structure relies on
three service layers: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and
Software as a Service (SaaS). IaaS gives users access to physical resources, networks,
bandwidth, and storage. PaaS builds on IaaS and gives end users access to the operating
systems and platforms necessary to build and develop applications, such as databases. SaaS
provides end users with access to software applications.

However, many challenges arise in cloud computing; some of them concern the security,
performance and availability of cloud computing services and resources [4]. My
concern in this thesis work is the protection of cloud infrastructure and services from
different threats. The most prominent threat to the availability of cloud computing services
is Denial of Service (DoS), through flooding or logical attacks. Since the aim of cloud
computing is to deliver its applications and services to users through the Internet, it is
prone to various kinds of external and internal security attacks [7].

A DDoS attack occurs when an attacker (or a malicious user) attempts to completely
consume all available resources of the target server and therefore blocks all services to
legitimate users by sending massive amounts of bogus traffic to the victim. A DoS attack
typically consumes bandwidth, but it can also consume memory, CPU cycles, file space, or
any other resource that is necessary for normal operation [4]. The victim becomes
overwhelmed by the overload of traffic and is unable to respond to legitimate users.
Unless countermeasures are taken, the victim remains at the mercy of the attacker for the
entire duration of the attack.

1.2 Problem Statement

Studies have been conducted in the past few years to propose solutions to the security
problems of cloud computing services. Among the different threats, the DoS attack is
becoming the most critical. These attacks are becoming more harmful both in their common
effects and in their new effects that damage cloud sustainability by exploiting its
scalability and its payment model (pay-as-you-use). They deny cloud service users the use
of their access rights on the virtual infrastructure. Their impact is not simple: its degree can
range from mild service degradation to complete loss of service.

A number of methods have been proposed to counter these attacks. However, the existing
solutions still have limitations, for example:

➢ they prevent legitimate users from accessing the targeted servers
➢ they still increase the end-to-end latency
➢ the verification process is not enough to protect the system

So, to fill the above gaps, we propose a new framework, the DDoS Mitigation System
(DDoS-MS). The framework is aware of previous work: it includes the strong aspects of
previous systems and improves on their weak points.

1.3 Objective of the study

1.3.1 General objective

➢ The general objective of this thesis is to develop a DoS attack mitigation system on
the cloud environment.

1.3.2 Specific objectives


To achieve the general objective of this thesis, the following specific objectives are
identified.
✓ To design Enhanced DDoS-Mitigation System (Enhanced DDoS-MS).
✓ To implement the network system without an active firewall configuration
✓ To implement the network system with the existence of firewall and without
active attacks.
✓ To design the network system with the existence of firewall under active attacks
✓ To design the network system with an active policy system on the firewall.

1.4 Scope of the study

This thesis mainly focuses on developing an architectural framework for DoS attack
mitigation on cloud computing. It particularly focuses on DDoS, so some results of the
thesis may not be applicable to non-cloud computing systems.

1.5 Significance of the study

The result of this thesis may contribute to cloud customers being able to obtain any cloud
service from cloud providers without challenges, so that the cloud services are available
and accessible at all times.

2. LITERATURE REVIEW

2.1 Existing Prevention Techniques

Many methods have been proposed for tackling DDoS attacks, such as CLAD, SOS,
WebSOS, and Fosel. However, it is noticed that the existing techniques focus on some
aspects and ignore, or fail to meet, the requirements of others. Therefore, a new
framework will be designed.

The work in [8] detects DDoS attacks in a cloud computing environment using Dempster-Shafer
theory (DST) operations. The authors combine the evidence obtained from IDSs deployed in
the VMs of the cloud system with a data fusion methodology in the front-end. They also use
a MySQL database placed within the Cloud Fusion Unit (CFU) of the front-end server to
store the VM-based IDS alerts during the attack. To meet their final goal, they propose a
quantitative solution for analyzing the alerts generated by the IDSs, using the DST
operations in 3-valued logic and Fault-Tree Analysis (FTA). As a limitation, summarizing
all packets in matrix form, converting this matrix into a covariance matrix, and storing a
result matrix for further analysis becomes very difficult when the number of packets
increases.

The work in [9] proposes an extension to the federated cloud architecture that uses
scalability and migration of virtual machines to build scalable cloud defenses against cloud
DDoS attacks. The authors propose a scalable solution for mitigating DDoS attacks by
leveraging cloud capabilities. The idea is to use the scalability of federated cloud
infrastructures to build scalable cloud DDoS defenses that can deal more efficiently with
DDoS attacks and restore the availability of the cloud infrastructure more quickly. As a
weakness, the proposed solution does not validate the architecture by integrating the
countermeasure in a federated IaaS architecture.

The work in [10] proposes a system that combines available concepts with new intrusion
detection techniques, merging an entropy-based system with an anomaly detection system
to mitigate multilevel Distributed Denial of Service (DDoS) attacks. This is done in two
steps. First, users pass through a router inside the network that incorporates a detection
algorithm and detects legitimate users. Second, traffic passes through a router placed inside
the cloud site that incorporates a confirmation algorithm and checks against a threshold
value. If it is beyond the threshold value, it is considered a legitimate user; otherwise it is
an intruder. In the system, each node identifies local events that could represent security
violations and alerts the other nodes. Moreover, each individual IDS cooperatively
participates in intrusion detection and shares information between the IDS service and the
other elements participating in the architecture: the node, service, event auditor, and
storage service.

The work in [11] on the availability challenge of cloud computing showed the effect of a
DoS attack on the cloud. The researchers designed a model of a DoS attack and then
simulated a cloud system in an experimental environment. Their experiments show that
the cloud system is vulnerable to this attack and that it leads to failures. In order to confront
this attack, several solutions are proposed in the paper: they suggest load balancing and
honeypot filtering besides intrusion detection systems (IDS) to defend against the attack.
The paper's strength is the experiment showing that the cloud system is vulnerable to this
attack and fails under it, but the authors did not test their defence mechanism. They simply
suggested how to defend against the attack.

The work in [12] is experiment-based research addressing a specific type of DoS attack
on Virtual Machines (VMs). These VMs host IaaS, PaaS, and SaaS to provide cloud
computing services. The researchers use tools like nmap, hping and wget to estimate, with
high likelihood, the placement of virtual machines in a cloud infrastructure.
They worked on a specific kind of DoS attack in which an attacker congests a bottleneck
network channel shared among VMs co-resident on the same physical node in the cloud
infrastructure. Their model is designed to evaluate the behavior of this shared network
channel using the Click modular router on the DETER testbed. Their approach holds new
ways of detecting DoS attacks on the VMs using different tools and provides a solution for
users to use their resources properly. However, they addressed only the problem of attacks
from shared VMs co-resident on the same physical node.

The work in [13] proposes an approach to avoid DoS attacks by means of an entity integrated
into a cloud server that monitors what ratio of the available bandwidth is being used. To find
the maximum available bandwidth of the server and to monitor the amount of bandwidth
used by each router, the entity, the Denial-of-Service Bandwidth Allowance Device
(DOSBAD), periodically sends a series of packets along each possible path within the cloud.
To investigate a possible DoS attack, DOSBAD pings the suspicious address and identifies
the address sending the most incoming packets by storing the signature of each incoming
packet. Finally, they conclude that if a high ratio of bandwidth is being used, one or more
routers are overwhelmed by incoming packets, and if a high number of packets arrive at a
router from the same IP address, that address is suspicious to the system.

As a weakness, to find the maximum available bandwidth of the server, DOSBAD
periodically sends a series of packets down each possible path within the cloud, and this
reduces the performance of the network. It can also create false positive results due to
different factors of the devices.
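The two monitoring ideas summarized above, the entropy threshold of [10] and the bandwidth-ratio and busiest-sender check of [13], as an added example that is not code from either paper or from this thesis. The packet records are constructed, and the link capacity, the entropy threshold, the bandwidth alert ratio and the one-second window are assumed values. The example treats low source-address entropy as the anomaly, which fits a flood from a few infected hosts like the one modelled in Chapter 4; a flood from many spoofed addresses would push entropy up instead, so the direction of the threshold test has to match the attack model being defended against.

```python
"""Window-based traffic indicators in the spirit of [10] (source-address
entropy against a threshold) and [13] (share of link bandwidth in use and
the address sending the most packets). Constructed example; not code from
either paper or from this thesis."""
import math
from collections import Counter

LINK_CAPACITY_BPS = 10_000   # assumed link capacity, bytes per second
ENTROPY_THRESHOLD = 1.5      # assumed; in practice derived from a traffic baseline
BANDWIDTH_ALERT_RATIO = 0.8  # assumed; share of capacity considered "high"
WINDOW_SECONDS = 1.0         # assumed analysis window


def constructed_packets():
    """(timestamp_s, src_ip, size_bytes) records for two one-second windows."""
    # Window 0: eight distinct sources, one 100-byte packet each (quiet period).
    pk = [(0.1 * i, f"192.0.2.{i + 1}", 100) for i in range(8)]
    # Window 1: two infected hosts dominate (32 and 28 packets), three
    # legitimate hosts send one packet each; 150 bytes per packet.
    pk += [(1.0 + k * 0.01, "10.0.1.1", 150) for k in range(32)]
    pk += [(1.0 + k * 0.01, "10.0.1.2", 150) for k in range(28)]
    pk += [(1.5, "192.0.2.1", 150), (1.6, "192.0.2.2", 150), (1.7, "192.0.2.3", 150)]
    return pk


def source_entropy(counts):
    """Shannon entropy, in bits, of the source-address distribution of a window."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def analyze(packets, window=WINDOW_SECONDS):
    """Group packets into fixed windows and report the three indicators per window."""
    windows = {}
    for ts, src, size in packets:
        w = windows.setdefault(int(ts // window), {"counts": Counter(), "bytes": 0})
        w["counts"][src] += 1
        w["bytes"] += size
    report = []
    for idx in sorted(windows):
        counts, nbytes = windows[idx]["counts"], windows[idx]["bytes"]
        entropy = source_entropy(counts)
        ratio = nbytes / (LINK_CAPACITY_BPS * window)   # share of capacity used
        top_src, top_n = counts.most_common(1)[0]        # [13]: busiest sender
        report.append({
            "window": idx,
            "entropy": entropy,
            "bandwidth_ratio": ratio,
            "top_source": top_src,
            "top_source_packets": top_n,
            # Low entropy: a few addresses dominate the window. High ratio:
            # the link is close to saturation. Either one marks the window.
            "suspicious": entropy < ENTROPY_THRESHOLD or ratio > BANDWIDTH_ALERT_RATIO,
        })
    return report


if __name__ == "__main__":
    for row in analyze(constructed_packets()):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"window {row['window']}: entropy={row['entropy']:.2f} bits "
              f"bandwidth={row['bandwidth_ratio']:.0%} "
              f"top={row['top_source']} ({row['top_source_packets']} pkts) {flag}")
```

Running the file prints one line per window; the quiet window scores 3 bits of entropy at 8% of capacity, while the flooded window drops to about 1.3 bits at 94.5% of capacity with 10.0.1.1 as the busiest sender. In a deployment the two thresholds would come from a baseline of normal traffic rather than fixed constants, and the counters would be kept over a sliding window rather than fixed one-second buckets.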

The work in [14] focuses on protecting and defending the cloud infrastructure against
malicious attacks by designing 'intrusion tolerance'. The authors show the renewal and
confidentiality properties of sensitive data by utilizing secret sharing and adding a proxy
server. As they mention, the proxy server acts as an intermediate server between the client
system and the cloud servers. To reduce the impact of DoS attacks, they propose a
framework of cooperative intrusion detection systems (IDS), but attacks may never be
completely prevented. So, they implemented the CloudSim toolkit to monitor the cloud
process and store the data. Their implementation is authenticated by the proxy and the
original data is encrypted. If this succeeds, the real data can be viewed clearly and
distinguished from the attackers' data. Using this, the intrusion attack is detected and
separated during the process, which provides a way to use the cloud infrastructure without
interruptions.

The existing solutions still have limitations with regard to countering DDoS attacks.
Therefore, a new framework is proposed to fill this gap by including the strong aspects of
the existing solutions and strengthening the weak ones. The framework is called Enhanced
DDoS-Mitigation System (Enhanced DDoS-MS).

2.2 Proposed Prevention Techniques

Related literature from different sources (books, Internet, journals, etc.) will be reviewed to
understand DoS attack problems in the cloud computing environment; the major activity is
reviewing the most current research on DoS attack problems in cloud computing. The
existing solutions still have limitations with regard to countering DDoS and EDoS attacks.
Maintaining cloud features such as scalability and elasticity, while providing the required
security and limiting the end-to-end latency, must be the main aim of any suggested
solution to this problem. Therefore, a new framework is proposed to fill this gap by
including the strong aspects of the existing solutions and strengthening the weak ones. It is
a proactive technique implemented on the customers' side to protect them from DDoS
attacks and to proactively protect them and their cloud providers from EDoS attacks. The
framework is called Enhanced DDoS-Mitigation System (Enhanced DDoS-MS).

3. METHODOLOGY

In order to achieve the general and specific objectives mentioned above, I will use the
following methods.

Literature review: related literature from different sources (books, Internet, journals, etc.)
will be reviewed to understand DoS attack problems in the cloud computing environment.
The major activities are:
✓ The most current research in the area of DoS attack problems in cloud computing
will be reviewed.
✓ Identifying the strengths and weaknesses of the solutions proposed by previous researchers.
✓ In this thesis, a new solution called Enhanced DDoS-Mitigation System
(Enhanced DDoS-MS) is proposed to counter these attacks by utilizing the firewall
capabilities in controlling a verification process to protect the targeted system.
✓ Its principle, architecture, mechanism, and evaluation using the OPNET simulation tool
will be presented.

Figure 1: The proposed system of the research methodology

4. RESULTS AND DISCUSSION

Our work is designed on the basis of cloud computing infrastructure security, to mitigate
DoS attacks using Optimized Network Engineering Tools (OPNET), which was created by
OPNET Technologies, founded in 1986, as an open source network simulation tool. This
design work shows four different scenarios.

The reason for using these scenarios is to see the clear impact of a DDoS attack on the cloud
users and how our mitigation architectural framework mitigates the attack to provide
reasonable service assurance for legitimate users.

The first scenario considers the basic implementation of the network system represented in
Fig. 2 without an active Firewall configuration and with no scheduled attacks assigned in
the system. This scenario examines the best-case implementation of the assigned network
system, without DDoS issues at the Server.

The second scenario considers the network system with the Firewall present and without
active attacks in the network system. This scenario examines the network efficiency with
the Firewall component present, to check the overhead that it may add to the system and its
effect on network performance.

The third scenario considers the network system with the Firewall present and under active
attacks, where no security policies have been assigned on the Firewall. This scenario
examines the efficiency issues that result when the Firewall is present but the network
protection policy is not implemented on it; it represents the worst case, as the network
performance is affected by a serious level of DDoS attack.

The fourth scenario considers the implementation of the network system with an active
policy system on the Firewall that blocks the infected traffic generated by the infected
users; it represents the scenario in which the implemented system is protected from the
DDoS attacks. The results of these implemented scenarios are compared and studied in
terms of performance and protection efficiency throughout this research.

4.1 Implementation for the Server under Attack with the Configured Network

In Fig. 2, the system design is shown: the Server is accessible by users from the internal
network and is connected with an IP Cloud for other users, through the Cloud, with
different applications. The Attacker is influencing the users' devices connected to switch 1
(S1), where all the devices are infected. The attacks from these devices flood the Server
with traffic requests for the HTTP applications and initiate a large number of applications
on the Server. The legitimate HTTP clients are connected to switch 2 (S2), and all connected
users in this zone are not affected by the Attacker's actions.

4.2 Number of Requests Received by the Server for HTTP Applications

For the implemented HTTP applications for web browsing, the users try to access the
Server during the simulation time while the attacker affects the users according to the
identified scenarios. Fig. 3 shows the average volume of request traffic received by the
Server from the users in the network system for HTTP applications, in bytes per second. All
the scenarios allow about 75 seconds at the beginning of the simulation as system setup
time for the users' connections within the network system. The best-effort scenarios show
an ideal traffic volume for average HTTP requests (150 to 350 bytes/second) received by
the Server, where no attacks are assigned on the implemented system. On the other hand,
the largest volume of average HTTP requests, 300 to 550 bytes/second, is shown in the
scenario with active attacks and without an active policy on the Firewall. However, with
the implementation of the Firewall policy, the volume of HTTP requests received by the
Server is reduced to a level between 250 and 380 bytes/second, which is close to the
optimum level of received traffic.

4.3 Response Time for HTTP Applications

The average response time for HTTP applications initiated between the system users and
the HTTP Server reflects the performance level of the implemented DDoS prevention
system, as shown in Fig. 4. The shortest average response time, between 80 and 90 ms,
occurs in the scenarios with no assigned attacks, whereas this value increases to an average
between 120 and 140 ms. However, with the implementation of the Firewall policy, the
average response time for HTTP applications is reduced to a level from 110 to 125 ms.
The reduction in average response time enhances the performance level of HTTP
applications in the implemented system as a result of applying the Firewall prevention
policy to the flooded traffic.

4.4 Server Performance

Another parameter that reflects the performance level of the implemented DDoS
prevention system is the evaluation of the Server performance in terms of the load of tasks
executed per second. When the Server operates in best-effort conditions, where no DDoS
attacks are implemented, the average load level on the Server is between 5 and 12
tasks/sec. On the other hand, in the scenario with implemented attacks and without any
configured policy on the Firewall, the average load level is between 13 and 33 tasks/sec.
Furthermore, the evaluation shows that when applying the policy constraints on the
Firewall, the average load level on the Server improves to between 7 and 27 tasks/sec.
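The four scenarios of this chapter and the three metrics reported in Sections 4.2 to 4.4, as an added toy model written for this page; it is not the thesis's OPNET model and its numbers are not the thesis's results. The host lists for the S1 and S2 zones, the request rates, the request size, the firewall hop delay and the response-time formula are all constructed, and the firewall policy is assumed to be a per-source cap on requests per second (the thesis does not state the rule its policy applies).

```python
"""Toy model of the four firewall scenarios of Chapter 4. Constructed
example; not the thesis's OPNET model. Hosts behind switch S2 are
legitimate, hosts behind switch S1 are infected. The firewall policy is
assumed to cap each source at a fixed request rate; all numbers below are
constructed to illustrate the comparison, not measured values."""
from collections import defaultdict

# Constructed topology (the thesis's Fig. 2 names the zones S1 and S2).
S2_LEGIT_HOSTS = [f"10.0.2.{i}" for i in range(1, 6)]     # five legitimate clients
S1_INFECTED_HOSTS = [f"10.0.1.{i}" for i in range(1, 4)]  # three infected clients

LEGIT_RPS = 1          # requests/second per legitimate host (constructed)
FLOOD_RPS = 12         # requests/second per infected host (constructed)
REQUEST_BYTES = 60     # bytes per HTTP request (constructed)
POLICY_MAX_RPS = 4     # assumed firewall rule: cap each source at this rate
FIREWALL_HOP_MS = 2    # assumed overhead of the firewall hop
BASE_RESPONSE_MS = 80  # constructed best-effort response time
MS_PER_EXCESS_REQ = 2  # constructed response-time growth per excess request/s


def offered_traffic(attack):
    """Requests per second offered by each source during one second."""
    per_src = defaultdict(int)
    for host in S2_LEGIT_HOSTS:
        per_src[host] += LEGIT_RPS
    if attack:
        for host in S1_INFECTED_HOSTS:
            per_src[host] += FLOOD_RPS
    return dict(per_src)


def firewall_pass(per_src, policy_active):
    """Traffic leaving the firewall. With the policy active every source is
    capped at POLICY_MAX_RPS; without it the firewall forwards everything."""
    if not policy_active:
        return dict(per_src)
    return {src: min(n, POLICY_MAX_RPS) for src, n in per_src.items()}


def run_scenario(firewall_present, attack, policy_active):
    """Return the three metrics of Sections 4.2 to 4.4 for one scenario."""
    per_src = offered_traffic(attack)
    if firewall_present:
        per_src = firewall_pass(per_src, policy_active)
    rps = sum(per_src.values())                        # requests reaching the server
    excess = max(0, rps - len(S2_LEGIT_HOSTS) * LEGIT_RPS)
    response_ms = (BASE_RESPONSE_MS
                   + (FIREWALL_HOP_MS if firewall_present else 0)
                   + MS_PER_EXCESS_REQ * excess)
    return {
        "bytes_per_sec": rps * REQUEST_BYTES,   # Section 4.2 metric
        "response_ms": response_ms,             # Section 4.3 metric
        "tasks_per_sec": rps,                   # Section 4.4 metric
    }


# The four scenarios of Chapter 4, in order: (firewall present, attack, policy active).
SCENARIOS = {
    "1: no firewall, no attack": (False, False, False),
    "2: firewall, no attack": (True, False, False),
    "3: firewall without policy, under attack": (True, True, False),
    "4: firewall with policy, under attack": (True, True, True),
}


def compare_scenarios():
    """Metrics for all four scenarios, keyed by scenario name."""
    return {name: run_scenario(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, m in compare_scenarios().items():
        print(f"{name:42s} {m['bytes_per_sec']:5d} B/s  "
              f"{m['response_ms']:4d} ms  {m['tasks_per_sec']:3d} tasks/s")
```

Scenario 4 lands between scenarios 1 and 3 rather than back at the baseline because a rate cap still forwards the first POLICY_MAX_RPS requests of every source; that is the same shape as the partial reduction the thesis reports. A real firewall policy would keep per-source counters over a sliding window rather than a single fixed second, and would pair the cap with the address-level indicators described in the literature review.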

5. CONCLUSIONS AND RECOMMENDATIONS

5.1 Conclusions

DDoS attacks are quite advanced methods of attacking a network system to make it unusable
to legitimate network users. These attacks are an annoyance at a minimum and, if they are
directed against a critical system, they can be severely damaging. Loss of network resources
costs money, delays work and cuts off communication between network users. The negative
effects of a DoS attack make it important that solutions and security measures be developed
to prevent these types of attacks.

This study introduces a new solution called Enhanced DDoS-MS as an attempt in this
regard. It depends on the firewall security features. These features are evaluated in a
simulation environment that proves the effectiveness of the firewall as a filtering device in
defeating DDoS attacks.

In this thesis, we present the DDoS attack on the cloud computing environment as a
problem and propose a DDoS attack mitigation architecture on the cloud. In addition, the
effectiveness of our proposed architectural framework was evaluated using the OPNET
simulation tool for legitimate users and for the attacker, based on their observed behaviors.
We have evaluated and analyzed our DDoS attack mitigation on the cloud infrastructure
using the OPNET simulation tool in four scenarios.

5.2 Recommendations

Future work involves implementing more complex scenarios of the Enhanced DDoS-MS
framework in the same simulation environment. Furthermore, the proposed system will be
validated in a real testbed for verification purposes. There are still several issues regarding
DDoS attacks on the cloud computing environment that warrant further research, such as
checking the credentials of the sender for legitimate users' packets and mitigating
unintentional internal attacks from legitimate users.

REFERENCES
[1] Tamer Özsu M. and Patrick V., Principles of Distributed Database Systems, 3rd ed.,
Springer Science and Business Media, LLC, USA, November 2010.
[2] Lee B., "Draft Cloud Computing Synopsis and Recommendations", United States
National Institute of Standards and Technology (NIST), Special Publication 800-146,
USA, May 2011.
[3] Siani P., "Privacy, Security and Trust in Cloud Computing", Springer, USA, June 2012.
[4] Priya M. and Geeta S., "Privacy Issues and Challenges in Cloud Computing",
International Journal of Advanced Engineering Sciences and Technologies (IJAEST),
Vol. 5, No. 1, pp. 001-006, 2011.
[5] Adam H., "Cloud Computing Takes Off", Morgan Stanley Research, Global
Technology and Telecommunications Team, May 23, 2011.
[6] Eric B. and Randee A., "Reliability and Availability of Cloud Computing", 1st ed.,
IEEE, John Wiley & Sons, 2012.
[8] Lonea A., Popescu D., and Tianfield H., "Detecting DDoS Attacks in Cloud
Computing Environment", International Journal of Computing and Communication,
February 2013.
[9] Joseph L., Philippe M., Syed N., Benny R., and Massimo V., "Scalable Cloud Defenses
for Detection, Analysis and Mitigation of DDoS Attacks Towards the Future Internet",
IOS Press, 2010.
[10] Syed Navaz A., Sangeetha V., and Prabhadevi C., "Entropy based Anomaly Detection
System to Prevent DDoS Attacks in Cloud", International Journal of Computer
Applications, January 2013.
[11] Aboosaleh M., Saeed K., Mehdi A., Baharak S., and Mohammad G., "Availability
Challenge of Cloud System under DDoS Attack", Indian Journal of Science and
Technology, June 2012.
[12] Harkeerat S. and Sajjan S., "Securing Cloud Infrastructure Against Co-Resident
DoS Attacks Using Game Theoretic Defense Mechanisms", ICACCI '12, August 03-05,
2012.
[13] Biswajit Panja, Bharat Bhargava, Sourav Pati, Dayton Paul, Leszek T. Lilien and
Priyanka Meharia, "Monitoring and Managing Cloud Computing Security using Denial
of Service Bandwidth Allowance", 2011.