Comparative Analysis of State-Of-The-Art Edos Mitigation Techniques in Cloud Computing Environment
Malaysia
2 ST Engineering Electronics - SUTD Cyber Security Laboratory, Singapore University
of Technology and Design (SUTD), 8 Somapah Road, 487372, Singapore
shafiq rehman@sutd.edu.sg
1 Introduction
Cloud Computing [25,15] is the next revolution in the Information and
Communication Technology (ICT) arena [1]. It is a model in which computing is
delivered as a commoditized service like electricity, water, and
telecommunication. Cloud computing (CC) provides software, platform,
infrastructure, and other hybrid models, which are delivered as
subscription-based services in which customers pay based on usage [4].
Nevertheless, security is one of the main factors that inhibit the
proliferation of CC [26,17].
Economic Denial of Sustainability (EDoS) is a new breed of security and
economic threat to the CC paradigm [22]. Unlike the traditional Distributed
Denial of Service (DDoS) [10] which brings down a service by exhausting the
2 P. Singh et al.
processing power will not be able to resolve the puzzles and are thus unable to
access the cloud resources [9]. Secondly, the server must create separate
channels to address each request. In case of a large number of incoming
requests, the server will generate a number of puzzles, which leads to a puzzle
accumulation attack if the puzzles are not resolved in time.
Later in 2011, Sqalli et al. proposed another mitigation technique called
EDoS-Shield [23]. This technique distinguishes legitimate from malicious
requests by checking the user's presence at the client-side machine. The
EDoS-Shield architecture consists of a Virtual Firewall (VF) and Verifier Nodes
that function in tandem to execute the EDoS mitigation tasks. Incoming requests
are filtered by the firewall based on white and black lists. When a client makes
an access request, the verifier node verifies it through a Turing test. If the
client passes the test, its IP address is kept in the white-list and subsequent
requests from the same client are forwarded directly to the cloud scheduler,
approving resource allocations. If the client fails the Turing test, its IP
address is added to the black-list and subsequent requests from the same client
are dropped by the firewall itself. Nevertheless, the proposed technique has
certain constraints. First, it is vulnerable to spoofing attacks. By performing
IP address spoofing, an attacker can use an IP address belonging to the
white-list of the verifier node to carry out an EDoS attack that would remain
undetected. Second, due to its design it can have a higher false positive rate,
blocking many IP addresses that belong to legitimate users, as the two lists
are not updated in a timely and accurate manner.
The In-cloud scrubber service is another mechanism proposed to mitigate the
EDoS attack [14]. This mechanism uses an on-demand web service (Scrubber
Service) that applies a crypto puzzle approach to validate legitimate users'
requests [13]. The mechanism offers two modes, namely normal mode and suspected
mode, and service providers can choose between them based on their
requirements. For instance, in a normal scenario, when the web server is
perceived to behave normally, it runs in normal mode. Whenever the service
provider observes web server resource exhaustion beyond an acceptable limit
together with high bandwidth utilization, this could be considered an attempted
EDoS attack. The service provider then enables suspected mode, and an on-demand
call is directed to the Scrubber service to generate and verify a hard puzzle.
However, this mechanism has certain limitations: it can only detect and
mitigate HTTP attacks, and it depends on a third party application for
authentication purposes.
In 2013, Mudassar proposed an EDoS mitigation framework known as EDoS
Armor [16], specifically meant for E-Commerce applications. It uses a two-step
approach comprising admission control and congestion control. At first, when
a user initiates a session, the server sends a challenge to the user, which
could be an image or a cryptographic puzzle to be resolved. If the user
resolves the challenge, the request is directed to admission control.
Otherwise, the user's session is dropped and the number of connections to the
server is limited for that user. This technique applies a port hiding approach
to restrict the users, as an attack cannot be initiated in the absence of a
valid port number. Next, the browsing behavior of the user is consistently
traced. Whenever abnormal behaviour is detected, a service priority is set for
that particular user based on their previous records. In this manner, EDoS
Armor can mitigate EDoS attacks on the application. However, new users of
E-commerce applications may find the system complicated due to the complexity
of its design. Therefore, the practical implementation of this method seems
doubtful.
Recently, Chowdhury et al. proposed a new approach known as EDoS Eye
to counter the EDoS attack [7]. This model applies a game theory approach to
mitigate EDoS traffic. The authors claim to have developed a Game Based Decision
Module (GBDM) that can derive threshold values to restrict the incoming traffic.
Similarly, another technique, proposed by Shawahna et al., is known as EDoS
Attack Defense Shell (EDoS-ADS) [21]. According to the authors, this technique
is applicable to Network Address Translation (NAT) based networks, where it is
triggered if it sniffs any abnormal incoming traffic. For instance, in an attack
scenario, it triggers a checking component to differentiate between legitimate
users and attackers. However, both techniques were evaluated in simulation
environments, which have their own limitations and do not closely represent
real-world scenarios.
In the context of this work, a summary of previous efforts and research has
been done in the area of network worm, network scanning and signature automa-
tion approaches. The main observations that can be derived from the literature
review are:
In this section, we describe our proposed mitigation mechanism for Cloud
Computing (CC) environments, known as the EDoS Mitigation Mechanism (EMM) [3].
The aim of this mechanism is to be effective enough to mitigate different types
of EDoS attacks while consuming fewer resources. It consists of three major
modules, namely Data preparation, Detection, and Mitigation, which work in
conjunction to achieve this objective. Fig. 1 depicts the architecture of the
proposed EMM technique.
EDoS Mitigation Techniques in Cloud Computing Environment 5
In the first phase, the network traffic is sampled using sFlow agents and sent
to the sFlow collector for analysis. Network statistics are generated from the
inputs received by the sFlow collector, and traffic is then segregated based on
source IP, source port, destination IP, destination port, and counter. In the
second phase, the network statistics are compared against the threshold value
defined using HD and classified for suspicious behaviours based on an entropy
analysis. In the final phase, OpenFlow (OF) controllers drop the network traffic
of suspicious source IP addresses by updating switching rules and continue
monitoring the network for anomalies. The functionality of these EMM components
is described as follows:
In this module, data is collected during flow-based monitoring [19,11]. An
sFlow agent collects the flow of network traffic and passes it to the sFlow
collector for information extraction. EMM leverages the sFlow packet sampling
technique to monitor traffic in real time. Packet sampling decouples the flow
collection process from the forwarding plane and provides all flow-related
statistical information. This method provides efficient and aggregated packet
forwarding, eliminating the specific flow entries requirement of the native OF
approach and overcoming flow-table size limitations by reducing the number of
flow entries in OF switches. EMM uses a simplified flow collection algorithm to
minimize the system resource requirements while providing adequate information
for a reliable attack detection process.
Based on the protocol type, such as TCP, UDP or ICMP, the collected data is
processed and segregated before being summarized and passed to the detection
module. The 6-tuple information, i.e., switch ID, source IP, destination IP,
source port, destination port and counter, is extracted from the datagram. This
information is later used by the detection module to set a dynamic threshold
using the Hellinger distance and to perform entropy-based flood detection for
alerting on and mitigating the attack.
The collected datagram packets are analyzed to extract information such as
source and destination IP, port number, and number of packets per second. Using
the Hellinger distance [18] and entropy methods [20], this module defines the
dynamic threshold settings and performs the anomaly detection tasks,
respectively.
$$H^2(P, Q) = \frac{1}{2} \sum_{i=1}^{n} \left( \sqrt{P_i} - \sqrt{Q_i} \right)^2 \tag{1}$$
The HD value varies between 0 and 1, where 0 represents identical distributions
and 1 represents different probability distributions. A low HD between two
distributions implies no significant deviation, while an abruptly elevated HD
indicates an anomaly or attack in the network. To flag an anomaly in the
network, a detection threshold is required. To obtain a dynamic threshold that
allows the proposed mechanism to be used in any kind of network environment,
EMM relies on the HD probability distribution method [3].
We adopted the entropy method [20] in our proposed EMM technique as the
anomaly detection algorithm. The chosen method not only classifies attack
patterns effectively, but also distinguishes the attackers from the victims.
Once a network anomaly is detected, this method examines and correlates specific
network metrics, identifying the attack and passing all related information to
the attack mitigation module.
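The following sketch illustrates the two detection steps described above, the HD-based threshold check of Eq. (1) and the entropy-based identification of attacker and victim. It is an added example, not the authors' EMM implementation. Assumptions: HD is computed over the per-window protocol mix (TCP/UDP/ICMP), the dynamic threshold is an EWMA mean plus k deviations (the page does not give EMM's formula), and the flow records, constants and function names are constructed for illustration.

```python
import math
from collections import Counter

PROTOS = ("TCP", "UDP", "ICMP")  # protocol classes the page segregates by
# Flow record: (switch, src_ip, dst_ip, src_port, dst_port, proto, counter)
SRC, DST, PROTO, CNT = 1, 2, 5, 6

def totals(flows, field):
    """Sum the sampled packet counter per value of one flow field."""
    counts = Counter()
    for f in flows:
        counts[f[field]] += f[CNT]
    return counts

def proto_dist(flows):
    """Packet share per protocol in one window (assumed HD feature)."""
    counts = totals(flows, PROTO)
    total = sum(counts.values()) or 1
    return [counts[p] / total for p in PROTOS]

def hellinger_sq(p, q):
    """Eq. (1): 0 for identical distributions, 1 for non-overlapping ones."""
    return 0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q))

def norm_entropy(counts):
    """Shannon entropy of a count table, scaled to [0, 1]."""
    total = sum(counts.values())
    h = -sum(c / total * math.log2(c / total) for c in counts.values() if c)
    return h / math.log2(len(counts)) if len(counts) > 1 else 0.0

def detect(windows, alpha=0.125, k=4.0, floor=0.02):
    """One verdict per window after the first. Threshold: EWMA mean + k * EWMA
    deviation of past HD (assumed rule). Alarmed windows never update it."""
    baseline, mean, dev, verdicts = proto_dist(windows[0]), 0.0, 0.0, []
    for flows in windows[1:]:
        if not flows:  # nothing sampled: no evidence either way
            verdicts.append({"alarm": False, "hd": None})
            continue
        current = proto_dist(flows)
        hd = hellinger_sq(baseline, current)
        if hd > max(floor, mean + k * dev):
            by_src, by_dst = totals(flows, SRC), totals(flows, DST)
            verdicts.append({"alarm": True, "hd": hd,
                             "dst_entropy": norm_entropy(by_dst),
                             "suspect": by_src.most_common(1)[0][0],
                             "victim": by_dst.most_common(1)[0][0]})
            continue
        dev = (1 - alpha) * dev + alpha * abs(hd - mean)
        mean = (1 - alpha) * mean + alpha * hd
        baseline = current
        verdicts.append({"alarm": False, "hd": hd})
    return verdicts

# Constructed windows using documentation addresses, not captured traffic.
NORMAL = [("s1", "198.51.100.10", "192.0.2.5", 40000, 80, "TCP", 80),
          ("s1", "198.51.100.11", "192.0.2.6", 40000, 80, "TCP", 70),
          ("s1", "198.51.100.12", "192.0.2.5", 40000, 53, "UDP", 40),
          ("s1", "198.51.100.13", "192.0.2.7", 40000, 0, "ICMP", 10)]
FLOOD = NORMAL + [("s1", "203.0.113.66", "192.0.2.5", 40000, 53, "UDP", 2000)]
VERDICTS = detect([NORMAL, NORMAL, NORMAL, FLOOD])
```

In the constructed flood window the protocol mix shifts sharply towards UDP, so HD jumps from 0 to about 0.33, and the low destination-IP entropy points at a single victim; the `suspect` address is the one a mitigation module would hand to the OF controller.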
4 Experimental Setup
Before going to the results of the evaluation, it is imperative to understand the
design of the experiments upfront. They are detailed as follows:
5 Performance Evaluation
All experiments were carried out for a duration of 5 minutes. This duration
was used because the auto scaling timer used for the upper threshold is assumed
to have a duration of 5 minutes [2]. Specifically, the evaluation was performed
to answer the following research question:
a) What is the influence of network traffic from different communication
protocols, i.e., HTTP (TCP) and UDP, on the effectiveness of EMM in a cloud
computing environment?
In addition to the attack traffic, normal UDP traffic is also generated with
a bandwidth of 10Mb over a 300 sec interval using the IPerf command line, as
shown below:
Fig. 2. Network utilization comparison between EMM and EDoS-Shield in new attack
scenario.
Fig. 3 shows the CPU utilization of the two compared mechanisms. Both
mechanisms used approximately the same amount of CPU while mitigating the EDoS
attack.
Fig. 4 illustrates the memory utilization comparison between the two
mitigation mechanisms. Throughout the evaluation, the memory utilization of
the two mechanisms remained the same.
Fig. 3. CPU utilization comparison between EMM and EDoS-Shield in new attack
scenario.
Fig. 4. Memory utilization comparison between EMM and EDoS-Shield in new attack
scenario.
old is exceeded, all network traffic with the attacker's source IP address will be
blocked for an hour.
Fig. 5 depicts the network utilization measured during the attack with each
mechanism in place. When EDoS-Shield is in place, the attack traffic surges up
to 800Mb of network utilization. Meanwhile, for EMM, the utilization remains
below 100Mb throughout the experiment. Another observation that can be inferred
from the results of the analysis is that EMM is able to protect the cloud users
by conserving up to 700Mb of the network bandwidth utilization.
Fig. 6 shows the CPU utilization measured during the attack with each
mechanism in place. When EDoS-Shield is in place, the attack traffic surges up
to an 80% utilization rate. Meanwhile, for EMM, the utilization rate remains
below 30% throughout the experiment. Another observation that can be inferred
from the results of the analysis is that EMM is able to protect the cloud users
by conserving up to 45% of the CPU utilization rate.
Fig. 7 represents the memory utilization of the victim machine under attack
conditions with the two mitigation mechanisms in place. Since EDoS-Shield is not
able to filter traffic originating from white-listed IP addresses, the memory
consumption has increased by slightly more than 50% relative to the consumption
for EMM. In the case of cloud computing services, when the initially allocated
resources are depleted or almost exhausted, additional VMs are allocated.
However, this translates into additional costs for the providers of the service,
i.e., cloud users. This is further exploited by the attacker to cause an EDoS
attack on them.
Moreover, EMM was also compared with other existing EDoS mechanisms, such as
sPoW and In-Cloud Scrubber, based on their design methodologies, their
resistance against EDoS (traffic types) and the features that describe their
functionality. Both mechanisms were designed to mitigate HTTP attacks. In order
to do so, sPoW performs packet filtering based on a cryptographic puzzle
methodology, whereas In-Cloud Scrubber performs a puzzle generation and
verification process. However, these methods have certain limitations: 1) they
require authentication from third party applications, 2) due to their design, a
delay is encountered while setting up the connection, and 3) like EDoS-Shield,
these mechanisms can only mitigate HTTP based attacks. In contrast, the EMM
mechanism does not require an authentication process, nor does it rely on any
kind of support from third party applications. Moreover, it is effective in
terms of resource usage, i.e., network, CPU, and memory.
In summary, Table 2 provides the comparison between the various state-
of-the-art EDoS mitigation techniques, namely: EDoS Shield, sPoW, In-cloud
Scrubber, and EMM.
Our area for future work would be to investigate and assert the feasibility of
extending EMM to detect and mitigate EDoS/DDoS attacks as a SaaS model
in cloud. Such a service could not only allow the users to ensure their bills
are not inflated due to ongoing EDoS attacks, but also allow the cloud service
providers to convince their new and existing customers that their cloud service
incorporates EMM to provide a unique service that brings back the confidence
to the users.
References
1. Adamov, A., Erguvan, M.: The truth about cloud computing as new paradigm in
it. In: 2009 International Conference on Application of Information and
Communication Technologies. pp. 1–3. IEEE (2009)
2. Baig, Z.A., Sait, S.M., Binbeshr, F.: Controlled access to cloud resources for
mitigating economic denial of sustainability (edos) attacks (2016)
3. Bawa, P.S., Rehman, S.U., Manickam, S.: Enhanced mechanism to detect and
mitigate economic denial of sustainability (edos) attack in cloud computing
environments. International Journal of Advanced Computer Science and
Applications 8(9), 51–58 (2017)
4. Bhardwaj, S., Jain, L., Jain, S.: Cloud computing: A study of infrastructure as
a service (iaas). International Journal of engineering and information Technology
2(1), 60–63 (2010)
5. Chapade, S., Pandey, K., Bhade, D.: Securing cloud servers against flooding based
ddos attacks. In: 2013 International Conference on Communication Systems and
Network Technologies. pp. 524–528. IEEE (2013)
6. Chaudhary, D., Bhushan, K., Gupta, B.B.: Survey on ddos attacks and defense
mechanisms in cloud and fog computing. International Journal of E-Services and
Mobile Applications (IJESMA) 10(3), 61–83 (2018)
7. Chowdhury, F.Z., Idris, M.Y.I., Kiah, M.L.M., Ahsan, M.M.: Edos eye: A game
theoretic approach to mitigate economic denial of sustainability attack in cloud
computing. In: 2017 IEEE 8th Control and System Graduate Research Colloquium
(ICSGRC). pp. 164–169. IEEE (2017)
8. De Oliveira, R.L.S., Schweitzer, C.M., Shinoda, A.A., Prete, L.R.: Using mininet
for emulation and prototyping software-defined networks. In: 2014 IEEE Colombian
Conference on Communications and Computing (COLCOM). pp. 1–6. IEEE (2014)
9. Green, J., Juen, J., Fatemieh, O., Shankesi, R., Jin, D.K., Gunter, C.A.:
Reconstructing hash reversal based proof of work schemes. In: LEET (2011)
10. Hoff, C.: Cloud computing security: From ddos (distributed denial of service) to
edos (economic denial of sustainability). Rational Survivability (2008)
11. Hulboj, M.M., Jurga, R.E.: Packet sampling and network monitoring (2007)
12. Joshi, B., Vijayan, A.S., Joshi, B.K.: Securing cloud computing environment
against ddos attacks. In: 2012 International Conference on Computer
Communication and Informatics. pp. 1–5. IEEE (2012)
13. Khor, S.H., Nakao, A.: spow: On-demand cloud-based eddos mitigation mechanism.
In: HotDep (Fifth Workshop on Hot Topics in System Dependability) (2009)
14. Kumar, M.N., Sujatha, P., Kalva, V., Nagori, R., Katukojwala, A.K., Kumar, M.:
Mitigating economic denial of sustainability (edos) in cloud computing using
in-cloud scrubber service. In: 2012 Fourth International Conference on
Computational Intelligence and Communication Networks. pp. 535–539. IEEE (2012)
15. Kuyoro, S., Ibikunle, F., Awodele, O.: Cloud computing security issues and
challenges. International Journal of Computer Networks (IJCN) 3(5), 247–255 (2011)
16. Masood, M., Anwar, Z., Raza, S.A., Hur, M.A.: Edos armor: a cost effective
economic denial of sustainability attack mitigation framework for e-commerce
applications in cloud environments. In: INMIC. pp. 37–42. IEEE (2013)
17. Popović, K., Hocenski, Ž.: Cloud computing security issues and challenges. In: The
33rd International Convention MIPRO. pp. 344–349. IEEE (2010)
18. Sengar, H., Wang, H., Wijesekera, D., Jajodia, S.: Detecting voip floods using the
hellinger distance. IEEE transactions on parallel and distributed systems 19(6),
794–805 (2008)
19. Shalimov, A., Zuikov, D., Zimarina, D., Pashkov, V., Smeliansky, R.: Advanced
study of sdn/openflow controllers. In: Proceedings of the 9th central & eastern
european software engineering conference in russia. p. 1. ACM (2013)
20. Shannon, C.E.: A note on the concept of entropy. Bell System Tech. J 27(3),
379–423 (1948)
21. Shawahna, A., Abu-Amara, M., Mahmoud, A., Osais, Y.E.: Edos-ads: An enhanced
mitigation technique against economic denial of sustainability (edos) attacks. IEEE
Transactions on Cloud Computing (2018)
22. Singh, P., Manickam, S., Rehman, S.U.: A survey of mitigation techniques against
economic denial of sustainability (edos) attack on cloud computing architecture. In:
Proceedings of 3rd International Conference on Reliability, Infocom Technologies
and Optimization. pp. 1–4. IEEE (2014)
23. Sqalli, M.H., Al-Haidari, F., Salah, K.: Edos-shield-a two-steps mitigation
technique against edos attacks in cloud computing. In: 2011 Fourth IEEE
International Conference on Utility and Cloud Computing. pp. 49–56. IEEE (2011)
24. Swami, R., Dave, M., Ranga, V.: Software-defined networking-based ddos defense
mechanisms. ACM Computing Surveys (CSUR) 52(2), 28 (2019)
25. Velte, A.T., Velte, T.J., Elsenpeter, R.C., Elsenpeter, R.C.: Cloud computing: a
practical approach. McGraw-Hill New York (2010)
26. Zissis, D., Lekkas, D.: Addressing cloud computing security issues. Future
Generation computer systems 28(3), 583–592 (2012)