FAPA: Flooding Attack Protection Architecture in a cloud system.

Abstract

The rate of acceptance of clouds each year is making cloud computing the leading IT computational technology. While cloud computing can be productive and economical, it is still vulnerable to different types of external threats, one of which is a Denial of Service (DoS) attack. DoS attacks have long been an open security problem of the internet. Most proposed solutions to address DoS attacks require upgrades in routers, modification in the BGP (Border Gateway Protocol), usage of additional control bits in the IP packets, or adjustments to legacy routers in the routing path. It is extremely difficult to manipulate all these criteria, considering that the internet, and potentially a cloud, consists of a very large number of autonomous systems with routers from different vendors deployed over decades. Authentication protocols are typically implemented by some of the leading companies manufacturing DoS prevention routers. However, authentication protocols and embedded digital signatures are very expensive and vulnerable. This is contrary to the benefits of renting a cloud system, which is to save capital expenditure as well as operational expenditure.

Rather than depending on cloud providers, we proposed a model, called FAPA (Flooding Attack Protection Architecture), to detect and filter packets when DoS attacks occur. FAPA can be deployed at different levels of the system, such as at the user's end. FAPA can run locally on top of the client's terminal and is independent of the provider's cloud machine. There is no need to deploy any expensive packet capturing tools, nor does it require any embedded digital signature inside the packets. There is no additional charge from the provider's end since the application runs at the customer's end. Moreover, automatic message propagation invokes the cloud server to trace the source or adversary.

In FAPA, detection of denial of service is handled by the periodic analysis of the traffic behavior from the raw packets. It generates an alarm if any DoS attack is detected and removes flooding by filtering. Because FAPA is employed on the client's side, customers have control over traffic trends, which is absent in other DoS prevention approaches. FAPA is comprised of five individual modules, where each module has an assigned task in detecting DoS attacks and removing threats by filtering the spoofed packets. A module fetches the traffic packets and does the unwrapping. Another module records the pertinent parameters of network packets.

Implementation of a FAPA prototype and experimental results have demonstrated the feasibility of FAPA. From our initial experiments we observed that in the event of a DoS attack, some of the network parameters change. Hence, in FAPA a separate module is dedicated to storing information about traffic behavior. If FAPA observes any inconsistent traffic behavior, it invokes the filtering modules to remove the compromised network packets. FAPA filtering detects the threat by using previously recorded information. FAPA filtering was implemented for a cluster environment and we ran experiments to determine its effectiveness. The filtering module was then modified to run in a cloud environment and was able to handle a large set of network packets. We investigated the impact of DDoS attacks on co-resident virtual machines and their neighbors. Later we conducted DDoS attacks from a commercially launched public cloud onto private cloud instances to observe the amplification of an attack and checked the efficiency of FAPA in terms of filtering those non-legitimate packets. We also measured FAPA performance in terms of false positive and false negative rates. We deployed several commercially used stress testing tools to observe FAPA's performance. Both in the cloud and on the cluster, our experimental results demonstrated that FAPA was able to detect and filter packets to successfully remove a DoS attack.

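Bibliographic record

  • Author: Zunnurhain, Kazi
  • Author affiliation: The University of Alabama
  • Degree-granting institution: The University of Alabama
  • Subject: Computer science
  • Degree: Ph.D.
  • Year: 2014
  • Pages: 167 p.
  • Total pages: 167
  • Original format: PDF
  • Text language: English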