NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5
Protecting the Cloud Computing Environment with CEP Shield against DDoS Attacks
Venkatesan Pillai (aka VP)
Cybersecurity Practitioner & Instructor
Way11 Consulting
11/10/2017
Bio
• Cybersecurity Practitioner & Instructor
• Specialized in Network Security, Data Security & Application Security
• Independent Technology Evaluator
• Cybersecurity Instructor @ Collin College
• Served as a member of the EC-Council review board
• Working group member, healthcare cybersecurity
Outline
•Introduction
•Problem
•Objectives
•Existing System
•Proposed System
•Implementation
•References
Introduction
• The cloud computing environment is the most popular business model adopted by organizations worldwide.
• As cloud deployment has increased in recent years, there has been a paradigm shift: attackers now take advantage of cloud resources for unintended purposes.
• DDoS is one of the security attacks in the cloud that need efficient detection and prevention mechanisms.
Top Cloud Threats
DDoS Targets
[Chart: share of DDoS targets by category (45%, 23%, 14%); source: Q2 2016 DDoS Trends Report by Verisign]
DDoS Attacks
[Timeline figure: notable DDoS attacks in 2013, 2015 and 2016]
Problem
• The cloud environment is exposed to threats, and the security risk is very high when virtual machine patches are not applied frequently.
• Anomalies in the computing environment affect the normal functioning of cloud services.
Objectives
• Develop a DDoS detection system with high detection accuracy.
• Respond to attack traffic with a fast response time.
DDoS Attack Taxonomy
DDoS Attack
  Bandwidth Depletion Attacks
    Flood Attack
      ICMP Attack
      UDP Attack
        Specified Port
        Random Port
    Amplification Attack
      Smurf
      Fraggle
      Direct / Loop
  Resource Depletion Attacks
    Protocol Exploit Attack
      TCP SYN
      PUSH-ACK
    Malformed Packet Attack
      IP Address
      IP Packet Options
B. Prabadevi and N. Jeyanthi, Distributed Denial of Service Attacks and its Effects in Cloud Environment - a Survey, IEEE, 2014
Cloud Attacks
Browser level attacks
1. Cache poisoning
2. Hidden field manipulation
3. SQL injection attacks
4. Man-in-middle attacks
5. Cloud malware injection attack

Application level attacks
1. Backdoor and debug options
2. CAPTCHA breaking
3. Google hacking
4. Cross site scripting attack
5. Hypervisor level attacks
6. Dictionary attack

Network level attacks
1. Sybil attack
2. BGP prefix hijacking
3. Port scanning
4. DNS attacks
5. Sniffer attacks
6. Amplification attack
7. Reflector attack
8. Smurf attack
9. Bandwidth attack
10. ICMP flood

Server level attacks
1. DoS attacks
2. DDoS attack
3. XML signature element wrapping

B. Prabadevi and N. Jeyanthi, Distributed Denial of Service Attacks and its Effects in Cloud Environment - a Survey, IEEE, 2014
Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
VM level attacks | Vulnerabilities in the hypervisor | Advanced cloud protection system
Bandwidth attack | Consumes target resources | MULTOPS detects disproportional packets both incoming and outgoing
ICMP flood | Variation of bandwidth due to ICMP packets | ScreenOS
Amplification attack | Induces the device to generate large responses | High performance OS, load balancer, rate limiting
Reflector attack | Third parties bounce the traffic from the attacker | Deterministic edge router marking
Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
SMURF | ICMP echo request used to generate DoS attacks | Ingress filtering
DNS attack | DNS server name poisoning | Radware carrier solution, DNS Security Extensions
BGP Prefix hijacking | Flawed announcement about the IP addresses in an Autonomous System (AS) is made | Autonomous security system
Port scanning | Due to open ports | Encrypted security ports, firewall against port attacks
Sniffer attack | Data loss by capturing sensitive data transferred over the transmission channel | Detection based on ARP and RTT
Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
Issue of reused IP | The address remains in the DNS cache after each insertion, even when it is assigned to a new user | DNS cache cookies need to be cleared
Cookie poisoning | Impersonates the legitimate user | Encryption, web application firewall
Hidden field manipulation | Retrieves contents in the hidden fields of a web page | Security policies and session token
SQL injection attacks | Malicious SQL query | Parametrized queries
Man-in-middle | Overhears the information in the communication channel | Encryption
Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
Cloud malware injection attack | Malicious code in the cloud | Utilization of the file allocation table
Backdoor and debug options | Unauthorized use of the website in debug mode to hack the website | Should be disabled after use
CAPTCHA breaking | Audio system to track the CAPTCHA | Increase string length
Cross site scripting | Disguising the script in the URL | Active content filtering, content based data leakage prevention
Dictionary attack | Possible word combinations for successful decryption of the data residing in/flowing over the network | Encryption, challenge-response system
Cloud Attacks

Attack Type | Definition | Detection/Prevention technique
Sybil attack | Malicious code in the cloud | Firewall
Google hijacking | Sensitive information through Google search | Standard security
DoS | Number of requests that exceeds the server capacity | IDS
DDoS | DoS attack with multiple nodes | IDS
XML signature element wrapping | Hacker changes the message and signature value in an XML document | Digital signature
IP Spoofing
[Diagram from the cited paper; no text content on this slide]
Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp. 67-71, 2013

SYN Flooding
[Diagram from the cited paper; no text content on this slide]
Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp. 67-71, 2013

SMURF
[Diagram from the cited paper; no text content on this slide]
Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp. 67-71, 2013

Ping of Death
[Diagram from the cited paper; no text content on this slide]
Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp. 67-71, 2013

Land
[Diagram from the cited paper; no text content on this slide]
Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp. 67-71, 2013
Existing System
(The External/Internal tick columns of the original table did not survive extraction.)

Type of Attack | Defense Mechanism | Disadvantages
IP Spoofing | Hop count filtering in PaaS | IP2HC table can be built by the attacker
IP Spoofing | Trust based in IaaS |
SYN Flooding | SYN cache in PaaS | Increased latency
SYN Flooding | SYN cookies in PaaS | Low performance of the cloud
SYN Flooding | Reduced time in SYN-Rx in PaaS | Possibility of legitimate packet dropping

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp. 67-71, 2013
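The first row of the table names hop count filtering against IP spoofing and its weakness (the IP2HC table can be built by the attacker). The following example, added here and not code from the talk or from the cited Darwish et al. paper, shows the mechanism in a few lines so the weakness is concrete: a packet's TTL gives an estimate of how many hops it travelled, a table of source IP to expected hop count is learned from traffic whose source is trusted, and later packets are checked against it. The initial-TTL set, the tolerance, the addresses and the TTL values are constructed assumptions; the "same distance" case shows a known limitation of the technique.

```python
"""Hop-count filtering (HCF) demo: added example, not code from the talk or
the cited Darwish et al. paper.  The receiver infers how many hops a packet
travelled from its IP TTL, keeps a table of source IP -> expected hop count
(IP2HC) learned from trusted traffic, and flags packets whose hop count
does not match.  The initial-TTL set, the tolerance, and all addresses and
TTL values below are constructed assumptions."""

# Initial TTL values commonly set by operating systems (assumption: the
# sender used one of these; the smallest one not below the observed TTL is
# taken as the original).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl):
    """Return the number of routers the packet crossed, inferred from its TTL."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be an 8-bit value")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


class HopCountFilter:
    """IP2HC table plus the check that uses it."""

    def __init__(self, tolerance=0):
        # Allow small hop-count drift (route changes) before calling a packet spoofed.
        self.tolerance = tolerance
        self.ip2hc = {}

    def learn(self, src_ip, ttl):
        """Training phase.  Caveat from the slide: if this phase is fed from
        unauthenticated traffic, the attacker is the one building the IP2HC
        table.  Learn only from traffic whose source is verified, such as
        completed TCP handshakes."""
        self.ip2hc[src_ip] = infer_hop_count(ttl)

    def check(self, src_ip, ttl):
        """Return 'ok', 'spoofed', or 'unknown' (source not in the table)."""
        expected = self.ip2hc.get(src_ip)
        if expected is None:
            return "unknown"
        observed = infer_hop_count(ttl)
        return "ok" if abs(observed - expected) <= self.tolerance else "spoofed"


def run_demo():
    """Constructed traffic: one learned host, then packets claiming its address."""
    hcf = HopCountFilter(tolerance=0)
    # Trusted handshake from 198.51.100.7 arrives with TTL 52 -> 64 - 52 = 12 hops.
    hcf.learn("198.51.100.7", ttl=52)
    return {
        # Same host again, same path.
        "genuine": hcf.check("198.51.100.7", ttl=52),
        # A forged packet from a host 13 hops away whose stack started at TTL 128.
        "spoofed": hcf.check("198.51.100.7", ttl=115),
        # Limitation: a forger 12 hops away (TTL 255 - 243) is indistinguishable.
        "same_distance": hcf.check("198.51.100.7", ttl=243),
        # Never-seen source: HCF cannot decide on its own.
        "unseen": hcf.check("203.0.113.9", ttl=60),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:>14}: {verdict}")
```

Two design points follow from the table's disadvantage column: the `learn` step must only see traffic whose source is already verified, and HCF needs a companion mechanism for sources it has never seen and for forgers that happen to sit at the same hop distance as the host they impersonate.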
Existing System

Type of Attack | Defense Mechanism | Disadvantages
SYN Flooding | Filtering in IaaS | Not reliable
SYN Flooding | Firewall in PaaS | Performance of the cloud is affected
SYN Flooding | Monitoring in IaaS | Possibility of legitimate packet dropping
SMURF | Configuring virtual machines in PaaS |
SMURF | Configuring network resources in IaaS |

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp. 67-71, 2013
Existing System

Type of Attack | Defense Mechanism | Disadvantages
Buffer overflow | Analysing static and dynamic code in SaaS | Time consumption
Buffer overflow | Array bound checking in SaaS |
Buffer overflow | Runtime instrumentation in SaaS |
Ping of death, Land, Teardrop | Layered filtering | Attack may propagate to other layers if it is unnoticed in the previous layers

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp. 67-71, 2013
Complex Event Processing
• Complex event processing (CEP) is an event processing method that combines information from multiple sources to understand an event or a pattern of events.
• In networked systems, event correlation analyses large volumes of events and detects attacks by matching event patterns.
• CEP can link low-level events of low significance to high-level events of high criticality.
• CEP is the aggregation of multiple simple events into a complex event.
[Diagram: Event -> CEP -> Action]
Complex Event Processing
[Diagram: Event Sources (system, processes and sensors) -> CEP Engine -> Event Output (alerts and triggered actions)]
CEP Query (pseudo-query): Select src.IP and dest.IP where pkt.cnt > threshold # window time 30s
CEP Applications
• Monitoring and security
• Object and Inventory tracking
• Financial Trading
• Fraud detection
Proposed System
[Architecture diagram with components: Event Sources, Event Tracking, Event Detection, Event Processing, Prediction Analysis, Statistical Data, Event Patterns, Knowledge Base, GUI]
Proposed System
• Cloud Dataset: A cloud environment is used to generate DDoS attack traffic; selected virtual machines are installed with DDoS attack tools and send flooding packets against the target.
• DDoS Detection: The traffic parameters (source address, source port, protocol, destination address, destination port) are fed into the CEP engine to classify sources as attack or legitimate.
• DDoS Response: The alerts contain the source IPs that need to be blocked immediately. The block list is passed to the attack response system, which blocks the attack traffic.
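The CEP query on the earlier slide (select source and destination where the packet count exceeds a threshold within a 30 s window) and the detection/response steps above describe one pipeline: window the traffic parameters per flow, alert when a count crosses the threshold, then hand the alerting source IPs to the response system as a block list. The following Python example is added here to show that pipeline end to end; it is not the presenter's code and not the Esper engine. The event fields, the threshold, the window size and the sample traffic are constructed assumptions, and the Esper EPL statement quoted in a comment is an approximate equivalent written for orientation, not a query from the talk.

```python
"""Added example, not code from the talk: a sliding-window correlation rule in
the spirit of the slide's CEP query (select src.IP and dest.IP where
pkt.cnt > threshold over a 30 s window) wired to the alert -> block list ->
response step of the proposed system.  Event fields, the threshold, the
window size and the sample traffic are constructed assumptions; the EPL
line in the FloodRule docstring is an assumed equivalent, not the presenter's query."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketEvent:
    """The traffic parameters the proposed system feeds into the CEP engine."""
    ts: float       # seconds since capture start
    src_ip: str
    src_port: int
    proto: str
    dst_ip: str
    dst_port: int


class FloodRule:
    """Count packets per (src_ip, dst_ip) flow inside a sliding time window and
    raise an alert when the count exceeds the threshold.

    Roughly what an Esper statement of the form
        select srcIp, dstIp, count(*) from PacketEvent#time(30 sec)
        group by srcIp, dstIp having count(*) > 100
    would express (assumed EPL, for orientation only)."""

    def __init__(self, window_s=30.0, threshold=100):
        self.window_s = window_s
        self.threshold = threshold
        self._timestamps = defaultdict(deque)   # flow key -> deque of event times
        self.alerts = []

    def on_event(self, ev):
        key = (ev.src_ip, ev.dst_ip)
        q = self._timestamps[key]
        q.append(ev.ts)
        # Slide the window: drop timestamps older than window_s.
        while q and ev.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.threshold:
            self.alerts.append({"src_ip": ev.src_ip, "dst_ip": ev.dst_ip,
                                "count": len(q), "ts": ev.ts})
            # Reset the counter so a sustained flood yields one alert per
            # threshold's worth of packets instead of one per packet.
            q.clear()
        return self.alerts


class ResponseSystem:
    """Turns alerts into a block list and enforces it on later traffic."""

    def __init__(self):
        self.blocked = set()

    def ingest(self, alerts):
        for alert in alerts:
            self.blocked.add(alert["src_ip"])
        return self.blocked

    def allow(self, ev):
        return ev.src_ip not in self.blocked


def run_demo():
    """Constructed traffic: a legitimate client at 20 packets / 30 s and a
    flooding source at 150 packets in 1.5 s, both aimed at 10.0.0.5:80."""
    rule = FloodRule(window_s=30.0, threshold=100)
    legit = [PacketEvent(i * 1.5, "198.51.100.7", 40000 + i, "TCP", "10.0.0.5", 80)
             for i in range(20)]
    flood = [PacketEvent(1.0 + i * 0.01, "192.0.2.10", 1024 + i, "UDP", "10.0.0.5", 80)
             for i in range(150)]
    for ev in sorted(legit + flood, key=lambda e: e.ts):
        rule.on_event(ev)
    response = ResponseSystem()
    blocked = response.ingest(rule.alerts)
    # A later packet from the flooding source is now dropped; the legitimate one passes.
    later_flood = PacketEvent(60.0, "192.0.2.10", 5000, "UDP", "10.0.0.5", 80)
    later_legit = PacketEvent(60.0, "198.51.100.7", 40020, "TCP", "10.0.0.5", 80)
    return {
        "alerts": rule.alerts,
        "blocked": sorted(blocked),
        "flood_allowed": response.allow(later_flood),
        "legit_allowed": response.allow(later_legit),
    }


if __name__ == "__main__":
    result = run_demo()
    for alert in result["alerts"]:
        print(f"ALERT {alert['src_ip']} -> {alert['dst_ip']}: "
              f"{alert['count']} packets in window at t={alert['ts']:.2f}s")
    print("block list:", result["blocked"])
```

The threshold and window are the two knobs that trade detection accuracy against response time, the two objectives stated earlier in the deck: a smaller window alerts sooner but makes bursty legitimate clients look like floods, which is the legitimate-packet-dropping disadvantage the Existing System tables list for several mechanisms.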
Implementation
• OpenStack Cloud
• Esper engine
• Machine learning algorithms
Metrics
• Memory usage
• CPU utilization
• Bandwidth
• Response time
• Availability
Future Directions
• Collaborative detection system for DDoS attacks using learning algorithms
References
• https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
• https://blog.verisign.com/security/verisign-q2-2016-ddos-trends-layer-7-ddos-attacks-a-growing-trend/
• http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle
• https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
• http://www.theregister.co.uk/2015/12/17/hackers_threaten_xbox_live_psn
• http://www.darkreading.com/attacks-breaches/wave-of-ddos-attacks-down-cloud-based-services/d/d-id/1269614, November 6, 2014.
References
• http://www.infosecurity-magazine.com/news/ddos-ers-launch-attacks-from-amazon-ec2/
• https://blogs.microsoft.com/cybertrust/2014/02/06/threats-in-the-cloud-part-2-distributed-denial-of-service-attacks/
• http://www.darkreading.com/attacks-and-breaches/bank-attackers-restart-operation-ababil-ddos-disruptions/d/d-id/1108955?
Contact
Email : [email protected]
www.linkedin.com/in/venkatesanpillai/
Thank you