{"title":"Stratum Filtering: Cloud-based Detection of Attack Sources","authors":"A. Herzberg, Haya Schulmann, M. Waidner","doi":"10.1145/2996429.2996440","DOIUrl":null,"url":null,"abstract":"Denial of Service (DoS) attacks pose a critical threat to the stability and availability of the Internet. In Distributed DoS (DDoS) attacks multiple attacking agents cooperate in an attempt to cause excessive load in order to disconnect a victim. The frequency and volume of DoS attacks continue to break records, reaching 400Gb/s. Although many defenses were proposed, very few are adopted, due to low effectiveness, high costs and the changes required to integrate them into the existing infrastructure. To improve resilience against DDoS attacks the service providers move their operations to cloud platforms. Unfortunately, even if the cloud applies filtering, rate limiting and deep packet inspection, the attacker can subvert those defenses by distributing the attack among multiple attacking IP addresses and aiming the flood at the victim. In this talk we focus on DDoS attacks which disrupt the availability of a service by depleting the bandwidth or the resources of an operating system or application on the server side. Such attackers typically employ a botnet to generate large traffic volumes. A botnet consists of bots (compromised computers) located in different parts of the Internet. The bots, depending on their privileges on the victim host, send multiple packets either from spoofed or using their real IP addresses. We utilize the cloud platform to implement Stratum Filtering, a novel mechanism aimed at protecting the availability and resilience of the web servers hosted on clouds. Our mechanism is easy to integrate into the cloud platform and does not require changes to the existing infrastructure nor the protected servers. 
Stratum Filtering facilitates the large IP address blocks allocated to the clouds, distributed availability zones and the support of service migration within the cloud platforms. These advantages offered by clouds enable us to restrict the attacker to a naive strategy where the best possible attack is to simply flood the entire IP address block allocated to the cloud. However, such an attack requires huge volume of traffic exposing malicious sources. In addition, controlling and coordinating a large number of bots that would suffice for disconnecting a cloud is not trivial to accomplish. Stratum Filtering is comprised of three layers, such that each successive layer applies filtering targeted at blocking a different type of attack traffic on network, transport or application layers. The filtering uses the difference in behavior of legitimate clients vs bots, to identify and filter traffic arriving from non-standard clients. To characterize …","PeriodicalId":373063,"journal":{"name":"Proceedings of the 2016 ACM on Cloud Computing Security Workshop","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2016 ACM on Cloud Computing Security Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2996429.2996440","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0