
Fig 1- the cloud is not bothered about the outer environment

Securing cloud from DDOS Attacks using Intrusion Detection System in virtual machine
AMAN BAKSHI
B.TECH-Computer Science
SRM University
Chennai,TN,India
Email: [email protected]
Contact: +91-9962270027

YOGESH B
B.TECH-Computer Science
SRM University
Chennai,TN,India
Email: [email protected]
Contact: +91-9884563676

Abstract: Innovation is necessary to ride the inevitable tide of change.

The buzzword of 2009 seems to be "cloud computing", a futuristic platform that provides dynamic resource pools, virtualization and high availability, and enables the sharing, selection and aggregation of geographically distributed heterogeneous resources for solving large-scale problems in science and engineering.

But with this ever-developing cloud concept, problems are arising from this golden solution in the enterprise arena. Preventing intruders from attacking the cloud infrastructure is the only realistic thing the staff, management and planners can foresee. Regardless of company size or the volume and magnitude of the cloud, this paper explains how a maneuverable IT virtualization strategy could be used in responding to a denial of service attack. After picking up a grossly abnormal spike in inbound traffic, targeted applications could be immediately transferred to virtual machines hosted in another datacenter.

We're not reinventing the wheel. We have lots of technology and standardized solutions we can already use to engineer into the stack. We are just introducing them in the way least expected.
I. INTRODUCTION

Cloud computing describes a data-processing infrastructure in which the application software (and often the data itself) is stored permanently not on your PC but on a remote server that's connected to the Internet. When you need to use the application or access the data, your computer connects to the server through the Internet and some of that information is cached temporarily on your client machine.

The cloud revolves around one single concept: I DON'T CARE (fig 1). As the name suggests, the function of the cloud is to provide individuals and small and mid-sized businesses access to an array of powerful applications and services through the internet, without their being concerned about the basic underlying complexities involved in delivering those services.

The cloud is accessible through any digital device capable of connecting to the internet, be it a laptop, a cell phone or a smart phone, and cloud-based services like web-mail, social networking, photo sharing and video viewing are already interwoven into the fabric of our daily lives.

While the very definition of Cloud suggests the decoupling of resources from the physical affinity to and location of the infrastructure that delivers them, many descriptions of Cloud go to one extreme or another by either exaggerating or artificially limiting the many attributes of Cloud. This is often purposely done in an attempt to inflate or marginalize its scope.

A. Characteristics of cloud computing

Virtual: Physical location and underlying infrastructure details are transparent to users.

Scalable: Able to break complex workloads into pieces to be served across an incrementally expandable infrastructure.

Efficient: Services Oriented Architecture for dynamic provisioning of shared compute resources.

Flexible: Can serve a variety of workload types, both consumer and commercial.


B. Benefits of a cloud

As cloud computing has taken hold, six major benefits have become clear:

Anywhere/anytime access: It promises universal access to high-powered computing and storage resources for anyone with a network access device.

Specialization and customization of applications: It is a platform of enormous potential for building software to address a diversity of tasks and challenges.

Collaboration among users: The cloud represents an environment in which users can develop software-based services and from which they can deliver them.

Processing power on demand: The cloud is an always-on computing resource that enables users to tailor consumption to their specific needs.

Storage as a universal service: The cloud represents a remote but scalable storage resource for users anywhere and everywhere.

Cost benefits: The cloud promises to deliver computing power and services at a lower cost.


The major portion of industry cost, about 50%, goes to obtaining the strategic project raw materials. If these are available on the cloud, that 50% of cost is eradicated (fig 2).

At first, just a handful of employees at Sanmina-SCI (SANM) began using Google Apps (GOOG) for tasks like e-mail, document creation and appointment scheduling. Now, just six months later, almost 1,000 employees of the electronics manufacturing company go online to use Google Apps in place of the comparable Microsoft (MSFT) tools.

II. SECURITY CONCERNS OF THE CLOUD

Looking at the list of benefits, they actually highlight what we think are the top three concerns organizations have with Cloud computing. It revolves around understanding how:

Software As A Service (SaaS) provides a large amount of integrated features built directly into the offering, with the least amount of extensibility and a relatively high level of security. Since the user can only access or modify the data through the pre-defined application, the underlying security issues are not of much concern.

Platform As A Service (PaaS) generally offers fewer integrated features, since it is designed to enable developers to build their own applications on top of the platform and is therefore more extensible than SaaS by nature; but because of this balance it trades off on security features, since the user is responsible for program security.

Infrastructure As A Service (IaaS) provides few, if any, application-like features and enormous extensibility, but generally fewer security capabilities and functionality beyond protecting the infrastructure itself, since it expects operating systems, applications and content to be managed and secured by the consumer.

The 3 amenities, user-friendliness, security and features, are the basic requirements of the cloud. The ball diagram states that if we have one ball and only one feature can possess that ball (shown in green), then only that feature is fully available and the other two are affected (fig 3).

Hence the design should be proposed to balance all 3 requirements.


Fig 2- operations compute 50% of cost of projects & can be eradicated with cloud

Fig 3- the single entity possessing the green ball is preserved and rest 2 suffer

III. PROPOSED IDEA FOR PREVENTION AGAINST DDOS ATTACKS ON CLOUD INFRASTRUCTURE USING IDS

The lead topic of every IT conversation today is cloud computing. The key point within each of those conversations is inevitably cloud computing security. While protecting data from corruption, loss, unauthorized access, etc. are all still required characteristics of any IT infrastructure, cloud computing changes the game in a much more profound way.

Before defining our own proposed idea we would like to review the concept of virtualization.

Virtualization refers to the abstraction of logical resources away from their underlying physical resources in order to improve agility and flexibility, reduce costs and thus enhance business value. In a virtualized environment, computing environments can be dynamically created, expanded, shrunk or moved as demand varies.

Server virtualization is accomplished by the use of a hypervisor to logically assign and separate physical resources. The hypervisor allows a guest operating system, running on the virtual machine, to function as if it were solely in control of the hardware, unaware that other guests are sharing it. Each guest operating system is protected from the others and is thus unaffected by any instability or configuration issues of the others. Hypervisors are becoming a ubiquitous virtualization layer on client and server systems.

A. METHODOLOGY: virtualization in cloud

Virtualization is extremely well suited to a dynamic cloud infrastructure, because it provides important advantages in sharing, manageability and isolation (that is, multiple users and applications can share physical resources without affecting one another).

Virtualization allows a set of underutilized physical servers to be consolidated into a smaller number of more fully utilized physical servers, contributing to significant cost savings.

Virtual worlds require significant amounts of computing power, especially as those virtual spaces become large or as more and more users log in. Massively multiplayer online games (MMPOG) are a good example of significantly large virtual worlds. Several commercial virtual worlds have as many as nine million registered users and hundreds and thousands of servers supporting these environments.

An Intrusion Detection System is installed on the virtual switch, which logs the in-bound and out-bound network traffic into a database for auditing. The packets are examined in real time (fig 4) by the intrusion detection system for a particular type of attack based on predefined rules. The rules are defined based on well-known attack strategies used by intruders. The IDS can determine the nature of the attack and is capable of notifying the virtual server of the amount of security risk involved.

Fig 4- flow view showing the PROPOSED IDEA to prevent attack on the cloud data. The flow reads: IDS (like SNORT) installed on virtual switch for auditing; the inbound-outbound traffic is logged; if spike in graph then check for acknowledgements from senders; if SYN ACK received (YES), end; if not (NO), IDS requests Honeypot to ping the IP addresses mentioned by intruder, and no reply declares DDOS attack; the botnet formed by all the zombie machines is blocked; move the server to another virtual server using switch and update the routing tables.

Fig 5- TCP synchronization in lab environment

On examining the security risks involved, the virtual server performs an emergency response to the attack: by identifying the source IP addresses involved in the attack, it could automatically generate the access lists that would drop all the packets received from those IPs. If the attack type is a DDoS attack, the botnet formed by all the zombie machines is blocked. The virtual server then responds to the attack by transferring the targeted applications to virtual machines hosted in another datacenter. Router automation would immediately re-route operational network links to the new location.

Hence, the firewall located at the new server will block all the IP addresses that the attacker used, and if any genuine user is trying to connect to the server, he will be redirected to the new server.

B. Implementation of proposed idea

To explain the concept of attack, in our lab environment we performed a DOS attack on the target (fig 5).

As can be seen from the trace file snapshot, the intruder (192.168.0.107) is sending multiple SYN-flagged TCP requests to the target machine (192.168.0.221) with a very low delay time.

A known intruder is trying to scan open ports on the target machine by sending out [SYN] requests and waiting for the response. If our target machine responds with [SYN, ACK], the port is open on the target machine, and if the target machine responds with [RST, ACK], the port is not open and the connection is reset. These types of attacks are done using Zombie machines over the botnet by the intruder. Multiple Zombie machines trying to scan cause a DDOS attack.
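As an added example (not code from the paper), the detection and response steps of the Fig 4 flow and of the lab trace above in Python: SYNs toward the target are counted per source in a sliding window, sources whose spike exceeds a threshold and that never complete a handshake with an ACK are flagged, and a Cisco-style deny entry is produced for each. The trace tuples, the window and threshold values and the ACL format are assumptions.

```python
from collections import defaultdict

# Constructed sample trace: (seconds, src, dst, tcp_flags). It mimics the
# lab capture described in the paper (192.168.0.107 sending rapid SYNs to
# 192.168.0.221) plus one legitimate client; the tuple layout is assumed.
TRACE = [
    (0.000, "192.168.0.107", "192.168.0.221", "SYN"),
    (0.001, "192.168.0.107", "192.168.0.221", "SYN"),
    (0.002, "192.168.0.107", "192.168.0.221", "SYN"),
    (0.003, "192.168.0.107", "192.168.0.221", "SYN"),
    (0.004, "192.168.0.107", "192.168.0.221", "SYN"),
    (0.005, "192.168.0.221", "192.168.0.107", "SYN,ACK"),
    (0.100, "192.168.0.50", "192.168.0.221", "SYN"),
    (0.101, "192.168.0.221", "192.168.0.50", "SYN,ACK"),
    (0.102, "192.168.0.50", "192.168.0.221", "ACK"),
]

def half_open_sources(trace, target, window=1.0, threshold=3):
    """Return {src: peak SYNs per window} for sources whose SYN spike toward
    `target` exceeds `threshold` in any `window`-second interval and that
    never sent the final ACK of a handshake (Fig 4: spike, then check for
    acknowledgements). Window and threshold are assumed tuning values."""
    syn_times = defaultdict(list)
    completed = set()
    for ts, src, dst, flags in trace:
        if dst != target:
            continue
        if flags == "SYN":
            syn_times[src].append(ts)
        elif flags == "ACK":
            completed.add(src)
    flagged = {}
    for src, times in syn_times.items():
        if src in completed:
            continue
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):      # sliding window over SYN times
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged

def access_list(flagged, acl_no=101):
    """Cisco-style deny entries, one per flagged source: the paper's
    'automatically generate the access lists that would drop all packets'."""
    return [f"access-list {acl_no} deny ip host {ip} any" for ip in sorted(flagged)]
```

Running `access_list(half_open_sources(TRACE, "192.168.0.221"))` yields a single deny entry for 192.168.0.107, while the client that completed its handshake is left untouched.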









Fig 6- INTRUSION DETECTION SENSORs SCAN DOS ATTACK

DOS attacks reduce the bandwidth and increase congestion, causing poor service to those who need it. DOS attacks over botnets are becoming highly sophisticated and are not easily preventable.

To explain the implementation of the idea, consider figure 6. Here we employed an intrusion detection sensor such as SNORT, installed on a VMware ESX virtual machine running over the internet, which sniffs all the traffic in-bound and out-bound over the virtual interface. SNORT analyzed the packets arriving over the Ethernet and looked for an intrusion pattern that might be used, based upon the statistics. It was seen that multiple TCP SYN scans were captured by the IDS. The IDS performs an emergency response to the DOS attack by dropping all the packets from that IP address.

If the DOS attack is distributed using a botnet, then the virtual machine is shifted from one datacenter to another with fast re-convergence of routing table updates over the network. This totally prevents the Virtual Infrastructure Service from DOS attack.


Fig 7- IDS scanning over network traffic




IV. CONCLUSION

Today's IT realities make cloud computing a good fit for meeting the needs of both IT providers, who demand unprecedented flexibility and efficiency, lower costs and complexity and support for varied and huge workloads, and Internet users, who expect exceptionally high availability, function and speed.

It can be beneficial to consumers and businesses alike, and, for businesses, the cloud's greatest benefit may be infrastructure on demand. Among the potential economic benefits are the new business opportunities and markets made possible by lower-cost, high-end computing; the elimination of data center startup and maintenance costs; real-time collaboration; and more.

We would hope that companies like IBM could be more secure in the cloud, and maybe even cook up something that would be self-healing. Overall, cloud computing security is an untapped field. Once cloud computing gains some more traction, rest assured that it will be a big target for hackers. There would be a lot of glory and financial gain in bringing down a cloud or two.

Every new technology packs in a world of limitations. The ultimate fact that arises in the end is that though the developers are responsible for the applications, in the end we ourselves are responsible for the data and our usage.

Eradication of DOS attacks using IDS over the cloud will make the majority of these problems fade away and ease the usage of the cloud. A proposed strategy like the one we stated above can be an optimum solution to the problem.
