Abstract-Cloud computing is internet based computing whereby shared resources, software and information are provided to computers and other devices on demand. It is still in its infancy in regards to its Software as a Service (SaaS), Web Services, Utility Computing and Platform as a Service (PaaS). One of the most serious threats to cloud computing itself comes from Denial of Service attacks, especially HTTP, XML or REST based Denial of Service attacks, because cloud computing users make their requests in XML, send these requests using the HTTP protocol and build their system interface with the REST protocol, as in Amazon EC2 or Microsoft Azure. So the threats coming from distributed REST attacks are more numerous and easy for the attacker to implement, but very difficult for the security expert to resolve. To resolve these attacks this paper introduces a security service called a filtering tree, which works like a service broker within a SOA model. It converts the consumer request into XML tree form and uses a virtual Cloud defender which will defend against these types of attacks.

Keywords–REST, Network security, Denial of Service Attacks, Cloud Computing, SaaS

I. INTRODUCTION

Cloud computing is a combination of distributed systems, utility computing and grid computing. In cloud computing we use a combination of all these three in a virtualized manner. Cloud computing converts desktop computing into service based computing using server clusters and huge databases at the data center. Cloud computing gives advanced facilities like on demand, pay per use, dynamically scalable and efficient provisioning of resources. Cloud computing, the newly emerged technology of distributed computing systems, changed the face of entire businesses over the internet and set a new trend. The dream of Software as a Service has become true; Cloud offers Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Providing the basics of Cloud Computing is not part of this paper; for basic knowledge go through. Cloud offers these services with the help of Web Services. Cloud and Web Services are related in two ways.

1) Cloud offers its Core Services as Web Services.
2) Business Services are provided over Cloud as Web Services.

Cloud computing provides services to its consumers at an abstract level and takes care of all the internal complex tasks. With cloud computing the consumer's life became easy. But "as the nature rule with increase in facility vulnerability also increases". The same concept applies in cloud computing also: in the same way that it provides facility to consumers it provides facility to attackers also. There are more chances of attacks in cloud computing. As cloud computing mainly provides three types of services, each layer has some soft corners which invite attackers to attack. Some of these soft corners are

(1) SaaS vulnerability
  (a) Insecure Application Programming Interface (API)
  (b) Account or Service hacking
  (c) Attack on cloud firewall / Attack on public firewall
  (d) Attack on consumer browser
  (e) Integrity, Confidentiality and Availability
(2) PaaS vulnerability
  (a) Insecure Application Programming Interface (API)
  (b) Unknown risk profile (Heartland Data Breach)
  (c) Integrity, Confidentiality and Availability
(3) IaaS vulnerability
  (a) Data leakage in Virtual Machine
  (b) Shared technology issues
SCEECS 2012
but in real time it is not possible. Suriadi et al. [20] are using client puzzles, but if each packet of a client request has to pass through the client puzzle filter then this solution will face a time bottleneck problem. Ashley Chonka et al. [21] are using a BPNN scheme to detect DDoS attacks, but this scheme works on an expert-system based approximate threshold value; until the attacker crosses the threshold value it is possible that the attacker may attack. M.A. Rahaman et al. [22] are using an inline approach, but the disadvantage of this method is that it secures only some properties of the SOAP message. Further, N. Gruschka et al. [23] introduced the first real XML SOAP message wrapping attack on Amazon EC2 services in 2008. Here attackers change XML tags and create a vulnerability in SOAP message request validation, by which any unauthorized user can access the services of Amazon's EC2. One simple example of this is creating a multitude of virtual machines to send spam mails.

Other papers also say that with cloud, a DoS/DDoS attack will still crash the application, it will just take longer. Cloud takes all applications to one place, so it may be possible that an attack on one application harms the other applications too; in this worst scenario the whole cloud will become offline.

According to the literature survey a traditional web facing application crashes at approx 800 concurrent user sessions under a DDoS attack in 15 minutes. A cloud hosted web application crashes at approx 3000 concurrent user sessions under a DDoS attack in about 20 minutes.

III. SYSTEM ARCHITECTURE

SOAP Signature: A SOAP message is nothing but XML tags. The process of SOAP signature is as follows: for every message part a reference element is created and the message part is hashed and canonicalized. The resulting digest is added as the digest value, and the reference to the signed message part is added in the URI field. Finally this message part and digest are canonicalized and put in the SignedInfo part, and the Signature element is added to the security header.

  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="..."/>
      <SignatureMethod Algorithm="..."/>
      <Reference URI="...">
        <DigestMethod Algorithm="..."/>
        <DigestValue>...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
  </Signature>

Fig. 2 SOAP Message Signature

To detect coercive parsing attack using SOAP signature.
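As an added worked example (not code from the paper), the following Python builds the per-part digest, Reference and SignatureValue described above and, before spending any hashing on a message, applies the open-tag check of section C so that a coercive-parsing message is refused first; the MAX_DEPTH limit, the HMAC-SHA256 stand-in for the XML-DSig signature method, the key and the sample message part are assumptions of the example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from xml.parsers import expat
MAX_DEPTH = 32  # assumed nesting limit for the coercive-parsing check
KEY = b"constructed-demo-key"  # constructed stand-in for the signer's key
SAMPLE_PARTS = {"body": "<Body><op>transfer</op><amount>10</amount></Body>"}  # constructed
def is_safe_xml(xml_text, max_depth=MAX_DEPTH):
    """Coercive-parsing guard: refuse unclosed (open) tags or runaway nesting
    before spending any digest or signature work on the message."""
    depth = [0]
    def start(name, attrs):
        depth[0] += 1
        if depth[0] > max_depth:
            raise ValueError("nesting exceeds %d" % max_depth)
    def end(name):
        depth[0] -= 1
    parser = expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    try:
        parser.Parse(xml_text, True)  # final chunk: an open tag fails here
    except (expat.ExpatError, ValueError):
        return False
    return True
def digest_part(part_xml):
    """Canonicalize (C14N) one message part and hash it for its Reference."""
    canon = ET.canonicalize(part_xml, strip_text=True)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()
def sign_info(signed_info_xml, key):
    """HMAC-SHA256 over canonical SignedInfo stands in for the XML-DSig
    SignatureMethod (an assumption of this example)."""
    mac = hmac.new(key, ET.canonicalize(signed_info_xml).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()
def build_signature(parts, key):
    """parts maps a Reference URI to that part's XML: one Reference per part."""
    refs = "".join('<Reference URI="#%s"><DigestValue>%s</DigestValue></Reference>'
                   % (uri, digest_part(xml)) for uri, xml in parts.items())
    signed_info = "<SignedInfo>%s</SignedInfo>" % refs
    return "<Signature>%s<SignatureValue>%s</SignatureValue></Signature>" % (
        signed_info, sign_info(signed_info, key))
def verify(parts, signature_xml, key):
    """Re-derive every digest and the SignatureValue; any edited part fails."""
    if not all(is_safe_xml(x) for x in list(parts.values()) + [signature_xml]):
        return False
    root = ET.fromstring(signature_xml)
    digests = {r.get("URI", "").lstrip("#"): r.findtext("DigestValue")
               for r in root.findall("SignedInfo/Reference")}
    if root.find("SignedInfo") is None or digests != {u: digest_part(x) for u, x in parts.items()}:
        return False
    expected = sign_info(ET.tostring(root.find("SignedInfo"), encoding="unicode"), key)
    return hmac.compare_digest(expected, root.findtext("SignatureValue", ""))
```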
effective in confirming an HTTP DDoS attack. Its working is very simple: the client puzzle is part of the WSDL file and its solution is embedded in the header of the SOAP message. If at any time the cloud defender senses any possibility of a DDoS attack, the cloud defender simply sends the puzzle-embedded SOAP message back to the IP in doubt. If the cloud defender gets back the solved puzzle it means the request was sent by a legitimate user; otherwise it is an HTTP DDoS attack.

  <wsdl:definitions…>
    <wsp:Policy wsu:Id="clientPuzzlePolicy">
      <wsp:ExactlyOne><wsp:All>
        <wsp:clientPuzzle a:difficulty="8" xmlns:a="">abcdef</wsp:clientPuzzle>
      </wsp:All></wsp:ExactlyOne>
    </wsp:Policy>
    <wsdl:types…>…</wsdl:types>…
  </wsdl:definitions>

Fig. 4 Client Puzzle in a WSDL

  <s:Envelope…><s:Header…>
    <ClientPuzzleSolution xmlns="…"…>
      <timestamp>6342438044717802</timestamp>
      <clientNonce>LMBfqB</clientNonce>
      <puzzleSolution>abcdef….</puzzleSolution>
    </ClientPuzzleSolution> …..
  </s:Header><s:Body>….</s:Body></s:Envelope>

V. IP TRACE-BACK

(2) HOP Count filter: It calculates the Hop Count value and compares it with the stored Hop Count value. If there is no match then it marks those messages as from a suspicious IP; otherwise it sends them to the next filter.

(3) IP Frequency Divergence: if the same frequency of IP messages is found then it marks those messages as from a suspicious IP; otherwise it sends them to the next filter.

B. Detect HTTP DDoS Attack

All suspicious packets come to the Puzzle Resolver. It resolves the SOAP header of these suspicious messages. Firstly it finds the IP addresses of the suspicious messages and then sends the puzzles to these IP addresses.
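The client puzzle exchange of Fig. 4 and the ClientPuzzleSolution header shown after it, worked through in Python as an added example rather than the paper's own code: the cloud defender issues a nonce at difficulty 8, the client searches for a solution, and the puzzle resolver checks it with a single hash and decides pass or drop. The hash construction, the xmlns value, unix-second timestamps, the 60 s freshness window and the sample nonce are assumptions.

```python
import hashlib, os
import xml.etree.ElementTree as ET
DIFFICULTY = 8  # a:difficulty="8" from the WSDL policy of Fig. 4: leading zero bits
PUZZLE_NS = "urn:example:client-puzzle"  # assumed value for the elided xmlns
SAMPLE_PUZZLE = {"difficulty": DIFFICULTY, "serverNonce": "0123456789abcdef"}  # constructed
def issue_puzzle(difficulty=DIFFICULTY):
    """Cloud defender: a fresh server nonce the IP in doubt has to work on."""
    return {"difficulty": difficulty, "serverNonce": os.urandom(8).hex()}
def _puzzle_hash(server_nonce, timestamp, client_nonce, solution):
    data = "%s|%s|%s|%s" % (server_nonce, timestamp, client_nonce, solution)
    return hashlib.sha256(data.encode()).digest()
def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()
def solve_puzzle(puzzle, timestamp, client_nonce):
    """Client: find a solution whose hash has `difficulty` leading zero bits.
    Expected cost is 2^difficulty hashes per request, which a flood source
    cannot afford per message while a real client pays it once."""
    counter = 0
    while True:
        candidate = "%x" % counter
        h = _puzzle_hash(puzzle["serverNonce"], timestamp, client_nonce, candidate)
        if _leading_zero_bits(h) >= puzzle["difficulty"]:
            return candidate
        counter += 1
def solution_header(timestamp, client_nonce, solution):
    """Lay the answer out as the ClientPuzzleSolution SOAP header element."""
    return ('<ClientPuzzleSolution xmlns="%s"><timestamp>%d</timestamp>'
            "<clientNonce>%s</clientNonce><puzzleSolution>%s</puzzleSolution>"
            "</ClientPuzzleSolution>" % (PUZZLE_NS, timestamp, client_nonce, solution))
def puzzle_resolver(puzzle, header_xml, now, max_age=60):
    """Cloud defender: a single hash checks the answer. "pass" means a genuine
    client; "drop" means the request is discarded and the IP goes to IP
    Trace-Back. A stale timestamp is refused so a solved header cannot be replayed."""
    ns = {"p": PUZZLE_NS}
    try:
        root = ET.fromstring(header_xml)
        ts = int(root.findtext("p:timestamp", namespaces=ns))
        nonce = root.findtext("p:clientNonce", namespaces=ns)
        solution = root.findtext("p:puzzleSolution", namespaces=ns)
    except (ET.ParseError, TypeError, ValueError):
        return "drop"
    if abs(now - ts) > max_age or nonce is None or solution is None:
        return "drop"
    h = _puzzle_hash(puzzle["serverNonce"], ts, nonce, solution)
    return "pass" if _leading_zero_bits(h) >= puzzle["difficulty"] else "drop"
```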
If the suspicious IP address sends the correctly solved puzzle to the puzzle resolver it is a genuine client request and the puzzle resolver sends the request message on to the Double signature filter; otherwise the puzzle resolver drops the request message and sends the suspicious IP address to IP Trace-Back.

C. Detect Coercive Parsing/XML DDoS Attack

Check the incoming request message for any open tag. If an open tag is found in the incoming message then it discards that message; otherwise it sends the request message to the cloud provider to provide services to clients.

VII. CONCLUSION

DDoS attack is more dangerous in cloud computing because all resources are at a single place, they are not distributed, so attackers need to concentrate only on that single place to affect all the services. As easy as it is for attackers to make attacks on the cloud, that hard it is for researchers to resolve those attacks, so this paper filters the requested message at different stages: firstly matching the requesting client IP with the previously stored suspicious IPs in Trace-Back, and then the cloud defender is used for detecting HTTP DDoS, Coercive parsing DDoS and XML DDoS. Cloud Defender first identifies suspicious messages and then detects attacks.

VIII. REFERENCES

[1] Cloud Security Alliance; see https://cloudsecurityalliance.org/research/topthreats
[2] European Network and Information Security Agency; see http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
[3] Belenky A, Ansari N. Tracing multiple attackers with deterministic packet marking (DPM). In: Proceedings of IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, vol. 1, 2003, pp. 49-52.
[4] Danchev D. Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites. ZDNet blog, <http://blogs.zdnet.com/security/?p=3613>, June 15, 2009.
[5] Amazon Web Services, Amazon Web Services, LLC; see http://aws.amazon.com
[6] Salesforce.com and Force.com, Inc.; see www.salesforce.com
[7] Google App Engine, Google Code, Google, Inc.; see http://code.google.com/appengine
[8] Microsoft Security Bulletin MS10; see www.microsoft.com/technet/security/bulletin/ms10-070.mspx
[9] Security of data; see http://news.cnet.com/8301-13846_3-20052571-62
[10] Security Labs Blogs, http://securitylabs.websense.com/content/Blogs/3402.aspx
[11] Daniel Nurmi, Rich Wolski, Chris Grzegorczyk, Graziano Obertelli, Sunil Soman, Lamia Youseff, Dmitrii Zagorodnov, "The Eucalyptus Open-source Cloud computing System", http://www.eucalyptus.com/whitepapers
[12] Rajkumar Buyya, Rajiv Ranjan and Rodrigo N. Calheiros, "Modeling and Simulation of Scalable Cloud Computing Environments and the CloudSim Toolkit: Challenges and Opportunities", Proceedings of the 7th High Performance Computing and Simulation Conference, Leipzig, Germany, June 21-24, 2009.
[13] Lin Fan et al., "A Group Tracing and Filtering Tree for REST DDoS in Cloud Computing", International Journal of Digital Content Technology and its Applications, vol. 4, no. 9, Dec. 2010.
[14] Bakshi, A.; Yogesh, B., "Securing Cloud from DDOS Attacks Using Intrusion Detection System in Virtual Machine," Communication Software and Networks, 2010. ICCSN '10. Second International Conference on, pp. 260-264, 26-28 Feb. 2010.
[15] Palvinder Singh Mann, Dinesh Kumar, "Improving Network Performance and Mitigate Attacks using Analytical Approach under Collaborative Software as a Service (SAAS) Cloud Computing Environment", IJCST vol. 2, Issue 1, ISSN: 0976-8491, March 2011.
[16] Chu-Hsing Lin; Chen-Yu Lee; Jung-Chun Liu; Ching-Ru Chen; Shin-Yang Huang, "A detection scheme for flooding attack on application layer based on semantic concept," Computer Symposium (ICS), 2010 International, pp. 385-389, 16-18 Dec. 2010.
[17] Suriadi, S.; Stebila, D.; Clark, A.; Hua Liu, "Defending Web Services against Denial of Service Attacks Using Client Puzzles," Web Services (ICWS), 2011 IEEE International Conference on, pp. 25-32, 4-9 July 2011.
[18] Yifu Feng; Rui Guo; Dongqi Wang; Bencheng Zhang, "Research on the Active DDoS Filtering Algorithm Based on IP Flow," Natural Computation, 2009. ICNC '09. Fifth International Conference on, vol. 4, pp. 628-632, 14-16 Aug. 2009.
[19] Tuncer, T.; Tatar, Y., "Detection SYN Flooding Attacks Using Fuzzy Logic," Information Security and Assurance, 2008. ISA 2008. International Conference on, pp. 321-325, 24-26 April 2008.
[20] Liming Lu et al., "A General Model of Probabilistic Packet Marking for IP Traceback," ASIACCS '08, ACM, Tokyo, Japan, 18-20 March 2008.
[21] Ashley Chonka, Yang Xiang, Wanlei Zhou, Alessio Bonti (2011), "Cloud security defense to protect cloud computing against HTTP-DoS and XML-DoS attacks", Network and Computer Applications 34 (2011) 1097-1107.
[22] M.A. Rahaman, A. Schaad and M. Rits, "Towards secure SOAP message exchange in a SOA," in SWS'06: Proceedings of the 3rd ACM workshop on Secure Web Services. ACM Press, 2006, pp. 77-84.
[23] N. Gruschka and L. Lo Iacono, "Vulnerable Cloud: SOAP Message Security Validation Revisited," in ICWS'09: Proceedings of the IEEE International Conference on Web Services. Los Angeles, USA: IEEE, 2009.