2012 IEEE Students’ Conference on Electrical, Electronics and Computer Science

A Comber Approach to Protect Cloud

Computing against XML DDoS and HTTP
DDoS attack
Tarun Karnwal T. Sivakumar G. Aghila
Dept.of Computer Science Dept.of Computer Science Dept.of Computer Science
Pondicherry University Pondicherry University Pondicherry University
Puducherry, India Puducherry, India Puducherry, India
karnwals@gmail.com tsivakumar.csc@pondiuni.edu.in aghila.csc@gmail.com

Abstract-Cloud computing is internet based computing
whereby shared resources, software and information
provided to computers and other device on demand. It is
still in its infancy in regards to its Software as a Service
(SaaS), Web Services, Utility Computing and Platform as
a Service (PaaS). One of the most serious threats to cloud
computing itself comes from Denial of Service attack,
especially HTTP, XML or REST based Denial of Service
attacks because the cloud computing users makes their
request in XML then send this request using HTTP
protocol and build their system interface with REST
protocol such as Amazon EC2 or Microsoft Azure. So the
threaten coming from distributed REST attacks are more
and easy to implement by the attacker, but to security
expert very difficult to resolve. So to resolve these attacks
this paper introduce a security service called filtering tree,
which work like a service broker within a SOA model. It is
converting the consumer request in XML tree form and
use a virtual Cloud defender which will defend from these
types of attacks.
Keywords–REST, Network security, Denial of Service
Attacks, Cloud Computing, SaaS
I. INTRODUCTION
Cloud computing is a combination of distributed
system, utility computing and grid computing. In cloud
computing we use combination of all these three in
virtualized manner. Cloud computing converts desktop
computing into service based computing using server
cluster and huge databases at data center. Cloud
computing gives advanced facility like on demand, pay
per use, dynamically scalable and efficient provisioning
of resources. Cloud computing the new emerged
technology of distributed computing systems changed
the phase of entire business over internet and set a new
trend. The dream of Software as a Service becomes
true; Cloud offers Software as a Service (SaaS),
Platform as a Service (PaaS) and Infrastructure as a
Service (IaaS). Providing the basics of Cloud
Computing is not part of this paper, for basic
knowledge go through. Cloud offers these services with
the help of Web Services.Cloud and Web Services are
related in two ways.
1) Cloud offers its Core Services as Web Services.
2) Business Services are provided over Cloud as Web
Service.
Cloud computing providing services to its consumers
at abstract level and take care of all the internal
complex tasks. With cloud computing consumer life
became easy. But “as the nature rule with increase in
facility vulnerability also increases”.
The same concept apply in cloud computing also, it
is provides the facility to consumers in the same way it
provides facility to attackers also. There are more
chance of attacks in cloud computing. As cloud
computing mainly provides three types of services so in
each layer have some soft corners which invite
attackers to attack. Some of these soft corners are
(1) SaaS vulnerability
(a)Insecure Application Programming
Interface (API)
(b)Account or Service hacking
(c)Attack on cloud firewall / Attack on public
firewall
(d)Attack on consumer browser
(e)Integrity, Confidentiality and Availability
(2) PaaS vulnerability
(a)Insecure Application Programming
Interface (API)
(b)Unknown risk profile (Heartland Data
Breach)
(c)Integrity, Confidentiality and Availability
(3) IaaS vulnerability
(a) Data leakage in Virtual Machine
(b) Shared technology issues

978-1-4673-1515-9/12/$31.00 ©2012 IEEE

 (c)Integrity, Confidentiality and Availability
So among these different vulnerabilities this paper
focused on SaaS layer. This paper is concentrating on
API security. Every Cloud will have its own APIs or
adapters that need to be installed or consumed if anyone
wants to use that Cloud.
These adapters are publically available and this paper
objective is to provide security to this Open API from
HTTP, XML or REST based Denial of service attacks.
The largest DDoS attacks have now grown to 40
gigabit barrier this year and may reach to 100 gigabits
soon. So if someone threatens to bring down the cloud
system with DDoS attack cloud may become
worrisome. XML-based DDoS and HTTP-based DDoS
are more destructive than the traditional DDoS because
of these protocols widely used in cloud computing and
lack of the real defense against them. HTTP and XML
are important elements of cloud computing so security
become crucial to safeguard the healthy development of
cloud platforms. But as a virtual environment, cloud
poses new security threats that differ from attacks on
physical system.
A. Hop Count Filter
Hop count filter counts the number of hopes taken by
message. It works on TTL (Time to Live) value. it takes
initial TTL as TTLi and final TTL as TTLf, then it
subtract both TTL value and calculate Hop Count value
Hop Count = TTLf - TTLi
Now it compares this Hop Count value with the
value stored in the IP to Hop Count table. If value does
not match then it means the coming message is spoofed
message and it will be drop otherwise send to next
filter.
B. IP Packet Frequency
In flooding attack attacker send the IP packets in
flood. So attacker does not create new IP packets again
and again but he sends same old IP flood again and
again. So these flooding packets are having same
frequency.
II. RELATED WORK
A lot of research has been done in the domain of
network security but security for cloud computing is
still a very new open challenge. Lot of research is going
in security aspects in cloud computing. Now a days
daily it is going to see that Cloud is facing the problem
regarding new vulnerabilities as there are various latest
real time examples in which cloud is suffering from
new attacks. Among these different cloud
vulnerabilities this paper is focusing on cloud API
vulnerability mainly HTTP and XML DDoS attacks.
SCEECS 2012
Since cloud computing security follows the idea of
cloud computing, there are two main areas that security
experts look at security in a cloud system: These are
VM (Virtual Machine) vulnerabilities and message
Availability, Integrity and Confidentiality between
cloud systems.
In the next following section paper is discussing
about various vulnerability issues (as Shared
Technology, Data Leakage and Insecure API) in IaaS
layer.
In [8] Shared Technology issues work on IaaS layer.
In [9] Data Loss or Data Leakage is a big problem on
IaaS layer. There are many ways to compromise data
deletion and alteration of records without a backup of
original content is an obvious example. Unlinking a
record from a larger context may be render it
unrecoverable.
In [10] insecure API is big threat in cloud computing.
Cloud computing providers exploit a set of software
APIs that customer use to manage and interact with
cloud services. Provisioning, management and
monitoring are all performed using these interfaces. The
security and availability of general cloud services is
dependent upon the security of these basic APIs. From
authentication and access control to encryption and
activity monitoring, these interfaces must be design to
protect against both accidental and malicious attempts
to circumvent policy. Furthermore organizations and
third party often build upon these interfaces to offer
value added services to their consumers. This
introduces the complexity of the new layered API. It
also increases risk, as organizations may be required to
relinquish their credentials to third-parties in order to
enable their agency.
Further section is discussing about different existing
solutions and techniques to detect and protect from
HTTP flood attack and XML attack in Cloud
Computing.
In [6] the traffic into network TCP SYN packet and
the imbalance, SYN/ACK packets the number of poor
in 2 factors as index, combined with double-size
detection method. Chu-Hsing Lin et. al. [16] is using
Semantic Web concept to find flooding attack by
dividing attacks in three categories but this solution
limited to identifying malicious browsing behaviors.
Yifu et. al. [17] proposing DDoS Filtering Algorithm
Based on IP Flow but this algorithm will identify only
those IP flood which have same type of frequency.
Tuncer et. al. [18] is using fuzzy logic to find flooding
attack. This solution will give more false positive
results. Liming Lu et. al. [19] using Probabilistic Packet
Marking for IP Traceback. This method is useful only
when we already have attackers IP Address in traceback
but in real time it is not possible. Suriadi et. al. [20] SOAP Signature: SOAP message is nothing but XML
using client puzzle but if each packet of client request tags. The process of SOAP signature as: for every
will pass through client puzzle filter then this solution message part a reference element is created and the
will face time bottleneck problem. Ashley Chonka et. message part is hashed and cannibalized. The resulting
al. [21] are using BPNN scheme to detect DDoS attack digest added with digest value as well as the reference
but this scheme work on expert system based of signed message is added in URI field. In last this
approximate threshold value. Until attacker will not message part and digest cannibalized and put in Signed
cross threshold value it is possible that attacker may Info part and Signature element is added in security
attack. M.A. Rahaman et. al. [22] are using inline header.
approach but the disadvantage of this method is that it <Signature>
is securing only some properties of SOAP message. <SignedInfo>
Further N. Gruschka et. al. [23] are introducing first <CanonicalizationMethod
real XML SOAP Message wrapping attack on Amazon Algorithm="..."/>
EC2 services in 2008. Here attackers are changing <SignatureMethod Algorithm="..."/>
XML tags and making vulnerability in SOAP Message <Reference URI="..." >
<DigestMethod Algorithm="...">
request validation. By which any unauthorized user can <DigestValue>...</DigestValue>
access the services of Amazon’s EC2. One simple </Reference>
example of this is creating multitude virtual machines </SignedInfo>
to send spam mails. <SignatureValue>...</SignatureValue>
</Signature>
Other paper also said that with cloud, DoS/DDoS
attack will still crash application it will just take longer. Fig. 2 SOAP Message Signature
Cloud take all application at a place so it may be
possible that attack on one application may harm the To detect coercive parsing attack using SOAP
other application too so in this worst scenario the whole signature.
cloud will become offline.
According to literature survey traditional web facing
application crashes at approx 800 concurrent user
sessions under a DDoS attack in 15 minutes.
Cloud hosted web application crashes at approx 3000
concurrent user sessions under a DDoS attack in about
20 minutes.
III. SYSTEM ARCHITECTURE

Fig. 3 Embed SOAP Message

A. Double signature
To give the extra protection against XML rewriting
attack in this paper using Double Signature by making
some parameters signed again. These parameters are as
Fig. 1 Proposed Architecture Model
(1) Number of children
Figure 1 showing the abstract architecture used to (2) Number of header element
protect against DDoS attack. (3) Number of body element
IV. EMBED SOAP MESSAGE and keeping these signed parameter in SOAP Header.

Clients or Consumers use SOAP message to request B. IP Marking

any resource from cloud providers. SOAP message
used to start the communication with cloud, it works
with HTTP protocol. SOAP message written in XML
because XML is universally accepted language and it
can run on any platform.
At the edge router mark the IP address of
client/consumer in the SOAP header.
C. Client puzzle
Client puzzle are simple type of puzzles which can
be solve by any intelligent system. Client puzzle is very

SCEECS 2012
effective in confirming HTTP DDoS attack. Its working (2) HOP Count filter: It will calculate the Hop Count
is very simple, Client puzzle will be part of the WSDL value and compare with stored Hop Count value. If no
file and its solution is embedding in the header of match then it marks those messages as suspicious IP
SOAP Message. If any time cloud defender feels any otherwise send to next filter.
possibility of DDoS attack, that time cloud defender
(3) IP Frequency Divergence: if found same frequency
simply send back the puzzle embed SOAP message to
of IP messages then it marks those messages as
IP in doubt. If the cloud defender get back solved
suspicious IP otherwise send to next filter.
puzzle it means request sent by legitimate user only
otherwise it will be HTTP DDoS attack. B. Detect HTTP DDoS Attack
<wsdl:definitions…> All suspicious packets come to the Puzzle Resolver.
<wsp:Policy wsu:Id=”clientPuzzlePolicy”>
<wsp:ExactlyOne> <wsp:All>
It resolves the SOAP header of these suspicious
<wsp:clientPuzzle a:difficulty=”8” xmlns:a=”” > messages. Firstly it finds the suspicious messages IP
abcdef</wsp:clientPuzzle> addresses and then send the puzzles to these IP address
</wsp:All></wsp:ExactlyOne></wsp:Policy>
<wsd:types…>…</wsp:types>…
</wsdl>
Fig. 4 Client Puzzle in a WSDL

<s:Envelope…><s:Header…>
<ClientPuzzleSolution xmlns=”…”…>
<timestamp>6342438044717802</timestamp>
<clientNonce>LMBfqB</clientNonce>
<puzzleSolution>abcdef….</puzzleSolution>
</ClientPuzzleSolution> …..
</s:Header></s:Body>….</s:Body></s:Envelope>

Fig. 5 Client Puzzle solution in SOAP request

V. IP TRACE-BACK

IP Trace-Back is a logical file system which stores IP

address in a form of list. In proposed architecture the
work of IP Trace-Back is to store IP address given by
Cloud Defender.
When client message request pass through IP Trace-
Back it matches coming message source IP address
with already stored IP address. If IP matched then it
discard request message otherwise it send request
message to Cloud Defender.
VI CLOUD DEFENDER

Cloud defender filters the attack in five stages. These

five stages are
(1) Sensor Filter
(2) Hop Count Filter
(3) IP Frequency Divergence Filter
(4) Puzzle Resolver Filter
(5) Double Signature Filter
First four filters detect HTTP DDoS attack and fifth
filter detects XML DDoS attack.
A. Detect the suspicious message
(1) Sensor: Sensor monitors the incoming request
messages. If the sensor finds that there is hypothetical
increase in the number of request messages coming
from any particular consumer then it marks those
messages as suspicious IP otherwise send to next filter. Fig. 6 Cloud Defender

SCEECS 2012
If the suspense IP address send the correctly solved
puzzle to puzzle resolver it means it is genuine client
request otherwise puzzle resolver drops the request
message and send suspicious IP address to IP Trace-
Back otherwise it send the request message to Double
signature filter.
C. Detect Coercive Parsing/XML DDoS Attack
Check the incoming request message for any open
tag. If open tag found in incoming message then it
discards that message otherwise send the request
message to cloud provider to provide services to clients.
VII. CONCLUSION
DDoS attack is more dangerous in cloud computing
because all resources are at single place they are not
distributed so attackers need to concentrate at the single
place to affect all the services. As much easy to make
attacks on cloud for attackers that much hard to resolve
those attacks for researches so this paper filter
requested message at different stages firstly matching
the request client IP with previously stored suspicious
IP in Trace-Back and then cloud defender is using for
detecting the HTTP DDoS, Coercive parsing DDoS,
XML DDoS. Cloud Defender is firstly identifying
suspicious messages and then detecting attacks.
VIII. REFERENCES
[1] Cloud Security Alliance; see
https://cloudsecurityalliance.org/research/topthreats
[2] Europe Network and Information Security Agency; see
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-
computing-risk-assessment
[3] Belenky A, Ansari N.Tracing multiple attackers with
deterministic packet marking(DPM). In: Proceedings of IEEE
pacific Rim conference on communications, computers and
signal processing, vol. 1, 2003. p. 49-52.
[4] Danchev D.Iranian opposition launches organized cyber attack
against pro-Ahmadinejad sites.
ZDNetblog,<http://blogs.zdnet.com/security/?p=3613>,june 15
2009a.
[5] Amazon Web Services, Amazon Web Services, LLC; see
http://aws.amazon.com
[6] Salesforce.com and Force.com, Inc; see www.salesforce.com
[7] GoogleAppEngine GoogleCode, Google, Inc,; see
http://code.google.com/appengine
[8] Microsoft Security Bulletin MS10;see
www.microsoft.com/technet/security/bulletin/ms10-070.mspx
[9] Security of data ;see http://news.cnet.com/8301-13846 3-
20052571-62
[10] Security labs Blogs
http//:securitylabs.websense.com/content/Blogs/3402.aspx
SCEECS 2012
[11] Daniel Nurmi, Rich Wolski, Chris Grzegorczyk, Graziano
Obertellli, Sunil Soman, Lamai Youseff, Dmitrii Zagorodnov,
“The Eucalyptus Open-source Cloud computing System”,
http://www.eucalyptus.com/whitepapers
[12] Rajkumar Bhuya, Rajiv Ranjan and Rodrigo N. Calheiros,
“Modeling and Siulation of Scalable Cloud Computing
Environments and the CloudSim Toolkit: Challenges and
Opportunities”, Proceedings f the 7th High Performance
Computing and Simulation Conference, Leipzig, Germany, June
21-24, 2009.
[13] Lin Fan et. al. “A Group Tracing and Filtering Tree for REST
DDoS in Cloud Computing” International Journal of Digital
Content Technology and its Applications vol 4, Number 9, Dec.
2010
[14] Bakshi, A.; Yogesh, B.; "Securing Cloud from DDOS Attacks
Using Intrusion Detection System in Virtual Machine,"
Communication Software and Networks, 2010. ICCSN '10.
Second International Conference on , vol., no., pp.260-264, 26-
28 Feb. 2010
[15] Palvinder Singh Mann, Dinesh Kumar “Improving Network
Performance and Mitigate Attacks using Analytical Approach
under Collaborative Software as a Service(SAAS) Cloud
Computing Environment” IJCST vol. 2, Issue 1, ISSN: 0976-
8491 , March 2011
[16] Chu-Hsing Lin; Chen-Yu Lee; Jung-Chun Liu; Ching-Ru Chen;
Shin-Yang Huang; , "A detection scheme for flooding attack on
application layer based on semantic concept," Computer
Symposium (ICS), 2010 International , vol., no., pp.385-389,
16-18 Dec. 2010
[17] Suriadi, S.; Stebila, D.; Clark, A.; Hua Liu; , "Defending Web
Services against Denial of Service Attacks Using Client
Puzzles," Web Services (ICWS), 2011 IEEE International
Conference on , vol., no., pp.25-32, 4-9 July 2011
[18] Yifu Feng; Rui Guo; Dongqi Wang; Bencheng Zhang; ,
"Research on the Active DDoS Filtering Algorithm Based on IP
Flow," Natural Computation, 2009. ICNC '09. Fifth
International Conference on , vol.4, no., pp.628-632, 14-16
Aug. 2009
[19] Tuncer, T.; Tatar, Y.; , "Detection SYN Flooding Attacks Using
Fuzzy Logic," Information Security and Assurance, 2008. ISA
2008. International Conference on , vol., no., pp.321-325, 24-26
April 2008
[20] Liming Lu et. al.; ”A General Model of Probabilistic Packet
Marking for IP Traceback,” ASIACCS ’08, ACM, Tokyo, Japan
,18-20 march 2008
[21] Ashley Chonka,YangXiang n, WanleiZhou,
AlessioBonti(2011), “Cloud security defense to protect cloud
computing against HTTP-DoS and XML-DoS attacks” Network
and Computer Applications 34 (2011) 1097–1107.
[22] M.A. Rahaman, A. Schaad and M.Rits, "Towards secure SOAP
message exchange in a SOA," in SWS'06: Proceedings of the
3rd ACM workshop on Secure Web Services.ACM Press, 2006,
pp. 77-84
[23] N.Gruschka and L.Lo lacono, "Vulnerable Cloud: SOAP
Message Security Validation Revisited," in ICWS'09:
proceedings of the IEEE International Conference on Web
Services. Los Angeles, USA: IEEE, 2009.