Abstract—Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Index Terms—Cloud, IDPS, DDoS, SDN, Docker container

I. INTRODUCTION

Cloud computing develops rapidly in recent years owing to its remarkable characteristics, e.g., on-demand self-service, broadband network access, resource pooling, rapid elasticity, and measured service [1], [2]. More and more applications ranging from high computation-intensive applications down to lightweight applications [3] are developed and deployed based on cloud computing. Meanwhile, the security of cloud computing is gradually becoming the primary barrier of its further development. Among its security requirements, the availability is most critical since the core function of cloud computing is to provide on-demand services of different levels for numerous users [4]. The primary threat to the availability of cloud computing is from the Denial-of-Service (DoS) attack and its distributed version, i.e., Distributed Denial-of-Service (DDoS) attack, making cloud service unavailable to its intended users by draining the system or network resource [5], [6].

A current countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) inheriting both detection and prevention capability against DDoS attack for cloud [7]. However, there are several challenges to establish an eligible IDPS for cloud. First, since the cloud services and users are numerous, an eligible IDPS should be transparent to them and should not largely impact the performance of those cloud services. Second, on account of the uncertainty of traffic in cloud, the location and the volume of abnormal traffic could change at any time, so an eligible IDPS should be flexible to adjust itself for accommodating the change. Third, because DDoS attack against cloud will bring huge attack traffic, e.g., 500 Gbps [8], an eligible IDPS should be as lightweight as possible to tackle huge attack traffic with low-cost and quick-response characteristics.

The remarkable advantages of Software-defined network (SDN), e.g., logically centralized control, global network view, dynamic update of forwarding rules, and software-based traffic analysis, bring a relatively easier way to detect and prevent DDoS attack [9], and some SDN based methods are proposed to overcome the above challenges, e.g., OpenSAFE [10], NICE [11], SnortFlow [12], SDNIPS [7], DaMask [5], and [13]. However, the IDPSes mentioned above are static, lacking the flexibility that an eligible cloud IDPS needs. In addition, DEIDtect [14] and BroFlow [15] are able to elastically allocate the compute resource to IDPS. Nevertheless, their flexibility is still not satisfying because they are unable to adjust the placement of IDPS. Moreover, none of the above works proposes a lightweight IDPS with low-cost and quick-response characteristics. It follows that the challenges remain till date.

In this paper, we propose a novel scheme of IDPS termed as Auto-scaling IDPS (AsIDPS) to guard cloud against DoS and DDoS attacks in a flexible and lightweight way. With the aid of Chi-square test [16], it first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. Afterwards, according to the location and volume of the abnormal traffic, it then creates corresponding Docker containers (with Snort [17] running on them) to handle the

Footnote: This work is supported by the National Key Research and Development Program of China (2016YFB0800102, 2016YFB0800201), the Science and Technology Project of State Grid Corporation of China (52110118001F), the Key Research and Development Program of Zhejiang Province (2017C01064, 2017C01055, 2018C01088, 2018C03052), Ministry of Industry and Information Technology of China for Testing, Solution Verification and Application Promotion of Industrial Information Physics System and the Fundamental Research Funds for the Central Universities (2016XZZX001-04). (Corresponding Author: Wei Ruan. ruanwei@zju.edu.cn, Chunming Wu. wuchunming@zju.edu.cn)
Upon attack traffic detected, Snort drops it and alerts AsIDPS Application. In contrast, it passes the legitimate traffic to its original target. To create an AsIDPS Agent, Snort is regarded

time after the initialization phase. Therefore, once an AsIDPS Agent has been deployed, the related Snort application will work immediately.

AsIDPS Application: It serves as the "brain" of AsIDPS, running atop the SDN controller.

1) Detection: AsIDPS Application obtains the global view of the network by collecting the flow statistics in the Detected Switches (switches on the edge of the network) periodically. Based on these flow statistics, AsIDPS Application detects whether there is abnormal traffic from end users of cloud with

[Figure (AsIDPS architecture; number not recoverable on this page): a controller plane holding the SDN Controller, the AsIDPS Application and a Daemon; a data plane with Detected Switches and a Distributing Switch; AsIDPS Agents realised as Docker Containers running the Snort Application; data flows and controlling flows are drawn as numbered steps 1 to 8, with Detected DDoS Attackers at the edge.]

[Figure (testbed topology; number not recoverable on this page): an Aggregation switch above Edge Switches A, B and C; 1 DoS Attacker, 1 Legitimate User and five groups of 20 DDoS Attackers each on the user side, 1 Legitimate Server on the server side.]

Fig. 3: Relationship between paths and ports. [Figure: paths from End User through the switch ports to the Server.]

Fig. 4: Rate of flow while DoS attack. [Plot: Rate (packet/s), 0 to 20, against Time (s), 0 to 30; curves for Flow: Port 1 to Port 2, Flow: Port 1 to Port 3 and Flow: Port 4 to Port 2; markers t1, t2, t3.]

Fig. 5: Rate of flow while legitimate flash crowd. [Plot: same axes and flows as Fig. 4; the abnormal traffic is marked.]

Fig. 6: Number of AsIDPS Agents. [Plot: # of IDPS Agents, 0 to 10, against Time (s), 0 to 30; curves for DoS Attack and Flash Crowd; markers t1, t2, t3.]
B. DDoS Attack

1) Scenario of DDoS Attack: As for DDoS attack, based on [30], the average attack rate is 500 packets/s. Therefore we made each DDoS attacker launch an attack to the server at the rate of 5 packets/s, and the total rate is 500 packets/s. Also we made the legitimate user send packets to the server at the rate of 2 packets/s. We measured the rate of flow in Switch C. As Figure 7 shows, at time t4, there is only the traffic from the legitimate user left. Unlike the scenario of DoS attack, at time t1, AsIDPS Agents start to be scaled out, and until time t2, AsIDPS Agents start to detect and clean up attack traffic. It is clear that AsIDPS can tackle a DDoS attack of 500 packets/s effectively within 30 seconds. It means that AsIDPS has the quick-response characteristic.

2) Resource consumption: We chose the CPU consumption as a reference measure. For keeping the normal operation of the testbed, the upper bound of the CPU consumption is set below 50%. We adjusted the rate of DDoS attack and measured the CPU consumption. Figure 8 shows AsIDPS can handle a large number of DDoS packets without consuming too much
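The Chi-square detection over per-flow statistics from the introduction and the Detection step, with the scale-out decision sized against the DDoS scenario above, as an added example that is not the paper's own code. It assumes the three flows of Fig. 4 as keys, an assumed baseline of 2 packets/s per flow, a significance level of 0.05 and an assumed per-agent capacity of 100 packets/s; the paper does not state how it applies the test or how much traffic one agent absorbs.

```python
import math

# Chi-square critical values at alpha = 0.05 by degrees of freedom (flows - 1).
# The significance level is an assumption; the paper only names the test.
CHI2_CRIT_005 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}

# Assumed clean-up capacity of one AsIDPS Agent (Snort container), packets/s.
AGENT_CAPACITY_PPS = 100

# Constructed flow statistics for Switch C, packets/s per "in port->out port"
# flow, following the legend of Fig. 4; the baseline rates are assumed.
BASELINE = {"1->2": 2, "1->3": 2, "4->2": 2}
DOS_WINDOW = {"1->2": 15, "1->3": 2, "4->2": 2}    # one DoS attacker on 1->2
DDOS_WINDOW = {"1->2": 500, "1->3": 2, "4->2": 2}  # 100 attackers x 5 packets/s


def chi_square(observed, baseline):
    """Test whether the observed per-flow rates still follow the baseline
    proportions (baseline rates must be > 0).
    Returns (statistic, critical value, per-flow residual O - E)."""
    flows = list(baseline)
    obs_total = sum(observed.get(f, 0) for f in flows)
    crit = CHI2_CRIT_005[len(flows) - 1]
    if obs_total == 0:  # idle window: nothing to compare, never abnormal
        return 0.0, crit, {f: 0.0 for f in flows}
    stat, residuals = 0.0, {}
    for f in flows:
        expected = obs_total * baseline[f] / sum(baseline.values())
        residuals[f] = observed.get(f, 0) - expected
        stat += residuals[f] ** 2 / expected
    return stat, crit, residuals


def detect(observed, baseline):
    """Detection step: if the test rejects the baseline, report the flows that
    carry more than expected (flow -> observed packets/s). This stage only flags
    deviation; Snort on the agents decides whether it is attack traffic, which
    is why Fig. 6 shows agents being created for a flash crowd as well."""
    stat, crit, residuals = chi_square(observed, baseline)
    if stat <= crit:
        return {}
    return {f: observed[f] for f, r in residuals.items() if r > 0}


def agents_needed(abnormal, capacity=AGENT_CAPACITY_PPS):
    """Scale-out decision: enough agents to absorb the abnormal rate; zero
    means the agents can be scaled down again."""
    excess = sum(abnormal.values())
    return math.ceil(excess / capacity) if excess else 0
```

With the constructed windows, the DoS window flags flow 1->2 and needs one agent, while the 500 packets/s DDoS window needs five; a window matching the baseline flags nothing, which is the scale-down case.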
Fig. 7: Rate of flow while DDoS attack. [Plot: Rate (packet/s), 0 to 400, against Time (s), 0 to 30; markers t1, t2, t3, t4.]

[Figure (CPU consumption plot, referred to in the text as Figure 8): CPU Consumption (%); only the axis label and a 50 tick survive on this page.]

REFERENCES (partial; only the entries on this page survive)

[8] (authors and title not recoverable on this page) https://www.arbornetworks.com/images/documents/WISR2016 EN Web.pdf, 2015.
[9] Q. Yan, F. R. Yu, Q. Gong, and J. Li, "Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges," IEEE Communications Surveys and Tutorials, vol. 18, no. 1, pp. 602–622, 2016.
[10] J. R. Ballard, I. Rae, and A. Akella, "Extensible and scalable network monitoring using OpenSAFE," in Internet Network Management Conference on Research on Enterprise Networking, 2010, pp. 8–8.
[11] C. J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: Network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.
[12] T. Xing, D. Huang, L. Xu, C. J. Chung, and P. Khatkar, "SnortFlow: A OpenFlow-based intrusion prevention system in cloud environment," in Second GENI Research and Educational Experiment Workshop, 2013, pp. 89–92.
[13] Y. Chi, T. Jiang, X. Li, and C. Gao, "Design and implementation of cloud