CLOUD DDoS ATTACK SIMULATION
Step 1: Set up a cloud using OpenStack
Step 2: Build an attack environment and generate attacks.
Step 1: IMPLEMENTATION OF CLOUD SETUP
A cloud environment can be created using OpenStack, an open-source software platform for cloud computing deployment that implements the Infrastructure as a Service (IaaS) model of cloud. The three main nodes are the network node, the controller node and the compute node.
For the simulation of the attack, three instances were created in the cloud. One instance works as the victim while the other two are used for attacking the system. The tools to be installed include,
1. fping
2. Nmap
3. Hping3
4. tcpdump
5. Wireshark
Step 1: Install fping in the required VMs: apt-get install fping
Step 2: Install nmap in the attacker VM: apt-get install nmap
Step 3: Install hping3 in the attacker VM: apt-get install hping3
Step 4: Install Wireshark in the required VMs: download the installer and execute the file.
Step 2: ATTACK SIMULATION
1. Simulation of SYN flood attack: A SYN flood attack can be simulated using hping3.
# hping3 -S <ip address> --flood
-S: set the SYN TCP flag
--flood: send packets as fast as possible
ip address: the victim's address
To capture SYN packets at the target machine (the filter keeps only segments with the SYN flag set):
# tcpdump -i <interface> 'tcp[tcpflags] & (tcp-syn) != 0'
After simulating the SYN flood attack, the packets can be analyzed using Wireshark as shown in Fig. 1.
Fig. 2 shows the IO graph, which plots time versus the number of packets. The number of packets coming into the system at each moment can be analyzed.
In a SYN flood attack the bandwidth consumed by the packets is comparatively low [7]. Packets arrive at a regular interval; the maximum number of packets can be seen at the 84th–86th seconds and is limited to a maximum value of 100. In a SYN flood attack the sender waits for an acknowledgment after each packet and, after a time period, resends the packets [3].
2. Simulation of TCP flood attack: A TCP flood attack can be simulated using hping3.
# hping3 <ip address> --flood
To capture the packets for analysis at the target,
# tcpdump -w filename.pcap -i eth0 tcp
After simulating the TCP flood attack, the packets can be analyzed using Wireshark as shown in Fig. 3.
Fig. 4 shows the IO graph, plotted as time versus the number of packets. The number of packets coming into the system at each moment can be analyzed. In a TCP flood attack, once a connection is established the server continuously receives packets, and after this it drops to null packets. The bandwidth consumed during the TCP attack is very low compared to the SYN flood attack. In a TCP attack the number of packets does not fluctuate at all and stays between 1 and 2 packets/second [22].
3. Simulation of ICMP flood: An ICMP flood can be simulated using hping3.
# hping3 <ip address> --icmp --flood
To capture packets at the target,
# tcpdump -w file.pcap -i eth0 icmp
After simulating the ICMP flood attack, the packets can be analyzed using Wireshark as shown in Fig. 5.
Fig. 6 shows the IO graph, plotted as time versus the number of packets. The number of packets coming into the system at each moment can be analyzed. From the IO graph it is clear that the ICMP attack is the attack that consumes the most bandwidth. The number of packets varies in a very random fashion. It also engages the server continuously, so the attack is very effective on the server side. Denial of service is quite effective in ICMP attacks.
4. Simulation of UDP flood: A UDP flood can be simulated using hping3.
# hping3 <ip address> --udp --flood
To capture UDP packets at the target,
# tcpdump -w filename.pcap -i <interface> udp
After simulating the UDP flood attack, the packets can be analyzed using Wireshark as shown in Fig. 7.
Fig. 8 shows the IO graph, plotted as time versus the number of packets. The number of packets coming into the system at each moment can be analyzed.
In a UDP flood the bandwidth consumed is comparatively high, but not as high as in the ICMP attack. Here there is a time interval between each packet received, caused by the target (server) sending ICMP unreachable messages back; this creates a loop and overloads the network.
Table 1
COMPARISON TABLE OF DIFFERENT DOS ATTACKS IN CLOUD
Sl.No | Name of the Attack | Strategy used | Total Bandwidth Taken | No. of packets per second (Avg) | Level of effect on target
1 | SYN flood attack | A 3-way handshake method | Average | 0–5 | Average
2 | TCP flood attack | Connection-oriented attack | Low | 0–3 | Low
3 | ICMP flood attack | Attack based on vulnerability | Very large | 10–20 | Large
4 | UDP flood attack | Random packets in a connectionless method | Large | 5–12 | Large
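The four captures above are each isolated with a tcpdump filter and then read off an IO graph by hand. The following script is an added example (not code from the paper): it parses tcpdump's text output, builds the same per-second series the IO graph shows, separates bare-SYN, other TCP, ICMP and UDP packets, and reports which class exceeds a packets-per-second baseline together with the source hosts behind it. The capture lines, the baseline thresholds and the host addresses are constructed for the demo; in practice the thresholds come from measured normal traffic on the victim instance.

```python
import re
from collections import Counter, defaultdict

# Constructed capture in tcpdump's text format (not a capture from the paper):
# a short burst of bare SYNs from two attacker instances (10.0.0.21, 10.0.0.22)
# against the victim 10.0.0.10:80, with ordinary ICMP/UDP/TCP traffic mixed in.
SAMPLE_CAPTURE = """\
10:00:00.100 IP 10.0.0.21.40001 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:00.200 IP 10.0.0.22.40002 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:00.300 IP 10.0.0.21.40003 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:00.400 IP 10.0.0.22.40004 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:00.500 IP 10.0.0.5 > 10.0.0.10: ICMP echo request, id 7, seq 1, length 64
10:00:01.100 IP 10.0.0.21.40005 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:01.200 IP 10.0.0.22.40006 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:01.300 IP 10.0.0.21.40007 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:01.400 IP 10.0.0.22.40008 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:01.500 IP 10.0.0.22.40009 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:01.600 IP 10.0.0.22.40010 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
10:00:01.700 IP 10.0.0.5.5353 > 10.0.0.10.53: UDP, length 40
10:00:02.100 IP 10.0.0.7.51000 > 10.0.0.10.80: Flags [P.], seq 1:10, ack 1, win 512, length 9
"""

# Packets per second above which a class is reported. Constructed baselines for
# the demo; a real deployment derives them from the victim's normal traffic.
DEFAULT_THRESHOLDS = {"syn": 5, "tcp": 20, "icmp": 10, "udp": 5}

LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d+ IP "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def classify(rest):
    """Map the tail of a tcpdump line onto the classes the paper's captures isolate."""
    if rest.startswith("Flags ["):
        flags = rest[len("Flags ["):rest.index("]")]
        return "syn" if flags == "S" else "tcp"  # bare SYN vs. any other TCP segment
    if rest.startswith("ICMP"):
        return "icmp"
    if rest.startswith("UDP"):
        return "udp"
    return "other"


def parse_line(line):
    """Return (seconds of day, class, source host) or None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    src = m["src"]
    if src.count(".") == 4:          # tcpdump appends ".port" for TCP and UDP
        src = src.rsplit(".", 1)[0]
    return ts, classify(m["rest"]), src


def per_second_counts(capture_text):
    """IO-graph style series: {seconds since first packet: Counter(class -> packets)}."""
    series = defaultdict(Counter)
    first = None
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, cls, _src = parsed
        first = ts if first is None else first
        series[ts - first][cls] += 1
    return dict(series)


def flood_report(capture_text, thresholds=DEFAULT_THRESHOLDS):
    """Peak rate per class, the classes over threshold, and the top sources behind them."""
    series = per_second_counts(capture_text)
    peak = Counter()
    for counts in series.values():
        for cls, n in counts.items():
            peak[cls] = max(peak[cls], n)
    flagged = sorted(cls for cls, limit in thresholds.items() if peak[cls] > limit)
    sources = defaultdict(Counter)
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and parsed[1] in flagged:
            sources[parsed[1]][parsed[2]] += 1
    return {
        "peak_pps": dict(peak),
        "flagged": flagged,
        "top_sources": {cls: c.most_common(3) for cls, c in sources.items()},
    }


if __name__ == "__main__":
    for second, counts in sorted(per_second_counts(SAMPLE_CAPTURE).items()):
        print(f"t+{second}s: {dict(counts)}")
    print(flood_report(SAMPLE_CAPTURE))
```

On the constructed capture the bare-SYN class peaks at 6 packets in the second bucket and is the only class over its baseline, with 10.0.0.22 as the leading source; feeding the script a real `tcpdump -l` stream through a pipe gives the same report for the captures described above.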
5. Mitigation of DDoS Attack
Since the effect of a DDoS attack in a cloud environment is critical, we have to think about mitigation strategies that help to avoid the effect in the cloud. For that, an analysis based on the type of attack is necessary, i.e. for each type of attack we have to follow a particular set of steps to reduce the probability of execution on the client machine [23][24][25][26].
a. SYN flood attack
SYN flood attacks can be prevented only by certain firewall filtering policies. Filtering most SYN attacks is an easy process since the attack packets share common TCP header parameters. The main parameter that can be used is the MSS (maximum segment size): a host initiating a connection announces the maximum segment size it wants to allow, known as the MSS. Most attacking tools (including hping) do not set this parameter by default. Normal values lie between 536 and 65535 [26].
# iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP
Another method to mitigate SYN flood attacks is enabling SYN cookies. SYN cookies prevent an attacker from filling up the SYN queue, but sometimes make the services unreachable to legitimate users.
b. UDP flood attack
To mitigate a UDP flood attack, one solution is to limit the rate of ICMP responses, but this has an impact on legitimate traffic; alternatively, Deep Packet Inspection (DPI) can be performed using a combination of factors like IP reputation, abnormal attribute checking and suspicious behavior [27]. Between the virtual machines, two parameters can be configured so that the UDP flood attack is mitigated.
1. Specify the threshold value for the UDP flood, e.g.: set security screen ids-option 1000-udp-flood udp flood threshold 1000. Also modify the external screen.
2. For the external screen, set the security zone, e.g.: set security zones security-zone external screen 1000-udp-flood.
c. ICMP flood attack
For ICMP flood detection, check parameters like time, TTL (Time to Live) and packet size. The time parameter is the time taken for the response to come back. If the response time is 100 ms, it means that there are more than 10 hops between source and destination. The TTL gives information about the operating system. E.g.: if the TTL is 128, the operating system is Windows, and in Windows the default packet size is 32 bytes even though it ranges from 0 to 65500. Also, set the packet size according to the operating system so that ICMP floods with a large packet size can be prevented, i.e. (Windows ping syntax),
# ping -l <packet size> <IP address>
d. HTTP flood attack
HTTP flood attacks are usually very difficult to differentiate from valid traffic because they use standard URL requests. It is the most advanced security challenge faced by servers and applications that relies on no vulnerability. So a combination of traffic profiling methods should be used, including identifying IP reputation and keeping track of abnormal activity [28][29].
The only method that can be adopted at the network layer to avoid an HTTP flood attack is restricting the number of connections, i.e. restricting the number of concurrent connections per IP. This defines how many connections a client can request simultaneously. It can be set in iptables by,
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Another method is "tarpitting". After a connection has been successfully established, it automatically sets the connection's window size to a few bytes. Normally, when the attacker sends data, the target will send its response again and again until the attacker receives that response and acknowledges it.
With tarpitting, the victim stops responding to an attacker that did not respond the first time, so it is possible to protect the server from unwanted HTTP requests by,
# iptables -A INPUT -s <ip> -p tcp -j TARPIT
Because of the way it is carried out, halting a DDoS attack at the source is incredibly difficult; its effect can only be reduced by a distributed, hardened and secure infrastructure like the cloud [30].
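The SYN (a), ICMP (c) and HTTP (d) mitigations above are each expressed as a single filter rule or a manual check. The following script is an added example (not code from the paper or from iptables) that implements the decision logic of those three controls in one place so that the verdicts can be reproduced on sample packets: the tcpmss window check with the paper's 536–65535 range, the per-/24 concurrent-connection budget of the connlimit rule with its limit of 20, and the TTL/packet-size check of the ICMP section. The initial-TTL heuristic (64 = Linux/Unix, 128 = Windows, 255 = other) generalises the paper's "TTL 128 = Windows" and, together with the 56-byte Linux ping default and all packet values, is an assumption constructed for the demo.

```python
import ipaddress
from collections import Counter

# Parameters taken from the iptables rules quoted in the paper.
MSS_RANGE = (536, 65535)     # -m tcpmss ! --mss 536:65535
CONN_LIMIT = 20              # --connlimit-above 20
CONN_MASK = 24               # --connlimit-mask 24
# Default ping payload per OS. The Windows value (32 bytes) is the paper's;
# the Linux value (56 bytes) is an added assumption for the demo.
DEFAULT_PING_SIZE = {"windows": 32, "linux": 56}


def guess_os(ttl):
    """Initial-TTL heuristic (assumption generalising the paper's 'TTL 128 = Windows'):
    the smallest common initial TTL >= the observed value names the OS family;
    returns (os name, estimated hops travelled)."""
    for initial, name in ((64, "linux"), (128, "windows"), (255, "other")):
        if ttl <= initial:
            return name, initial - ttl
    return "unknown", 0


def syn_mss_verdict(pkt):
    """Mirror of the tcpmss rule: DROP a new SYN to :80 whose MSS option is absent
    or outside 536..65535 (hping-style floods omit the option, which the rule relies on)."""
    if pkt["proto"] != "tcp" or pkt.get("flags") != "S" or pkt.get("dport") != 80:
        return "ACCEPT"
    mss = pkt.get("mss")
    if mss is None or not (MSS_RANGE[0] <= mss <= MSS_RANGE[1]):
        return "DROP"
    return "ACCEPT"


def icmp_verdict(pkt):
    """Paper's ICMP checks: infer the sender's OS from the TTL, then flag echo
    requests whose payload exceeds that OS's default ping size."""
    os_name, _hops = guess_os(pkt["ttl"])
    limit = DEFAULT_PING_SIZE.get(os_name)
    if limit is not None and pkt["size"] > limit:
        return "FLAG"
    return "ACCEPT"


class ConnLimiter:
    """Concurrent-connection budget per /24 source block, as connlimit counts it."""

    def __init__(self, limit=CONN_LIMIT, mask=CONN_MASK):
        self.limit, self.mask = limit, mask
        self.active = Counter()

    def _key(self, src_ip):
        return ipaddress.ip_network(f"{src_ip}/{self.mask}", strict=False)

    def new_connection(self, src_ip):
        """ACCEPT while the block holds at most `limit` connections; the next one is DROPped."""
        key = self._key(src_ip)
        if self.active[key] >= self.limit:
            return "DROP"
        self.active[key] += 1
        return "ACCEPT"

    def close(self, src_ip):
        key = self._key(src_ip)
        if self.active[key] > 0:
            self.active[key] -= 1


def evaluate(packets, limiter):
    """Run each packet through the checks in rule order; returns [(src, verdict), ...]."""
    verdicts = []
    for pkt in packets:
        if pkt["proto"] == "tcp":
            verdict = syn_mss_verdict(pkt)
            if verdict == "ACCEPT" and pkt.get("flags") == "S" and pkt.get("dport") == 80:
                verdict = limiter.new_connection(pkt["src"])
        elif pkt["proto"] == "icmp":
            verdict = icmp_verdict(pkt)
        else:
            verdict = "ACCEPT"
        verdicts.append((pkt["src"], verdict))
    return verdicts


# Constructed packets (not from the paper's captures).
SAMPLE_PACKETS = [
    {"proto": "tcp", "flags": "S", "src": "203.0.113.7", "dport": 80, "mss": 1460},  # normal client
    {"proto": "tcp", "flags": "S", "src": "203.0.113.8", "dport": 80},               # SYN without MSS option
    {"proto": "tcp", "flags": "S", "src": "203.0.113.9", "dport": 80, "mss": 100},   # MSS below 536
    {"proto": "icmp", "src": "203.0.113.10", "ttl": 121, "size": 32},                # Windows-sized ping, ~7 hops away
    {"proto": "icmp", "src": "203.0.113.11", "ttl": 121, "size": 65000},             # oversized echo request
]

if __name__ == "__main__":
    for src, verdict in evaluate(SAMPLE_PACKETS, ConnLimiter()):
        print(f"{src:14} {verdict}")
```

The connection counter models what `--connlimit-above 20 --connlimit-mask 24` does in the kernel: all hosts in one /24 share a single budget, the 21st concurrent connection from that block is dropped, and closing a connection frees a slot. Keeping the MSS check ahead of the connection budget mirrors the rule order in the paper, where the mangle-table PREROUTING rule sees the SYN before any filter-table rule.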
Table 2
COMPARISON TABLE OF PREVENTION METHODS
Sl.No | Attack | Parameters controlled for mitigation | Percentage of attack reduction | Method adoptability
1 | SYN flood attack | a. Max. segment size (MSS); b. SYN cookies | a. 86%; b. 79% | Good
2 | TCP flood attack | a. Setting up the threshold | 91% | High
3 | ICMP flood attack | a. Time, TTL, packet size | 93.5% | Very high
4 | UDP flood attack | a. No. of connections; b. Tarpitting | a. 76%; b. 89% | High