There are five general requirements to remove an attack in the cloud: (i) detect the attack as soon as possible and determine its size; (ii) attempt to mitigate its effects as much as possible; (iii) migrate the Virtual Machine (VM) that is under attack to safe physical servers if necessary; (iv) ensure that the network bandwidth needed to migrate the VM is guaranteed; (v) stop the attack with a countermeasure, such as one of the following.
Firewalls
Similar to traditional computing systems, firewalls are usually treated as the first line of defense in the cloud computing environment. They protect the front access points of the cloud and filter traffic in various ways, including the following: (i) inspecting only header information, such as the destination address; (ii) analysing requests and server responses via a state table; (iii) analysing the protocol syntax by breaking off the client/server connection at the firewall.
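To make the difference between approaches (i) and (ii) concrete, here is an added illustration (not code from the original page) of a header-only filter beside a state-table filter, run over a constructed inbound packet trace. The packet model, the allowed-service rule and the `table_limit` cap on tracked connections are assumptions made for the example.

```python
from dataclasses import dataclass


# Constructed packet model: only the header fields a packet filter inspects.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP connection
    ack: bool = False


class StatelessFilter:
    """Header-only filtering: permit if (dst, dport) is an allowed service."""

    def __init__(self, allowed_services):
        self.allowed = set(allowed_services)

    def permit(self, pkt):
        return (pkt.dst, pkt.dport) in self.allowed


class StatefulFilter:
    """State-table filtering: permit new connections to allowed services and
    later packets of connections already in the table; reject anything else."""

    def __init__(self, allowed_services, table_limit=1000):
        self.allowed = set(allowed_services)
        self.table = set()                # (src, sport, dst, dport) tuples
        self.table_limit = table_limit    # assumed cap on tracked connections

    def permit(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return True                   # belongs to a known connection
        opens = pkt.syn and not pkt.ack
        if opens and (pkt.dst, pkt.dport) in self.allowed:
            if len(self.table) >= self.table_limit:
                return False              # table full: refuse new connections
            self.table.add(key)
            return True
        return False                      # data/ACK with no matching connection


SERVER = "10.0.0.5"          # constructed address of the protected server
ALLOWED = {(SERVER, 443)}    # only HTTPS is exposed

# Constructed inbound packet trace.
SAMPLE = [
    Packet("203.0.113.7", 40000, SERVER, 443, syn=True),   # opens HTTPS
    Packet("203.0.113.7", 40000, SERVER, 443, ack=True),   # same connection
    Packet("198.51.100.9", 5555, SERVER, 443, ack=True),   # stray ACK, no SYN seen
    Packet("192.0.2.33", 6000, SERVER, 22, syn=True),      # SSH not exposed
]


def evaluate(packets, allowed=ALLOWED):
    """Return (stateless_decision, stateful_decision) per packet, in order."""
    stateless = StatelessFilter(allowed)
    stateful = StatefulFilter(allowed)
    return [(stateless.permit(p), stateful.permit(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={sl} stateful={sf}")
```

The third packet is the instructive one: a header-only filter accepts it because the destination port is allowed, while the state-table filter rejects it because no connection was ever opened. The `table_limit` check shows the cost of keeping state: once the table fills, new legitimate connections are refused, which is why stateful devices need their own flood protection.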
Clusterized Firewall
- Liu et al., in their 2014 article A clusterized firewall framework for cloud computing, suggest dividing the cloud service into application layers and grouping the servers into clusters. Each cluster has a firewall, which protects its applications according to the request arrival rate, thus guaranteeing quality of service for legitimate users.
Hybrid Firewalling Architecture
There are hybrid firewall architectures available, which combine physical and virtual firewalling services. The physical firewalls represent the company’s physical IT-security infrastructure, and the mitigation service aims to load balance the traffic that is sent to the virtual firewalls. The virtual firewalls, which reside on virtual machines, analyze, monitor and report.
Infrastructure
Amazon Web Services (AWS) proposes an Infrastructure Layer Defense against DDoS attacks. It uses a resizable compute capacity, selects AWS regions for the best latency and throughput, considers Elastic Load Balancing (ELB), uses a CDN service and uses a scalable DNS service. The Application Layer defense deploys web application firewalls to protect the vulnerabilities within an app, or to block unknown source IP addresses, HTTP methods, etc.
Virtual Machine Monitor (VMM)
The goal of a VMM is to monitor the amount of available resources and compare it to a threshold in order to identify that an attack is happening. The VMM is composed of a tagger, a duplicator and a detector, which allow it to monitor and evaluate what the attacker is doing. If the system does come under attack, the OS and all its applications can be moved to a new isolated entity. Because the VMM keeps the applications running in both the original VM and the newly isolated one, there is no service interruption for the victim. Once the migration is complete, the original VM is destroyed, and the attacker can no longer impact its target. Downsides of the VMM include the difficulty of choosing the threshold, and the fact that it runs whether or not an attack is under way, so it often sits idle.
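The threshold difficulty is easiest to see on a trace. The following is an added example, not the page's or any VMM's code: a monitor compares free capacity against a threshold over a window of consecutive samples and requests migration when the window is entirely below it. The trace, the threshold values and the window size are constructed assumptions; the same trace is evaluated under three settings to show the false-alarm versus late-detection trade-off.

```python
from collections import deque


class ResourceMonitor:
    """Flags an attack when free capacity stays below `threshold` for `window`
    consecutive samples, then requests migration of the VM under attack."""

    def __init__(self, threshold, window=3):
        self.threshold = threshold      # fraction of capacity still free
        self.window = window            # consecutive low samples required
        self.samples = deque(maxlen=window)
        self.migrating = False

    def observe(self, free_fraction):
        self.samples.append(free_fraction)
        if self.migrating:
            return "migrating"          # new isolated VM already being prepared
        full = len(self.samples) == self.window
        if full and all(s < self.threshold for s in self.samples):
            self.migrating = True
            return "migrate"
        return "ok"


# Constructed trace of free capacity: a legitimate traffic burst (indices 2-3)
# followed by an actual flood (indices 6-10).
LEGIT_BURST = [0.60, 0.55, 0.35, 0.32, 0.50, 0.62]
FLOOD = [0.25, 0.12, 0.06, 0.04, 0.03]
TRACE = LEGIT_BURST + FLOOD


def first_trigger(threshold, trace, window=3):
    """Index of the sample at which migration is requested, or None."""
    monitor = ResourceMonitor(threshold, window)
    for i, free in enumerate(trace):
        if monitor.observe(free) == "migrate":
            return i
    return None


if __name__ == "__main__":
    for threshold, window in [(0.40, 3), (0.40, 2), (0.10, 3)]:
        print(f"threshold={threshold} window={window} -> "
              f"trigger at sample {first_trigger(threshold, TRACE, window)}")
```

With a 0.40 threshold and a three-sample window the monitor ignores the legitimate burst and triggers at sample 8, early in the flood. Shortening the window to two samples triggers at sample 3, a false alarm that would migrate a healthy VM; lowering the threshold to 0.10 avoids false alarms but does not trigger until sample 10, after the victim has already been starved. Neither parameter can be set well without knowing the workload's normal variation, which is the difficulty the text points at.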
Intrusion Detection Systems (IDS)
Traditional IDS can’t offer full visibility into a company’s cloud environment, but specifically geared Intrusion Detection Systems (IDS) can be used in Virtual Machines (VMs) as a mitigation technique in cloud computing. Cloud IDS can be separated into two categories: (i) Network-based Intrusion Detection Systems (NIDS); (ii) Host-based Intrusion Detection Systems (HIDS).
For NIDS, detection covers all network traffic, whereas HIDS applies only to a specific host. The IDS can block an intruder’s address by analysing inbound and outbound traffic.
IDSs can analyse network traffic using a predefined rule set and protect classified or confidential data in defense zones. Each layer or defense zone requires its own IDS to identify new potential attacks and vulnerabilities within that zone's systems.
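As an added example (not code from the page or from any IDS product), the following runs a small predefined rule set over constructed connection-log lines and derives the addresses the IDS would block. The `hosts` parameter switches between the two scopes the text describes: `None` evaluates all traffic like a NIDS, while a set of addresses restricts analysis to those hosts like a HIDS. The log format, the telnet signature rule and the port-count threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed connection log: "timestamp src:sport -> dst:dport flags".
LOG = """\
2024-05-01T10:00:01 203.0.113.7:40001 -> 10.0.0.5:22 SYN
2024-05-01T10:00:02 203.0.113.7:40002 -> 10.0.0.5:23 SYN
2024-05-01T10:00:02 203.0.113.7:40003 -> 10.0.0.5:80 SYN
2024-05-01T10:00:03 203.0.113.7:40004 -> 10.0.0.5:443 SYN
2024-05-01T10:00:03 203.0.113.7:40005 -> 10.0.0.5:8080 SYN
2024-05-01T10:00:04 198.51.100.9:51000 -> 10.0.0.5:443 SYN
2024-05-01T10:00:05 198.51.100.9:51000 -> 10.0.0.5:443 ACK
2024-05-01T10:00:06 192.0.2.33:6000 -> 10.0.0.9:23 SYN
"""

LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

# Predefined rule set (assumed): signature rules match a single record; the
# scan rule counts distinct destination ports per source across the log.
SIGNATURE_RULES = [
    {"name": "telnet-inbound", "dport": 23},
]
SCAN_MIN_PORTS = 4


def parse(log_text):
    """Turn log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, flags = m.groups()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "flags": flags})
    return records


def analyse(log_text, hosts=None):
    """Return (alerts, blocked). hosts=None behaves like a NIDS (all traffic);
    a set of host addresses behaves like a HIDS scoped to those hosts."""
    alerts = set()
    ports_by_src = defaultdict(set)
    for r in parse(log_text):
        if hosts is not None and r["dst"] not in hosts:
            continue                      # outside this HIDS's host
        for rule in SIGNATURE_RULES:
            if r["dport"] == rule["dport"]:
                alerts.add((rule["name"], r["src"]))
        ports_by_src[r["src"]].add(r["dport"])
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_MIN_PORTS:
            alerts.add(("port-scan", src))
    blocked = {src for _, src in alerts}  # addresses the IDS would block
    return alerts, blocked


if __name__ == "__main__":
    for scope in (None, {"10.0.0.5"}):
        alerts, blocked = analyse(LOG, hosts=scope)
        print("scope:", "NIDS" if scope is None else f"HIDS {sorted(scope)}")
        for name, src in sorted(alerts):
            print(f"  alert {name} from {src}")
        print("  blocked:", sorted(blocked))
```

The NIDS run sees the telnet attempt against 10.0.0.9 and blocks both offending sources; the HIDS run scoped to 10.0.0.5 never sees that record, which is the visibility gap behind the text's point that each defense zone needs its own IDS. The client at 198.51.100.9 matches no rule and is never blocked.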
Overall Security Architecture
Security architecture in the cloud necessitates numerous different elements: servers, switch controller, router, protocols and applications.
A Security Aware Cloud Architecture should always offer protection to secure public clouds and data centers through various mechanisms, including (i) trust delegation and negotiation architecture; (ii) DDoS specific defense and worm containment; (iii) developing a reputation system for different sites; (iv) fine-grain access control; and (v) collusive privacy prevention.
Software-Defined Networking (SDN) and cloud computing can improve the DDoS Attack Mitigation Architecture (DaMask). The DaMask architecture involves three different layers: network switches, network controllers and network applications. There are two defined modules: (i) DaMask-D, a network attack detection system, and (ii) DaMask-M, an attack reaction module. DaMask-M defines three straightforward operations: forward, drop and modify the packet. These operations are implemented as a series of APIs, allowing the defenders to customize the countermeasures.
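To show how the three DaMask-M operations can be exposed as an API that defenders compose, here is an added example in Python. It is not DaMask's own code or API: the operations are plain callables, the reaction module is a verdict-to-operation mapping, and the detection function standing in for DaMask-D, the list-based verdicts, the scrubbing-host address and the packet model are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# The three reaction operations, as callables: each returns the packet to
# emit, or None to drop it.
Operation = Callable[[Packet], Optional[Packet]]


def forward(pkt: Packet) -> Optional[Packet]:
    return pkt


def drop(pkt: Packet) -> Optional[Packet]:
    return None


def modify(**fields) -> Operation:
    """Factory: build an operation that rewrites the given header fields."""
    def op(pkt: Packet) -> Optional[Packet]:
        return replace(pkt, **fields)
    return op


class ReactionModule:
    """Maps detection verdicts to operations; defenders customise the mapping."""

    def __init__(self):
        self.policy = {"benign": forward}

    def register(self, verdict: str, op: Operation) -> None:
        self.policy[verdict] = op

    def apply(self, verdict: str, pkt: Packet) -> Optional[Packet]:
        # An unregistered verdict fails closed: the packet is dropped.
        return self.policy.get(verdict, drop)(pkt)


def detect(pkt: Packet, blocklist, suspects) -> str:
    """Stand-in for the detection module (assumed list-based verdicts)."""
    if pkt.src in blocklist:
        return "attack"
    if pkt.src in suspects:
        return "suspicious"
    return "benign"


SCRUBBER = "10.0.0.200"   # assumed address of a traffic-scrubbing host
BLOCKLIST = {"192.0.2.33"}      # constructed
SUSPECTS = {"203.0.113.7"}      # constructed

# Constructed packets: one benign client, one suspect, one known attacker.
PACKETS = [
    Packet("198.51.100.9", "10.0.0.5", 443),
    Packet("203.0.113.7", "10.0.0.5", 443),
    Packet("192.0.2.33", "10.0.0.5", 443),
]


def build_module() -> ReactionModule:
    """A defender's customised policy: drop attacks, divert suspects."""
    m = ReactionModule()
    m.register("attack", drop)
    m.register("suspicious", modify(dst=SCRUBBER))
    return m


def run_pipeline(packets, module, blocklist=BLOCKLIST, suspects=SUSPECTS):
    """Detection verdict, then reaction; returns the packets actually emitted."""
    emitted = []
    for pkt in packets:
        out = module.apply(detect(pkt, blocklist, suspects), pkt)
        if out is not None:
            emitted.append(out)
    return emitted


if __name__ == "__main__":
    for pkt in run_pipeline(PACKETS, build_module()):
        print(f"emit {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

The benign packet passes unchanged, the suspect's packet is rewritten to the scrubbing host, and the attacker's packet is dropped. Because the module falls back to `drop` for any verdict without a registered operation, a detector that starts emitting a new verdict cannot silently turn into an open path.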