Securing Cloud, SDN and Large Data Network Environments from Emerging DDoS Attacks

Jeanette Smith-Perrone
Networking and Cyber Security Program, Tacoma Community College, Tacoma, Washington, USA
jsmith-perrone@tacomacc.edu

Jeremy Sims
Networking and Cyber Security Program, Tacoma Community College, Tacoma, Washington, USA
jsims@tacomacc.edu

2017 7th International Conference on Cloud Computing, Data Science & Engineering (Confluence). 978-1-5090-3519-9/17/$31.00 ©2017 IEEE

Abstract— The cyber threat landscape, and distributed denial-of-service (DDoS) in particular, is evolving faster than traditional IPS/IDS solutions can manage using known attack signatures. The size, scope and variations of the attacks can now overwhelm large enterprise environments and diminish resource availability for ecommerce, cloud, hosting and carrier platforms. This paper provides an overview of the DDoS problem, the current mitigation process, and proposed automation for identification and precise mitigation. We present an available mechanism for preventing DDoS attacks without human intervention, so that 0-day attacks can be mitigated. The paper provides an understanding of the DDoS problem facing cloud, SDN, and large enterprise networks.

Keywords—DDoS, DoS, SDN, Cloud, attack, defense, enterprise, mitigation

I. INTRODUCTION

This paper focuses on the challenges of protecting a hybridized enterprise or cloud computing environment from the ravages of rapidly evolving Distributed Denial of Service (DDoS) attacks. A Distributed Denial of Service attack is an attack on a server in which a massive number of packets are sent to create an outage or service degradation for legitimate users, depriving the organization of necessary computer services such as access to the Internet, email, or on premise, hosted, or cloud services [1]. Carrier, hosting, large enterprise networks, and cloud environments are all vulnerable to DDoS attacks. There was an assumption that this type of attack would not affect cloud computing because of the size and distribution of its resources. This has proven to be an erroneous assumption. DDoS attacks limit the availability of virtual applications. Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS) are all service models of cloud computing potentially impacted by resource consumption leading to degraded availability. DDoS attacks performed using a botnet can, and now regularly do, exceed 300 Gb/s. The Mirai based botnets have proven that Internet of Things (IoT) botnet members can create DDoS attacks exceeding 100 to 300 Gb/s in volume [2]. Organizations that depend on cloud computing can be greatly impacted by the effects of DDoS attacks. Obtaining best of breed protection against DDoS attacks is essential to maintaining the availability of the service environment.

II. DDOS ATTACKS

A. The Evolving Threat Landscape

The cyber threat landscape is evolving faster than vendors can create mitigations for attacks. In the past, a 1 to 10 Gb/s attack would have been highly unusual and would have required a botnet of 100,000+ victim systems to participate. Today, 300+ Gb/s attacks have become the norm. Botnets are increasing in number and size. Hybridization of enterprise and cloud solutions increases the surface area exposed to DDoS threats. Effectively mitigating an attack of the scale and complexity seen today requires automated attack identification and response. Enterprise and cloud environments are evolving to meet the changing needs of clients and platform development. Cyber criminals are advancing the complexity and automation of their attack tools as well. There is no shortage of easy to use attack tools available freely, or for a nominal cost, on the Internet. Denial of Service as a Service (DaaS) is a growing business. The ability of a neophyte to hire a well provisioned botnet for a specified attack duration puts attacks within reach of anyone. Hence, the threat landscape continues to expand and become more complex.

We have entered the age of the hybridized enterprise and cloud environment. Hence, solutions that can fit the diversity of vendors and platforms are needed. When assets are dispersed geographically and the network becomes more porous, the mitigation solutions must match this paradigm. Attack detection must utilize the telemetry from all peers and possibly integrate with solutions from other vendors. Mitigation must be automated to keep pace with the availability demands of service based environments. Lastly, mitigation must be accurate, immediate and effective.

B. Botnets

Botnets are an army of compromised computers. The botnet is created through malware being installed on the computers by a variety of methods. The malware can be installed via phishing or spam messages that are received and opened, through a website link or download, a USB drive, or another exploited pathway to the unsuspecting victim's computer. Once the malware is installed, the computer contacts the command and control (C&C) server of the botnet owner. The computer is now a member of the botnet. Software updates,
attack instructions, etc. will be provided to the botnet members by the C&C server [3].

C&C servers have evolved into botnet management platforms. The C&C servers hosting the botnet herder's victims are designed to easily deploy a wide array of network and application attacks, provide implementation scripts to botnet victims, and quickly scale the attacks. The servers are capable of peer-to-peer (P2P) communication and collaboration. The botnet can then be controlled by a single botnet herder (owner) or by several.

How big does a botnet need to be to cause significant impact? Depending on the type of attack, a botnet of 2,000 members can cause significant damage. However, botnets of a few thousand victim members are passé. A botnet's size is bounded by the overall infected population of the respective malware; its capacity is determined by the types of attack tools available to it and the throughput of each botnet member [4].

In the past, botnet victim systems were limited by the capacity of their Internet connections. Today, the casual Internet user often has a home connection that rivals a small enterprise environment at 50+ Mb/s of throughput. This makes the home system capable of generating and transmitting large attack volumes. Multiplied by the size of a botnet, the realities start to set in. Even a small botnet of 2,000 participants can potentially create a volume exceeding

DaaS is the monetization of the botnet. Botnets-for-hire are assets that are auctioned, traded, and sold for a defined period of use to deliver DDoS attacks. Online marketplaces provide a platform for botnet herders to trade compromised, malware-infected systems. Attack tools and DaaS services are often camouflaged as penetration-testing or stress-testing services. These services provide richly featured platforms and a distributed network of attackers to execute DDoS attacks.

IP spoofing is a tactic for concealing the identity of the attacking system. In network attacks, hiding the attacking system's Internet Protocol (IP) address is commonplace. The use of a spoofed or false source IP address makes blocking an attack by IP a futile action. The source IP can be randomized during an attack, or it can be the address of a real system owned by another entity; that entity is then either wrongly blamed as the attacker or receives a reflected flood of response packets returning to the spoofed source. Basically, you cannot trust the source IP as a means of blocking or identifying attacks. It is not who is attacking but the characteristics of the attack that matter.

The Mirai botnet used a variety of cycling network- and application-level attacks. Mirai is malware that infects IoT devices to recruit victims to the botnet for DDoS attacks. The unusual aspect of the attacks spawned by the 2016 Mirai botnet was the use of GRE floods. The volumes indicated a dispersed, large botnet. Incapsula researchers indicated that the botnet included almost 50,000 unique IPs located in 164 countries, consisting mostly of CCTV cameras, DVRs and routers [5]. The Mirai based attacks reached a traffic peak of 620+ gigabits per second, with botnets of potentially over 100,000 members [6]. These devices have operating systems that are configured at manufacture and are not updated, patched or secured after installation. Hence, the risk presented by IoT devices is high and unlikely to be corrected at the device level [7].

III. METHODS OF DEFENSE

Security professionals are trained to stop DDoS attacks by identifying a volumetric change in the ingress traffic using network monitoring tools; on seeing one, the professional reroutes traffic to a scrubbing center. Abnormal packet characteristics are identified and a signature is created to drop the offending traffic. The legitimate traffic is then rerouted to the protected environment.

A. DDoS Attack Identification

The existence of a DDoS attack is determined by a volumetric change. The volumetric change is identified through NetFlow based telemetry gathered by a flow collection and analysis tool.

B. Defense Footprint

A distinctive defense footprint, or signature, is the keystone to matching attack packets while allowing legitimate traffic through. The goal is a footprint distinctive enough to block attack traffic without creating false positives that drop legitimate traffic. False positives are very common in most mitigation solutions because of the additional time needed to validate the footprint characteristics manually. Hence, blocking of legitimate traffic is a potential hazard of manual footprint determination.

Security professionals are trained to stop DDoS attacks by identifying the commonalities in the DDoS attack packets. A packet capture is collected and analyzed for potentially nefarious packets. The analyst then identifies the most common characteristics of the attack packets. This process takes a minimum of 30 minutes for skilled professionals. A signature is then manually configured on a defense device or application to match each incoming packet against the signature footprint. This process is time intensive and consumes human resources. Precious minutes to hours are lost to this antiquated process.

C. Traditional Defense Implementation

The Intrusion Detection/Prevention System (IDS/IPS) is a traditional method for mitigating DDoS attacks. This system may have an existing signature that will be matched to the offending packets. These packets are dropped to mitigate the attack. If the IPS does not have a signature for the attack, then the security professional must analyze the traffic to identify unique characteristics of the attack. As you can imagine, this process can impact the availability of cloud based applications and environments. Service Level Agreements (SLAs) define the level of accessibility required by the client and dictated by contract. Hence, DDoS attacks, even when mitigated in this manner, impact availability and revenue and damage the cloud provider's reputation.

Not all IPS/IDS solutions are created equal. Cloud providers have traditionally implemented scrubbing centers to which the DDoS traffic is routed when a volumetric change is recognized. This manual process takes time, at an average of
20 minutes to an hour from identification to rerouting of the traffic for mitigation. Blocking of attack traffic is usually by IP rather than by the characteristics of the attack. Blacklists are often used to inhibit traffic from known nefarious sources. Again, the delay these processes introduce is unacceptable and costly.

D. Automated Defense Against DDoS

Automation of attack detection, mitigation, and reporting is essential to meeting SLAs and regulatory compliance, and hence to maintaining revenue and reputation. One solution stands out as meeting the automated response necessary: the Radware Attack Mitigation System (AMS). The focal point of the Radware AMS is the DefensePro [8].

The DefensePro identifies the volumetric change indicating a DDoS attack. It then uses behavioral analysis to determine the footprint characteristics of the attack traffic. The initial footprint is in place and able to block only the attack traffic, without impacting legitimate traffic, in 8 seconds or less, faster than humanly possible. The behavioral module then uses a closed feedback loop to validate the footprint and arrive at a low to no false positive footprint within an additional 10 seconds. The closed feedback process and surgically precise blocking of the attack traffic thus complete in 18 seconds or less. The DefensePro can be placed inline at the ingress of the network to provide automatic detection and mitigation of ingress and egress traffic, or of ingress traffic only.

The DefensePro uses Radware's patented behavioral detection and analysis modules to provide automated 0-day DDoS attack protection through real-time signature creation within seconds. The behavioral module detects statistical traffic anomalies, creates an accurate attack footprint based on heuristic analysis of the packet distribution, and validates the signature created to assure that legitimate traffic is not affected by the mitigation measure.

Volumetric attacks can be detected by the on premise DefensePro DDoS protection device placed at the ingress to the network at the perimeter. Behavioral analysis determines the footprint of the attack and mitigation starts immediately. If the attack threatens to saturate the Internet pipe or the provider service, the on premise DDoS protection device communicates the risk to the cloud based scrubbing center. Redirection of traffic for scrubbing can be automated or semi-automated based on the client's preference. Traffic is rerouted and the attack traffic is blocked, allowing only the legitimate traffic to be routed to the client ingress point.

The DefensePro solution adapts to the changing attacks often seen in attack campaigns. The attacks are crafted to overwhelm and circumvent protections. Hence, attacks will often cycle on/off and vary in volume, size and frequency. Human response time is too slow to keep abreast of the changing attack vectors. There is a strong need for an automated response that can control the mitigation, constantly analyze traffic patterns, and learn legitimate traffic baselines.

Radware offers cloud DDoS protection services to meet the unique needs of networks and applications, including:

• Hybrid Cloud DDoS Protection Service: This solution includes the DefensePro on premise, providing immediate inline or out-of-path protection. The device(s) can be managed by the enterprise or fully managed by Radware.

• Always-On Cloud DDoS Protection Service: In this option all traffic is routed through Radware's cloud centers.

• On-Demand Cloud DDoS Protection Service: In this option traffic is diverted to Radware's cloud centers only when an attack is detected.

E. Automatic Detection in the SDN

Extending the automation of attack detection, mitigation, and reporting to include cloud, large enterprise, and SDN controlled environments is challenging. The size and scope of the required protections creates an untenable condition. Providing coverage for the ever-changing applications and number of clients is a difficult endeavor in a single vendor environment, and even more challenging in the increasingly hybridized environments. Radware provides solutions that meet these challenges while continuing to expand the protections already available in the on premise and cloud solution, Radware AMS. The solution focuses on attack detection, mitigation and reporting, with the addition of automation for out-of-path positioning of the DefensePro mitigation device.

DefenseFlow is a software solution that provides centralized attack detection, mitigation, reporting, and automation for known and emerging network attacks that threaten network resource availability. DefenseFlow utilizes NetFlow telemetry from detection devices dispersed throughout a network, coalesced by a flow collector, to detect the attacks. DefenseFlow then uses behavioral analysis of the traffic to determine the footprint of the attack. DefenseFlow selects the mitigation device, populates the device with a protection policy and workflow, then announces the route change. The selected DefensePro takes over from there with the assigned mitigation. DefenseFlow provides attack life cycle control to automate the mitigation from start to finish. For software defined networks (SDN) with OpenFlow, DefenseFlow communicates and works with the SDN controller to redirect the traffic to the mitigation device. Carriers, Internet Service Providers (ISPs), cloud service providers, and large hybridized, geographically dispersed enterprise networks using DefenseFlow with the Radware AMS can assure availability through automated mitigation of network and application DDoS attacks.

IV. FINAL THOUGHTS

DDoS attacks are occurring at increasingly greater scale and frequency. Monetization of the business of cybercrime through DDoS attacks has dramatically changed the number of botnets and attackers. Adaptation to the changing threat landscape is untenable using IPS/IDS for only known attacks, mitigation by rate limit, and a high occurrence of false positives. Automation using behavioral analysis and cyber control is necessary to meet SLA availability requirements.
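The detection-then-footprint procedure of Sections III.A, III.B and III.D, as an added worked example in Python that is not part of the paper and not Radware's code: it aggregates constructed NetFlow-style records per window, raises an alarm when a window's byte volume exceeds a multiple of the mean of the preceding windows, then builds a footprint greedily from the most common packet characteristics of the alarm window, validating each candidate against the pre-attack baseline in a closed loop until the share of legitimate bytes it would drop falls below a threshold. It also measures what blacklisting the busiest source addresses would achieve against spoofed sources. The victim address, the sample traffic, the attribute set and the thresholds (3x baseline, 0.5% false positives, 90% coverage) are assumptions made for this example.

```python
"""Added example (not from the paper or Radware): volumetric detection, footprint
derivation with closed-loop validation, and a source-IP blacklist for comparison,
over constructed NetFlow-style records. Names and thresholds are assumptions."""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src dst proto sport dport bytes pkts flags")  # NetFlow v5 subset
VICTIM = "203.0.113.10"  # protected service (constructed, TEST-NET-3)
WINDOW = 60              # aggregation window in seconds

def legit_flows(ts):
    """Constructed baseline for one window: 40 HTTPS sessions plus 10 small DNS exchanges."""
    https = [Flow(ts, f"198.51.100.{i+1}", VICTIM, 6, 40000+i, 443, 14000, 10, "AP") for i in range(40)]
    dns = [Flow(ts, f"192.0.2.{i+1}", VICTIM, 17, 50000+i, 53, 400, 5, "") for i in range(10)]
    return https + dns

def attack_flows(ts, n=200):
    """Constructed UDP flood on port 53: 1400-byte packets from spoofed, rotating sources."""
    spoofed = [f"{1+(i*7)%223}.{(i*13)%256}.{(i*17)%256}.{(i*19)%256}" for i in range(n)]
    return [Flow(ts, src, VICTIM, 17, 1024+i, 53, 1400*50, 50, "") for i, src in enumerate(spoofed)]

def window_of(f):
    return f.ts // WINDOW * WINDOW

def detect_volumetric_change(flows, dst, factor=3.0, min_history=3):
    """(window_start, observed_bytes, mean_of_prior_windows) for the first window whose
    byte volume towards dst exceeds factor x the mean of the preceding ones, else None."""
    totals = Counter()
    for f in flows:
        if f.dst == dst:
            totals[window_of(f)] += f.bytes
    history = []
    for w in sorted(totals):
        if len(history) >= min_history and totals[w] > factor * sum(history) / len(history):
            return w, totals[w], sum(history) / len(history)
        history.append(totals[w])
    return None

# Characteristics a footprint may be built from; pkt_size is mean packet size in 100-byte buckets.
FIELDS = {
    "proto": lambda f: f.proto,
    "dport": lambda f: f.dport,
    "pkt_size": lambda f: f.bytes // max(f.pkts, 1) // 100 * 100,
    "flags": lambda f: f.flags,
}

def matches(footprint, f):
    return all(FIELDS[k](f) == v for k, v in footprint.items())

def byte_share(footprint, flows):
    """Fraction of the bytes in flows that the footprint would drop."""
    return sum(f.bytes for f in flows if matches(footprint, f)) / sum(f.bytes for f in flows)

def derive_footprint(suspect, baseline, max_fp=0.005, min_coverage=0.9):
    """Greedy footprint with closed-loop validation: each round adds the attribute whose most
    common value among the suspect flows gives the lowest false-positive share on the baseline
    while still covering >= min_coverage of the suspect bytes; stops once fp <= max_fp."""
    footprint = {}
    while byte_share(footprint, baseline) > max_fp:
        best = None
        for name, fn in FIELDS.items():
            if name in footprint:
                continue
            common = Counter(fn(f) for f in suspect if matches(footprint, f)).most_common(1)
            if not common:
                continue
            cand = dict(footprint, **{name: common[0][0]})
            cov, fp = byte_share(cand, suspect), byte_share(cand, baseline)
            if cov >= min_coverage and (best is None or fp < best[0]):
                best = (fp, cand)
        if best is None:  # nothing left that keeps coverage; return what we have
            break
        footprint = best[1]
    return footprint, byte_share(footprint, suspect), byte_share(footprint, baseline)

def source_blacklist_coverage(suspect, top_n):
    """Byte share removed by blacklisting the top_n talkers; stays low against spoofed,
    rotating sources, which is the paper's point about blocking by IP."""
    by_src = Counter()
    for f in suspect:
        by_src[f.src] += f.bytes
    return sum(b for _, b in by_src.most_common(top_n)) / sum(by_src.values())

def run():
    """Five quiet windows, then one carrying the flood; returns the verdicts."""
    flows = [f for w in range(5) for f in legit_flows(w * WINDOW)]
    flows += legit_flows(5 * WINDOW) + attack_flows(5 * WINDOW)
    alarm = detect_volumetric_change(flows, VICTIM)
    if alarm is None:
        return None
    w, observed, mean = alarm
    suspect = [f for f in flows if window_of(f) == w]   # the alarm window, attack plus legit
    baseline = [f for f in flows if window_of(f) < w]   # pre-attack windows used for validation
    footprint, cov, fp = derive_footprint(suspect, baseline)
    return {"window": w, "observed": observed, "baseline": mean, "footprint": footprint,
            "coverage": cov, "false_positive": fp,
            "blacklist_top20": source_blacklist_coverage(suspect, 20)}

if __name__ == "__main__":
    print(run())
```

Run as-is and the flood is caught by protocol plus packet size: the first round of the loop picks UDP, which would also drop the legitimate DNS in the baseline, and the second round adds the 1400-byte packet size to bring the false-positive share to zero while still covering about 96% of the alarm window's bytes. Blacklisting the twenty busiest sources, by contrast, removes under a tenth of the bytes because every spoofed source appears once. Here the validation runs against stored pre-attack flows rather than live traffic.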

ACKNOWLEDGMENT

The research for this paper was supported by Tacoma Community College, Radware Ltd., EMC and Dell. We extend our gratitude to the anonymous reviewers for their insightful comments, which helped improve this paper.

REFERENCES

[1] D. L. Meena and J. S. Jadon, "Distributed denial of service attacks and their suggested defense remedial approaches," International Journal of Advance Research in Computer Science and Management Studies, vol. 2, no. 4, April 2014.
[2] R. V. Deshmukh and K. K. Devadkar, "Understanding DDoS attack & its effect in cloud environment," Procedia Computer Science, vol. 49, 2015.
[3] E. Alomari, S. Manickam, B. B. Gupta, S. Karuppayah, and R. Alfaris, "Botnet-based Distributed Denial of Service (DDoS) attacks on web servers: Classification and art," International Journal of Computer Applications, vol. 49, no. 7, July 2012.
[4] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "My botnet is bigger than yours (maybe, better than yours): Why size estimates remain challenging," USENIX HotBots, 2007.
[5] Incapsula, "Breaking down Mirai: An IoT DDoS botnet analysis," 2016, https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
[6] S. Gallagher, "Double-dip Internet-of-Things botnet attack felt across the Internet," 2016, http://arstechnica.com/security/2016/10/double-dip-internet-of-things-botnet-attack-felt-across-the-internet/
[7] A. Manion, "Security and the Internet of Things," podcast, 08/25/2016.
[8] Radware Ltd., "DDoS survival handbook," 2013.

