Ragib Hasan, Johns Hopkins University, en.600.412 Spring 2011
Lecture 11, 04/25/2011
Security and Privacy in Cloud Computing
en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan
Attacking Availability
• Goal: To see how availability of a cloud can be affected by DoS attacks launched from inside the cloud.
• Review Assignment #10:
– Han Liu, A New Form of DOS Attack in a Cloud and Its Avoidance Mechanism, ACM Cloud Computing Security Workshop 2010
Announcement
• Next week (5/2), we’ll have our final class, where we will discuss
– A wrap-up of things we learned
– A high level view of the cloud security problem space
• No new papers will be discussed next week (but you do have to turn in Review Assignment #10 by 5/2)
Recap: Anti-virus as a service
• Pros
• Cons
• Ideas
DoS attack on cloud
• Network provisioning in data centers:
– Many servers share the same link/router, so bandwidth is shared.
Data center networks are typically grossly under-provisioned
• Typical ratios are 2.5:1 to 8:1
– 8:1 means servers get at most 1/8 of the bandwidth of their interface
• Bandwidth is limited by the hierarchical nature of the network, routers, and switches
• Multiplexing in routers reduces the amount of bandwidth each server ultimately gets
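The oversubscription ratio on the slide above is a property of the whole path from a host to the core, not of a single link. The following added example (not from the lecture or the paper it reviews) models a small hierarchical topology and computes, for a given host, which uplink becomes the bottleneck and how much bandwidth the host is left with when every host beneath each uplink transmits at once. The topology names (R, S1, S2, H1..H8) and link capacities are constructed assumptions chosen so that the result comes out at exactly 8:1.

```python
"""Worst-case bandwidth share per host in an oversubscribed tree topology.

Constructed example (not from the lecture or the paper): an aggregation
router R with a 1 Gbit/s uplink toward the core, two top-of-rack switches
S1 and S2 each with a 1 Gbit/s uplink to R, and four hosts with 1 Gbit/s
interfaces under each switch. All names and capacities are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    uplink_gbps: float                  # capacity of the link from this node toward the core
    children: List["Node"] = field(default_factory=list)

    def hosts_below(self) -> int:
        """Number of hosts (leaves) whose traffic toward the core crosses this uplink."""
        if not self.children:
            return 1
        return sum(child.hosts_below() for child in self.children)


def _path_to(node: Node, host_name: str) -> Optional[List[Node]]:
    """Nodes from the root down to the named host, or None if the host is absent."""
    if not node.children:
        return [node] if node.name == host_name else None
    for child in node.children:
        sub = _path_to(child, host_name)
        if sub is not None:
            return [node] + sub
    return None


def bottleneck_for(root: Node, host_name: str) -> Optional[Tuple[str, float]]:
    """(name of the node whose uplink is the bottleneck, Gbit/s left for the host)
    when every host under each uplink on the path transmits toward the core at once.

    Each uplink is split evenly among the hosts beneath it; the host's effective
    bandwidth is the smallest share along its path, which is also the link an
    operator would need to upgrade first.
    """
    path = _path_to(root, host_name)
    if path is None:
        return None
    return min(((n.name, n.uplink_gbps / n.hosts_below()) for n in path),
               key=lambda item: item[1])


def oversubscription_ratio(root: Node, host_name: str) -> Optional[float]:
    """Interface bandwidth divided by the worst-case share: 8.0 means '8:1'."""
    result = bottleneck_for(root, host_name)
    if result is None:
        return None
    host = _path_to(root, host_name)[-1]
    return host.uplink_gbps / result[1]


def _rack(switch: str, hosts: List[str]) -> Node:
    """A top-of-rack switch with a 1 Gbit/s uplink and 1 Gbit/s host ports (assumed)."""
    return Node(switch, 1.0, [Node(h, 1.0) for h in hosts])


# Constructed topology: R -> {S1: H1..H4, S2: H5..H8}
TOPOLOGY = Node("R", 1.0, [_rack("S1", ["H1", "H2", "H3", "H4"]),
                           _rack("S2", ["H5", "H6", "H7", "H8"])])

if __name__ == "__main__":
    for h in ("H1", "H5"):
        print(h, bottleneck_for(TOPOLOGY, h), f"{oversubscription_ratio(TOPOLOGY, h)}:1")
```

With these constructed capacities the router's uplink is shared by all eight hosts, so each is left with 0.125 Gbit/s of its 1 Gbit/s interface, the 8:1 case from the slide; the rack switch (4:1) is not the binding constraint. Running the same function over every host of a real topology export gives the per-host worst case an operator can compare against tenant bandwidth expectations.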
Typical data center network
Communication between H1-H4 and H5-H8 is routed through R5 and R6.
Under provisioning is not a problem in traditional networks
• Network admins can co-locate related servers in the same subnet
• Network admins can redesign network topologies to fine tune for worst case performance
Under provisioning IS a problem in clouds
• There are many more servers in a cloud, so provisioning ratios are much higher (e.g. 45:1)
• Many clients use the same network, and malicious clients can launch DoS
• Application owner/designer has no control over network topology
DoS attacks on clouds
• DoS attacks on traditional systems (from the outside) can be prevented via clever tricks such as moving to a cloud based virtualized model
• DoS attacks on clouds launched from *inside* the cloud are much harder to prevent
DoS attack on clouds
• Adversary launches attack from inside the cloud data center network
• After probing the network and reverse-engineering the topology, the adversary can identify bottlenecks
• Then the adversary can send DoS traffic to the bottleneck link to saturate it
Example
• To attack Link B, adversary sends packets from R1’s subnet to another subnet
Types of attacks
• Untargeted attack: No particular link or host is targeted
• Targeted attack: Adversary gains critical mass in a network to target a specific victim
Topology identification
• Knowledge of topology is important for the adversary
How to identify topology
• Technique #1: Traceroute
– Run traceroute between all pairs of hosts
– Due to IP provisioning schemes, running traceroute for a few pairs of hosts is enough
– Disadvantages:
• Can’t identify switches (layer 2)
• Can be disabled at router level
How to identify topology
• Technique #2: Network probing
– Idea: Use observed traffic rates to infer the number of routers between two hosts
How many malicious hosts is enough?
• Untargeted attack:
– Easy to get many hosts if the VM assignment algorithm can be reverse engineered (as in the “Hey You!” paper)
– Even a brute force attack succeeds in getting many hosts in the same subnet
– (Note: this is different from the co-location attack, where the goal was to co-locate on physical hardware rather than on the network)
How many malicious hosts is enough?
• Targeted attack:
– Pick victim, launch brute force attacks
– Tests show it is easy to get VMs in the same subnet as the target
Launching the attack
• Process:
– Send a flood of packets through the link
– UDP used. (Why?)
– For adaptive applications, do not saturate the link completely, rather “almost” saturate it (Why?)
Mitigation strategy
• Use a user side monitoring agent to monitor link saturation
• When a link degrades, or the server detects a bottleneck and sends a help packet, the monitor initiates app migration
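The two triggers on this slide (observed link degradation and a help packet from the server) can be combined in one small decision loop. The following is an added example written for this lecture, not the monitoring agent from the paper: a user-side monitor consumes periodic throughput samples against a fixed peer plus an optional help flag, detects sustained degradation with a sliding window, and returns a migration decision with a cooldown so one incident does not cause repeated migrations. The baseline, thresholds, window size and the sample stream are constructed assumptions.

```python
"""User-side link-saturation monitor that decides when to migrate an app.

Constructed example, not the agent described in the paper: it consumes
periodic throughput samples (Mbit/s measured against a fixed peer) plus an
optional 'help' flag from the application server, and returns a migration
decision. Thresholds, window sizes and the sample stream are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Iterable, List, Optional, Tuple


@dataclass
class Sample:
    t: int                    # seconds since the monitor started (constructed)
    mbps: float               # observed throughput on the monitored link
    help_flag: bool = False   # server reported a bottleneck itself


class SaturationMonitor:
    """Fires when at least `min_bad` of the last `window` samples fall below
    `degrade_fraction` of the baseline, or immediately on a help packet.
    A cooldown stops one attack from causing repeated migrations."""

    def __init__(self, baseline_mbps: float, degrade_fraction: float = 0.5,
                 window: int = 5, min_bad: int = 3, cooldown_s: int = 300) -> None:
        self.threshold = baseline_mbps * degrade_fraction
        self.recent: Deque[bool] = deque(maxlen=window)   # True = degraded sample
        self.min_bad = min_bad
        self.cooldown_s = cooldown_s
        self.last_migration: Optional[int] = None
        self.events: List[Tuple[int, str]] = []

    def _in_cooldown(self, t: int) -> bool:
        return (self.last_migration is not None
                and t - self.last_migration < self.cooldown_s)

    def observe(self, s: Sample) -> Optional[str]:
        """Return the migration reason if this sample triggers one, else None."""
        self.recent.append(s.mbps < self.threshold)
        if s.help_flag:
            reason = "server_help"
        elif sum(self.recent) >= self.min_bad:
            reason = "sustained_degradation"
        else:
            return None
        if self._in_cooldown(s.t):
            return None
        self.last_migration = s.t
        self.recent.clear()          # start a fresh window on the new placement
        self.events.append((s.t, reason))
        return reason


def run_monitor(samples: Iterable[Sample],
                baseline_mbps: float = 1000.0) -> List[Tuple[int, str]]:
    """Feed a sample stream through one monitor and return (time, reason) events."""
    mon = SaturationMonitor(baseline_mbps)
    for s in samples:
        mon.observe(s)
    return mon.events


# Constructed stream: healthy link, then a sharp drop, then a later help packet
SAMPLES = [Sample(0, 900.0), Sample(1, 880.0), Sample(2, 910.0),
           Sample(3, 300.0), Sample(4, 250.0), Sample(5, 200.0),
           Sample(6, 150.0), Sample(7, 100.0), Sample(8, 50.0),
           Sample(400, 950.0, help_flag=True)]

if __name__ == "__main__":
    for t, reason in run_monitor(SAMPLES):
        print(f"t={t}s: initiate migration ({reason})")
```

On the constructed stream the monitor fires once at t=5 s after three consecutive degraded samples, ignores the continuing drop while in cooldown, and fires again at t=400 s on the server's help packet. The degrade fraction deserves care: the earlier slide notes that an attacker facing adaptive applications may only "almost" saturate the link, so a threshold set too far below the baseline will miss the slower decline that such an attack produces, while one set too close to it will migrate on ordinary contention.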
Comments
• Experiments / attacks were run on a real cloud (without knowledge of data center admin)