arXiv:1512.08187v2 [cs.CR] 28 Aug 2017

DDoS Attacks in Cloud Computing: Issues, Taxonomy, and Future Directions

Gaurav Somani (a,b), Manoj Singh Gaur (b), Dheeraj Sanghi (c), Mauro Conti (d), Rajkumar Buyya (e)

a Central University of Rajasthan, Ajmer, India
b Malaviya National Institute of Technology, Jaipur, India
c Indian Institute of Technology, Kanpur, India
d University of Padua, Padua, Italy
e The University of Melbourne, Melbourne, Australia

Important Information: Please cite this paper as: Gaurav Somani, Manoj Singh Gaur, Dheeraj Sanghi, Mauro Conti, Rajkumar Buyya, DDoS attacks in cloud computing: Issues, taxonomy, and future directions, Computer Communications, Volume 107, 2017, Pages 30-48, ISSN 0140-3664, http://dx.doi.org/10.1016/j.comcom.2017.03.010.

Abstract

Security issues related to cloud computing are relevant to various stakeholders for an informed cloud adoption decision. Apart from data breaches, the cyber security research community is revisiting the attack space for cloud-specific solutions as these issues affect budget, resource management, and service quality. Distributed Denial of Service (DDoS) attack is one such serious attack in the cloud space. In this paper, we present developments related to DDoS attack mitigation solutions in the cloud. In particular, we present a comprehensive survey with a detailed insight into the characterization, prevention, detection, and mitigation mechanisms of these attacks. Additionally, we present a comprehensive solution taxonomy to classify DDoS attack solutions. We also provide a comprehensive discussion on important metrics to evaluate various solutions. This survey concludes that there is a strong requirement of solutions which are designed keeping utility computing models in mind. Accurate auto-scaling decisions, multi-layer mitigation, and defense using profound resources in the cloud are some of the key requirements of the desired solutions. In the end, we provide a definite guideline on effective solution building and detailed solution requirements to help the cyber security research community in designing defense mechanisms. To the best of our knowledge, this work is a novel attempt to identify the need of DDoS mitigation solutions involving multi-level information flow and effective resource management during the attack.

Keywords: Cloud Computing, Distributed Denial of Service (DDoS), and Security and Protection.

Preprint submitted to Elsevier, August 29, 2017

1. Introduction

Cloud computing is a strong contender to traditional IT implementations as it offers low-cost and "pay-as-you-go" based access to computing capabilities and services on demand. Governments, as well as industries, have migrated their IT infrastructure, as a whole or in large part, to the cloud on the promise of these capabilities. Infrastructure clouds offer a number of advantages compared to fixed on-premise infrastructure. These advantages include better resource utilization, on-demand availability, pay-as-you-go billing, no in-house hardware depreciation losses, and no maintenance overhead. On the other hand, there is a large number of questions in cloud adopters' minds, which are discussed in the literature [1] [2]. Most of these questions are specifically related to data and business logic security [3]. There are many security related attacks that are well-addressed for traditional IT infrastructures. Their solutions are now being applied to cloud infrastructures. As the data and business logic are located on a remote cloud server with no transparent control, most security concerns are not similar to their earlier equivalents in non-cloud infrastructures.

One of these attacks, which has been a much visible attack, is the Denial of Service (DoS) attack [4]. Behaving like a legitimate customer, attackers try to flood an active server which is providing a service to legitimate consumers. Traditionally, a DoS attack is launched in a manner such that the server becomes unavailable due to a large number of pending requests overflowing the service queue. A different flavor of DoS is Distributed DoS, or DDoS, where the attackers are a group of machines targeting a particular service [5]. There is a high rise in the number of reported incidents of DDoS, which makes it one of the most important and fatal threats amongst many [6]. More than 20% of enterprises in the world saw at least one DDoS attack incident on their infrastructure [7]. Many DDoS attacks in the last two years show a strong target shift of the attackers towards cloud infrastructure and services, supporting the anticipations about these attacks presented in that report. Amongst many popular attacks, which gained a lot of attention in the recent research community [8], Lizard Squad attacked the gaming services of Microsoft and Sony on Christmas day, which took down cloud-based services. In 2015, Rackspace, a cloud service provider, was targeted by a massive DDoS attack on its cloud services. In another spectacular attack, Amazon EC2 servers faced a massive DDoS attack incident. Authors in [8] reported these DDoS attack incidents on cloud infrastructure. These attacks incurred heavy downtime, business losses and many long-term and short-term effects on business processes of victims. A report by Verisign iDefense Security Intelligence Services [9] shows that the most attacked target of DDoS attacks in the last number of quarters is the cloud and SaaS (Software as a Service) sector. More than one-third of all the reported DDoS attacks were on cloud services. One of the most important consequences of a DDoS attack in the cloud is "economic losses". The report in [7] estimates the average financial loss due to a DDoS attack at around 444K USD. There are other reports by Neustar [10], which present the economic loss data of Q1, 2015. In this report, the average financial loss is more than 66K USD/hour.

DDoS attacks and their characterization become completely different when applied to the context of the cloud. The difference arises mainly due to the consequences of an attack on the victim server. Infrastructure as a Service (IaaS) clouds run client services inside Virtual Machines (VMs). Virtualization of servers is the key to the elastic and on-demand capabilities of the cloud, where VMs get more and more resources when needed and return unused resources when idle. Cloud computing's heavy adoption trend is due to the on-demand computing and resource availability capabilities. This capability enables the cloud infrastructure to provide profound resources by scaling, as and when there is a requirement on a VM. Therefore, a VM will not experience a resource outage as an ample amount of on-demand resources is available in the cloud. This feature of "elasticity" or "auto-scaling" results in an economic-losses based DDoS attack, which is known as the Economic Denial of Sustainability (EDoS) attack or Fraudulent Resource Consumption (FRC) attack [11].

In this paper, we aim to provide a survey of DDoS attacks in the cloud environment. We also differentiate these attacks from traditional DDoS attacks, survey various contributions in this space and classify them. For this purpose, we prepare a detailed taxonomy of these works to help comprehend this survey.

1.1. Need of a survey on DDoS attack in cloud

There are a number of survey papers available which deal with DDoS attacks, both from the perspective of attacks and mitigation in networks. There are surveys and taxonomies available which include traditional DDoS mitigation methods including attack traceback, attack filtering and attack prevention [12] [13]. Taxonomies like [14] highlight DDoS in the cloud with the perspective of Software Defined Networks. Surveys such as [15] focus on the solutions which are designed around traffic and behavior change detection. The following are some of the important requirements for this survey:

1. Cloud computing and the technologies around it are a recent phenomenon. It requires a different treatment regarding the characterization of the attack, detection and prevention. The desirable difference is evident in many recent attack incidents [8].
2. There are quite a good number of recent studies available on DDoS attacks, but there is no specific survey (including surveys on Cloud DDoS attacks) available to consider and gather solutions related to resource management aspects of utility computing.
3. Economic aspects of the DDoS attack (quoted as EDoS) and its consequences on cloud resource allocation are entirely missing from existing surveys; thus, solutions specific to these issues are required.

1.2. Survey Methodology

We performed literature collection by doing an exhaustive systematic search on all the indexing databases and collecting a huge number of papers related to the area. An initial scan resulted in a subclass of the collection. Another deep scan resulted in the papers we used in our survey and in the taxonomy preparation. We believe that the contributions listed in this survey are exhaustive and list all the important contributions in the emerging area till date.

1.3. Contributions

We make the following contributions in this paper:

1. We introduce the DDoS attack scenario in infrastructure clouds and identify how various elements of cloud computing are affected by DDoS attacks.
2. We present a detailed survey and taxonomy of solutions to DDoS attacks in cloud computing. Based on the developed taxonomy, we identify weaknesses in the state-of-the-art solution space leading to future research directions.
3. For a uniform comparison and verification among attack solutions, we provide a comprehensive set of performance and evaluation metrics.
4. This paper presents a detailed set of design aspects of effective DDoS mitigation at the end. It includes mitigation strategies at the resource allocation level instead of the preventive and detection strategies used by existing solutions.
5. This work would help security researchers to deal with DDoS differently as compared to the treatment given while considering traditional IT infrastructure.

1.4. Organization

We discuss cloud computing and its essential features, which are affected by DDoS attacks, in Section 2. Section 3 details recent attack statistics to help in understanding the need for this survey. Section 4 offers a detailed and comprehensive taxonomy to help the reader understand the broad solution space for DDoS attacks applicable to cloud computing. This taxonomy has three major branches which we discuss in three different sections. These three sections are attack prevention (Section 5), attack detection (Section 6) and attack mitigation (Section 7). In Section 8, we provide the guideline towards solutions to DDoS attack mitigation. We draw conclusions of this work in Section 9.
[Figure 1 (image not reproduced): a C&C Server directs Various Bots over the Internet at VMs hosted on Server 1 to Server 12 inside the Cloud Network.]
Figure 1: DDoS Attack Scenario in Infrastructure Cloud

2. DDoS Attacks and Cloud Computing

Cloud computing provides an on-demand utility computing model where resources are available on a "pay-as-you-go" basis. In particular, the cloud provider is an "Infrastructure as a Service (IaaS)" provider, who provisions VMs on-demand. On the other hand, a service provider is a cloud consumer who has placed the web service in the form of a VM (say an e-commerce application) in the infrastructure cloud provided by the cloud provider. Figure 1 depicts a typical cloud computing environment with a large number of servers running VMs.

2.1. DDoS Attack and Cloud Features

DDoS attacks have recently been very successful on cloud computing, where the attackers exploit the "pay-as-you-go" model [8]. There are three important features which are the major reasons behind the success trends of cloud computing. On the other hand, the same set of features is proven to be very helpful to DDoS attackers in getting success in the attacks (discussed in Section 2.2). We now discuss these three features in detail:

2.1.1. Auto Scaling

Hardware virtualization provides a feature to shrink or expand the resources of a VM while it is running. These properties permit the allocation of additional CPUs, main memory, storage and network bandwidth to a VM when required. Additionally, this can also be used to remove some of the allocated resources when they are idle or not needed. Multiple providers use this resource allocation mechanism with the help of auto scaling [16] web services, which allow cloud consumers to decide the resource need on the basis of resource utilization or similar metrics. The same feature is extended towards adding more VM instances on more physical servers and stopping them when there is no need. Machine level scaling (vertical scaling) and data center or cloud level scaling (horizontal scaling) are two crucial features of utility computing. Scalability is achieved by spreading an application over multiple physical servers in the cloud. Scalability is driven by high speed interconnects and high speed as well as ample storage. Virtualization of operating systems plays an important role while considering the scalability of VMs. VM cloning and its subsequent deployment are quite fast. Hence, whenever there is a requirement, cloned VMs can be booted on other servers and used to share the load. Scalability is also strongly supported by the live migration of VMs, where a running virtual server can be migrated to another, bigger physical server with almost no downtime, offering uninterrupted scalable operation.

2.1.2. Pay-as-you-go accounting

The on-demand utility model has become very attractive for consumers due to its leaner resource accounting and billing model. The "pay-as-you-go" model allows a cloud consumer to use resources without physically buying them. A VM owner may want to add or remove resources on-the-fly as and when needed. Other benefits of using a cloud platform are better hardware utilization and no need for arrangements like power, space, cooling and maintenance. Pricing or accounting plays an important role in understanding DDoS attacks in the cloud. Mostly, cloud instances are charged on an hourly basis and thus the minimum accounting period is an hour. Resources can be allotted on a fixed basis, on a pay-as-you-go basis and by auctions. Similarly, storage and network bandwidth are measured using total size and total data (in and out) transfer. It is very clear that these models are "pay-as-you-go" models and are still evolving.

2.1.3. Multi-tenancy

Multi-tenancy gives the benefit of running more than one VM from different VM owners on a single physical server. Multi-tenancy is a way to achieve higher hardware utilization and thus higher ROI (Return on Investment). An individual user may want to have more than one VM running similar or different applications on a single physical server.

2.2. DDoS Attack Scenario in Cloud

A typical attack scenario is as shown in Figure 1. An infrastructure cloud will have many servers capable of running VMs in multi-tenant virtualized environments. In addition to aiming at "Denial of Service", attackers might aim to attack the economic sustainability of cloud consumers. Discussions on this attack started right after the inception of cloud computing [11]. There are a few other contributions where this attack has been termed Fraudulent Resource Consumption (FRC) attack [17]. Attackers thoroughly plant bots and trojans on compromised machines over the Internet and target web services with Distributed Denial of Service attacks. DDoS takes the shape of an EDoS attack when the victim service is hosted in the cloud. Organizations exist (also known as "Booters") which provide a network of bots to their consumers to plan DDoS attacks on their rival websites [18]. Motives of these attacks range from business competition, political rivalry and extortion to cyber wars among countries.

The cloud paradigm provides enormous opportunities and benefits to consumers, and the same set of features is available and may be useful to DDoS attackers. An attacker who plans a DDoS attack would send enough fake requests to achieve "Denial of Service". However, this attack would generate heavy resource utilization on the victim server. "Auto scaling" [16] would take this "overload" situation as feedback and add more CPUs (or other resources) to the active pool of resources of this VM. Once a VM gets deployed, it starts as a "Normal load VM". Now, let us assume that the DDoS attack has started and consequently the VM gets overloaded ("Overloaded VM"). The overload condition triggers the auto-scaling features of cloud resource allocation, which will choose one of the many strategies available in the literature for VM resource allocation, VM migration, and VM placement [19]. The overloaded VM may be given some more resources, or migrated to a higher resource capacity server, or supported by another instance started on another server. If there is no mitigation system in place, this process will keep adding resources. This situation may last until the service provider can no longer pay or the cloud service provider has consumed all the resources. Finally, it will lead to "Service Denial". In turn, this leads to on-demand resource billing, and thus economic losses over and above the planned budget may occur. One trivial solution is to run VMs on a fixed or static resource profile where the SLA does not have any provision for additional resources on demand. In this case, the DDoS will directly result in "Denial of Service" and all the attractive features of the cloud will be lost.

3. Attack Statistics and Impact Characterization

In this section, we provide a coverage of various attack statistics and their impact on various victim organizations. We have also covered a few characterization studies to quantify the effects of DDoS attacks in the cloud. The attack scenario as depicted in Figure 1 can be expanded further in the form of Figure 2. This figure shows details about the attack origin and the resultant attack impacts. DDoS attacks are mostly botnet driven attacks where a botnet controller directs a large number of automated, malware driven bots to launch the attack. We also show cloud originated attacks in Figure 2. We show directly visible attack effects as well as attack effects which are not directly visible or become visible post-attack. Direct attack effects include service downtime, economic losses due to the downtime, auto-scaling driven resource/economic losses, business and revenue losses, and the downtime and related effects on services which are dependent on the victim service. There are a number of indirect effects of cloud DDoS attacks: attack mitigation costs, energy consumption costs, reputation and brand image losses, collateral damages to the cloud components and the effects due to recent smoke-screening attacks. Reputation and brand image losses may not be well quantified and may be treated as long-term losses [20]. Collateral damages include indirect DDoS attacks, additional migrations and scaling, and the energy consumption effects as given in [21]. We discuss all these attack effects in more detail in this section.

3.1. Attack Statistics

Denial of service attacks are quantified and studied by many security solution providers in the market [22] [23] [24] [25]. There are a number of other reports which state the impact and rise of DDoS/EDoS attacks in the cloud. It was also anticipated that there would be a major target shift of the DDoS attackers from traditional servers to cloud-based services [8], and it has even been proven by the Q1 reports of 2015 [9]. As per this report [9], most of the attack targets were cloud services in Q1, 2015. According to the report by Neustar [10], economic losses per hour at peak times are 470% more than the previous year. The Lizard Squad attacks on Microsoft and Sony gaming servers are the first example. Similarly, Amazon EC2 servers and Rackspace servers, which belong to cloud service providers, were attacked using a large DDoS attack in early 2015. Economic aspects of these attacks are also challenging. Greatfire.org was targeted by a heavy DDoS attack in March 2015, costing it an enormous bill of $30,000 daily on the Amazon EC2 cloud [26]. As per the report in [7], the average financial damage by a DDoS attack is up to 444,000 USD. Even the innovative "DDoS as a Service" tools are making it easier for hackers to plan these attacks. As per the Q1, 2014 report of [24], the total number of DDoS attacks within the last one year has increased by a significant number (47%). Another paramount figure to ponder is the target servers. More than half of these DDoS attacks targeted the entertainment and media industry, which is mostly hosted in the cloud.
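The auto-scaling feedback loop of Section 2.2, as an added worked model (not from the paper): a per-minute load trace is replayed against unbounded auto-scaling, auto-scaling capped by a resource limit (the P4 idea), and the fixed resource profile the section calls the trivial solution, with hourly pay-as-you-go accounting from Section 2.1.2. All capacities, prices, thresholds and the load trace are constructed illustrative values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ScalingPolicy:
    capacity_per_vm: int          # requests per minute one VM instance can serve
    scale_up_threshold: float     # utilization above which one more instance is added
    max_vms: Optional[int]        # None = unbounded auto-scaling; an int = resource limit (P4)
    price_cents_per_vm_hour: int  # instance price, billed per started hour


@dataclass
class Outcome:
    vms_per_minute: List[int] = field(default_factory=list)
    dropped_requests: int = 0     # requests that found no capacity (denial of service)
    bill_cents: int = 0           # what the cloud consumer pays for the period


def simulate(benign_rpm: List[int], attack_rpm: List[int], policy: ScalingPolicy) -> Outcome:
    """Replay a per-minute load trace against one scaling policy.

    Each minute the VM pool serves up to its capacity and excess requests are
    dropped. Overload (utilization above the threshold) adds one instance for
    the next minute, which is the feedback loop of Section 2.2, unless the
    policy's resource limit has been reached.
    """
    if len(benign_rpm) != len(attack_rpm):
        raise ValueError("traces must have equal length")
    out = Outcome()
    vms = 1  # every service starts as a single "normal load VM"
    for benign, attack in zip(benign_rpm, attack_rpm):
        load = benign + attack
        capacity = vms * policy.capacity_per_vm
        out.dropped_requests += max(0, load - capacity)
        out.vms_per_minute.append(vms)
        overloaded = load / capacity > policy.scale_up_threshold
        under_limit = policy.max_vms is None or vms < policy.max_vms
        if overloaded and under_limit:
            vms += 1
    # Pay-as-you-go accounting (Section 2.1.2): the minimum accounting period is
    # an hour, so each hour is billed for the largest pool size seen in it.
    for start in range(0, len(out.vms_per_minute), 60):
        hour_peak = max(out.vms_per_minute[start:start + 60])
        out.bill_cents += hour_peak * policy.price_cents_per_vm_hour
    return out


def edos_scenario() -> Dict[str, Outcome]:
    """Constructed trace: 400 benign req/min for 3 hours; a 3000 req/min flood starts after hour 1."""
    minutes = 180
    benign = [400] * minutes
    attack = [0] * 60 + [3000] * (minutes - 60)
    base = dict(capacity_per_vm=500, scale_up_threshold=0.8, price_cents_per_vm_hour=10)
    policies = {
        "auto-scaling (unbounded)": ScalingPolicy(max_vms=None, **base),
        "auto-scaling with resource limit (P4, 4 VMs)": ScalingPolicy(max_vms=4, **base),
        "fixed profile (no scaling)": ScalingPolicy(max_vms=1, **base),
    }
    return {name: simulate(benign, attack, p) for name, p in policies.items()}


if __name__ == "__main__":
    for name, result in edos_scenario().items():
        print(f"{name:45s} peak VMs={max(result.vms_per_minute):2d} "
              f"dropped={result.dropped_requests:7d} bill=${result.bill_cents / 100:.2f}")
```

Unbounded scaling keeps the service reachable at roughly six times the pre-attack hourly bill (the EDoS effect), the fixed profile keeps the bill flat but drops almost all traffic (plain DoS), and the capped policy lands between the two, which is the trade-off a resource limit buys.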
[Figure 2 (image not reproduced): a Botnet Controller drives bots on PCs/Servers, Laptops/PDAs, Smartphones and Attack Clouds against a Victim VM in the Victim Cloud Infrastructure; Direct Effects listed are Service Downtime, Economic Losses due to Downtime, Scaling Driven Economic Losses, Business and Revenue Losses and Dependent Services Downtime; Indirect Effects listed are Attack Mitigation Costs, Energy Consumption Costs, Reputation and Brand Image Losses, Collateral Damages in Cloud Infrastructure and Smoke-screening Attacks.]
Figure 2: DDoS Attack in Cloud: Direct and Indirect Effects

A detailed report regarding the various statistics is covered in [27]. As per this report, the DDoS attack bandwidth has grown to more than 500 Gbps in 2016 from just 8 Gbps in 2004. There are some other reports by Arbor Networks [25], which state that NTP based reflection and amplification attacks are the new forms of DDoS. There is an additional attack, termed very dangerous, which has started showing its effect in parallel to a DDoS attack. This attack is known as smoke screening, which is an attack that plans an information or data breach behind a DDoS. While the DDoS distracts the whole staff into mitigating or preventing the present situation, the attacker may plan other attacks to cause harm. As per this report by Neustar [23], around 50% of the organizations have suffered from a "smoke screening" attack while they were only mitigating DDoS. Repetition of the attack is also a major issue, and most of the targeted companies (90%) have faced repetitive attacks leading to vast business losses. The growth and adoption of the cloud and of DDoS mitigation solutions in the cloud are two major points complementary to each other. Enterprises took a few years to start adopting infrastructure clouds after its inception in 2007, and now many organizations have entirely or partly transformed their IT infrastructure into the cloud.

3.2. DDoS Attack impact studies in the Cloud

After the inception of the term "EDoS attack" by Christofer Hoff in 2008 [11], there are some works related to the characterization of the DDoS attack in the cloud and the study of its impacts. To see the effect of the DDoS attack, authors in [28] conducted an important experiment, where they wanted to calculate the maximum possible charges on a cloud service. The authors conducted the experiment by sending 1000 requests/second with 1000 Megabits/second data transfer to a web service hosted on Amazon CloudFront for 30 days. This experiment accumulated an additional cost of $42,000 for these additional requests. The authors in [17] characterized the effectiveness of the EDoS attack on the cloud consumer's bills. Authors in [17] calculated the additional cost when there is only one attacker that is sending one request per minute for one month. Even this could gather a total of 13GB of data transfer assuming a normal web request size of 320KB. A similar experiment was conducted in [29] where a web server cluster running on an extra-large instance at Amazon EC2 was targeted with an EDoS attack. The observation showed that bills grew on the basis of the number of requests and the deployment of additional resources. Authors in [30] presented the potential of malicious use of the browsers of legitimate users to plan an EDoS attack. The authors use social engineering based, web-bug enabled spam email to use legitimate browsers for the attack [30]. The authors argued that rented bots are easy to detect by the DDoS mitigation infrastructure, whereas web-bugs in the form of spam email can be used easily to plan an EDoS attack. They planned an attack on the Amazon S3 infrastructure and characterized the attack effects. Authors in [21] showed the characterization by showing EDoS effects and convergence to DDoS. Similarly, they conducted a cloud level simulation to show that a DDoS attack in the cloud may show many side-effects on non-targets including co-hosted VMs, other physical servers, and the whole cloud infrastructure. These effects have formed an important part of the cloud threat and attack model presented in [31].

4. Taxonomy of DDoS Solutions

This section presents the detailed solution taxonomy of DDoS attacks in the cloud. The final set of contributions in this area was gathered using the systematic search methodology discussed in Section 1.2. The works related to DDoS defense in the cloud have been comprehensively surveyed and prepared as a taxonomy as shown in Figure 3. To help the particular direction of research, we have included many works from DDoS defense in traditional infrastructure.
DDoS Defense in Cloud Computing
- Attack Prevention (P): Challenge Response (P1); Hidden Servers/Ports (P2); Restrictive Access (P3); Resource Limits (P4)
- Attack Detection (D): Anomaly Detection (D1); Source/Spoof Trace (D2); Count Based Filtering (D3); BotCloud Detection (D4); Resource Usage (D5)
- Attack Mitigation (M): Resource Scaling (M1); Victim Migration (M2); OS Resource Management (M3); Software Defined Networking (M4); DDoS Mitigation as a Service (M5)

Figure 3: DDoS attack prevention, detection and mitigation in cloud: a taxonomy
[Figure 4 (image not reproduced): three stages, Attack Prevention, Attack Detection, and Attack Mitigation and Recovery, in front of the cloud VMs. In the prevention stage a Benign User's access request receives a Challenge, passes the Turing Test on its Response and is allowed through as Benign Requests to the Victim Server; an Attacker's request fails the Challenge Response (marked X) and its Attack Requests are dropped.]
Figure 4: DDoS Protection in cloud at various levels the DDoS defense in traditional infrastructure. We prepare this at each stage, and they are listed in the next section. However, taxonomy by keeping a view that this work would serve the in the Figure 4, we could just show a simplified gist, which purpose of providing a clear, detailed and complete picture of misses many other solutions at each stage. Before moving on to the solutions space, different ideas, and approaches available in the discussion of various DDoS solution categories in the next the literature. Taxonomy fields are provided a nomenclature to section, we make an effort to propose important evaluation and classify different contributions. performance metrics for various categories of our taxonomy. We segment the taxonomy in three important parts which are Table 1 shows the metrics related to the all three subclasses and attack prevention (P), attack detection (D) and attack mitiga- their subcategories. It is important to highlight that in the next tion and recovery (M). Though, many of these works have con- sections, we use these metrics in our discussion to compare the tributed in all three or two divisions of this classification, hence, suitability of various solutions. There are many solutions which those works are discussed in all those sections individually. The do not use any evaluation or performancemetrics. However, we typical solution space looks like the one shown in Figure 4. believe that these important metrics can help the community to At the first instance when the requests come, a simple “Tur- orchestrate solutions which are verifiable against the important ing test” may help in preventing the attack. The next stage is properties we list in the Table 1. anomaly detection to both prevent and detect the attack. There is a large number of contributions in the area of traffic monitor- 5. Attack Prevention (P) ing and analysis. 
The third stage is based on the methods which are helpful in mitigation as well as recovery. Cloud computing DDoS prevention in the cloud is a pro-active measure, where features and profound resources help at this stage. suspected attackers’ requests are filtered or dropped before We have highlighted the need for more solutions at this stage these requests start affecting the server. Prevention methods do in section 7. There is a large number of contributions available not have any “presence of attack” state as such, which is usually 6 Subcategory Important metrics to benchmark the solutions Challenge Response Accessibility, usability, puzzle generation, storage, and verifiability, and false alerts Hidden Servers/ports Redirection, overhead of server replicas and load balancing, and all other puzzle metrics Restrictive Access Accessibility, usability, response delay and false positives and negatives in admission control

Attack Prevention Resource Limit Cost and overhead of management of additional reserved resources Anomaly Detection Overhead cost of training and profiling and false positives and negatives Source and Spoof Trace TTL data verification and traceback costs and false positives and negatives Count Based Filtering Suitability to various static and dynamic counts in minimizing the false alerts BotCloud Detection Overhead cost of learning and verifying traffic flows and false alerts Attack Detection Resource Usage Overhead of employing monitors and counters, and threshold suitability Resource Scaling Auto-scaling decision and threshold suitability Victim Migration Migration downtime, costs and network overhead for deltas OS Resource Management Attack mitigation, reporting and downtime, and attack cooling down period Software Defined Networking Overhead cost of training, profiling, and false positives and negatives Attack Mitigation DDoS Mitigation as a Service Solution costs, service downtime and other metrics based on different solutions

Table 1: Various performance metrics to benchmark the DDoS attack solutions in cloud computing

available to the attack detection and mitigation methods. Therefore, prevention methods are applied to all users, whether legitimate or illegitimate. Most of these methods are tested against their usability, which incurs an overhead for the server as well as for legitimate clients. We further classify this direction into four subclasses:

1. Challenge Response.
2. Hidden Servers/Ports.
3. Restrictive Access.
4. Resource Limit.

For a quick view, the overall theme of each set of these methods, their strengths, challenges, and weaknesses are listed in Table 2. We also prepare a list of important individual contributions in Table 3, where we give a brief theme of each solution to provide an overview of the variety of contributions available in each subclass.

5.1. Challenge Response (P1)

Challenge-Response Protocols (CRP) are designed to identify the presence of real users. Many times, this concept has been applied in the opposite manner, where the protocol tries to determine whether the user is a bot/attacker machine, especially in the case of crypto-puzzles or proof-of-work. One of the most common prevention techniques is a Turing test in the form of a CAPTCHA, which is usually one of the most preferred methods in the category of challenge-response protocols. In addition to the methods related to the cloud, some important CRPs from traditional DDoS defenses are also added to this discussion. Graphical Turing tests are popular CRP implementations available today. Instead of showing a plain text challenge and seeking an answer, these tests may present an image and a question related to that image. The image may contain a picture or text with various impurities like an arc, distortion, and noise. A graphical CAPTCHA may have moving images in the form of a .GIF or a set of multiple pictures to choose from. Crypto puzzles are used to assess the computational capability of a client. Crypto puzzles are questions seeking the output of a function with given inputs. For example, let us consider a hash function f(x, y) with inputs a and b. The client is expected to compute f(a, b) and return the answer back in some stipulated time.

Now, we discuss a few important strategies related to challenge-response schemes to prevent DDoS attacks in cloud computing. EDoS Shield [35] and Alosaimi et al. [36] used graphical Turing tests to prevent the bot-driven attack from occurring. Authors in [36] proposed a DDoS Mitigation System (DDoS-MS), where the initial two packets from the client side form the basis of the attack identification and subsequent mitigation. In their work, they used both graphical Turing tests and crypto puzzles to identify the attacker. Authors in [35] proposed a solution that filters requests on the basis of graphical Turing tests (CAPTCHAs). In this mode, a Virtual Firewall (VF) shield is designed which distinguishes the incoming requests on the basis of two lists, white and black. These records are updated on the basis of the successes and failures of graphical Turing tests. To prove the effectiveness and novelty of their solution, the authors have conducted simulations to show the effect of their scheme on end-to-end delay, cost, and other performance indicators like throughput and bandwidth. There are a variety of crypto puzzles with different difficulty levels in [32] [33] [34]. Authors in [32] presented the sPoW (Self-Verifying Proof of Work) methodology to mitigate EDDoS (Distributed EDoS). They provided a method to mitigate both network-level EDDoS and application-level EDDoS by extending the work proposed in [39]. In [39], instead of accepting all the traffic, they only accept the traffic that they are capable of taking. The authors in [32] provided an innovative solution where they use crypto-puzzles to identify legitimate customers. These crypto-puzzles are self-verifying and do not run on the server. Instead of the server, the client computes the solution. On the basis of the time taken to solve the crypto-puzzle at servers/nodes in the intermediate path, it is decided whether the incoming traffic is legitimate or not. The salient feature of this approach is that a DDoS attacker may send their traffic even at a higher rate by speedily computing the puzzle; even in this case, the sPoW approach does not allow the traffic.

Techniques                | Strengths                                                                                                                   | Challenges                                                                                      | Limitations                                                                                        | Contributions
Challenge Response (P1)   | Effective and usable methods using puzzles to differentiate humans and bots                                                 | Overhead of graphics generation and its storage                                                 | Image segmentation, OCR, dictionary and parsing attacks, and puzzle accumulation attacks           | [32][33][34][35][36][37][38][39]
Hidden Servers/Ports (P2) | Service is offered to legitimate users while no direct connection is established with the real server in the first instance | Redundant servers/ports and load balancing among them is needed                                 | Overhead of additional security layer and redirections                                             | [37][32][40][41][42]
Restrictive Access (P3)   | Admission control, or, instead of blocking/dropping, responses are prioritized for different classes of users               | Quality of service concerns and overhead of maintaining number of connections for delayed period | Not scalable in case of massive DDoS with spoofing by a large number of sources                    | [43][44][32][40]
Resource Limits (P4)      | Limiting the economic losses by restricting the maximum usable resources by a VM                                            | Determining the resource limits and capacity planning of a server                               | It does not prevent DDoS and its effects, except limiting the economic losses due to cloud billing | [45][46][47]

Table 2: DDoS Attack Prevention Techniques in Cloud: P2 Other Prevention Methods

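The self-verifying proof-of-work idea of Section 5.1 (the client computes the puzzle, the server only checks the answer within a stipulated time, and puzzle levels rise with the attack rate), as an added example that is not code from the paper or from any of the surveyed systems. The HMAC-tagged stateless puzzle, the "two bits per doubling of load" policy and the constants are assumptions chosen for the illustration.

```python
"""Added example (not from the paper): a self-verifying proof-of-work puzzle
of the kind described in Section 5.1.  The server hands out a puzzle, the
client burns CPU to solve it, and the server verifies with one HMAC and one
hash.  Difficulty is raised with the observed request rate, as in the
puzzle-level schemes the survey cites.  Constants and the rate policy are
constructed assumptions."""
import hashlib
import hmac
import math
import os
import struct


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def difficulty_for_rate(request_rate: float, baseline_rate: float,
                        base_bits: int = 8, max_bits: int = 24) -> int:
    """Puzzle level as a function of load (constructed policy, an assumption):
    every doubling of the request rate over the normal baseline adds two bits
    of required work, capped so that legitimate clients can still solve it."""
    if request_rate <= baseline_rate:
        return base_bits
    extra = 2 * math.ceil(math.log2(request_rate / baseline_rate))
    return min(max_bits, base_bits + extra)


class PuzzleServer:
    """Stateless issuer/verifier: the puzzle carries an HMAC tag, so the server
    stores nothing per client and cannot be made to accumulate unsolved puzzles."""

    def __init__(self, secret: bytes, validity_seconds: int = 30):
        self.secret = secret
        self.validity = validity_seconds

    def _tag(self, client_id: str, nonce: bytes, bits: int, expires: int) -> bytes:
        msg = client_id.encode() + nonce + struct.pack(">BQ", bits, expires)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def issue(self, client_id: str, bits: int, now: int) -> dict:
        """Hand out a fresh puzzle: random nonce, required bits, deadline, tag."""
        nonce = os.urandom(16)
        expires = now + self.validity
        return {"client_id": client_id, "nonce": nonce, "bits": bits,
                "expires": expires,
                "tag": self._tag(client_id, nonce, bits, expires)}

    def verify(self, puzzle: dict, solution: int, now: int) -> bool:
        """Constant server-side cost whatever the puzzle level was."""
        if now > puzzle["expires"]:
            return False                 # answer not within the stipulated time
        expected = self._tag(puzzle["client_id"], puzzle["nonce"],
                             puzzle["bits"], puzzle["expires"])
        if not hmac.compare_digest(expected, puzzle["tag"]):
            return False                 # puzzle parameters were tampered with
        digest = hashlib.sha256(puzzle["nonce"] + struct.pack(">Q", solution)).digest()
        return leading_zero_bits(digest) >= puzzle["bits"]


def solve(puzzle: dict) -> int:
    """Client side: brute-force a counter until the hash has enough zero bits.
    Expected work is about 2**bits hashes; there is no shortcut for the client."""
    counter = 0
    while True:
        digest = hashlib.sha256(puzzle["nonce"] + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(digest) >= puzzle["bits"]:
            return counter
        counter += 1
```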
On the other hand, if DDoS traffic comes at a normal rate (equivalent to the rate at which a legitimate customer sends), then their approach is successful in limiting the traffic.

Challenge-response schemes provide an easy way of implementing attack prevention methods by addressing the most common automated, bot-originated and rate-based attacks. A list of good qualities of crypto puzzles is described in [48]. The crypto puzzle should be solvable in a definite time and should not have other possible solution methods. Additionally, the server should be able to compute answers and verify them with ease. Proof-of-work approaches are crypto puzzles but may have advanced features to utilize the client computation power; based on the correctness of the solution and the time taken, authentication and prioritized access are granted [32] [37]. This approach has multiple benefits, including shifting the computation overhead to the client and stopping overwhelming computationally equipped clients.

Accessibility and conversion rates are two important points which have been discussed recently against challenge-response protocol implementations, specifically CAPTCHAs [49]. There are many CRPs which are designed and tested from the perspective of their attack persistence, accessibility, overhead, puzzle generation, and storage requirements. Many of these are issues related to the area of Human Computer Interaction (HCI). One of the important aspects of "Challenge-Response Protocols" is accessibility, which should be considered while designing the question generation module. Designing difficult questions so that bots cannot construct their answer is quite an easy task, but a normal user should also be able to answer the questions with adequate comfort. Solutions based on Turing tests should be examined using a usability and accessibility study.

Text puzzles are known to be cracked using dictionary attacks or parsing attacks. There are a number of limitations posed by [35], like the puzzle accumulation attack, where an attacker sends a large number of requests for getting puzzles but does not solve them. It would result in an extra overhead of generating the puzzles at the server end. These Turing tests require additional overhead to generate graphics and storage space to store images. There are multiple works related to CAPTCHA cracking using image segmentation and optical character recognition (OCR).

5.2. Hidden Servers/Ports (P2)

Hidden servers or hidden resources such as ports is an important method to remove the direct communication link between the client and the server. The objective of hiding the servers is achieved by keeping an intermediate node/proxy to work as a forwarding authority. The important jobs of this forwarding authority may include balancing the load among the servers, monitoring the incoming traffic for any vulnerability, and fault-tolerance and recovery of the servers.

Various approaches have used the features of hiding the resources differently, e.g. hidden proxy servers [37], ephemeral servers [32] and hidden ports [40]. Authors in [37] proposed a moving target method to defend against DDoS attacks. They proposed the inclusion of many hidden proxy servers which may be dynamically assigned and changed to save legitimate clients. This approach has some practical issues like scalability, the inclusion of a large number of proxy servers, and shuffling. Even different web services may not like to have changing server addresses in between connections. This method uses client puzzles using PoW (Proof-of-Work) to distinguish between attackers and normal traffic. Additionally, some of these approaches randomly allocate different hidden servers. Jia et al. [41] have used the moving target based mechanism by shuffling the targets to confuse the attackers. This is achieved using replicas. This solution requires the replica servers and the overhead of managing them. Additionally, the authors have proposed strategies for maintaining the moving targets. Authors in [42] proposed a DDoS detection mechanism which is based on a request rate detection method. The proposed method blacklists clients on the basis of their incoming request rate threshold. By this blacklist, access is granted by creating a special "army of virtual nodes" firewall. The authors have argued that this way, the server could continue to serve legitimate clients. Similarly, authors in [50] have proposed a solution where a fore-front proxy server is used to test and forward the benign requests to the real server behind the proxy.

Hidden servers or ports are preventive mechanisms to save the real service from facing a DDoS attack. Therefore, requests are redirected by authentication to these hidden servers or ports. Authentication provides an extra security layer to secure the actual service. Hidden servers can help in stopping massive or malicious traffic at the hidden/proxy servers, which is the first server to be encountered by a client. This extra layer may also support load balancing and redirection of servers, among other purposes. The major limitations of this approach include the cost of the intermediate servers, time delay and computation overhead, and redirection and its management at the intermediate nodes. Additional overhead includes the cost of maintaining the server replicas and their backup management.

Solution category         | Contribution | Major theme of the contribution
Challenge Response (P1)   | [32]         | Crypto puzzles to identify benign traffic
                          | [33]         | Crypto puzzle levels based on the attack rate
                          | [34]         | Crypto puzzles to identify benign traffic
                          | [35]         | Graphical Turing tests
                          | [36]         | Both graphical as well as crypto puzzles
                          | [37]         | Proof-of-work puzzles
                          | [38]         | Turing tests combined with other techniques
Hidden Servers/Ports (P2) | [37]         | Moving target approach to hide the servers
                          | [32]         | Secure ephemeral servers with authentication
                          | [40]         | Limits number of connections on hidden ports
                          | [41]         | Moving targets using server replica shuffling
                          | [42]         | Hidden server only visible to benign users
                          | [50]         | Proxy forwards benign requests to the server
Restrictive Access (P3)   | [43]         | Admission control based on delayed response
                          | [44]         | Human behavior (rate) detection and access
                          | [32]         | Client reputation based prioritized access
                          | [40]         | Admission control puzzles and hidden ports
Resource Limits (P4)      | [47]         | Resource scaling to absorb the attack
                          | [46]         | Resource caps to limit the attack effect
                          | [45]         | Cloud metric monitoring and alarms
                          | [51]         | DDoS aware scaling and capacity planning

Table 3: DDoS Attack Prevention Techniques in Cloud

5.3. Restrictive Access (P3)

Restrictive access techniques are basically admission control methods to take preventive action against the service capacity. Some of these strategies have implemented the prevention by delaying responses or access to the suspected attackers or even to additional clients. In many of the contributions, this delay is introduced by selecting or prioritizing the legitimate clients with "good" past behaviors. There are a few techniques based on "Delayed access" and "Selective access", which are mostly similar, except that the strategies to provide the access to the clients are different. In some cases, reputation is the basis of the admission control mechanism, in which some users are preferred over others on the basis of reputation [32]. Reputation is calculated on the basis of the correctness of crypto puzzles and past web access within a definite time. Authors in [43] have named a solution based on its behavior as "capabilities". Authors in [32] did not drop any request; instead, they delayed access to them. This delayed access prevents the attack and even does not trigger the auto-scaling. The proposed method controls the user access requests by their past web access history. In their case, these responses are delayed, instead of dropping the requests, once the requests reach certain thresholds; the thresholds are decided from the request history of users. This delays the attacker for some time. There are some contributions which propose to provide access only to those whom they can actually serve as per the resource capability at the server end. The effectiveness of delayed responses is questionable in real environments because of accessibility issues, which require timely user responses.

Authors in [44] have followed a different approach where, if a user does not behave as per typical human behavior, it is blocked for a specific period. The authors have then proposed a novel attack and termed it as the first page attack or index page attack [44]. It is again a subclass of the DDoS attack, where the homepage or index page of the website is targeted. Clearly, the first page of the website is very free and can be fetched for every DDoS targeted website without solving any puzzle or Turing test authentication. The authors have shown that, as no Turing test is given on the first page, attacks on this prevention mechanism may work. The authors have behavior based attack identification and, to mitigate the attack, drop the requests of the attacker. After a certain request count/threshold, they block the attacker. This way, they serve a legitimate client a number of times equivalent to an attacker. Instead of queuing all the clients, they [40] proposed an admission control algorithm, where a limited number of clients who have solved the Turing test are served simultaneously, assigned to hidden ports. Once the test is passed by legitimate users, the proposed mechanism tries to limit the number of clients at any time. This is done by providing service on hidden ports using an admission control algorithm to a limited number of clients using a port key. The server allocates resources on the basis of priority, which is calculated based on the user behavior. The behavior is basically the web behavior on an e-commerce site on the basis of multiple parameters.

Most of the admission control methods which implement restrictive access to stop DDoS attacks from occurring are primarily based on delayed access or reputation based access. These methods provide a good way to optimize the server capacity by allowing requests based on the available resources. The "reputation" or "capability" is calculated based on the past access pattern or the time to solve the crypto puzzles. On one hand, these input control methods are solely dependent on the server capacity and client capability to compute the puzzle responses. At times, this restriction may limit the server in addressing the accessibility or usability perspective for fresh clients. As discussed in Section 5.1, the problems associated with the puzzle based solutions are also applicable here. Additionally, in the case of sophisticated or stealthy attacks, malicious attackers may try to earn the "reputation" before they show their real malicious behavior.

5.4. Resource Limits (P4)

As discussed in Section 3 on attack characterization, it was visible that the economic bills generated by a DDoS attack can be enormous. Resource limits can help in preventing these economic losses by correct auto-scaling decisions. However, deciding whether the resource surge has come due to the DDoS attack or due to real genuine traffic is a very difficult task. Another way to prevent these resource losses is to put fixed resource services or "capped" resource limits on each service in the cloud. By doing this, we will miss the advantages of important features of cloud computing such as on demand resource allocation.

There are a number of discussions and demands by cloud consumers on providing a track of resource utilization in the form of alerts. Additionally, some of the providers have started providing real-time monitoring services [45]. They have also started providing resource limits in the form of "Caps" on the maximum resources a VM would be able to buy and sustain. There are other solutions such as [51], in which the authors develop a resource allocation algorithm where the resources are only increased if the resource surge is due to real genuine traffic. It would not help the cloud consumer to stop the DDoS from occurring; however, it can surely limit the bills at the cost of service downtime (as the VM would reach the resource limit and would not be able to serve any clients, and the resource outage will lead to DDoS) [46]. Resource limits can surely restrict the cost penalty on the dynamically scaled resources, but they can also limit the usage of the on-demand computing feature of cloud computing.

The attack prevention mechanisms discussed above present a variety of methods available for preventive security. However, it is important to note that these prevention mechanisms alone cannot help in combating DDoS attacks in cloud infrastructures. Another line of support from other mechanisms such as detection and mitigation mechanisms is needed once the attack is already present. On the other hand, attack mitigation methods are indeed important first-aid solutions to the overall DDoS solution framework we discuss in Section 8.2.

6. Attack Detection (D)

Attack detection is achieved in a situation where attack signs are present on the server in terms of its services and monitored performance metrics. These attack signs are initial signs, where the attack has just started to take shape, or there may be a situation where the attack has already deteriorated the performance. These methods may seem to be similar to "attack prevention" at times, and many contributions have provided solutions in the same manner. Various performance metrics which are monitored and affected due to an attack range from large response times and timeouts to higher memory and CPU usage. We further classify this section into five subcategories:

1. Anomaly Detection.
2. Source and Spoof Trace.
3. Count Based Filtering.
4. BotCloud Detection.
5. Resource Usage.

For a quick view, the overall theme of each set of the classified methods, their strengths, challenges, and weaknesses are listed in Table 4. We also prepare a list of important individual contributions in Table 5, where we enlist a brief theme of each solution to show the variety of contributions available in each subclass.

6.1. Anomaly Detection (D1)

Anomalous patterns are usually identified from packet traces, established connections, web access logs or request headers. The specific pattern to identify in the log or the trace is decided by attack traces and other past historic behaviors. Web behavior has been modeled using a large number of characteristics and metrics working upon those characteristics. Mostly, authors have used the web behavior of normal web traffic as a benchmark pattern. This normal web behavior is collected from the period when the attack is not present. On the other hand, a few contributions prepare an attack behavior profile and then filter out the attack traffic by learning based detection. Feature selection, dataset preparation, and testing or profiling against these learned rules are the three important sets of operations involved in these detection strategies.

Now, we discuss a few important strategies related to DDoS attack anomaly detection in cloud computing. Idziorek et al. [52] worked on web access logs and argued that legitimate web access patterns follow the "Zipf" distribution; based on the web access pattern training, they could identify outliers which do not follow this distribution [52]. On the other hand, authors in [53] used the baseline profiling of various IP and TCP flags, which entails the network behavior model. The authors proposed the detection of flooding in the cloud using the training of normal and abnormal traffic and used the covariance matrix approach to detect the anomaly.
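The baseline-profiling pattern of Section 6.1 (a normal-period profile, then outlier scoring of live traffic against it), as an added example that is not code from the paper or from any surveyed system. It profiles the distribution of requested paths and scores a window with the Jensen-Shannon divergence; the access-log lines, the 0.3 threshold and the path-level attribution are constructed assumptions.

```python
"""Added example (not from the paper): baseline profiling with divergence
scoring, the pattern behind the anomaly-detection methods of Section 6.1.
A request-path distribution is learned from an attack-free period and each
live window is scored against it with the Jensen-Shannon divergence (one of
the statistical measures used in the surveyed work).  Log lines and threshold
are constructed."""
import math
from collections import Counter

# Constructed access-log lines ("client_ip method path"): the training log is
# from an attack-free period, the two windows are live traffic to be scored.
NORMAL_PERIOD_LOG = (
    ["203.0.113.5 GET /"] * 8
    + ["203.0.113.5 GET /catalog"] * 5
    + ["198.51.100.7 GET /item/1"] * 3
    + ["198.51.100.7 GET /cart"] * 2
    + ["203.0.113.9 GET /checkout"] * 2
)
BENIGN_WINDOW = (
    ["203.0.113.5 GET /"] * 4
    + ["203.0.113.5 GET /catalog"] * 3
    + ["198.51.100.7 GET /item/1", "198.51.100.7 GET /cart",
       "203.0.113.9 GET /checkout"]
)
# A flood concentrated on one expensive resource, the kind of shift a profile catches.
ATTACK_WINDOW = ["192.0.2.9 GET /checkout"] * 18 + ["203.0.113.5 GET /"] * 2


def parse_paths(lines):
    """Extract the request path from each 'ip method path' line."""
    return [line.split()[2] for line in lines if line.strip()]


def build_profile(paths):
    """Relative frequency of each path: the distribution being compared."""
    counts = Counter(paths)
    total = sum(counts.values())
    return {path: n / total for path, n in counts.items()}


def js_contributions(p, q):
    """Per-path share of JSD(p, q) in bits; paths absent from one side count as 0."""
    keys = set(p) | set(q)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in keys}

    def term(dist, k):
        a = dist.get(k, 0.0)
        return a * math.log2(a / m[k]) if a > 0 else 0.0

    return {k: 0.5 * term(p, k) + 0.5 * term(q, k) for k in keys}


def js_divergence(p, q):
    """Jensen-Shannon divergence, symmetric and bounded in [0, 1] with log base 2."""
    return sum(js_contributions(p, q).values())


class DivergenceDetector:
    """Learn the normal profile once, then score live windows against it."""

    def __init__(self, baseline_lines, threshold=0.3):
        self.baseline = build_profile(parse_paths(baseline_lines))
        self.threshold = threshold      # constructed; tune on attack-free windows

    def score(self, window_lines):
        return js_divergence(self.baseline, build_profile(parse_paths(window_lines)))

    def is_anomalous(self, window_lines):
        return self.score(window_lines) > self.threshold

    def top_contributor(self, window_lines):
        """Path that drives most of the divergence: what to look at first."""
        contrib = js_contributions(self.baseline,
                                   build_profile(parse_paths(window_lines)))
        return max(contrib, key=contrib.get)
```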
Techniques                  | Strengths                                                                        | Challenges                                                                                                                    | Limitations                                                                                                                                                           | Contributions
Anomaly Detection (D1)      | Machine learning and feature based detection                                     | Feature identification, testing and minimizing false alarms and IP spoofing                                                   | Scalability issues and overhead of training, matching and statistical analysis of traffic features                                                                    | [52][53][54][17][55][56][57][58][59][40][60][61]
Source and Spoof Trace (D2) | Identifying the source of web requests to stop spoofing                          | Filtering at edge routers and suitability of TTL based methods                                                                | Cooperative mechanisms require network devices and service support                                                                                                    | [62][63][64][65][66][67][68][69][70]
Count Based Filtering (D3)  | Hop count, number of connections or number of requests based threshold filtering | Requires TTL hop data of real user. Heterogeneous implementations of hop count. Deciding on count threshold is a challenge    | IP spoofing issues may defeat the (non-TTL) schemes. Only successful in case two different TTLs for the same source IPs are received. False alarms. Probing is also needed | [38][34][35][44][42][71]
BotCloud Detection (D4)     | Detecting the attack sources inside the cloud by monitoring the features of VMs and the network | Identifying the activities and their thresholds for various suspicious activities                                | Very difficult to detect all kinds of attack flows (including zero-day). The detection only works at the edge of the attack originating cloud                         | [72][73][74][75][76]
Resource Usage (D5)         | OS level/hypervisor level detection methods to monitor abnormal usage            | Interpreting the high utilization, whether it is due to attack or due to the real traffic                                     | Only gives a signal about the possibility of attack and requires supplementary detection mechanisms                                                                   | [51][77][72][78]

Table 4: DDoS Attack Detection Techniques in Cloud: D1 Pattern Detection

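The TTL/hop-count and request-count checks summarised in the D2 and D3 rows of Table 4, as an added example that is not code from the paper or from any surveyed tool: unknown sources are sent for verification, a whitelisted source whose inferred hop count changes is re-verified (a TTL mismatch is how spoofing shows up), and a source exceeding TH requests within period P is blacklisted. The log lines, the verification oracle and the thresholds are constructed assumptions.

```python
"""Added example (not from the paper): a TTL/hop-count plus request-count
filter of the kind summarised in the D2 and D3 rows of Table 4.  Log lines,
the verification oracle and the thresholds are constructed."""
from collections import deque

# Initial TTL values used by common IP stacks; the hop count is the distance
# to the smallest initial value not below the TTL observed at the server.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(ttl: int) -> int:
    """Infer hops travelled from the TTL seen at the server."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"invalid TTL {ttl}")


class CountAndHopFilter:
    """ALLOW / VERIFY / BLOCK decision per request, keyed by source IP."""

    def __init__(self, period: float, threshold: int):
        self.period = period          # P: sliding window in seconds
        self.threshold = threshold    # TH: max requests allowed inside P
        self.whitelist = {}           # ip -> hop count learned at verification
        self.blacklist = set()
        self.history = {}             # ip -> timestamps of recent requests

    def record_verification(self, ip: str, ttl: int, passed: bool) -> None:
        """Outcome of the Turing test / puzzle the source was sent to."""
        if passed:
            self.whitelist[ip] = hop_count(ttl)   # (re)learn the genuine hop count
            self.blacklist.discard(ip)
        else:
            self.blacklist.add(ip)

    def _requests_in_window(self, ip: str, ts: float) -> int:
        recent = self.history.setdefault(ip, deque())
        recent.append(ts)
        while recent and ts - recent[0] > self.period:
            recent.popleft()
        return len(recent)

    def decide(self, ip: str, ttl: int, ts: float) -> str:
        if ip in self.blacklist:
            return "BLOCK"
        if self._requests_in_window(ip, ts) > self.threshold:
            self.blacklist.add(ip)     # more than TH requests inside P
            return "BLOCK"
        if ip not in self.whitelist:
            return "VERIFY"            # unknown source: send to the Turing test
        if self.whitelist[ip] != hop_count(ttl):
            return "VERIFY"            # hop count differs from the learned one
        return "ALLOW"


# Constructed sample log: "timestamp source_ip ttl_seen_at_server"
SAMPLE_LOG = """\
1 203.0.113.5 54
2 203.0.113.5 54
3 203.0.113.5 60
1 198.51.100.7 63
2 198.51.100.7 63
3 198.51.100.7 63
4 198.51.100.7 63
5 198.51.100.7 63
6 198.51.100.7 63
7 198.51.100.7 63
9 192.0.2.9 200
"""

# Constructed oracle standing in for the Turing test: sources that would pass.
PASSING_SOURCES = {"203.0.113.5", "198.51.100.7"}


def run_filter(log_text: str, period: float = 10.0, threshold: int = 5):
    """Replay the log; returns the per-line decisions and the filter state."""
    flt = CountAndHopFilter(period, threshold)
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, ttl = line.split()
        decision = flt.decide(ip, int(ttl), float(ts))
        if decision == "VERIFY":
            flt.record_verification(ip, int(ttl), ip in PASSING_SOURCES)
        decisions.append(decision)
    return decisions, flt
```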
Amongst other approaches, Shamsolmoali et al. [55] proposed statistical filtering based attack detection. The proposed approach calculates the divergence between normal traffic and attacker traffic on the basis of the Jensen-Shannon Divergence [56]. Initially, they have used the traditional TTL based differentiation among the legitimate users and spoofed attackers. After IP spoofing filtering, they have applied the Jensen-Shannon Divergence to identify the anomalies in the traffic, achieving around 97% accuracy. There are a few performance issues with the TTL based approach. TTL based filtering is not useful unless we have a large database of actual TTL values of genuine requests, obtained using probing [57]. This has not been addressed by the work in [55]. In [58], authors derived the web behavior using IP and TCP header fields. By this, they could calculate the confidence value in the detection strategy. The major idea of this work was the claim that IP address and TTL values are related in multiple past contributions; therefore, the same can be extended to other fields in IP and TCP headers, and a score for each incoming packet can be calculated. Jeyanthi et al. [59] have proposed an approach where they detect the DDoS attack on the basis of entropy. This is supported by the "Helinger" distance, which differentiates between the attack and genuine traffic distributions. The authors have used traffic rate and entropy, and predict arrival rates of incoming traffic based on history. Authors in [40] have demonstrated an application specific way of differentiating web requests based on their behavior on an e-commerce site. This work has created two client profiles, one for good clients and another one for bad clients. Based on user walk-through on pages, purchases, and searches, these profiles are created and the priority of customers is decided. The resource access pattern of clients is the main idea used to detect attackers. In [60], authors created a normal web profile which includes HTTP and XML header features. The number of elements, content length and depth have been used to create normal user profiles. Outliers are identified which deviate from these profiles. Authors in [61] argued that an attacker would not spend any time on a page but would request pages like a flood. They have gathered the TSP behavior of users as well as of bots and identified that the attackers' TSP is mostly negligible, or, even if it is not near zero, it is constant or periodic.

The most important strength of these attack detection techniques lies in the machine learning of the past history of benign traffic or the attack traffic. With the advent of paradigms such as big data analytics and software defined networks, these detection methods have gained much importance in quick attack detection and monitoring. A detailed survey of detection techniques is presented for traditional infrastructures in [5]. These techniques are now becoming popular for cloud targeted attacks.

The major challenges for detection techniques lie in the behavior identification in terms of features and their training. The most important evaluation criteria for these methods lie in the false alerts (positives and negatives) they generate during the testing of the incoming traffic. Another important challenge lies in stopping the IP spoofing which can defeat many of the detection strategies.

6.2. Source/Spoof Trace (D2)

Multiple trace back algorithms have been proposed in the literature, which identify and stop the spoof attack by tracing the source. Source traceback schemes are employed to stop/detect the identity spoofing techniques. These techniques are important as most of the detection/prevention methods model the user behavior or profile based on some identity, which is mostly an IP address in the case of web access. In the attack cases where IP spoofing is employed, the detection mechanisms can be defeated very easily.

Solution category           | Contribution | Major theme of the contribution
Anomaly Detection (D1)      | [52]         | Anomaly traffic detection using Zipf's law
                            | [53]         | Co-variance profiling of IP/TCP flags [56]
                            | [55]         | Filtering based on Jensen-Shannon Divergence
                            | [79]         | Co-relation based attack flow analysis
                            | [58]         | IP/TCP flags based confidence filtering
                            | [59]         | "Helinger" distance based multi-stage solution
                            | [40]         | User profiling using walk-through on site pages
                            | [60]         | Filtering using SOAP headers
                            | [17]         | Identification of a genuine web session
                            | [61]         | Profiling based on time spent on the pages
Source and Spoof Trace (D2) | [63]         | Back propagation neural networks tracing
                            | [65]         | SOA-Based Trace back to reconstruct the path
                            | [66]         | OS fingerprinting to stop IP spoofing
                            | [68]         | Multi-stage source checking using text puzzles
                            | [67]         | Source authentication using token at each router
                            | [69]         | Source tracing based on location parameters
                            | [62]         | Deterministic packet marking of ingress routers
                            | [80]         | Multiple filters to stop spoofing
                            | [57]         | TTL probing to find genuine TTLs
                            | [70]         | Statistical filtering based spoof detection
Count Based Filtering (D3)  | [38]         | Hop count and request frequency thresholds
                            | [34]         | TTL matching to detect IP spoofing
                            | [44]         | Request threshold for a human in unit time
                            | [71]         | Threshold on number of connections by a source
                            | [57]         | TTL probing to find genuine TTLs
                            | [42]         | Request count threshold by each source
BotCloud Detection (D4)     | [72]         | Network/VMM checks to find attack VMs
                            | [73]         | CSP driven attack flow check and source trace
                            | [74]         | Bot detection in VMs using NetFlow
                            | [75]         | Hypervisor led collaborative egress detection
                            | [76]         | Virtual Machine Introspection (VMI)
Resource Usage (D5)         | [77]         | VM resource utilization threshold for detection
                            | [72]         | Resource counters and traffic thresholds for VMs
                            | [81]         | Resource usage anomalies and introspection
                            | [51]         | DDoS aware auto-scaling to combat EDoS
                            | [78]         | Resource usage of attack target servers

Table 5: DDoS Attack Detection Techniques based on Pattern Detection

Let us have a look at some techniques related to this subclass of solutions. In [63] authors have done the same for SOAP requests. The authors have used back propagation neural networks to tackle both the popular variants of the DDoS attack, which are HTML DoS and XML DoS. Authors in [65] drop all spoofed packets at edge routers using egress filtering. The authors proposed a method to identify the source of the attack by a "Service Oriented Architecture (SOA)" based technique. They proposed a source trace back method by introducing an additional server before the real web server. This additional server is known as SBTA (SOA-Based Trace back Approach), which marks each packet with a cloud trace back tag and also reconstructs the path to know the source. The proposed method uses a database to store and compare each incoming packet, and it requires an additional server to mitigate the attack. Osanaiye et al. in [66] have proposed an IP spoofing detection method which is based on matching the OS versions of both the attackers and the real IP owners. The authors have argued that the OS fingerprint of the spoofed attacker can be found out by asking the real OS fingerprint from the owner. Source authentication approaches have also been used in [67], where a cryptographic token can be verified at each router to authenticate the source. A source checking approach has also been used in [68]. Source traceback approaches are also dealt with by hop count or TTL values, which we discuss in Section 6.3. Other important contributions include tracing sources by location [69] and statistical filtering [70]. There are major surveys available in this direction where works related to botnets, their trends, and detection methods are covered [64].

The source traceback and spoof identification methods are very important for all the detection methods. However, being a cooperative detection mechanism, these methods require support from many other network devices such as edge routers, and services. Additionally, the IP address being a "source provided address", it is extremely difficult to design spoof protection against massive spoofing by large scale botnets.

6.3. Count Based Filtering (D3)

This specific classification on "Count Based Filtering" also fits a few attack prevention mechanisms; however, many a time thresholds are used to detect the initialization of an attack and later can be used to identify the presence of the attack. The parameters on which these count thresholds are applied are basically network resources such as hop-count, number of connections or number of requests in a unit time from a single source.

Authors in [38] proposed a detection scheme where, apart from other schemes, a hop count filter has been used to identify spoofed packets. Similarly, authors in [34] have used TTL values alone for the purpose of DDoS prevention cum detection. As per this work, TTL values corresponding to various IP addresses are stored in white and black lists. If there is a new request then it is sent to a graphical Turing test and, on the basis of verification, it is added to the white list or black list. Those who are in the white-list but with a different TTL are also sent to the Turing test, and on success their TTL value is updated. The authors in this paper extended their earlier work of the EDoS Shield [35] and improved it for the case of IP spoofing. Their solution is based on hop-count diversity, where attacker packets are claimed to have the same hop count, and thus they can be detected. In this strategy, if a user sends N requests in period P, access to this user is only allowed if his request count is less than threshold TH. Authors in [44] used request count on the basis of human behavior and dropped all subsequent requests from the same IP for a finite period. Authors in [38] have proposed a method to mitigate HTML and XML DDoS attacks by multiple level filtering on the basis of client puzzles, hop count and packet frequency. Various filters at the server side incur significant overheads and latency for ordinary users. Similarly, authors in [42] used the request count method to identify attackers and blacklist them. DDoS Deflate [71] is a popular open source DDoS detection tool which is dependent upon the threshold of the number of connections established by each source.

The major strength of these solutions lies in their easy deployment and support by the available OS level firewalls such as iptables and APF. These methods also give administrators quick control over the situation. However, these methods may not suit the requirements of all the users, as the thresholds for a whole domain behind a NAT may not be similar to the thresholds required for dependent web-services. Additionally, methods such as TTL/hop-count require a user database which has the actual hop-counts/TTLs. Other issues arise due to a variety of heterogeneous implementations of hop-count in different systems. On the other hand, IP spoofing techniques may defeat the (non-TTL) schemes. Overall, the false positives or negatives are important performance issues related to these count based filtering approaches.

6.4. BotCloud Detection (D4)

Any cloud DDoS attacker may also use cloud infrastructure for its own nefarious purpose. Cloud infrastructure can be used for the purpose of installing botnets. These clouds are known as BotClouds. This subcategory describes the contributions which try to find or detect the internal attack VMs in the cloud network. Most of these BotCloud related solutions are source based or Cloud Service Provider (CSP) based approaches.

Authors in [72] have presented a cloud level detection method to identify if there are attacker bots running inside hosted VMs. This has been achieved by network level and VMM level checks. Another contribution in this direction applies Virtual Machine Introspection (VMI) and data mining techniques to separate the infected VMs from other VMs in multi-tenant VMs [76]. The authors had prepared a list of typical actions of malware bot infected VMs and used a clustering algorithm to identify the infected VMs based on the training. However, these methods are not capable of detecting all kinds of attack flows such as zero-day or stealthy flows. On the other hand, this kind of detection method only works at the edge of the attack originating cloud. In case the CSP does not provide support for such detections, these attacks may become massive, utilizing the profound resources of cloud computing.

6.5. Resource Usage (D5)

Utilization of various resources of the cloud or a physical server by a VM can also provide important information about the presence of a DDoS attack or an anticipation of an upcoming DDoS attack. Cloud environments run Infrastructure as a Service clouds using virtualized servers, where the hypervisor can monitor the resource usage of each VM on a physical server. Once these VMs start reaching the decided resource utilization thresholds, the possibility of an attack can be suspected.

In [77], authors provided solutions on the basis of the available resources with VMs and their upcoming requirements. Similarly, [72] used performance counters and traffic to identify the resource usage of VMs and devise possible mitigation of the attack. Resource utilization possesses a very important and indirect metric to identify the possibility of an attack. Authors in [78] used resource limits as the sole method of DDoS detection and then proposed mitigation methods. Authors in [51] implemented a DDoS aware resource allocation strategy in which the overloaded VMs are not directly flagged for resource increase. Instead, the authors propose to segregate the traffic and increase the resources only on the basis of the demands of genuine flagged requests. Authors in [81] have modeled the resource usage anomalies of VMs using virtual machine introspection to detect the possibility of a resource surge due to the DDoS attack.

DDoS attacks being resource intensive attacks provide an indirect relationship for the success of these resource usage based profiling and detection methods. Auto-scaling mechanisms are triggered on the basis of "overload" and "underload" states of the targeted VMs. This aspect also provides a possible correlation between the VM resource usage and a DDoS originated resource surge. The limitation of this set of approaches lies in the interpretation of the high resource utilization. It is very difficult to conclude
There are other BotCloud related solutions available whether the resource surge is due to the attack or due to the in [73] [74] [75]. Authors in [73] provide a solution where the real traffic. As the resource surge only gives a alert about the cloud provider checks the traffic flow and perform the anomaly possible resource surge, we may require other supplementary detection using source traceback techniques at the network. Au- detection mechanisms. thors in[74] provide a solution based on SDN approaches using After discussing the attack detection solution at length, it is Bot detection with the help of NetFlow protocol. Hypervisor clear that the traffic filtering based on the attack patterns is a based checks are used to detect the vulnerabilities in the guest major part of the DDoS attack solutions. Most of the methods VMs in [75] where collaborative egress detection technique is are based on machine learning artifacts and provides a way to employed. Advanced methods such as one in [76] propose a control the input traffic. However, the detection methods alone detection using virtual machine introspection (VMI). may not suffice for the purpose of integral protection from the The major strength of these methods lie in their deployment DDoS attacks. The role of attack prevention solutions for the at the CSP end. By this, CSP has a control to monitor at the first hand protection and the role of attack mitigation solutions network edge for any anomaly in the traffic behavior or other to ensure the resource availability for effective mitigation, can performance counters. not be ignored. 13 Techniques Strengths Challenges Limitations Contributions Provides a quick relief to Correctly deciding False alarms may lead to Resource [16][82][78] resource bottlenecks re- whether and when extra EDoS. 
Co-hosted VMs may Scaling (M1) [72][51] source bottlenecks resources are required also be affected Migrating the DDoS Migration candidate Migration costs and over- Victim Migra- victim service to other selection and migration heads. Subsequent migra- [77][72][83] tion (M2) servers which helps in tions/swaps in cloud minimizing losses host selection Minimize the resource Quick and dirty checks to ensure the availability of OS Resource contention formed due Better checks needed to contention. It may affect Management to the attack at the vic- ensure the availability of [84][85] the performance of the vic- (ORM) (M3) tim service-end to have contention tim servers due to contain- timely attack mitigation ment Software Abstract and timely view SDN may itself become Mostly useful at network Defined of the network and the [86][87][14] an easy target of the boundaries and ISP level Networking incoming traffic using [88][89][87] DDoS attacks network control (SDN)(M4) controllers Solutions may not cater var- Cloud based hybrid mit- Cost overhead issues. DDoS Mit- ious kinds of applications igation using extra re- Methods are mostly igation and attacks. Local is- [90][91][92] sources or remote traffic similar to the on-premise as a Service sues may not be visual- [46][45] monitoring and preven- solutions but mitigation (DMaaS)(M5) ized by DDoS mitigation-as- tion services expertise is an advantage a-service
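The count-based filtering of Section 6.3 combines two checks that the survey only describes in prose: a per-source request threshold ("N requests in period P, allowed only below TH") and a TTL/hop-count consistency test in the spirit of [34] and [57]. The following block is an added example, not code from the surveyed paper or from any cited work; the request records are constructed, and the threshold, window, blacklist duration and initial-TTL table are assumed values.

```python
"""Count-based filtering with a TTL/hop-count consistency check.

Added example for Section 6.3; it is not code from the surveyed paper or
from any cited work. The request records below are constructed to stand
in for a web server's access log enriched with the IP TTL of each request.
Two checks are applied per source:

1. Request-count threshold: more than TH requests in any sliding window
   of P seconds blacklists the source for BLOCK_SECONDS (the "N requests
   in period P" rule discussed in the text). TH, P and BLOCK_SECONDS are
   assumed values.
2. TTL consistency, in the spirit of the TTL/hop-count filters of [34]
   and [57]: the first request from a source fixes its hop count
   (inferred from the observed TTL); a later request whose inferred hop
   count differs is flagged as probable spoofing. A deployment would send
   such a request to a Turing test before updating the stored value.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional

TH = 5              # max requests per source per window (assumed)
P = 10.0            # window length in seconds (assumed)
BLOCK_SECONDS = 60  # blacklist duration in seconds (assumed)

# Initial TTLs used by common operating systems. The hop count is the
# distance from the nearest initial TTL at or above the observed value;
# it is an estimate, since a host may use a non-default initial TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(ttl: int) -> int:
    """Infer the hop count from an observed TTL in 1..255."""
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl


@dataclass
class SourceState:
    times: Deque[float] = field(default_factory=deque)  # timestamps in window
    hops: Optional[int] = None                          # hop count on first sight
    blocked_until: float = 0.0


class CountBasedFilter:
    def __init__(self) -> None:
        self.sources: Dict[str, SourceState] = defaultdict(SourceState)

    def check(self, ts: float, src: str, ttl: int) -> str:
        """Return 'allow', 'blocked', 'rate_exceeded' or 'ttl_mismatch'."""
        st = self.sources[src]
        if ts < st.blocked_until:
            return "blocked"
        hops = hop_count(ttl)
        if st.hops is None:
            st.hops = hops
        elif hops != st.hops:
            return "ttl_mismatch"          # candidate for a Turing test
        st.times.append(ts)
        while st.times and ts - st.times[0] > P:   # slide the window
            st.times.popleft()
        if len(st.times) > TH:
            st.blocked_until = ts + BLOCK_SECONDS
            st.times.clear()
            return "rate_exceeded"
        return "allow"


# Constructed sample records: (timestamp in s, source IP, observed TTL).
SAMPLE = [
    (0.0, "198.51.100.7", 57),   # 64 - 57 = 7 hops
    (1.0, "198.51.100.7", 57),
    (2.0, "203.0.113.9", 120),   # 128 - 120 = 8 hops
    (3.0, "198.51.100.7", 57),
    (4.0, "198.51.100.7", 57),
    (5.0, "198.51.100.7", 57),
    (6.0, "198.51.100.7", 57),   # sixth request within 10 s -> rate_exceeded
    (7.0, "198.51.100.7", 57),   # still blacklisted -> blocked
    (8.0, "203.0.113.9", 110),   # now 18 hops -> ttl_mismatch
    (70.0, "198.51.100.7", 57),  # blacklist expired -> allow
]


def run(records=SAMPLE):
    """Apply the filter to a record list; return [(src, verdict), ...]."""
    flt = CountBasedFilter()
    return [(src, flt.check(ts, src, ttl)) for ts, src, ttl in records]


if __name__ == "__main__":
    for src, verdict in run():
        print(f"{src:15} {verdict}")
```

The sliding window is kept per source, so the same TH/P pair is applied to every address; as the text notes, this is exactly what misbehaves for a NAT'd domain, which would need a higher threshold than a single client. The TTL check deliberately refuses rather than blacklists on a mismatch, mirroring the [34] flow in which a changed TTL sends the source back to a Turing test instead of dropping it outright.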

7. Attack Mitigation (M)

In this section, we have grouped all methods which help a victim server continue serving requests in the presence of an attack. Downtime is a major business parameter for websites, and an organization may lose a significant number of prospective customers [10]. Mitigation and recovery are complementary to each other in keeping a server alive while it is under attack. These methods are used temporarily, and once the attack subsides the server may be brought back to its original configuration.

Most of the mitigation and recovery methods proposed here relate purely to infrastructure clouds, and their solutions are in the direction of mitigating EDoS attacks. We further classify this section into five subcategories:
1. Resource Scaling.
2. Victim Migration.
3. OS Resource Management (ORM).
4. Software Defined Networking (SDN).
5. DDoS Mitigation as a Service (DMaaS).
For a quick view, the overall theme of each set of classified methods, their strengths, challenges, and weaknesses are listed in Table 6. We also prepare a list of important individual contributions in Table 7, where we enlist a brief theme of each solution to show the variety of contributions available in each subclass.

Solution category | Contribution | Major theme of the contribution
Resource Scaling (M1) | [82] | Multi-level (VM, service, application and cloud)
Resource Scaling (M1) | [78] | Dynamic resource scaling for quick detection
Resource Scaling (M1) | [72] | Resource scaling in federated clouds
Resource Scaling (M1) | [47] | Scaling to absorb the attack
Resource Scaling (M1) | [51] | Scaling based on capacity planning
Resource Scaling (M1) | [83] | Scaling over low cost untrusted CDN clouds
Migration (M2) | [77] | Victim VM migration to other physical servers
Migration (M2) | [93] | Migrating proxy entry points at overlay
Migration (M2) | [72] | Victim VM migration to other physical servers
Migration (M2) | [94] | Exploiting VM migrations using DDoS
ORM (M3) | [84] | Service resizing to reduce the resource contention
ORM (M3) | [85] | Containment to reduce the resource contention
SDN (M4) | [86] | ISP-level monitoring of traffic and routing
SDN (M4) | [87] | Strict authentication and access control
SDN (M4) | [88] | Re-configurable network monitoring and control
SDN (M4) | [95] | SDN based deep packet inspection
DMaaS (M5) | [90] | Victim cloud-based network service
DMaaS (M5) | [91] | Proof-of-work scheme and ephemeral servers
DMaaS (M5) | [92] | Hybrid (On-premise firewall plus Cloud firewall)
DMaaS (M5) | [46] | Resource caps to limit the attack effects
DMaaS (M5) | [45] | Cloud metric monitoring and alarms

Table 7: DDoS Attack Mitigation Techniques in Cloud

7.1. Resource Scaling (M1)

Dynamic auto-scaling of resources is one of the most popular features of clouds. It is also treated as one of the best mitigation methods to counter DDoS attacks, allowing server availability or continuity with scaled resources. Auto-scaling can be done horizontally, where new instances may be started on the same or a different physical server to serve incoming requests while the victim server is facing the attack. In vertical scaling, resources like CPU, memory and disk are scaled within the same VM or the same logical unit. These extra resources can help the victim machine survive the attack and keep running. One of the major disadvantages of this strategy is that it can become an advantage for the attacker: by increasing the attack strength, the attacker depletes the added resources too, generating a requirement for still more resources and shaping the attack into an EDoS [16].

We now discuss a few important contributions related to attack mitigation and recovery using resource scaling. Authors in [82] proposed a multi-level DDoS detection system for web services, in which VM owner level (tenant level), service level, application level and cloud level detection are placed to form a collaborative DDoS detection system. It is one of the solutions that utilize information from all the stakeholders in mitigating DDoS attacks. However, there might be a large overhead and other security concerns due to the information flow among multiple levels.

One of the first and most important contributions in this area which touches cloud-specific issues is by Shui Yu et al. [78]. The authors considered the dynamic resource allocation feature of the cloud to help the victim server get additional resources for DDoS mitigation; in this way, individual cloud customers are saved from DDoS attacks by dynamic resource allocation. Experiments on real website data sets show that their queuing theory based scheme works to mitigate DDoS attacks. Authors in [72] presented three different scenarios for stopping a DDoS attack in the cloud: external attacks on internal servers, internal attacks on external servers, and internal attacks. The authors provided strategies to detect the attack and recover using scaling and migrations in a federated cloud environment. Reserved resources are kept in [78] to support the server in attack times. "How much reserved resource should be kept?" is an important question, and the cost of the additional resources is a drawback: this flexibility keeps resources for a rainy day, and those resources otherwise sit idle. On the other hand, authors in [72] [51] provided a resource allocation strategy which does not scale resources on DDoS-generated resource surges alone (scaling is tied to the demand of genuine requests, as discussed in Section 6.5). Authors in [83] provided a mechanism which uses low-cost untrusted cloud servers to scale services frugally in the presence of DDoS attacks; the "CDN On Demand" platform developed there is an open-source solution supporting such a mechanism [47] [83]. Industry also advocates quick resource scaling for quick attack absorption.

Resource scaling is an important aspect of cloud computing which is also useful in maintaining service availability. The resource scaling process helps quick attack mitigation and recovery, either by adding resources to the attacked VM or by expanding the number of VM instances. However, resource scaling may also work against the overall idea of cost savings through cloud hosting. In case the attack is stealthy and the scaling remains undetected, the attack costs may increase multi-fold compared to the resource costs. A detailed discussion on the role of resource scaling and the mitigation costs is given in [96].

7.2. Victim Migration (M2)

VM migration has changed the way an entire running server is shifted to another physical machine without noticeable downtime. Migration can be used to shift the victim server to a different physical server that is isolated from the DDoS attack; once the attack is detected and mitigated, the server can be shifted back to its actual place. We discuss a few important contributions that use victim migration to mitigate DDoS attacks.

Authors in [77] proposed a strategy that keeps some reserved resources on the server: when an attack is detected, they migrate the victim to those reserved resources and bring it back to legitimate customers when the attack ceases. Downtime is one important issue when migration is chosen as the mitigation method; additionally, if the attack continues for a longer duration, the cost considerations will be high. Authors in [72] also used a similar approach. In the remedial method of [77], the server is kept in a running or serving state. The DDoS attack is detected at the level of the Virtual Machine Monitor (VMM) instead of by any packet-count-based filtering: the VMM detects a possible DDoS attack by continuously monitoring resource utilization levels, and once these reach a certain threshold it flags a DDoS attack. On that signal, the VMM migrates or duplicates the running VM and the application to a separate isolated environment on the same physical server. This isolated environment is created with the help of additional resources reserved for backup, and the "victim" VM is shifted to it in case of a DDoS attack. Once the attack is over, the VM is shifted back to its real place.

On the other hand, there are characterizations of VM migration that show how VM migrations can be exploited in DDoS attacks [21] [94]. The authors have shown in their characterization that DDoS attacks may lead to migrations which may even spread the collateral damage from one physical server to other physical servers. Other solutions, such as [93], show a different flavour of migration by migrating the proxy entry points of overlay networks at the victim server end.

Victim migration to backup resources provides a way to control the attack effects and apply attack mitigation. It may also help in scaling the service by migrating to a larger candidate host server, where the migrated server can use the additional resources to detect and mitigate the attack. There are a few issues related to the sustainability of these schemes. In particular, wastage of the additional resources, which have to be available all the time, is a major issue. Detecting a DDoS just by keeping a watch over resource utilization might not be a good idea, as utilization may also be high because of real traffic during flash events or heavy computation needs; this behaviour might lead to an unnecessary duplication into an isolated environment. Even the overhead of duplicating the system when the attack is evident might not be a wise step for the security of the server and application. The contribution in [77] has overlooked one very important aspect of DDoS attacks, namely attack duration. If the attack continues, how would the server serve legitimate consumers trying to access the service at that point in time? If it does not serve them, then "for how long will the service be down?" is an important factor. If it does serve them, there is a large overhead of transferring state and keeping data and sessions up to date.

7.3. OS Level Resource Management (M3)

There are a few recent contributions in the DDoS attack solution space for cloud computing which deal with resource management at the level of the VM operating system. These OS-level resource management methods argue that DDoS attacks, being resource-intensive, may impair the mitigation methods themselves running inside the victim VM. By minimizing contention at the level of the operating system, mitigation and recovery can be expedited.

Authors in [84] show a service resizing based method in which, once the attack is detected, the victim service is affined to a minimum set of processing units (CPUs) using OS-level controls. The authors have shown that a DDoS attack may become an "extreme DDoS" attack if the resource contention becomes severe; this contention may even delay the overall mitigation process. The authors extend this service resizing with victim resource containment in [85], where OS control groups are used to contain or isolate the victim service. They have also shown the collateral effects on other critical services co-hosted with the victim service.

These local resource management methods are shown to minimize the resource contention formed due to the attack at the victim service end, so that attack mitigation is timely. The authors report metrics related to attack mitigation in terms of attack detection time, mitigation time and reporting time, with additional features such as the attack cooling-down period, which they optimize using TCP tuning.

The major limitation of these approaches lies in their quick-and-dirty checks to ensure the availability of resource contention. These methods may also affect the performance of the victim servers due to the resource containment, with an additional cost in resources.

7.4. Software Defined Networking (M4)

Software Defined Networking (SDN) is an emerging re-configurable network paradigm which may change the whole DDoS mitigation space. At its core, SDN separates the data and control planes of switching to support network reconfigurability on the fly.

There are a few initial and ongoing works related to SDN-assisted DDoS mitigation mechanisms. Authors in [86] proposed an SDN-based solution in which ISP-level monitoring of traffic is performed and malicious traffic is routed to specially designed secure switches. In this work, the victim is required to request DDoS mitigation from the ISP. The ISP, having an abstract view of the incoming traffic, applies traffic labeling using OpenFlow switches; the suspicious traffic is then redirected to security middle-boxes which apply access policies to it. The authors have left the detection and mitigation part to the customer side. A similar proposal by the authors in [87] suggested a prototype implementation of an SDN-based detection mechanism. The major idea of this work lies in strict access control policies for the incoming traffic, which require strict authentication for each incoming request. Advanced deep packet inspection based approaches using SDN are discussed in [95]. A detailed tutorial and guideline on SDN-based solutions is given in [14].

SDN as a paradigm has immense possibilities for supporting attack mitigation for massive as well as low-rate DDoS attacks due to its reconfigurability and its quick network view and monitoring. Mitigation solutions utilizing SDN capabilities are still evolving and may become very helpful due to these features. However, studies such as [89] show that even the SDN infrastructure itself can become a victim of DDoS attacks.

7.5. DDoS Mitigation as a Service (DMaaS) (M5)

There are multiple cloud-based and third-party services which are capable of providing DDoS protection [24] [22] [25]. Mostly, DDoS protection is done on a server or on an intermediate node forwarding packets to the server. There are solutions hosted in the cloud that provide DDoS mitigation as a service [90] [91], and multiple providers in the market offer this facility. However, all of these mitigation methods are threshold/count based or human-intervention based.

On the other hand, there are not many specific products available to mitigate DDoS targeting a cloud. Authors in [92] proposed a DDoS mitigation service intended to help the physical on-premise firewall do the mitigation quickly. The proposed solution is termed a hybrid firewall, which uses both a physical firewall and a virtual firewall placed in the cloud. Amazon has started providing resource limits on EC2 instances as an initial solution. There were multiple requests from consumers to cloud providers about keeping a cap or limit on the maximum allowed resources, and subsequently cloud providers added resource consumption limit alerts for customers [46]. Additionally, Amazon has created a service, CloudWatch [45], to provide real-time information about various metrics of a service hosted in the Amazon cloud, so that the necessary steps can be taken.

Third-party mitigation services, or DDoS Mitigation as a Service, may become very helpful for attack mitigation and recovery using on-premise tools and/or cloud-based solutions. The provider's history and expertise in handling various attacks may help enterprises seeking specialized help, and a cloud-based service may also utilize the extensive resource support available in the cloud.

The major limitations of these DMaaS approaches include remote mitigation, which may not speed up the mitigation process. Additionally, victim service owners may not want to share control with third parties because of the privacy of their traffic and business logic. Other important aspects include the cost of the solutions and the sustainability requirements of the victim enterprises.

In addition to the above five categories of mitigation methods, shutdown is a trivial method to stop a DDoS attack on a server. But this method does not provide any solution to the downtime of the service, which is non-negotiable. In some approaches, the victim server is started at another place as a new instance and the present instance is shut down; this helps in starting a synced clone elsewhere, though there are high chances that the attacker will attack the new server as well. A similar idea has been proposed in [37], where attacked proxy servers are shut down and the traffic is redirected to new proxy servers.

The attack mitigation methods narrated above provide a detailed overview of the attack mitigation and recovery solutions available in the cloud computing space. The mitigation methods are usually a supportive layer of protection for the attack prevention and detection solutions. As discussed above, in the case of cloud computing the mitigation methods play a very important role due to their applicability to resource management during the attack.

8. Discussion and Future Directions

A large volume of work has been referred to while preparing this survey. With this rigorous survey, it is clear that most of the works which have emerged in this domain concentrate on the following five aspects:
1. Characterization or impact study.
2. Prevention using Turing tests.
3. Threshold or pattern based filtering.
4. Support to stop IP spoofing.
5. Resource scaling.
Most of the solutions proposed so far use one or a combination of the above approaches. Only a few solutions take auto-scaling, multi-tenancy and the utility model into account. The cloud computing infrastructure may be used to build effective mitigation solutions which ensure quick attack mitigation and timely recovery, and thereby effective service availability.

8.1. Solution Considerations

In order to offer an effective solution to DDoS in the cloud, the following features require special treatment. Each feature is discussed here with the intention of aiding the design of an ideal solution.

8.1.1. Auto-scaling

Auto-scaling in the cloud is usually triggered by the monitored metrics of a VM or of an application running inside a VM. These are resource usage metrics like CPU, memory and bandwidth, and other counters like response time and query processing time. Triggering auto-scaling results in either an increase or a decrease in allocated resources. Controlling auto-scaling, and avoiding false triggering of it, requires specific checks which can verify the real usage. These checks can be conducted at the VM level, the hypervisor level, or even at the abstract cloud level [51].

• Vertical Scaling: This feature deals with scaling on a physical server where multiple VMs are running in co-hosted isolation. Vertical scaling adds or removes resources on these VMs. The total resources available on the physical server are fixed, but each VM may have a different amount of resources at different times, depending on the resource allocation policy and the SLA. A DDoS-affected VM would continuously request more and more resources, and the idle resources available with the Cloud Service Provider would be expected to fulfill these requests. This decision is critical, as it also decides the health of the co-hosted VMs and the cost of the newly added resources [21].

• Horizontal Scaling: This scheme adds new instances of the same VM on other physical servers. These instances are created to share the load and maintain the quality of web services. An ideal composite scaling strategy would first rely on vertical scaling, followed by horizontal scaling. The decision-making process that starts more instances on more servers should look for a true need and for cost considerations. Another important point in horizontal scaling is limiting the maximum number of instances of an application. This can be decided by the cloud consumer, but such a restriction may lead to lost business.

8.1.2. Multi-tenancy

Multi-tenancy leads to proper hardware utilization of high-capacity servers, which would be underutilized if not implemented as multi-tenant environments. Vertical scaling has much flexibility when only a few VMs are running on a single machine; on the other hand, cloud providers have ROI (Return on Investment) considerations and want to host more and more VMs. Beyond this, performance isolation and performance interference should also be looked at carefully while designing the capacity of these servers. A DDoS defense mechanism and its design should reflect the protection of multi-tenant environments.

8.1.3. Pay-as-you-go model

The pay-as-you-go model is advantageous for both consumers and providers. The literature has mostly counted pay-as-you-go models as an advantage for consumers, but the model also becomes advantageous for a cloud provider when the VMs it hosts require more and more resources on a regular basis. If this additional requirement is fulfilled, the consumer pays for the additional resources and the provider benefits. Almost all solutions should keep the accounting and billing model in perspective while designing cost-aware DDoS defense solutions.

8.1.4. Migration

As described in Section 7, VM migration is a very important method for minimizing the effects of DDoS in a virtualized cloud. Migrations incur a cost in terms of downtime, configuration changes, and bandwidth usage. If the application does not have the capability to start more instances to share the load, migration is the only way to minimize the downtime and denial of service. As horizontal scaling cannot be done in such cases, the duration for which the DDoS attack lasts also plays a major role. A long attack may lead to multiple subsequent migrations here and there [21], and thus to a large number of side-effects on the cloud and other VMs. A DDoS defense mechanism should be able to minimize the number of migrations during the attack period by working closely with horizontal scaling.

8.1.5. Solution Costs

The most important motivation for enterprises to shift their service to cloud infrastructure is cost effectiveness. However, as seen in the detailed attack effects (Figure 2), DDoS attack losses may become multi-fold in cloud infrastructure compared to traditional on-premise infrastructure. The major portion of cloud users are small and medium enterprises, which makes the sustainability or budget factor an important aspect in designing solutions. Authors in [96] have detailed the cost considerations for DDoS attack solutions.

8.2. Building an effective solution

In this section, we compile details related to effective solutions to DDoS in the cloud. Even though these considerations only outline the solution space and related issues, they also give a systematic design of an ideal solution. The model shown in Figure 5 illustrates the levels at which the defense mechanism is deployed. We show five defense levels in this figure, where we also show the important services, information or monitored metrics provided at each level. The information flow among these five levels is a tricky part because of the security questions related to business logic and access control. This is a design question and can be solved by allowing only anonymized monitoring data to be transferred among these five levels. In Figure 5, we have also pointed out the specific solution design features and aspects which can be dealt with at each level.

8.2.1. Application level defense

Applications are the front ends to which attackers send requests. These applications are mostly web services which send web pages in response to users' HTTP requests. TCP SYN and ICMP floods are also sent to applications responding to them. The defense mechanism should look out for an unexpected increase in the number of requests from a set of source IP addresses; identifying these source IP addresses is the root solution to the DDoS detection problem. Most of the solutions available in the literature try to defend at the application level [32][35]. These solutions include Turing tests, request frequency and hop count based filtering. For efficiency, the following three design aspects are considered.

• Mitigation Efforts: The effort required to identify and prevent an attacker is usually more than the effort required to serve the attacker as a normal user. Many times, complex defense schemes check multiple filters, and each request has to go through all of them. A lengthy and complex mechanism may incur large computation and storage costs. A defense mechanism may get into an "Indirect EDoS" due to heavy filtering effort and fall victim to puzzle accumulation attacks [97].

• Accessibility: The accessibility of a normal user should not be compromised. Many times the usability of a web service is affected by special test mechanisms and other defense mechanisms. Usability is very important, and surveys have shown that even a delay of 1 second in page loading time may affect the conversion rate [20]. Such mechanisms may lead to higher response times and usability problems for many users, especially for elderly or differently abled persons.

• Request rates: Attacks are not always obvious high-rate flooding attacks. Low-rate but continuous attacks may also affect a server's economic aspects [17]; in [17], the authors have shown that sending one request per minute for a month also incurs a cost.

Other important metrics and solution requirements for application level defense have already been discussed in Section 7. Most of the solutions related to attack detection (Section 6) and attack mitigation (Section 7) are applicable to the VM/OS level, the hypervisor level and the cloud level of defense.

8.2.2. VM/OS level defense

A VM running on a hypervisor runs a complete operating system. An eye over the resource usage of specific processes, their creation, and their object fetch cycles may provide a clue for attack monitoring. Many consequences of EDoS occur due to decisions taken at this level. At present, there are very few solutions in this direction [82]. In addition to all these features, performance isolation is one of the most important assurances required at this level [21]. Local resource management at the level of the victim operating system can be very effective in managing DDoS attacks [84][85]. These solutions advocate minimizing the resource contention created by the DDoS attack, which may help in minimizing the overall downtime (detailed in Section 7.3).

8.2.3. Hypervisor level defense

A hypervisor is the control and management layer (a bare-metal hypervisor like XenServer) which handles the most important task of "Vertical Scaling". Scheduling VMs, managing

[Figure 5 (partially extracted): defense levels with the design aspects noted at each. Application level defense: attack efforts, accessibility, request frequency. VM/OS level defense: scheduling needs, process usage, traffic monitoring.]

System Hypervisor/Physical Resource Profiling Isolation Defense Server Level Defense Usage

Traffic Auto Cloud Level Defense Migrations Monitoring Scaling

External ISP Level Defense Attack Backup Attack Defense Directions Lines Origins

Figure 5: Solution Hierarchy with Three Solution Levels their memory and storage are some of the most important areas Authors argued that the perimeter based mitigation method can where an effective monitoring mechanism could be employed. sustain the defense against attacks even if 40% of the customer Additionally, this level can be controlled by the “Cloud” level networks are “attacker” networks. Another important work in which can send/receive important alerts and take appropriate this direction is proposed by [101]. The major idea of this decisions. There are some mitigation solutions which have par- work is to look for abrupt traffic changes across networks us- tially used this level for defense [82][72]. ing attack-transit routers at ISP networks. These changes are modeled and detected using distributed change-point detection 8.2.4. Cloud level defense mechanism utilizing special constructs known as change ag- Cloud level defense may want to look at the amount of traf- gregation trees (CAT). Authors have also given a trust policy fic coming-in and going-out to have a top level abstract idea among networks to cure these attacks collaboratively. In Fig- of the attack. At this level, any anomaly in the normal behav- ure 5, we show three defense abstractions which are formed ior can be detected. Additionally, decisions regarding “Hori- using the five defense levels discussed above. zontal Scaling” are also taken at this level which take migra- 1. Application Defense which is formed using attack preven- tions and cost into considerations. A solution which involves tion mechanisms. communication between hypervisor and cloud manager would 2. System Defense which is formed by three defense levels be a good design to deal with the defense mechanisms. Few (VM/OS, hypervisor and cloud). novel solutions, which are based on cloud level of defense 3. External Defense which is formed using ISP level and are [41][78][82][72][92]. 
Network level defense capabilities third party defense. provided by SDN infrastructures can also become very helpful Considering above facts, we provide following major solution at this level to gain the quick control of the network (detailed in designs to DDoS attacks in cloud computing. Section 7.4). 1. Application Defense : This is a design which considers defense at application level only. This level of defense is 8.2.5. ISP level defense the most used and helps in the multi-tenant environment Defense at the ISP level [98] can be of immediate help for where each hosted VM should be isolated because of mul- DDoS attacks originating from specific networks. Projects like tiple virtualization and data security threats. Most solu- Digital Attack Map [99] may be used as a handy reference here. tions in the literature follow this design but it is also clear Even a chokedline bya DDoScan be replacedby an ISP by an- that this design alone is not suitable to take care of aspects other backup line for recovery from the attack. Both cloud and of cloud. ISP level should keep a close watch over the incoming/outgoing 2. Application Defense + System Defense : If this design traffic generated to limit them by some mechanisms. DDoS can be implemented with ease than it can be proven as one target networks, as well as DDoS originating networks, may of the effective solutions as the defense mechanism would be identified by the ISP collaborations. Authors in [100] have take advantage of the information from multiple sub-levels proposed a method which works on filtering at edge routers of in “System Defense”. The information gathered and sup- the network. Authors have proposed three mechanisms to pro- plied by the Level “Application Defense” would be im- vide ISP supported DDoS defense mechanisms. Authors have portant in taking pro-active decisions at level “System De- shown the effectiveness of the mechanism through simulations. fense”. 19 3. 
System Defense/System Defense + External Defense : this attack at a larger level. As discussed in the survey, multi- Both of these solutions would work at the system level to level solutions specifically designed for cloud and its features defend the DDoS attack. The difference is that the later would surely perform better as compared to traditional DDoS will use the ISP support. “System Defense” alone would solutions. Cost and attack aware resource allocation algorithms be effective, however, identifying the “True positives” and in the cloud would help in mitigating the attack. Finally, the “False Negatives” is the most important concern here. As multi-layer solution guideline based solutions can be tested to without actual verification of attack traffic from “Applica- have their effective evaluation in cloud infrastructure. tion Defense’ level, this defense would lack effectiveness. 4. Application Defense + System Defense + External De- fense : This is a complete design with multi-level support Acknowledgments and information or alert flow. After solving the data secu- Gaurav Somani is supported by a Teacher Fellowship under rity and business logic theft issues among levels, it would Faculty Development Program funded by University Grants be an ideal design solution for an Infrastructure cloud. Commission under XII Plan (2012-2017). This work is also supported by SAFAL (Security Analysis Framework for We have shown various performance and evaluation metrics Android Platform) project funded by Department of Elec- related to the DDoS attack solutions in Table 2. All those met- tronics and Information Technology, Government of India. rics are applicable here and may be used for creating effective Mauro Conti is supported by a Marie Curie Fellowship funded solutions as per design abstractions discussed above. by the European Commission (agreement PCIG11-GA-2012- 321980). This work is also partially supported by the EU 9. Summary and Conclusions TagItSmart! 
Project (agreement H2020-ICT30-2015-688061), the EU-India REACH Project (agreement ICI+/2014/342- 896), the Italian MIUR-PRIN TENACE Project (agreement This work provides a comprehensive and detailed survey 20103P34XC), and by the Project Tackling Mobile Mal- about the DDoS attacks and defense mechanisms eventually ware with Innovative Machine Learning Techniques funded by available in the cloud computing environment. We have shown the University of Padua. Rajkumar Buyya is supported by through the discussion that EDoS attack is a primary form of Melbourne-Chindia Cloud Computing (MC3) Research Net- DDoS attack in the cloud. DDoS attacks have importantcharac- work and the Australian Research Council via Future Fellow- teristics which play an important role while considering utility ship program. computing models. This paper introduces the cloud comput- ing features which are critical in order to understand the DDoS References attack and its impact. We have also presented attack statistics, its impact, and char- [1] B. R. Kandukuri, V. R. Paturi, A. Rakshit, Cloud Security Issues, in: Services Computing, 2009. SCC ’09. IEEE International Conference on, acterization by various contributors. We propose a novel com- 2009, pp. 517–520. doi:10.1109/SCC.2009.84. prehensive taxonomyof DDoS attack defense solutions in cloud [2] L. M. Kaufman, Can public-cloud security meet its unique challenges?, computing. We believe that this survey would help to provide IEEE Security & Privacy 4 (8) (2010) 55–57. a directional guidance towards requirements of DDoS defense [3] L. M. Kaufman, Data Security in the World of Cloud Computing, IEEE Security & Privacy 7 (4) (2009) 61–64. doi:10.1109/MSP.2009.87. mechanisms and a guideline towards a unified and effective so- [4] D. Zissis, D. Lekkas, Addressing Cloud Computing Security Is- lution. There are a large number of solutions which have tar- sues, Future Generation Computer Systems 28 (3) (2012) 583 – 592. 
geted the DDoS attack from one of the three solution categories doi:http://dx.doi.org/10.1016/j.future.2010.12.006. of attack prevention, detection, and mitigation. Among these [5] J. Mirkovic, P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, SIGCOMM Comput. Commun. Rev. 34 (2) (2004) 39–53. solutions, there are few contributions which are targeting at doi:10.1145/997150.997156. cloud-specific features like resource allocation, on-demand re- [6] S. Mansfield-Devine, The growth and evolution of DDoS, Network Se- sources, botcloud detection, and network reconfiguration using curity 2015 (10) (2015) 13–20. SDNs. We also provide a comprehensive list of performance [7] Kaspersky Labs, Global IT Security Risks Survey 2014 - Distributed De- nial of Service (DDoS) Attacks, http://media.kaspersky.com/en/ metrics of these solution classes for their evaluation and com- B2B-International-2014-Survey-DDoS-Summary-Report.pdf parison. We believe that this novel attempt of presenting the (2014). complete set of evaluation metrics for a variety of DDoS solu- [8] P. Nelson, Cybercriminals Moving into Cloud Big Time, Report Says, http://www.networkworld.com/article/2900125/malware- tions may help in orchestrating the benchmarking of upcoming cybercrime/criminals-/moving-into-cloud-big-time- solutions. says-report.html (2015). At the end, we have provided a detailed guideline for effec- [9] Tara Seals, Q1 2015 DDoS Attacks Spike, Targeting Cloud, tive solution design. This effective solution guideline provides a http://www.infosecurity-magazine.com/news/q1-2015- ddos-attacks-spike/ (2015). complete view of solution design space and parameters to help [10] SPAMfighter News, Survey - With DDoS Attacks Companies Lose future defense mechanisms. 
This survey may play an important around Euro 100k/Hr, http://www.spamfighter.com/News- role in providing the basis for the innovative and effective so- 19554-Survey-With-DDoS-/Attacks-Companies-Lose- lutions to prevent and deter DDoS attacks in cloud computing. around-100kHr.htm (2015). [11] R. Cohen, Cloud Attack: Economic Denial of Sustainability (EDoS), Characterization at the level of a cloud as a whole and mul- http://www.elasticvapor.com/2009/01/cloud-attack- tiple clouds would really help in understanding the impact of economic-denial-of.html (2009). 20 [12] S. Yu, Distributed Denial of Service Attack and Defense, Springer Briefs jwala, M. Kumar, Mitigating Economic Denial of Sustainability in Computer Science, Springer, 2014. (EDoS) in Cloud Computing Using In-cloud Scrubber Service, in: [13] T. Peng, C. Leckie, K. Ramamohanarao, Survey of Network-based De- Proceedings of the 2012 Fourth International Conference on Com- fense Mechanisms Countering the DoS and DDoS Problems, ACM putational Intelligence and Communication Networks, CICN ’12, Comput. Surv. 39 (1). doi:10.1145/1216370.1216373. IEEE Computer Society, Washington, DC, USA, 2012, pp. 535–539. [14] Q. Yan, R. Yu, Q. Gong, J. Li, Software-Defined Networking (SDN) doi:10.1109/CICN.2012.149. and Distributed Denial of Service (DDoS) Attacks in Cloud Com- [34] F. Al-Haidari, M. H. Sqalli, K. Salah, Enhanced EDoS-Shield for Miti- puting Environments: A Survey, Some Research Issues, and Chal- gating EDoS Attacks Originating from Spoofed IP Addresses, in: 2012 lenges, Communications Surveys Tutorials, IEEE PP (99) (2015) 1–1. IEEE 11th International Conference on Trust, Security and Privacy in doi:10.1109/COMST.2015.2487361. Computing and Communications, IEEE, 2012, pp. 1167–1174. [15] O. Osanaiye, K.-K. R. Choo, M. Dlodlo, Distributed denial of service [35] M. H. Sqalli, F. Al-Haidari, K. 
Salah, EDoS-Shield - A Two-Steps Miti- (DDoS) resilience in cloud: Review and conceptual cloud DDoS mit- gation Technique against EDoS Attacks in Cloud Computing, in: Utility igation framework, Journal of Network and Computer Applications 67 and cloud computing (UCC), 2011 Fourth IEEE International Confer- (2016) 147 – 165. doi:http://dx.doi.org/10.1016/j.jnca.2016.01.001. ence on, IEEE, 2011, pp. 49–56. URL http://www.sciencedirect.com/science/article/pii/ [36] W. Alosaimi, K. Al-Begain, A New Method to Mitigate the Impacts S1084804516000023 of the Economical Denial of Sustainability Attacks Against the Cloud, [16] M. Stillwell, D. Schanzenbach, F. Vivien, H. Casanova, Resource Allo- in: Proceedings of the 14th Annual Post Graduates Symposium on cation Algorithms for Virtualized Service Hosting Platforms, Journal of the convergence of Telecommunication, Networking and Broadcasting Parallel and distributed Computing 70 (9) (2010) 962–974. (PGNet), 2013, pp. 116–121. [17] J. Idziorek, M. Tannian, Exploiting Cloud Utility Models for Profit and [37] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, A. Stavrou, A Moving Target Ruin, in: Cloud Computing (CLOUD), 2011 IEEE International Con- DDoS Defense Mechanism, Computer Communications 46 (2014) 10– ference on, IEEE, 2011, pp. 33–40. 21. [18] J. J. Santanna, R. van Rijswijk-Deij, R. Hofstede, A. Sperotto, M. Wier- [38] T. Karnwal, T. Sivakumar, G. Aghila, A Comber Approach to Protect bosch, L. Zambenedetti Granville, A. Pras, Bootersan analysis of ddos- Cloud Computing Against XML DDoS and HTTP DDoS Attack, in: as-a-service attacks, in: Integrated Network Management (IM), 2015 Electrical, Electronics and Computer Science (SCEECS), 2012 IEEE IFIP/IEEE International Symposium on, IEEE, 2015, pp. 243–251. Students’ Conference on, IEEE, 2012, pp. 1–5. [19] A. Beloglazov, R. Buyya, Optimal online deterministic algorithms and [39] T. Anderson, T. Roscoe, D. 
Wetherall, Preventing Internet Denial-of- adaptive heuristics for energy and performance efficient dynamic con- Service with Capabilities, ACM SIGCOMM Computer Communication solidation of virtual machines in cloud data centers, Concurrency and Review 34 (1) (2004) 39–44. Computation: Practice and Experience 24 (13) (2012) 1397–1420. [40] M. Masood, Z. Anwar, S. A. Raza, M. A. Hur, EDoS Armor: A Cost [20] TagMan, Just One Second Delay In Page-Load Can Cause 7% Effective Economic Denial of Sustainability Attack Mitigation Frame- Loss In Customer Conversions, http://www.tagman.com/mdp- work for E-commerce Applications in Cloud Environments, in: Multi blog/2012/03/just-one-second-delay-in-page-load-can- Topic Conference (INMIC), 2013 16th International, 2013, pp. 37–42. cause-7-loss-in-customer-conversions/ (2013). doi:10.1109/INMIC.2013.6731321. [21] G. Somani, M. S. Gaur, D. Sanghi, M. Conti, DDoS attacks in Cloud [41] Q. Jia, H. Wang, D. Fleck, F. Li, A. Stavrou, W. Powell, Catch Me If Computing: Collateral Damage to Non-targets, Computer Networks You Can: A Cloud-Enabled DDoS Defense, in: Dependable Systems 109 (2) (2016) 157–171. and Networks (DSN), 2014 44th Annual IEEE/IFIP International Con- [22] Akamai Technologies, Akamai’s State of the Internet Q4 2013 Execu- ference on, IEEE, 2014, pp. 264–275. tive Summary, Volume 6, Number 4, http://www.akamai.com/dl/ [42] N. Jeyanthi, P. Mogankumar, A Virtual Firewall Mechanism Using akamai/akamai-soti-q413-exec-summary.pdf (2013). Army Nodes to Protect Cloud Infrastructure from DDoS Attacks, Cy- [23] Neustar News, DDoS Attacks and Impact Report Finds Unpre- bernetics and Information Technologies 14 (3) (2014) 71–85. dictable DDoS Landscape, http://www.neustar.biz/about- [43] Z. A. Baig, F. 
Binbeshr, Controlled Virtual Resource Access to Miti- us/news-room/press-releases/2014/neustar-2014-ddos- gate Economic Denial of Sustainability (EDoS) Attacks Against Cloud attacks-and-impact-report-finds-unpredictable-ddos- Infrastructures, in: Proceedings of the 2013 International Confer- /landscape#.U33B_nbzdsV (2014). ence on Cloud Computing and Big Data, CLOUDCOM-ASIA ’13, [24] P. Technologies, http://www.prolexic.com/ (2014). IEEE Computer Society, Washington, DC, USA, 2013, pp. 346–353. [25] Arbor Networks, Understanding the nature of DDoS attacks, http: doi:10.1109/CLOUDCOM-ASIA.2013.51. //www.arbornetworks.com/asert/2012/09/understanding- [44] B. Saini, G. Somani, Index Page Based EDoS Attacks in Infrastructure the-nature-of-ddos-attacks/ (2014). Cloud, in: International Conference on Security in Computer Networks [26] L. Munson, Greatfire.org faces daily $30,000 bill from DDoS and Distributed Systems, Springer, 2014, pp. 382–395. attack, https://nakedsecurity.sophos.com/2015/03/20/ [45] Amazon, Amazon CloudWatch, https://aws.amazon.com/ greatfire-org-faces-daily-/30000-bill-from-ddos- cloudwatch/ (2014). attack/ (2015). [46] AWS Discussion Forum, https://forums.aws.amazon.com (2016). [27] Arbor Networks, Worldwide Infrastructure Security Report Volume XI. [47] Amazon Web Services, AWS Best Practices for DDoS Resiliency, (2015). https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_ [28] ReviewMyLife.co.uk, Amazon CloudFront and S3 maximum cost, June2015.pdf (2015). http://www.reviewmylife.co.uk/blog/2011/05/19/amazon- [48] D. Dean, A. Stubblefield, Using Client Puzzles to Protect TLS, in: cloudfront-and-s3-maximum-cost/ (2011). USENIX Security Symposium, Vol. 42, 2001. [29] S. VivinSandar, S. Shenai, Economic Denial of Sustainability (EDoS) in [49] D. 
Leggett, CAPTCHAs tough on sales common way to test user tol- Cloud Services Using HTTP and XML Based DDoS Attacks, Interna- erance, http://www.uxbooth.com/articles/captchas-tough- tional Journal of Computer Applications 41 (20) (2012) 11–16. on-sales-common-way-to-/test-user-tolerance/ (2009). [30] N. Vlajic, A. Slopek, Web Bugs in the Cloud: Feasibility Study of a New [50] P. Du, A. Nakao, DDoS Defense as a Network Service, in: 2010 IEEE Form of EDoS Attack, in: Globecom Workshops (GC Wkshps), 2014, Network Operations and Management Symposium - NOMS 2010, 2010, IEEE, 2014, pp. 64–69. pp. 894–897. doi:10.1109/NOMS.2010.5488345. [31] G. Somani, M. S. Gaur, D. Sanghi, DDoS Protection and Security Assur- [51] G. Somani, A. Johri, M. Taneja, U. Pyne, M. S. Gaur, D. Sanghi, ance in Cloud, in: Guide to Security Assurance for Cloud Computing, DARAC: DDoS Mitigation using DDoS Aware Resource Allocation in Springer, 2015, pp. 171–191. Cloud, in: 11th International Conference, ICISS, Kolkata, India, De- [32] S. H. Khor, A. Nakao, sPoW: On-demand Cloud-based EDDoS Mitiga- cember 16-20, 2015, Proceedings, 2015, pp. 263–282. tion Mechanism, in: HotDep (Fifth Workshop on Hot Topics in System [52] J. Idziorek, M. Tannian, D. Jacobson, Detecting Fraudulent Use of Cloud Dependability), 2009. Resources, in: Proceedings of the 3rd ACM workshop on Cloud com- [33] M. N. Kumar, P. Sujatha, V. Kalva, R. Nagori, A. K. Katuko- puting security, ACM, 2011, pp. 61–72.

21 [53] M. N. Ismail, A. Aborujilah, S. Musa, A. Shahzad, Detecting Flooding puter and Information Science, Springer Berlin Heidelberg, 2015, pp. Based DoS Attack in Cloud Computing Environment Using Covariance 203–214. Matrix Approach, in: Proc. of the 7th International Conf. Ubiquitous [74] M. Graham, W. Adrian, S.-V. Erika, Botnet Detection Within Cloud Ser- Information Management and Communication, ACM, 2013, p. 36. vice Provider Networks Using Flow Protocols, in: Industrial Informatics [54] L. Feinstein, D. Schnackenberg, R. Balupari, D. Kindred, Statistical Ap- (INDIN), 2015 IEEE 13th International Conference on. IEEE, 2015, pp. proaches to DDoS Attack Detection and Response, in: DARPA Informa- 1614–1619. tion Survivability Conference and Exposition, 2003. Proceedings, Vol. 1, [75] H. Badis, G. Doyen, R. Khatoun, A Collaborative Approach for a Source IEEE, 2003, pp. 303–314. Based Detection of Botclouds, in: Integrated Network Management [55] P. Shamsolmoali, M. Zareapoor, Statistical-based Filtering System (IM), 2015 IFIP/IEEE International Symposium on, IEEE, 2015, pp. Against DDoS Attacks in Cloud Computing, in: Advances in Com- 906–909. puting, Communications and Informatics (ICACCI, 2014 International [76] R. M. Mohammad, C. Mauro, L. Ville, EyeCloud: A BotCloud Detec- Conference on, IEEE, 2014, pp. 1234–1239. tion System, in: In Proceedings of the 5th IEEE International Sympo- [56] J. F. G´omez-Lopera, J. Mart´ınez-Aroza, A. M. Robles-P´erez, R. Rom´an- sium on Trust and Security in Cloud Computing (IEEE TSCloud 2015), Rold´an, An Analysis of Edge Detection by using the Jensen-Shannon Helsinki, Finland, IEEE, 2015. Divergence, Journal of Mathematical Imaging and Vision 13 (1) (2000) [77] S. Zhao, K. Chen, W. Zheng, Defend Against Denial of Service At- 35–56. tack with VMM, in: Grid and Cooperative Computing, 2009. GCC’09. [57] S. J. Templeton, K. E. Levitt, Detecting Spoofed Packets, in: DARPA In- Eighth International Conference on, IEEE, 2009, pp. 
91–96. formation Survivability Conference and Exposition, 2003. Proceedings, [78] S. Yu, Y. Tian, S. Guo, D. O. Wu, Can We Beat DDoS Attacks in Vol. 1, IEEE, 2003, pp. 164–175. Clouds?, Parallel and Distributed Systems, IEEE Transactions on 25 (9) [58] Q. Chen, W. Lin, W. Dou, S. Yu, CBF: A Packet Filtering Method for (2014) 2245–2254. DDoS Attack Defense in Cloud Environment, in: Dependable, Auto- [79] P. Xiao, W. Qu, H. Qi, Z. Li, Detecting DDoS attacks against data center nomic and Secure Computing (DASC), IEEE Ninth Int. Conf. on, IEEE, with correlation analysis, Computer Communications 67 (2015) 66–74. 2011, pp. 427–434. [80] J. Zhang, Y.-W. Zhang, J.-B. He, O. Jin, A Robust and Efficient De- [59] N. Jeyanthi, N. C. S. Iyengar, P. M. Kumar, A. Kannammal, An En- tection Model of DDoS Attack for Cloud Services, in: Algorithms and hanced Entropy Approach to Detect and Prevent DDoS in Cloud Envi- Architectures for Parallel Processing, Springer International Publishing, ronment, International Journal of Communication Networks and Infor- 2015, pp. 611–624. mation Security (IJCNIS) 5 (2). [81] M. Du, F. Li, Atom: Automated tracking, orchestration and monitoring [60] T. Vissers, T. S. Somasundaram, L. Pieters, K. Govindarajan, of resource usage in infrastructure as a service systems, in: 2015 IEEE P. Hellinckx, DDoS Defense System for Web Services in a Cloud En- International Conference on Big Data (Big Data), 2015, pp. 271–278. vironment, Future Generation Computer Systems 37 (2014) 37–45. doi:10.1109/BigData.2015.7363764. [61] A. Koduru, T. Neelakantam, S. Bhanu, S. Mary, Detection of [82] A. Sarra, G. Rose, DDoS Attacks in Service Clouds, in: 48th Hawaii Economic Denial of Sustainability Using Time Spent on a Web International Conference on System Sciences, IEEE Computer Society, Page in Cloud, in: Cloud Computing in Emerging Markets 2015. (CCEM), 2013 IEEE International Conference on, 2013, pp. 1–4. [83] G. Yossi, H. Amir, S. Michael, G. 
Michael, CDN-on-Demand: An Af- doi:10.1109/CCEM.2013.6684433. fordable DDoS Defense via Untrusted Clouds, in: Network and Dis- [62] S. Yu, W. Zhou, S. Guo, M. Guo, A Feasible IP Traceback Framework tributed System Security Symposium (NDSS), 2016. Through Dynamic Deterministic Packet Marking, IEEE Transactions on [84] G. Somani, M. S. Gaur, D. Sanghi, M. Conti, R. Buyya, Service Resiz- Computers 65 (5) (2016) 1418–1427. ing for Quick DDoS Mitigation in Cloud Computing Environment, Ann. [63] A. Chonka, Y. Xiang, W. Zhou, A. Bonti, Cloud Security Defence to Telecommun. (2016) 1–16. Protect Cloud Computing Against HTTP-DoS and XML-DoS Attacks, [85] G. Somani, M. S. Gaur, D. Sanghi, M. Conti, M. Rajarajan, DDoS Vic- Journal of Network and Computer Applications 34 (4) (2011) 1097– tim Service Containment to Minimize the Internal Collateral Damages 1107. in Cloud Computing, Computers & Electrical Engineering (2016) –. [64] S. S. Silva, R. M. Silva, R. C. Pinto, R. M. Salles, Botnets: A Survey, [86] R. Sahay, G. Blanc, Z. Zhang, H. Debar, Towards Autonomic DDoS Computer Networks 57 (2) (2013) 378–403. Mitigation using Software Defined Networking, in: SENT 2015: NDSS [65] L. Yang, T. Zhang, J. Song, J. Wang, P. Chen, Defense of DDoS At- Workshop on Security of Emerging Networking Technologies, Internet tack for Cloud Computing, in: Computer Science and Automation Engi- society, 2015. neering (CSAE), 2012 IEEE International Conference on, Vol. 2, IEEE, [87] X. Wang, M. Chen, C. Xing, SDSNM: A Software-Defined Security 2012, pp. 626–629. Networking Mechanism to Defend against DDoS Attacks, in: Frontier [66] O. A. Osanaiye, IP Spoofing Detection for Preventing DDoS Attack in of Computer Science and Technology (FCST), 2015 Ninth International Cloud Computing, in: Intelligence in Next Generation Networks (ICIN), Conference on, IEEE, 2015, pp. 115–121. 18th International Conf on, IEEE, 2015, pp. 139–141. [88] B. Wang, Y. Zheng, W. Lou, Y. T. 
Hou, DDoS Attack Protection in the [67] J. Mirkovi´c, G. Prier, P. Reiher, Attacking DDoS at the source, in: Net- Era of Cloud Computing and Software-defined Networking, Computer work Protocols, 2002. Proceedings. 10th IEEE International Conference Networks 81 (2015) 308–319. on, 2002, pp. 312–321. doi:10.1109/ICNP.2002.1181418. [89] Q. Yan, F. Yu, Distributed denial of service attacks in software-defined [68] V. Huang, R. Huang, M. Chiang, A DDoS Mitigation System with networking with cloud computing, Communications Magazine, IEEE Multi-stage Detection and Text-Based Turing Testing in Cloud Com- 53 (4) (2015) 52–59. puting, in: Advanced Information Networking and Applications Work- [90] P. Du, A. Nakao, DDoS Defense as a Network Service, in: 2010 IEEE shops (WAINA), 2013 27th International Conference on, IEEE, 2013, Network Operations and Management Symposium-NOMS 2010, IEEE, pp. 655–662. 2010, pp. 894–897. [69] H. Luo, Y. Lin, H. Zhang, M. Zukerman, Preventing DDoS Attacks by [91] S. H. Khor, A. Nakao, DaaS: DDoS Mitigation-as-a-Service, in: Appli- Identifier/locator Separation, Network, IEEE 27 (6) (2013) 60–65. cations and the Internet (SAINT), 11th Int. Symp. on, IEEE, 2011, pp. [70] T. K. Law, J. Lui, D. K. Yau, You Can Run, But You Can’t Hide: An Ef- 160–171. fective Statistical Methodology to Trace Back DDoS Attackers, Parallel [92] F. Guenane, M. Nogueira, G. Pujolle, Reducing DDoS Attacks Impact and Distributed Systems, IEEE Transactions on 16 (9) (2005) 799–813. Using a Hybrid Cloud-based Firewalling Architecture, in: Global Infor- [71] DDoS Deflate, https://github.com/jgmdev/ddos-deflate (2016). mation Infrastructure and Networking Symposium (GIIS), 2014, IEEE, [72] J. Latanicki, P. Massonet, S. Naqvi, B. Rochwerger, M. Villari, Scal- 2014, pp. 1–6. able Cloud Defenses for Detection, Analysis and Mitigation of DDoS [93] H. Fujinoki, Dynamic binary user-splits to protect cloud servers Attacks, in: Future Internet Assembly, 2010, pp. 127–137. 
from ddos attacks, in: Proceedings of the Second International [73] B. Li, W. Niu, K. Xu, C. Zhang, P. Zhang, You Cant Hide: A Novel Conference on Innovative Computing and Cloud Computing, ICCC Methodology to Defend DDoS Attack Based on Botcloud, in: Applica- ’13, ACM, New York, NY, USA, 2013, pp. 125:125–125:130. tions and Techniques in Information Security, Communications in Com- doi:10.1145/2556871.2556900.

22 URL http://doi.acm.org/10.1145/2556871.2556900 [94] Y. Wang, J. Ma, D. Lu, X. Lu, L. Zhang, From high-availability to col- lapse: quantitative analysis of “cloud-droplet-freezing” attack threats to virtual machine migration in cloud computing, Cluster Computing 17 (4) (2014) 1369–1381. doi:10.1007/s10586-014-0388-6. URL http://dx.doi.org/10.1007/s10586-014-0388-6 [95] S.-C. Tsai, I.-H. Liu, C.-T. Lu, C.-H. Chang, J.-S. Li, Defending cloud computing environment against the challenge of ddos attacks based on software defined network, in: Advances in Intelligent Information Hid- ing and Multimedia Signal Processing: Proceeding of the Twelfth Inter- national Conference on Intelligent Information Hiding and Multimedia Signal Processing, Nov., 21-23, 2016, Kaohsiung, Taiwan, Volume 1, Springer, 2017, pp. 285–292. [96] G. Somani, M. S. Gaur, D. Sanghi, M. Conti, M. Rajarajan, R. Buyya, Combating DDoS Attacks in the Cloud: Requirements, Trends, and Fu- ture Directions, IEEE Cloud Computing, 2017. [97] P. Muncaster, DDoS-ers Take Down Mitigation Tools in Q1, http://www.infosecurity-magazine.com/news/ddos-ers- take-down-mitigation/ (2016). [98] B. B. Gupta, M. Misra, R. C. Joshi, An ISP Level Solution to Com- bat DDoS Attacks using Combined Statistical Based Approach, CoRR abs/1203.2400. [99] Digital Attack Map, http://www.digitalattackmap.com (2014). [100] S. Chen, Q. Song, Perimeter-based Defense Against High Bandwidth DDoS Attacks, Parallel and Distributed Systems, IEEE Transactions on 16 (6) (2005) 526–537. [101] Y. Chen, K. Hwang, W.-S. Ku, Collaborative Detection of DDoS At- tacks Over Multiple Network Domains, Parallel and Distributed Sys- tems, IEEE Transactions on 18 (12) (2007) 1649–1662.

23