Formal Analysis of an Authentication Protocol Against External Cloud-Based Denial-of-Service (DoS) Attack


International Journal for Information Security Research, Volume 3, Issue 1/2, pp. 400-407, March-June 2013.

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz
Department of Electrical and Computer Engineering
University of Western Ontario
London, Canada
{mdarwis3, aouda, lcapretz}@uwo.ca

Abstract

The Denial-of-service (DoS) attack is considered one of the largest threats to the availability of cloud-computing services. Due to the unique architecture of cloud-computing systems, the methods for detecting and preventing DoS attacks are quite different from those used in traditional network systems. A main target for DoS attackers is the authentication protocol because it is considered a gateway to accessing a cloud’s resources. In this work, we propose a cloud-based authentication protocol—one that securely authenticates the cloud’s user and effectively prevents DoS attack on the cloud-computing system—by involving the user in a high computation process. Then, we analyze the protocol via Syverson and Van Oorschot (SVO) logic to verify the authentication process of the protocol in a cloud-computing system.

1. Introduction

Cloud computing is the utilization of a combination of hardware and software to provide services to end users over a network (e.g. the Internet). It includes a set of virtual machines that simulate physical computers and provide services, such as operating systems and applications. However, configuring virtualization in a cloud-computing environment is critical. A cloud-computing structure relies on three service layers: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) (Fig. 1). IaaS gives users access to physical resources, networks, bandwidth, and storage. PaaS builds on IaaS and gives end users access to the operating systems and platforms necessary to build and develop applications, such as databases. SaaS provides end users with access to software applications.

Figure 1. Cloud-Computing Layers

DoS attacks are major security risks in a cloud-computing environment because resources are often shared by many users. A DoS attack targets resources or services in an attempt to render them unavailable by flooding system resources with heavy amounts of artificial traffic. The objective of DoS attacks is to consume resources—memory, CPU processing space, or network bandwidth—in order to make them inaccessible to end users by blocking network communication or denying access to services. Handling DoS attacks at all layers in cloud systems is a major challenge due to the difficulty of distinguishing an attacker’s requests from legitimate user requests.

Detecting a DoS attack in its early stage, in the upper layer (SaaS), is an ideal approach to avoid the destruction caused by DoS attacks on other layers. However, all service requests for SaaS need to be authenticated in order to operate. Verifying users via an authentication protocol is an initial stage in accessing these systems. Consequently, the authentication protocol is a main target of attackers implementing a DoS attack, and decreases the availability of cloud services. The use of existing strong authentication protocols from traditional network systems in cloud-based applications may lead to DoS attack vulnerability. This is because the initiation of a massive amount of authentication processes could exhaust the cloud’s resources, and make the cloud-based application unreachable.

In this paper, we discuss the types of possible external DoS attacks in a cloud-computing environment. Then, we propose an authentication protocol against DoS attack, and present a formal analysis of the proposed protocol. Section 2 provides an overview of DoS attacks. Section 3 states the need for authentication protocols. Section 4 describes a proposed cloud-based authentication protocol against external DoS attacks. Section 5 analyzes the proposed protocol via Syverson and Van Oorschot (SVO) logic. Finally, Section 6 presents a brief summary of the paper.

2. DoS Overview

DoS attacks have become more sophisticated in recent years. Many websites and large companies are targeted by these types of attacks. The first DoS attack was reported in 1999 [1]. In 2000, large resource companies, including Yahoo, Amazon, CNN.com and eBay, were targeted by DoS attacks and their services were stopped for hours [2]. Register.com was targeted by a DoS in 2001; this was the first DoS attack to use DNS servers as reflectors [3]. In 2002, service disruption was reported at 9 of 13 DNS root servers due to DNS backbone DoS attacks. This attack recurred in 2007 and disrupted two DNS root servers. In 2003, Microsoft was targeted by a DoS called Worm Blaster. One million computers were attacked by MyDoom in 2004. In 2007, a DoS attack was carried out by thousands of computers, and targeted more than 10,000 online game servers. In 2008, a DoS attack targeted Wordpress.com and caused 15 minutes of denial [4]. In 2009, a cloud-computing provider named GoGrid was targeted by a large DoS attack, and approximately half of its thousands of customers were affected. In 2009, Register.com was affected again by a DoS attack. In the same year, some social networking sites, including Facebook and Twitter, were targeted by a DoS. Many websites were attacked by DoS in 2010, including the Australian Parliament House website, Optus, Web24, Vocus, and Burma’s main Internet provider. In 2011, Visa, MasterCard, PayPal, and PostFinance were targeted by a DoS that aimed to support the WikiLeaks founder [4]. In the same year, the site of the National Election Commission of South Korea was targeted by DoS attacks. Furthermore, thousands of infected computers participated in a DoS attack that targeted the Asian E-Commerce Company in 2011 [4]. In 2012, the official website of the Office of the Vice President of Russia was unavailable for 15 hours due to a DoS attack [4]. In the same year, many South Korean and United States (US) websites were targeted by DoS. Godaddy.com websites reported service outages because of such an attack. In 2012, major US banks and financial institutions became the target of a DoS attack. DoS attacks are evolving rapidly and are targeting large companies, which cause huge financial losses to those companies and websites globally.

DoS attacks affect all layers of the cloud system (IaaS, PaaS, and SaaS) and can occur internally or externally. An external cloud-based DoS attack starts from outside the cloud environment and targets cloud-based services. This type of attack affects the availability of services. The most affected layers in the cloud system by an external DoS attack are the SaaS and PaaS layers.

The two categories of cloud-based DoS attacks are internal and external cloud-based DoS [5]. Descriptions of external cloud-based DoS attacks are presented in the following sections.

2.1. IP spoofing attack

In the Internet Protocol (IP) spoofing attack, packet transmissions between the end user and the cloud server are intercepted and their headers modified such that the IP source field in the IP packet is forged by either a legitimate IP address, as shown in Fig. 2, or by an unreachable IP address. As a result, the server will either respond to the legitimate user machine, which affects the legitimate user machine, or the server will be unable to complete the transaction to the unreachable IP address, which affects the server resources. Tracing such an attack is difficult due to the fake IP address of the IP source field in the IP packet.

Figure 2. IP spoofing attack

2.2. SYN flooding attack

A Transmission Control Protocol (TCP) connection starts with a three-way handshake, as shown in Fig. 3(a). A typical three-way handshake between a legitimate user and the server begins by a connection request sent from the legitimate user to the server in the form of a synchronization (SYN) message. Then, the server acknowledges the SYN by sending back (SYN-ACK) a request to the legitimate user. Finally, the legitimate user sends an ACK request to the server to establish the connection. SYN flooding occurs when the attacker sends a huge number of packets to the server but does not complete the process of the three-way handshake. As a result, the server waits to complete the process for all of those packets, which makes the server unable to process legitimate requests, as shown in Fig. 3(b). Also, SYN flooding can be accomplished by sending packets with a spoofed IP address. A sniffing attack is also considered a type of SYN flooding attack. In a sniffing attack, the attacker sends a packet with the predicted sequence number of an active TCP connection with a spoofed IP address. Thus, the server is unable to reply to that request, and the resource performance of the cloud system is then affected.

[...] broadcasted addresses. The worst case occurs when the number of hosts who reply to the ICMP echo requests is too large.

Figure 4. Smurf attack

2.4. Ping of death attack

In the ping of death attack, the attacker sends an IP packet with a size larger than the limit of the IP protocol (>65,535 bytes). Handling an oversized packet affects the victim’s machine within the cloud system as well as the resources of the cloud system.

3. The Need for Authentication Protocols

There are a number of authentication protocols that are strong enough to verify identities and protect traditional networked applications. However, these authentication protocols may introduce DoS risks when adopted in cloud-based applications.
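
The SYN flooding behaviour of Section 2.2, seen from the server's side, can be measured by tracking handshakes that never complete. The following is an added example, not code from the paper: the record format, the function name `analyze`, the timeout and both limits are assumptions, and "ACK" here stands only for the third handshake segment.

```python
from collections import Counter

# Constructed server-side records: (seconds, source IP, source port, flag seen).
# Addresses come from the RFC 5737 documentation ranges; this is not real traffic.
SAMPLE = [
    (0.00, "192.0.2.10", 40001, "SYN"),
    (0.05, "192.0.2.10", 40001, "ACK"),     # legitimate user: handshake completed
    (0.10, "198.51.100.7", 50001, "SYN"),
    (0.11, "198.51.100.7", 50002, "SYN"),
    (0.12, "198.51.100.7", 50003, "SYN"),   # one source that never sends the ACK
    (0.20, "203.0.113.1", 1025, "SYN"),
    (0.21, "203.0.113.2", 1025, "SYN"),
    (0.22, "203.0.113.3", 1025, "SYN"),     # a different source address every time
    (0.30, "192.0.2.11", 40100, "SYN"),
    (4.00, "192.0.2.11", 40100, "ACK"),     # ACK arrives after the server gave up
]

def analyze(records, timeout=3.0, per_source_limit=3, backlog_limit=5):
    """Replay records and report half-open handshakes per source and in total."""
    pending = {}         # (ip, port) -> time the SYN arrived; server is waiting
    expired = Counter()  # ip -> handshakes that stayed half-open
    peak = 0             # largest number of handshakes waiting at once
    for t, ip, port, flag in sorted(records):
        # Expire entries the server would have dropped by time t.
        for key in [k for k, t0 in pending.items() if t - t0 > timeout]:
            expired[key[0]] += 1
            del pending[key]
        if flag == "SYN":
            pending[(ip, port)] = t
        elif flag == "ACK":
            pending.pop((ip, port), None)   # completes only if still pending
        peak = max(peak, len(pending))
    for ip, _port in pending:               # still waiting when the capture ends
        expired[ip] += 1
    return {
        "half_open_by_source": dict(expired),
        "noisy_sources": sorted(ip for ip, n in expired.items()
                                if n >= per_source_limit),
        "peak_backlog": peak,
        "backlog_alarm": peak > backlog_limit,
    }
```

On the sample, the per-source limit names only `198.51.100.7`, while the sources that each appear once stay under it; the backlog alarm is what reflects the spoofed-address case the section mentions.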
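
For the ping of death case in Section 2.4, the oversized datagram only exists after fragments are reassembled, so a receiver can reject it from the fragment header alone. The following is an added example, not code from the paper: the function names and the three constructed headers are assumptions, and the check applied is that header length plus fragment offset plus fragment payload must not exceed 65,535 bytes.

```python
import struct

IP_MAX = 65535  # largest datagram the 16-bit Total Length field can describe

# Constructed 20-byte IPv4 headers (hex), documentation addresses, checksum zeroed.
FIRST_FRAGMENT = bytes.fromhex("450005dc0001200040010000c0000201c0000202")
AT_LIMIT = bytes.fromhex("4500001700011ffd40010000c0000201c0000202")
OVER_LIMIT = bytes.fromhex("450005dc00011ffd40010000c0000201c0000202")

def reassembled_size(header: bytes) -> int:
    """Size the datagram would need to hold this fragment once reassembled."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    if ihl < 20 or total_len < ihl:
        raise ValueError("malformed length fields")
    offset = (flags_off & 0x1FFF) * 8        # 13-bit offset, counted in 8-byte units
    payload = total_len - ihl                # bytes this fragment contributes
    return ihl + offset + payload

def is_oversized(header: bytes) -> bool:
    """True when accepting the fragment would exceed the IP size limit."""
    return reassembled_size(header) > IP_MAX
```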
