Security and Privacy in Cloud Computing
Ragib Hasan
Johns Hopkins University
en.600.412 Spring 2011
Lecture 11
04/25/2011

Attacking Availability
• Goal: To see how availability of a cloud can be affected by DoS attacks launched from inside the cloud.
• Review Assignment #10:
  – Han Liu, A New Form of DOS Attack in a Cloud and Its Avoidance Mechanism, ACM Cloud Computing Security Workshop 2010

4/25/2011 en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

Announcement
• Next week (5/2), we’ll have our final class, where we will discuss
  – A wrap-up of things we learned
  – A high level view of cloud security problem space
• No new papers will be discussed next week (but you do have to turn in Review Assignment #10 by 5/2)

Recap: Anti-virus as a service
• Pros
• Cons
• Ideas

DoS attack on cloud
• Network provisioning in data centers:
  – Many servers share the same link/router, so bandwidth is shared.

Data center networks are typically grossly under-provisioned
• Typical ratios are 2.5:1 to 8:1
  – 8:1 means servers get at most 1/8 of the bandwidth of their interface
• Bandwidth is limited by the hierarchical nature of network, routers, and switches
• Multiplexing in routers reduces the amount of bandwidth each server ultimately gets

Typical data center network
Communication between H1-H4 and H5-H8 is routed through R5 and R6.
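An operator-side audit of the provisioning ratios described above, as an added example that is not part of the original lecture. The topology, link speeds and function names are constructed assumptions (the lecture's figure is not reproduced here); the uplink values are chosen so that the 8:1 and 2.5:1 ratios from the slide appear.

```python
# Constructed topology (assumption): 8 hosts with 1000 Mbps NICs, four edge
# routers R1-R4, two aggregation routers R5/R6. UPLINK_MBPS is each router's
# link toward the core; values are picked to reproduce the slide's ratios.
CHILDREN = {
    "R5": ["R1", "R2"], "R6": ["R3", "R4"],
    "R1": ["H1", "H2"], "R2": ["H3", "H4"],
    "R3": ["H5", "H6"], "R4": ["H7", "H8"],
}
UPLINK_MBPS = {"R1": 1000, "R2": 1000, "R3": 1000, "R4": 1000,
               "R5": 500, "R6": 1600}
NIC_MBPS = 1000
PARENT = {c: p for p, kids in CHILDREN.items() for c in kids}

def demand_below(node):
    """Sum of NIC capacity of every host beneath `node`."""
    kids = CHILDREN.get(node)
    if kids is None:                      # a host
        return NIC_MBPS
    return sum(demand_below(k) for k in kids)

def oversubscription(router):
    """The N in 'N:1' for this router's uplink."""
    return demand_below(router) / UPLINK_MBPS[router]

def worst_case_share(host):
    """Fraction of its NIC a host keeps when every host below each uplink
    on its path to the core transmits at line rate (fair sharing assumed)."""
    share, node = 1.0, host
    while node in PARENT:
        node = PARENT[node]
        share = min(share, 1.0 / oversubscription(node))
    return share

def audit(max_ratio):
    """Routers whose uplink exceeds the target ratio, worst first."""
    over = {r: oversubscription(r) for r in UPLINK_MBPS}
    return sorted((r for r in over if over[r] > max_ratio),
                  key=lambda r: -over[r])

if __name__ == "__main__":
    for r in sorted(UPLINK_MBPS):
        print(f"{r}: {oversubscription(r):.1f}:1")
    print("H1 worst-case share of NIC:", worst_case_share("H1"))
    print("uplinks over 4:1:", audit(4.0))
```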
Under provisioning is not a problem in traditional networks
• Network admins can co-locate related servers in the same subnet
• Network admins can redesign network topologies to fine tune for worst case performance

Under provisioning IS a problem in clouds
• There are many more servers in a cloud, so provisioning ratios are much higher (e.g. 45:1)
• Many clients use the same network, and malicious clients can launch DoS
• Application owner/designer has no control over network topology

DoS attacks on clouds
• DoS attacks on traditional systems (from the outside) can be prevented via clever tricks such as moving to a cloud based virtualized model
• DoS attacks on clouds launched from *inside* the cloud are much harder to prevent

DoS attack on clouds
• Adversary launches attack from inside the cloud data center network
• After probing the network and reverse-engineering the topology, the adversary can identify bottlenecks
• Then the adversary can send DoS traffic to the bottleneck link to saturate it

Example
• To attack Link B, adversary sends packets from R1’s subnet to another subnet

Types of attacks
• Untargeted attack: No particular link or host is targeted
• Targeted attack: Adversary gains critical mass in a network to target a specific victim

Topology identification
• Knowledge of topology is important for the adversary

How to identify topology
• Technique #1: Traceroute
  – Run traceroute between all pairs of hosts
  – Due to IP provisioning schemes, running
    traceroute for a few pairs of hosts is enough
  – Disadvantages:
    • Can’t identify switches (layer 2)
    • Can be disabled at router level

How to identify topology
• Technique #2: Network probing
  – Idea: Use observed traffic rates to infer the number of routers between two hosts

How many malicious hosts is enough?
• Untargeted attack:
  – Easy to get many hosts if VM assignment algorithm can be reverse engineered (as in the “Hey You!” paper)
  – Even brute force attack succeeds in getting many hosts in the same subnet
  – (Note: this is different from a co-location attack, where the goal was to co-locate on physical hardware rather than in the network)

How many malicious hosts is enough?
• Targeted attack:
  – Pick victim, launch brute force attacks
  – Tests show it is easy to get VMs in same subnet as target

Launching the attack
• Process:
  – Send a flood of packets through the link
  – UDP used. (Why?)
  – For adaptive applications, do not saturate link completely, rather “almost” saturate it (Why?)

Mitigation strategy
• Use a user side monitoring agent to monitor link saturation
• When a link degrades, or server detects bottleneck and sends help packet, the monitor initiates app migration

Comments
• Experiments / attacks were run on a real cloud (without knowledge of data center admin)
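A sketch of the user-side monitoring agent from the "Mitigation strategy" slide, as an added example that is not code from the lecture or the reviewed paper. The class name, thresholds and the probe samples are constructed assumptions; the point it shows is that the agent must react to a sustained drop relative to a learned baseline, because a link that is only "almost" saturated never reaches zero throughput.

```python
from statistics import median

class LinkMonitor:
    """User-side agent that decides when to migrate off a degraded link.
    Thresholds and the sample format are assumptions for illustration."""

    def __init__(self, warmup=5, degraded_below=0.6, patience=3):
        self.warmup = warmup                  # samples used to learn the baseline
        self.degraded_below = degraded_below  # fraction of baseline counted as degraded
        self.patience = patience              # consecutive degraded samples before acting
        self._warm, self.baseline, self._streak = [], None, 0

    def observe(self, mbps, help_packet=False):
        """Feed one throughput probe result; return 'migrate' or 'ok'."""
        if help_packet:                       # server reported the bottleneck itself
            return "migrate"
        if self.baseline is None:             # still learning what healthy looks like
            self._warm.append(mbps)
            if len(self._warm) == self.warmup:
                self.baseline = median(self._warm)
            return "ok"
        if mbps < self.degraded_below * self.baseline:
            self._streak += 1
        else:
            self._streak = 0                  # a short dip does not trigger migration
        return "migrate" if self._streak >= self.patience else "ok"

def first_migration(samples, **kw):
    """Index of the first sample at which the monitor asks to migrate, or None."""
    mon = LinkMonitor(**kw)
    for i, s in enumerate(samples):
        mbps, help_pkt = s if isinstance(s, tuple) else (s, False)
        if mon.observe(mbps, help_pkt) == "migrate":
            return i
    return None

# Constructed probe results in Mbps (not measurements from the paper).
HEALTHY = [118, 121, 120, 119, 122, 120, 117, 121]
TRANSIENT_DIP = [120, 119, 121, 120, 118, 40, 119, 120, 45, 121]
NEAR_SATURATION = [120, 119, 121, 120, 118, 60, 55, 58, 52, 57]  # link never fully dead
HELP_PACKET = [120, 119, (118, True)]

if __name__ == "__main__":
    for name in ("HEALTHY", "TRANSIENT_DIP", "NEAR_SATURATION", "HELP_PACKET"):
        print(name, "->", first_migration(globals()[name]))
    # A monitor that only reacts to a nearly dead link misses the partial squeeze.
    print("strict threshold ->", first_migration(NEAR_SATURATION, degraded_below=0.1))
```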