Open access peer-reviewed chapter

Cloud Computing Security Services to Mitigate DDoS Attacks

By Akashdeep Bhardwaj and Sam Goundar

Submitted: May 20th 2019Reviewed: April 28th 2020Published: July 22nd 2020

DOI: 10.5772/intechopen.92683

Downloaded: 74

Abstract

This chapter focuses on the challenges and risks faced in cloud security services in the areas which include identity access management, web security, email security, network security, encryption, information security, intrusion management, and disaster management while implementing a cloud service infrastructure. This chapter endorses the best practices in successfully deploying a secure private cloud infrastructure with security measures and mitigation and proposed a unique three-tier infrastructure design to mitigate distributed denial of service attacks on cloud infrastructures.

Keywords

  • threats/vulnerabilities
  • security policies
  • data protection/security
  • firewall
  • security model
  • monitor traffic
  • authorization

1. Introduction

Cloud computing is vastly increasing in demand for its popularity. Cloud services deliver up to its expectations if properly maintained. Users choose cloud because the cost is affordable, is easy to access, and has a positive uptime. Unfortunately, a high number of cloud users face difficulties when issues arise such as the frightening news about data confidentiality and integrity which gets posted online all the time, and they are in darkness when such situations occur [1]. In this modern age, cloud computing has been progressively popular within the IT organizations, and we notice many institutes are moving most of their IT services towards the cloud services here in Fiji to improve their information communication technology (ICT) service delivery to the clients or stakeholders. It is important for any organization to do an appropriate background research before making decisions of upgrading for which type of cloud services they are acquiring, depending on the organization’s requirements. Many organizations prefer a private cloud infrastructure which has many advantages compared to the public cloud and hybrid cloud services; however, administrators tend to overlook that private cloud infrastructure comes with an exceptional set of challenges and risks. Cloud computing security service categories are identified and illustrated as follows:

  • Identity access management

  • Data loss prevention

  • Web security

  • Email security

  • Network security

  • Encryption

  • Information security

2. Literature review

Cloud computing security keeps on changing as new technologies emerge. Services provided by the three basic cloud service models, which are infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS), give more outbreak to exploit such state-of-the-art models. As the cloud expands, so does its vulnerabilities [2]. It is the hosting providers or administrators duty to ensure that these vulnerabilities are kept on patching up as new threats arise. One must always be on the look for any threats coming their way towards the cloud servers. If such threats enter the cloud, it could be devastating for the cloud hosting providers and even the cloud servers itself. We as human beings need to keep in mind that a person who wants to get the data for their benefit or even for fun purposes [3] creates those threats. There are certain software programmed and integrated to the cloud server to automatically mitigate a certain level of threat, and an example is a web application firewall (Barracuda).

Stated in the research paper regarding a study on security model in cloud computing, we vastly agree to the statements stated such as the security being a real-time obstacle of the everlasting picture and foundation of cloud computing [4]. Furthermore, this research will now move towards focusing on the security aspect and its services shown by cloud computing itself as keeping in mind the increasing need for security in the cloud as we see a new day moving forward in our daily lives.

This paper starts with cloud identity access management as the first level of cloud computing security service that we identified based on various researches conducted. Whenever a user has established the connection to the cloud, the user will need to login and access the cloud resources in order to drive forward the idea of hosting applications, websites or even doing online sales securely through a secure login tunnel. This has to be fully done by successful authentication and authorization to avoid loss of data and identity being manipulated which could lead to unwanted access to the cloud system [5].

The need to have identified information in this case, which related to identity access management itself, first needs to be synchronized so that there are no conflicts when identifying the cloud user [6]. One needs to keep in mind there are many users who have the same name although their username can differentiate the users and their level of access. For user information to be synced properly, the old user data will need to be checked if there are any, which were used previously, and it should not match with the new data. Such scenarios occur when a user cancels their online subscription to a cloud host provider and comes back after a few years wanting to again host their applications on the cloud [7]. This reflects on mostly public clouds. This can also be hinted at a private cloud when the administrator permanently deletes the user’s data, which in this case is the user’s login and registration details to focus on. A hacker can pose as a new user and easily gain access to the cloud system if he/she is able to manipulate the registration and other details. This can happen when the administrator is adding a new identity to the system, and if the administrator is not careful, the system does not identify old data. This will lead to an identity within the cloud system that will gain access to certain module level-based information because the identity has not been synced and verified with real time updates [8]. Another issue could be confidentiality, which focuses only on authorized access to cloud data; an authentication that is related to checking of the received data to be from a legit source and integrity, which relates to only authorized party, should be allowed to modify data in the cloud [9].

Building trust in cloud computing services may help prevent data loss to some extent, but it does not guarantee it. The cloud server needs to be equipped with state-of-the-art hardware and software in order to prevent such issue. This service protects data from being lost based on the rules deployed on cloud servers. Data can be lost in various ways such as the hacker sends a malicious file, which infects the cloud server and deleting the files and folders [10].

Data storage repository must be secured enough to handle such attacks although the level of attacks varies from high to low and each attack is to be considered no matter which level that threat is. Suppose a low level of threat occurs in the cloud server where that data is stored and the administrator does not take any action to fix the issue or just ignores it thinking that it is a small issue, it could multiply and do its job on the storage server leading to data loss [11].

Securing the storage in the cloud is very important where the storage or based in geographical location or not, but at the end of the day, the storage repository is linked to a network and that is enough information for an advanced hacker to easily delete the data by entering into the system from just a small script which will eventually grow to a virus or Trojan to inflict the damage.

If the administrators are not monitoring such scenarios, that virus can do the damage to the storage server. In such cases, it may send a lot of traffic request to the storage server, and this can result in overload. Such case is mostly described as denial of service attacks. With DoS attacks, the server will notice a change in traffic load coming in, and if there are no intelligent applications installed in the server to mitigate, there could be serious implications. These attacks can corrupt data, delete data, and data loss. This is a common issue faced by a lot of users, which ultimately will become the administrator’s responsibility.

We noticed a virus spread across the globe called WannaCry, which is a ransomware virus where it locks down your computer system and asks for money in order to unlock the affected system. This type of attacks can lead to data loss as well. Supposedly, this threat can affect the data stored in the cloud server, which is definitely huge on a threat level. Microsoft had to realize patches for their operating systems in order to prevent such attacks. This results in a lot of distress around the globe and was one of most talked about attacks. It not only inflicts damage to the affected system, but it also has the ability to destroy the data itself, which is stored in any system [9]. One must be very careful of such attacks if not then data loss is inevitable. Such attacks are a wake-up call for cloud system, which does not have any type of data loss prevention techniques implemented, and if such techniques are implemented, then the administration must map out ways to block or to prevent data being lost. Therefore, security rules need to be in place to avoid customers from being frustrated with one of the major issues, which are data loss [4].

Web security plays a vital role as well in clouds. While the servers are hosted in clouds, websites and applications are also hosted in it which combines the functionality to work with cloud resources and deliver as expected to customers. Protection against virus and malware nowadays is very common as new types of such threats emerge almost every day. In cloud, all folders are synchronized at all times as the user updates their data. What could happen is that if a malware enters the cloud and data sync is taking place, the malware gets synched together, spreading around with the configured account, which is the source in which the malware entered into the system [11].

Hosting service providers for cloud-based will need to get a good web application firewall (WAF), which can prevent attacks to web servers and applications. Traffic going in and out of the web server needs to pass through WAF in order to check for malicious responses [12].

As proposed in the paper by Fernandez et al [13], web application scanner and a cloud-based web application firewall can be used to identify vulnerabilities and scan for sensitive data [13]. This type of scanner is very useful in a cloud computing environment. The cloud-based web application firewall will also be integrated with the scanner. The first step will be the scanning process followed by filtering unwanted request, keeping in mind that these unwanted requests are the virus and attacks coming into the system. In their paper, they have also stated that the firewall can control the web application communication via HTTP based on the rules for authorizing and with the main purpose for it to stop SQL injection, XSS, and other types of similar attacks on the cloud servers [12]. What our research has looked into is one of the WAF available for purchase called Barracuda. This application is very useful as it generates a whole lot of data that is not required for processing based on the traffic flow in which the attackers can come in and out of the system. This application has the ability to scan, put cloud applications and websites behind a state-of-the-art firewall system, and monitor traffic to name some of its core functionalities. When we look at a WAF system for cloud, we must have reports generated in order to do research that is more thorough from where the particular attack is coming from and how these attacks can be mitigated. The WAF provides a solution to every attack or vulnerability that is present in the generated report as well. This firewall will be able to stop unwanted traffic into the system, keep the cloud servers safe, and transfer those IP addresses that are suspicious to the suspicious list from the whitelist causing it to be classified as a threat [14]. The users can do online banking securely and other tasks that they would prefer to be done under a secure application layer.

Email security is being implemented in clouds as well. It has major advantages. Any inbound and outbound emails will need to go through email security protocols to ensure that the user sending and receiving the email does not contain any type of malicious data, which can affect the customers’ online activity in any way. This could also lead to having a bad impact on web servers as well if proper security protocols are not in place to filter malicious emails. Cases of security policies need to be implemented in order to run the workflow of emails and filtering unwanted emails [15].

As outlined in the paper published as from Barracuda itself, using such application will not limit the functionalities of email security being deployed in the cloud servers. Some things to notice about the paper is that they have outlined the suit for the cloud services with the following combinations for the advanced package, multilayer security which extends the protection for the email also being integrated with Office 365 which is currently being well-known for its cooperative feature for an organization provided by Microsoft. Multilayer security is one of the core features that the email security giant company looks in depth, for the application itself is being a guard against threats arising from emails, data loss protection through spam emails, data being leaked with encryption, and all the email contents being inspected. Another advanced feature that they explained in their paper was cloud-based archiving. This feature is very important, and emails need to be archived frequently for an organization. Such feature in the cloud will enable users to retrieve any previous email at any time from any device, and this can be from any cloud environment whether it being the hybrid cloud-based environment, Microsoft 365, Microsoft Exchange, and even any other types of email service being used on-premise. They also mentioned retrieving emails such as cloud-based backup and recovery features. This feature will allow the administrators to retrieve any email from the frequent backup storage and send it to the live server so that the user requesting for the email can view and retrieve their contents for that particular email [16].

According to Rawezh Tara and Nashwans’ paper based on private cloud and implementation of software, routing in it identifies the use of virtual private network (VPN), which enables the ability to ensure that the user who is logged into the cloud service can do their online transactions without any issues. The attackers will not be able to judge where or how the data is being transferred to. This creates a secure environment for customers doing online shopping or banking. It is a good practice to provide VPN to users who are already logged into cloud service. Each user will have a VPN client profile. Using this they can establish the VPN connection, and a secure tunnel is enabled, and authentication is being done on the data center firewall end [17].

Only two types of users use VPN tunnel, which will be the employees and the cloud administrator. The VPN tunnel works as the employee will establish a secure connection through a VPN tunnel; the employee will then login to the VPN client profile using username and password. The authentication is verified with the security policies and the data center. Once the connection is successful, the remote client is connected to the cloud and is ready to utilize the resources and services offered by the application itself. The login of the user will fail if the user is not a valid user, which is checked in the system mainly through the active directory [18]. This type of secure login is highly desirable and is present in the Barracuda application, which was also tested while carrying out this research. It not only protects the user’s data, but the users who login into the system through VPN tunnel can be rest assured that they can perform their task without anyone capturing their information.

Encryptions ensure that the data, which are available in the cloud, is secure. Although there are many types of encryption techniques available, attribute-based encryption will provide favorable results. This provides access control with a private key, master key, and ciphers text [19].

Furthermore, as proposed a clear explanation of encryption by Rohit, Rituparna, Nabendu, and Sugata research paper based on security issues in cloud computing, they outline the very important aspect of how the encryption can occur in a cloud-based environment. The argument raised is that that data that is stored in the cloud is secure enough towards any type of security breach. They come up with utilizing homomorphed token, which can help secure data through encrypting by private and public keys, respectively. The trust-based methods for the cloud environment are very valuable towards secure private and public key exchange over a secure seamless synchronized connection. Moving on to further discuss encryption supposedly if data is not encrypted, spoofing attacks can take place. Such attacks can be checked by performing user authentication based on key exchange and even encryption techniques [20]. By enabling encryption sessions with filtering at the entrance of traffic management, such attacks can be avoided. Encryption plays a very important part in securing the cloud services with its unique ability to transform the data into cipher which makes the attackers difficult or almost impossible to alter the data.

Information security relates to gathering the alerts which come about the cloud service monitoring tools. Logs get created for the events. Being a central point, cloud computing is able to handle the information stored and how it gets altered by malicious activity which leads to a crisis situation. If an alert gets ignored, it becomes a golden opportunity for attackers to exploit the cloud services and can access the data of customers. If such a case does happen, the admin must take immediate actions and retrieve data backups. Cloud computing can aid in the seamless transfer of the information to a backup server which will store the information of all the customers. Cloud IaaS is a possible direction of data backup in which data needs to be firmly protected as it should be a specialized cloud-based backup server [21].

Intrusion management looks after the packets coming in and going out of the network. It has got a set of predefined rules which can handle a particular event. A cloud service provider needs to have an intrusion management tool such as anomaly detection. This type of detection system trains itself by observing network behaviors. It identifies the class level for the intrusion whether normal or intrusion, based on the network packets. If an intrusion is found, it should send a warning to the alert or information security system for further action [22]. Hadoop is an open source software, which is becoming popular with cloud administrators. Hadoop is used to distribute processing of big data using MapReduce. MapReduce is a model which can perform analysis very quickly to locate the malicious activity and the area in which the attack occurs [23].

Disaster management in collaboration with disaster recovery relates to cloud data storage in its servers. One must be prepared for it; thus, disaster rescue management can be put in place by the hosting providers in the cloud servers. Attackers can disrupt services by sending malicious requests to the server if there are no strong security policies placed, and they can create downtime of the server as the servers can get overloaded through it. For natural disasters, cloud hosting providers can place their data centers at geographical locations so that if one center gets affected, another will pick up and prevent downtime of services [24].

Looking at an infrastructure point of view, we picked Veeam, a software product developed by Veeam organization itself to replicate, backup, and restore data on virtual machines. It has a lot of capabilities as it pools together one of the leading backup services for a cloud infrastructure. Having the ability to replicate with advanced monitoring, reporting tools, and capacity planning functionality, Veeam is highly desirable to be used for a disaster management tool.

3. Methodology

Based on the research ideas provided, we have used qualitative research method, and the theory we have decided to use is as follows. A local user agent is created by the user to establish a temporary security certificate for safe authentication over a given period of time. This certificate will contain the username, user id, security features, hostname, session times, and other relevant features. Once this is done, the authorization for the user is finalized. As the user will start to use the resources on the cloud, mutual authentication will initiate between the cloud application and user. The application will check if the certificate is valid for the user, a security policy is applied to it. As per the requirements stated by the user, the application will create a list of service resources which will send it to the user. Finally, through an application programming interface (API) security used by the application, the user’s session will be fully initiated and connect to cloud services [4, 13].

Figure 1 describes the method for secure connection with a trusted certificate in a cloud environment and describes its successful implementation as well as usage of cloud resources.

Figure 1.

Model for secure connection with a trusted certificate in a cloud environment.

Some of the research questions we have identified are as follows:

  • Which security protocols you have placed in your cloud architecture to ensure a seamless connection between users does not result in online data theft?

  • In case an attack on the cloud service occurs, how will the server mitigate those attacks?

  • Is there a disaster recovery management tool in place for the cloud servers? If so then what procedures will be followed to ensure that there is little or no downtime?

  • Are the cloud services running behind a trusted firewall? If yes, then how does the firewall report incidents as logs to the administrators and is the firewall artificially intelligent enough to challenge such difficulties?

Our research came up with some cost analysis based on cloud infrastructure. The below details were developed for a cloud-based premise comparing both private and public cloud. Shown below is the cost for Azure sizing based on the requirements; the cost is higher than the private cloud infrastructure with much higher requirements (Figure 2).

Figure 2.

Cost analysis with Azure vs. private cloud infrastructure based on resource requirement.

Shown below is virtual storage area network for a hyper-converged solution which is the most popular infrastructure technology in the current market according to Gartner report. This is very helpful for cloud-based organization to grow as it exceedingly with a lot of resources available for use in the cloud deployment models itself (Figure 3).

Figure 3.

Virtual storage area network for a hyper-converged solution.

The screenshot shown below shows the virtual machine on a cloud premise. When a user wants to purchase a virtual machine, the cost related to the resources requested will be shown on the cloud interface and can be upgraded as well when one wants to deploy a virtual machine in their cloud (Figures 4 and 5).

Figure 4.

Billing and purchase interface when requesting a virtual machine in a cloud-based environment.

Figure 5.

Costing for a cloud infrastructure with a disaster recovery package.

4. Existing cloud security solutions

The focus of this research is on distributed denial of service (DDoS) attacks on the cloud. The authors researched on existing cloud security solutions and also present an implementable solution focusing on DDoS mitigation for IT infrastructure. The authors define the scope and recommend few focus areas:

  • Defending volumetric attacks is a need for cloud components.

  • Blocking application-level attacks without submitting SSL Key.

  • Deploying acceptable network infrastructure as per IT security policy.

DDoS attack mitigation solutions are discussed here based on design perspective:

  1. a. On-premise based: Having a devoted on-premise DDoS attack mitigation answer are first-rate desirable for government entities, financial establishments, and healthcare but not beneficial for all. When the highest stage of safety is mandatory and organizations opt to give as little visibility into their customer facts or approximately their encryption certificate to as few third birthday celebration providers, this could be regarded as a limited scope option. On-premise DDoS devices might store encryption certificates and inspect visitors regionally without any scrubbing, redirection, or inspection. The mitigation device would be required to guard against numerous DDoS vectors like flooding (UDP/ICMP, SYN), SSL based, application layer (HTTP GET/POST), or low and slow attacks. With mitigation structures in house, the proximity to facts center sources is useful, and the systems may be fine-tuned at once by the in-residence IT teams. They have a tendency to have a miles more cognizance to their setup for any adjustments in site visitor flows or from the application servers. Thus, they might have a tendency to have a higher chance of detecting any suspicious traits or visitors requests.

  2. b. Cloud-based security services: In providing anti-DDoS and superior mitigation protection in shape of managed security services, many cloud carrier companies offer protection from community floods with the aid of deploying mitigation system on the ISP network edge stage or with scrubbing centers. This involves traffic diversion from the corporation network to detection or scrubbing center. When a DDoS attack starts, human intervention is needed and takes as a minimum of 15–30 minutes all through which the online services are left unprotected and exposed. The cloud-based totally DDoS mitigation service guarantees quantity blocking off of community flood assaults from accomplishing the corporation edge devices or flooding the WAN circuit which is free of volumetric community flood attack. However, there exist glaring problems with a cloud primarily based on DDoS mitigation offerings.

  • Cannot discover and block application layer attacks and slow attack.

  • Unable to defend stateful infrastructure structures like firewalls or IPS.

  • Unable to deal with attacks like software layer attack, state exhaustion, and multi-vector attacks.

  1. c. Hybrid cloud-based security: Using hybrid cloud functions gives the best-of-breed mitigation option, where the hybrid infrastructure combines the on-premise in-house setup with DDoS mitigation carriers to act as an included mitigation solution. In hybrid solutions, another option is to use a devoted DDoS mitigation provider’s capability in order to detect and block a couple of DDoS vectors. Having public cloud issuer dynamically booms the community pipe bandwidth for the duration of a DDoS attack; takes off a while after being detected, till the time mitigation begins; and saves the on-premise infrastructure from the attack and affecting the provision of its online services. Typical answer is in the course of DDoS attack; the entire site visitors are diverted to a DDoS mitigation issuer’s cloud, where it is scanned, scrubbed with the attack visitors getting diagnosed, and removed before being re-routed lower back to the in-residence information middle of the enterprise. Hybrid solutions permits organizations to gain from the following:

  • Widest security coverage that can simplest be finished by means of combining on-premise and cloud insurance.

  • Shortest reaction time by using an on-premise solution that begins right away and mechanically to mitigate the assault.

  • Single touch point during an attack both for on-premise and cloud mitigation.

  • Scalability—each tier is impartial of the other and can scale horizontally, in case there is a web application attack spike, adding extra WAF devices to ensure enough WAF capability may be done within the application defense tier without affecting the community tier.

  • Performance—on the grounds that requests come in tiers, network utilization is minimized, and load decreased overall.

  • Availability—with hybrid solutions, if the first or second tier is down, at least there is one tier left to serve consumer requests. This satisfies the BCP of the organisation.

  • Vendor independence—community and application protection infrastructure can setup the usage of hardware structures or even specific software program versions.

  • Policy independence—while new policies are implemented at the application defense tier, the opposite tier directs simplest that specific visitors in the direction of the rules until they are established and ready for production use.

5. Proposed DDoS solution

Based on the developing threats and effect of attacks, company firms having their very own cloud services as well as cloud providers put into effect DDoS mitigation using hybrid cloud architecture. When there are multi-vector DDoS attacks targeted at layers 3, 4, and 7, mitigation strategies are essential. These mitigation strategies assist in detecting and preventing volumetric, software, and encrypted assault vectors. By making use of public cloud capabilities to cover for scalability taking on floods and appearing because the first point of defense with community and web application firewalls detecting assault visitors and mitigating the DDoS threats and the SaaS utility, web portals and backend database resides stable in the residence private statistics center. For this research, the experimental environment involved community infrastructure architectures being designed and setup to testing the proposed DDoS solution having the following hardware and software:

  • Cisco 4000 ISR Series Routers and Cisco Nexus 5000 Series Switch for routing and switching

  • Big IP LTM-4200 for high-performance application traffic load management

  • Cisco Firepower FPR-2110, Imperva Web Application Firewall Gateway with Manager Console

  • HP DL-360G8 1U-Rackmount with Intel E5, 128 GB DDR3, 32 TB SSD Servers

  • VMware NSX-T 3.0 virtualization software on bare-metal HP Server

  • SaaS Application running Windows Server 20012 64-bit OS

  • Front End Web Portal with .NET supporting 2-Factor authentication

  • Back End Database running Microsoft SLQ Datacenter license on Windows 2012 OS

  • DDoS Tools for attack simulation: LOIC or Low Orbit Ion Canon, HOIC or High Orbit Ion Canon, Packet Storm (HTTP Unbearable Load King), Are You Dead Yet (R.U.D.Y), Motoma IO’s PyLoris, Slowloris and TOR’s Hammer

The networks were tested by community and alertness layer attacks with the use of ICMP flooding with a thousand echo requests with increasing buffer size from 3700 to 3805 bytes. The use of DDoS attacks such as LOIC, R.U.D.Y, and slowloris that simulated attacks denied valid users to get admission to the web software portal. When performing the simulated DDoS assaults, the real user monitoring records are taken as the standards, and parameters have been amassed for the logs to assist generated graphs for DDoS attacks. These parameters had been chosen due to the fact that they decide what performance problems the real users are experiencing on the site for the time being in actual time during an assault.

  • Average ICMP latency (milliseconds) before and during the course of DDoS attacks on the apps

  • Page load response that refers to time the app pages take to load and figuring out where exactly the time is spent from the time a user logs authenticates and logs in to until the page has loaded completely

  • App response relates to the percentage time for a page load process to complete

  • Status codes are gathered from the HTTP reputation codes the web server makes use of to communicate with the web browser or person agent

6. Performance analysis

6.1 Single-tier network architecture

The first framework was structured and implemented in the form of a single inbound and exit gateway. This mimicked the single-tiered level system including standard system design, directing the interfacing with an online interface containing the front end and back end. This simulated the standard cloud-based condition having a basic standard system configuration actualized in a server farm with hardware devices mentioned in the setup environment above (Figure 6).

Figure 6.

Traditional architecture design (single-tier).

Using the standard design, single-tiered architecture, multi-vector DDoS attacks were executed as network floods and volumetric and application layer 7 attacks. These critically overloaded and degraded the computing systems leading to access issues for legitimate users. Logs and data gathered for each attack are displayed below for reference (Figures 79).

Figure 7.

Single-tier DDoS attack logs.

Figure 8.

Single-tier attack results.

Figure 9.

Single-tier results (with and without network security).

6.2 Three-tier network architecture

The second infrastructure was designed as per the proposed design having three unique tiered designs. Each tier has different IP address schemes and communicates with others via site-to-site VPN. This design simulated public and private cloud integration. The first two tiers focused only on security protection against network and application layer attacks. The third tier only focused on access to the hosted SaaS application with database backend:

  • The first Tier is built around layers 3 and 4 network defense system for IP and TCP defense using hardware firewalls and load balancer. This tier mitigates ICMP (Ping), UDP, or SYN flood attacks.

  • The second Tier provides layer 7 application defense using web application firewalls and customized load balancing rules along with SSL termination. This tier mitigated ARP spoofing, POST Flood, and DNS poisoning and detected malwares from inbound user traffic.

  • Once both network and application attacks are cleaned from the traffic, only legitimate user traffic remained. This traffic is directed to access the private tier cloud (or the third tier), hosting only the SaaS Web portal. After processing and completing the work, user traffic is again reverted to tier 2 for exit instead of tier 1 and following the same traffic route back to the user. This form of asynchronous routing ensures the attackers are not able to execute denial of service attacks that always have the condition of user traffic having the same inbound and outbound gateway and traffic routes (Figure 10).

Figure 10.

Proposed three-tier architecture.

DDoS assaults were performed at first on the single-level system plan and our proposed three-level system structure and assembled result that demonstrate our proposed half-breed cloud configuration having the main level for accepting inbound traffic from clients and aggressors with layers 3 and 4 gadgets and performing system assault alleviation, utilizing a system firewall blocking ICMP floods. The inbound traffic was then permitted to stream to the second level which alleviated application-level assaults utilizing a WAF. Here utilizing F5 and Cisco gadgets intelligently, we had the option to square 80% of the assaults. This was assembled subsequent to contrasting the assault information and single-level system arrangement. The three-level system configuration is executed in a test server farm with Cisco and F5 arrange gadgets for steering, VPN, and exchanging. We utilized VMware and Microsoft operating system servers with a SQL server as backend database to mimic cloud-based SaaS applications. DDoS assault reproductions were performed on the three-level engineering to check the patterns for system and application-level outcomes after the assaults. ICMP flooding was performed with 1000 reverberation demands each with expanding support size (3600–3800 bytes) with each assault. They made the objective server to react and process the ICMP demands, taking cost of CPU assets and at last square substantial solicitations. Application-level assaults were finished utilizing HTTP Flood GET assault with expanding string check and 1200 reverberation demands utilizing “GET/application/?id=479673msg=BOOM%2520HEADSHOT! HTTP/1.1Host: IP” and moderate attachment development mimicking moderate HTTP assault utilizing perl with logs taken from Wireshark.

Device logs gathered for each attack are illustrated in Figure 11.

Figure 11.

Three-tier logs (network attack).

6.3 Comparing single- and three-tier architectures

DDoS attacks were performed on single-tier and the proposed three-tier infrastructure architecture and results gathered for real user monitoring parameters during the network attacks (Figure 12).

Figure 12.

Network and web defense trends.

6.4 Single-tier logs and data analysis

The below data and graphs illustrate the network firewall and application layer logs and graphs for the DDoS attack performed on single-tier data center architecture in order to determine the resilience for handling DDoS attacks. In Figure 13 network firewall defense is implemented after attack#2 with ICMP, page load, browser throughput, and application response as the key values.

Figure 13.

Single-tier attack parameters.

Figure 14 illustrates real user monitoring values obtained during an application layer attack on single-tier network infrastructure in which application firewall defense is implemented after attack#2 with ICMP, page load, browser throughput, and application response key values.

Figure 14.

Single-tier application attack logs.

Results of single-tier architecture attacks obtained before and during the DDoS attack are presented in Figure 15. This has the average ICMP, browser throughput, page load response, and application server response.

Figure 15.

Single-tier network attack parameters.

6.5 Three-tier logs and data analysis

DDoS attacks are performed on the designed network architectures and network and application attack results obtained before and after attack scenarios. Network attacks like ICMP flood are done with 1000 ICMP echo requests with each increasing the attack buffer size from 3700 to 3805 bytes. Application attack like HTTP Flood attack is done by increasing the thread count by “GET /app/?id = 437793 msg = BOOM%2520HEADSHOT! HTTP/1.1 Host: IP” and slow socket buildup simulating slow web attacks by the use of perl. The logs and Data gathered are gathered from the network firewall; for each attack is displayed in Figure 16.

Figure 16.

Three-tier attack logs.

Results of three-tier architecture attacks obtained before and during the DDoS attack are presented in Figure 17. This has the average ICMP, browser throughput, page load response, and application server response.

Figure 17.

Three-tier architecture attack parameter results.

The graph in Figure 18 presents the results of three-tier architecture attacks obtained before and during DDoS attack for ICMP response.

Figure 18.

Real user monitoring for ICMP (single- and three-tier).

Results of three-tier architecture attacks obtained before and during DDoS attack for page load response is presented in Figure 19.

Figure 19.

Real user monitoring for page load response (single- and three-tier).

Results of three-tier architecture attacks obtained before and during DDoS attack for browser throughput are presented in Figure 20.

Figure 20.

Real user monitoring for browser throughput (single- and three-tier).

Results of three-tier architecture attacks obtained before and during DDoS attack for application server response is presented in Figure 21.

Figure 21.

Real user monitoring for application server responses.

The below graph displays the availability trend metrics obtained after performing the DoS attacks on the two architectures for network and application layer design (Figure 22).

Figure 22.

SaaS availability monitor.

6.6 Result analysis

After analyzing the infrastructure, we now focus on what the cloud infrastructure has to offer for implementation (Figures 2325).

  1. Firewall → Prevent threats entering the network from outside.

  2. Active directory → Authentication, authorization, and group policies for access management.

  3. Web application firewall → Protects web servers and manages the incoming and outgoing requests.

  4. Web Security Gateway → Web proxy filters manage and monitor websites visited by users in network.

  5. Email security → Scans, monitors, and protects emails incoming and outgoing.

Figure 23.

Populated report for file server access activity on cloud-based premises.

Figure 24.

Threats blocked based on the requests coming into the cloud system.

Figure 25.

Logs displaying the threat level with its warning on a cloud-based setup.

Web application firewall (WAF) prevents DDoS attack including SQL injection and XSS attacks to name a few. This is integrated with the implementation as shown in Figure 26.

Figure 26.

Shows how an attack gets categorized in the WAF.

7. Conclusion

According to our findings and our recommendations having a private cloud, setup is best suited for the larger organizations due to the limitations of going on public cloud infrastructure in terms of bandwidth, data confidentiality, cost of Internet, and cost of its recommended with requirements for infrastructure itself on a public cloud. Setting up a private cloud helps organizations to mitigate risk with confidence and keep 100% control changes to the platform. However, not forgetting the security risks associated with a private cloud infrastructure in areas such as web application firewalls, web security gateways, main gateway firewall, end point security protection, etc., it is essential to have these security appliances implemented with the infrastructure to maintain and protect the cloud environment from outside threats.

© 2020 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite and reference

Link to this chapter Copy to clipboard

Cite this chapter Copy to clipboard

Akashdeep Bhardwaj and Sam Goundar (July 22nd 2020). Cloud Computing Security Services to Mitigate DDoS Attacks, Cloud Computing Security - Concepts and Practice, Dinesh G. Harkut, IntechOpen, DOI: 10.5772/intechopen.92683. Available from:

chapter statistics

74total chapter downloads

More statistics for editors and authors

Login to your personal dashboard for more detailed statistics on your publications.

Access personal reporting

Related Content

This Book

Next chapter

A General Systems Approach to Cloud Computing Security Issues

By Svetlana Aristova, Yousef Ibrahim Daradkeh and Petr Korolev

Related Book

First chapter

Introductory Chapter: Cloud Computing

By Dinesh G. Harkut

We are IntechOpen, the world's leading publisher of Open Access books. Built by scientists, for scientists. Our readership spans scientists, professors, researchers, librarians, and students, as well as business professionals. We share our knowledge and peer-reveiwed research papers with libraries, scientific and engineering societies, and also work with corporate R&D departments and government entities.

More About Us