Ragib Hasan - Johns Hopkins University


Security and Privacy in
Cloud Computing
Ragib Hasan
Johns Hopkins University
en.600.412 Spring 2011
Lecture 11
04/25/2011
Attacking Availability
• Goal: To see how availability of a cloud can be
affected by DoS attacks launched from inside
the cloud.
• Review Assignment #10:
– Han Liu, A New Form of DOS Attack in a Cloud and
Its Avoidance Mechanism, ACM Cloud Computing
Security Workshop 2010
4/25/2011
en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan
Announcement
• Next week (5/2), we’ll have our final class,
where we will discuss
– A wrap-up of things we learned
– A high level view of cloud security problem space
• No new papers will be discussed next week
(but you do have to turn in Review
Assignment #10 by 5/2)
Recap: Anti-virus as a service
• Pros
• Cons
• Ideas
DoS attack on cloud
• Network provisioning in data centers:
– Many servers share the same link/router, so
bandwidth is shared.
Data center networks are typically
grossly under-provisioned
• Typical ratios are 2.5:1 to 8:1
– 8:1 means servers get at most 1/8 of the
bandwidth of their interface
• Bandwidth is limited by the hierarchical
nature of network, routers, and switches
• Multiplexing in routers reduces the amount of
bandwidth each server ultimately gets
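
The oversubscription arithmetic above, worked through for a small tree as a capacity-review check (an added example, not from the lecture or the reviewed paper). The switch names, link capacities and host counts are constructed assumptions, chosen so the ratios span 2.5:1 to 8:1.

```python
HOST_NIC_GBPS = 1.0  # assumed interface speed of every server

# Constructed topology: name -> (parent, uplink Gbit/s toward parent, attached hosts)
TOPOLOGY = {
    "core": (None, None, 0),
    "agg1": ("core", 10.0, 0),
    "agg2": ("core", 10.0, 0),
    "tor1": ("agg1", 8.0, 20),
    "tor2": ("agg1", 8.0, 20),
    "tor3": ("agg2", 4.0, 20),
    "tor4": ("agg2", 8.0, 60),
}


def hosts_below(node):
    """Number of servers whose upstream traffic crosses this node's uplink."""
    own = TOPOLOGY[node][2]
    return own + sum(hosts_below(n) for n, (p, _, _) in TOPOLOGY.items() if p == node)


def oversubscription(node):
    """N in the N:1 ratio: total server NIC capacity below / uplink capacity."""
    return hosts_below(node) * HOST_NIC_GBPS / TOPOLOGY[node][1]


def worst_case_share(node):
    """Per-server Gbit/s for traffic that must cross the root when all servers send.

    The share is set by the tightest uplink on the path, which is why the
    hierarchy matters and not just the first-hop switch.
    """
    share = HOST_NIC_GBPS
    while TOPOLOGY[node][0] is not None:
        share = min(share, TOPOLOGY[node][1] / hosts_below(node))
        node = TOPOLOGY[node][0]
    return share


def links_over(threshold):
    """Uplinks whose oversubscription ratio exceeds the review threshold."""
    return sorted(n for n, (p, _, _) in TOPOLOGY.items()
                  if p is not None and oversubscription(n) > threshold)


if __name__ == "__main__":
    for name in ("tor1", "tor3", "agg1", "agg2"):
        print(f"{name}: {oversubscription(name)}:1")
    print("tor3 worst-case share:", worst_case_share("tor3"), "Gbit/s")
    print("uplinks over 4:1:", links_over(4.0))
```
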
Typical data center network
Communication between H1-H4 and H5-H8 is
routed through R5 and R6.
Under-provisioning is not a problem in
traditional networks
• Network admins can co-locate related servers
in the same subnet
• Network admins can redesign network
topologies to fine-tune for worst-case
performance
Under-provisioning IS a problem in
clouds
• There are many more servers in a cloud, so
provisioning ratios are much higher (e.g. 45:1)
• Many clients use the same network, and
malicious clients can launch DoS
• Application owner/designer has no control
over network topology
DoS attacks on clouds
• DoS attacks on traditional systems (from the
outside) can be prevented via clever tricks
such as moving to a cloud based virtualized
model
• DoS attacks on clouds launched from *inside*
the cloud are much harder to prevent
DoS attack on clouds
• Adversary launches attack from inside the
cloud data center network
• After probing the network and reverse-engineering
the topology, the adversary can
identify bottlenecks
• Then the adversary can send DoS traffic to the
bottleneck link to saturate it
Example
• To attack Link B,
adversary sends
packets from R1’s
subnet to another
subnet
Types of attacks
• Untargeted attack: No particular link or host is
targeted
• Targeted attack: Adversary gains critical mass
in a network to target a specific victim
Topology identification
• Knowledge of topology is important for the
adversary
How to identify topology
• Technique #1: Traceroute
– Run traceroute between all pairs of hosts
– Due to IP provisioning schemes, running
traceroute for a few pairs of hosts is enough
– Disadvantages:
• Can’t identify switches (layer 2)
• Can be disabled at router level
How to identify topology
• Technique #2: Network probing
– Idea: Use observed traffic rates to infer the number of
routers between two hosts
How many malicious hosts is enough?
• Untargeted attack:
– Easy to get many hosts if the VM assignment
algorithm can be reverse-engineered (as in the “Hey
You!” paper)
– Even brute force attack succeeds in getting many
hosts in the same subnet
– (Note: this is different from the co-location attack,
where the goal was to co-locate on physical
hardware rather than network)
How many malicious hosts is enough?
• Targeted attack:
– Pick victim, launch brute force attacks
– Tests show it is easy to get VMs in same subnet as
target
Launching the attack
• Process:
– Send a flood of packets through the link
– UDP used. (Why?)
– For adaptive applications, do not saturate link
completely, rather “almost” saturate it (Why?)
Mitigation strategy
• Use a user-side monitoring agent to monitor
link saturation
• When a link degrades, or the server detects a
bottleneck and sends a help packet, the monitor
initiates app migration
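
A sketch of the decision logic for such a monitoring agent (an added example, not code from the lecture or the reviewed paper). The class name, the 50% degradation threshold, the window sizes and the throughput trace are all assumptions. The threshold is relative to a learned baseline so that a link held "almost" saturated still triggers migration.

```python
from collections import deque
from statistics import median


class LinkMonitor:
    """User-side agent: compares measured throughput to a learned baseline."""

    def __init__(self, baseline_samples=5, window=3, degraded_fraction=0.5):
        self.baseline_samples = baseline_samples    # samples used to learn "normal"
        self.degraded_fraction = degraded_fraction  # assumed threshold, tune per app
        self.warmup = []
        self.baseline = None
        self.recent = deque(maxlen=window)

    def observe(self, mbps=None, help_packet=False):
        """Feed one throughput sample or a server help packet; return the action."""
        if help_packet:
            return "migrate"  # the server itself reported a bottleneck
        if self.baseline is None:
            self.warmup.append(mbps)
            if len(self.warmup) == self.baseline_samples:
                self.baseline = median(self.warmup)
            return "ok"
        self.recent.append(mbps)
        if len(self.recent) < self.recent.maxlen:
            return "ok"
        # The median over the window ignores a single transient dip but
        # catches sustained partial degradation, not only a dead link.
        if median(self.recent) < self.degraded_fraction * self.baseline:
            return "migrate"
        return "ok"


def replay(mbps_trace):
    """Run a fresh monitor over a throughput trace and return each decision."""
    monitor = LinkMonitor()
    return [monitor.observe(mbps=m) for m in mbps_trace]


# Constructed trace in Mbit/s: five baseline samples, one transient dip (300),
# then sustained degradation to under half of the baseline.
TRACE = [900, 920, 910, 905, 915, 890, 300, 880, 900, 420, 410]

if __name__ == "__main__":
    for sample, action in zip(TRACE, replay(TRACE)):
        print(sample, action)
```
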
Comments
• Experiments / attacks were run on a real cloud
(without knowledge of data center admin)