Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.

Published byAnthony Jackson Modified over 9 years ago

Similar presentations

Presentation on theme: "Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing."— Presentation transcript:

1 Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing

2 Attacking Availability Goal: To see how availability of a cloud can be affected by DoS attacks launched from inside the cloud. Review Assignment #10: – Han Liu, A New Form of DOS Attack in a Cloud and Its Avoidance Mechanism, ACM Cloud Computing Security Workshop 2010 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

3 Announcement Next week (5/2), we’ll have our final class, where we will discuss – A wrap-up of things we learned – A high level view of cloud security problem space No new papers will be discussed next week (but you do have to turn in Review Assignment #10 by 5/2) 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

4 Recap: Anti-virus as a service Pros Cons Ideas 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

5 DoS attack on cloud Network provisioning in data centers: – Many servers share the same link/router, so bandwidth is shared. 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

6 Data center networks are typically grossly under-provisioned Typical ratios are 2.5:1 to 8:1 – 8:1 means servers get at most 1/8 of the bandwidth of their interface Bandwidth is limited by the hierarchical nature of network, routers, and switches Multiplexing in routers reduce the amount of bandwidth each server ultimately gets 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

7 Typical data center network Communication between H1-H4 and H5-H8 are routed through R5 and R6. 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

8 Under provisioning is not a problem in traditional networks Network admins can co-locate related servers in the same subnet Network admins can redesign network topologies to fine tune for worst case performance 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

9 Under provisioning IS a problem in clouds There are many more servers in a cloud, so provisioning ratios are much higher (e.g. 45:1) Many clients use the same network, and malicious clients can launch DoS Application owner/designer has no control over network topology 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

10 DoS attacks on clouds DoS attacks on traditional systems (from the outside) can be prevented via clever tricks such as moving to a cloud based virtualized model DoS attacks on clouds launched from *inside* the cloud are much harder to prevent 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

11 DoS attack on clouds Adversary launches attack from inside the cloud data center network After probing the network and reverse- engineering the topology, the adversary can identify bottlenecks Then the adversary can send DoS traffic to the bottleneck link to saturate it 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

12 Example To attack Link B, adversary sends packets from R1’s subnet to another subnet 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

13 Types of attacks Untargeted attack: No particular link or host is targeted Targeted attack: Adversary gains critical mass in a network to target a specific victim 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

14 Topology identification Knowledge of topology is important for the adversary 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

15 How to identify topology Technique #1: Traceroute – Run traceroute between all pairs of hosts – Due to ip provisioning schemes, running traceroute for a few pairs of hosts is enough – Disadvantages: Can’t identify switches (layer 2) Can be disabled at router level 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

16 How to identify topology Technique #2: Network probing – Idea: Use observed traffic rates to infer number of router between two hosts 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

17 How many malicious hosts is enough? Untargeted attack: – Easy to get many hosts if VM assignment algorithm can be reverse engineered (as in “Hey You!” paper – Even brute force attack succeeds in getting many hosts in the same subnet – (Note: this is different fro co-location attack, where the goal was to co-locate of physical hardware rather than network) 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

18 How many malicious hosts is enough? Targeted attack: – Pick victim, launch brute force attacks – Tests show it is easy to get VMs in same subnet as target 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

19 Launching the attack Process: – Send a flood of packets through the link – UDP used. (Why?) – For adaptive applications, do not saturate link completely, rather “almost” saturate it (Why?) 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

20 Mitigation strategy Use a user side monitoring agent to monitor link saturation When a link degrades, or server detects bottleneck and sends help packet, the monitor initiates app migration 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

21 Comments Experiments / attacks were run on a real cloud (without knowledge of data center admin) 4/25/2011en.600.412 Spring 2011 Lecture 11 | JHU | Ragib Hasan

Download ppt "Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing."

Similar presentations

Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)

Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Network Virtualization COS 597E: Software Defined Networking.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Network Virtualization COS 597E: Software Defined Networking.
Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.

Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.
The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.

The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/11/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/11/2011 Security and Privacy in Cloud Computing.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
Data Communications and Computer Networks Chapter 4 CS 3830 Lecture 22 Omar Meqdadi Department of Computer Science and Software Engineering University.

Data Communications and Computer Networks Chapter 4 CS 3830 Lecture 22 Omar Meqdadi Department of Computer Science and Software Engineering University.
Path Optimization in Computer Networks Roman Ciloci.

Path Optimization in Computer Networks Roman Ciloci.
Hey, You, Get Off of My Cloud

Hey, You, Get Off of My Cloud
Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.

Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 1 01/31/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 1 01/31/2011 Security and Privacy in Cloud Computing.
Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,

Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,
Internet Traffic Patterns Learning outcomes –Be aware of how information is transmitted on the Internet –Understand the concept of Internet traffic –Identify.

Internet Traffic Patterns Learning outcomes –Be aware of how information is transmitted on the Internet –Understand the concept of Internet traffic –Identify.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March.

The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March.

Similar presentations

Ads by Google