1 Introduction

1.1 Cloud Computing

Cloud computing is a new IT delivery model that enables users to store and access data according to their needs, regardless of time and place. The idea behind cloud computing is to move the workload from the user’s computer to the cloud using a simple Internet connection. Cloud computing and its characteristics are represented by Fig. 1. It allows IT industries to focus on what they actually want to do without spending money on infrastructure and wasting time arranging it. It gives users a pay-per-use facility, which means it provides measured services such as networks, servers, storage, and applications on demand. Because the cloud offers features like elasticity, pay-per-use, flexibility, and scalability, it attracts big organizations and companies to host their services on the cloud. Like any recent technology trend, cloud computing is not free from security risks and vulnerabilities.

Fig. 1 Cloud computing [5]

Sabahi [1] describes various security and availability issues in cloud computing and suggests some available solutions for them. Lekkas [2] has defined the threat and security requirements present at the different stages of cloud execution. The cloud is vulnerable to various attacks, including malware injection, metadata spoofing, DNS and DDoS attacks, cross-site scripting, SQL injection, and wrapping attacks. Among these, DDoS is the most common type of attack performed against cloud infrastructure. The impact of DDoS attacks becomes larger and harder to ignore each year. Although such attacks are rising, various industries have tried to protect themselves with traditional firewall-based solutions. Instead, industries would do better to invest in solutions that provide real protection from unplanned downtime and economic losses.

Key findings from the Incapsula survey are as follows [3]:

  • 49% of DDoS attacks are likely to last between 6 and 24 h. With a projected budget of $40,000 per hour, the usual cost of a DDoS attack can be estimated at approximately $500,000.

  • Budgets are not only constrained for the IT group; DDoS attacks also have a huge impact on risk and security management, sales, and customer service.

  • Companies with 500 or more employees are the major victims of DDoS attacks; they experience higher attack costs and need additional personnel to combat the attack.

Cloud computing is elastic and scalable in nature, which allows resources to be expanded whenever more resources are demanded. A special kind of DDoS attack is specific to cloud infrastructure: economic denial of sustainability (EDoS). The main aim of EDoS is to make cloud resources economically untenable for the victim, whereas a DDoS attack focuses on degrading or blocking cloud services. DDoS attacks are short in duration, while EDoS attacks are more subtle and are performed over a longer period. An EDoS attack operates just above the average traffic threshold and below the threshold of a DDoS attack. Hence, it is hard to identify with customary intrusion detection systems, and the procedures used to overcome application layer DDoS attacks are not applicable to EDoS attacks [4]. In this paper, we evaluate EDoS attacks and several practices to mitigate them.

1.2 Challenges and Issues in Cloud Computing

  1. Privacy and Security

The key challenge for cloud computing is the way it addresses the privacy and security concerns of organizations thinking of adopting it. The fact that crucial enterprise information will exist outside the enterprise firewall raises serious concerns. Hacking and other attacks against cloud infrastructure will probably affect many customers even though only one site is subjected to attack.

  2. Billing and Service Delivery

Because of the on-demand nature of the services, it is relatively difficult to measure the costs incurred. Budgeting and estimating the cost will not be easy unless the provider offers comparable and upfront benchmarks. The service-level agreements (SLAs) of the supplier are not sufficient to assure scalability and availability. Organizations will be reluctant to shift to the cloud without any assurance of a high quality of service.

  3. Manageability and Interoperability

Organizations must have the freedom to move into and out of the cloud and to switch providers whenever they need, without any lock-in period. Cloud computing services should be capable of integrating easily with on-premise IT.

  4. Consistency and Accessibility

Cloud providers still fall short in providing consistent service; as a result, there are repeated outages. It is essential to monitor the service being delivered via internal or third-party tools. It is necessary to have policies to govern usage, service-level agreements, performance robustness, and corporate reliance on these services.

  5. Bandwidth Cost and Performance

Enterprises can cut hardware costs, but then they need to spend more on bandwidth. This may be a low cost for small applications; however, it can be considerably large for data-intensive applications. Adequate bandwidth is necessary to deliver intensive and complex data across the network. For this reason, several organizations are waiting for lower costs before shifting to the cloud.

1.3 DDoS Attack

A distributed denial of service (DDoS) attack can be described as an attempt to make a machine or network resource unavailable to legitimate users. This attack restricts the availability of resources. It is a kind of denial-of-service (DoS) attack in which numerous compromised systems, usually infected with viruses, especially Trojan horses, are used to target a single system. DDoS attacks differ from DoS attacks in that DDoS uses multiple systems to attack the victim. The widely publicized DDoS attacks on Amazon, Yahoo, eBay, and numerous other popular Web sites in February 2000 exposed the weakness of even well-equipped networks and affected massive numbers of Internet users. DDoS has become a main risk to all Internet users. Various DDoS tools are available that can be used to attack any Internet user. DDoS damage is likely to become more severe in the future compared to other attacks, as there is a shortage of effective solutions to protect against these attacks. Behind major DDoS attacks are botnets and other newly emerging DDoS techniques. A botnet makes use of flooding to block the availability of resources to benign users. Among all prevailing attack weapons, packet flooding is the most general and efficient DDoS approach. This attack is different from other attacks because it deploys its weapons in a “distributed way” across the Internet. The main aim of DDoS is to harm a victim, either for personal reasons, for material gain, or to gain popularity. Extremely high-level, “user-friendly” and powerful DDoS toolkits are accessible to attackers, which raises the threat of becoming a victim of a DoS or DDoS attack. The straightforward logic and small memory footprint of DDoS attack programs make them comparatively simple to deploy and hide. Various detection and mitigation techniques are available for preventing DDoS attacks. One of the major challenges is protecting data from attacks like DDoS. The data is presently stored in cloud data centers. Therefore, it is very important to protect data and prevent attacks like DDoS.

DDoS attacks can be categorized into three types [6], as represented by Fig. 2.

Fig. 2 DDoS attack types [7]

  I. Attacks targeting network resources

  II. Attacks targeting server resources

  III. Attacks targeting application resources.

Attacks targeting network resources: These attacks attempt to exhaust the entire bandwidth of a victim’s network by sending a vast volume of illegitimate traffic to saturate the organization’s Internet pipe.

Attacks targeting server resources: These attacks attempt to exhaust a server’s processing capacity or memory, which may result in a denial-of-service state. The attacker’s scheme is to exploit an existing vulnerability or a flaw in a communication protocol so that the target server becomes busy executing illegitimate requests and no longer has enough resources to handle legitimate requests.

Attacks targeting application resources: These attacks target not only the Hypertext Transfer Protocol (HTTP) but also other important protocols such as SMTP, HTTPS, FTP, DNS, and VoIP, as well as other application protocols that have exploitable weaknesses usable for DoS attacks.

Floods: Types of floods are represented by Fig. 3.

Fig. 3 Types of flood attack [7]

UDP flood: A User Datagram Protocol (UDP) flood attack simply disrupts the normal behavior of the victim at a sufficiently high rate to cause network congestion on the victim network, rather than exploiting a specific vulnerability. The attacker sends a large number of UDP packets to random ports on a target server; the server cannot process each request, and its entire bandwidth is consumed by attempting to reply to each spoofed UDP packet with an ICMP “destination unreachable” message, confirming that no application was listening on the targeted ports.

ICMP flood: An Internet Control Message Protocol (ICMP) flood is a non-vulnerability-based attack, as it does not depend on any particular weakness to achieve denial of service. An ICMP flood consists of ICMP echo request messages sent to the target server as quickly as possible, so that it becomes unable to process all requests, resulting in a denial-of-service state.

IGMP flood: An Internet Group Management Protocol (IGMP) flood is also a non-vulnerability-based attack. This flood consists of a huge number of IGMP messages directed to a network or router, which noticeably slows and finally blocks legitimate traffic from being transported over the targeted network.

TCP/IP weaknesses: TCP is a connection-based protocol, unlike UDP and others, which are connectionless; this means a full connection must be established between the packet sender and the intended recipient before packets are sent. These attacks misuse the TCP/IP protocol by exploiting some of its design flaws. To disrupt the normal flow of TCP traffic, the attacker misuses TCP’s six control bits, such as URG, SYN, ACK, RST, and PSH. This is represented by Fig. 4.

Fig. 4 Types of TCP/IP weakness [7]

TCP SYN flood: In this attack, the attacker sends the server a sequence of TCP requests with the SYN flag set, which appear to be legitimate connection requests but in fact originate from spoofed IP addresses. The victim server opens threads and assigns corresponding buffers to prepare a connection for each of the SYN requests.

TCP RST attack: In this attack, the attacker interrupts an active TCP connection between two endpoints by guessing the current sequence number and forging a TCP RST packet with the client’s source IP, which is then directed to the server. A botnet is typically used to send thousands of such packets to the server with different sequence numbers, which makes it easier to hit the correct one. Once this happens, the server accepts the RST packet sent by the attacker and terminates its connection to the client located at the forged IP address.

TCP PSH + ACK flood: If a TCP sender transmits a packet with the PUSH flag set to 1, the receiving server is forced to empty its TCP stack buffer and to send an acknowledgement when this is complete. The attacker typically uses a botnet to flood a targeted server with many such requests. This exhausts the TCP stack buffer on the targeted server, leaving it unable to process legitimate requests or even acknowledge them, which eventually results in a denial-of-service condition.
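The three TCP-flag attacks above (SYN flood, RST attack, PSH + ACK flood) leave distinct traces in packet headers, and a defender can triage them from a capture summary alone. The following is an added example, not code from the paper; the packet tuple format, the thresholds and the constructed capture are assumptions made for illustration.

```python
"""Flag-based triage of SYN flood, RST attack and PSH+ACK flood over a
constructed packet summary (added example; thresholds are assumptions)."""
from collections import defaultdict

# TCP control-bit masks as laid out in the header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumed per-capture thresholds (not from the paper).
HALF_OPEN_RATIO = 10      # SYN-only segments per completed handshake, by port
RST_DISTINCT_SEQ = 20     # distinct sequence numbers in RSTs from one source
PSH_ACK_PER_SOURCE = 100  # PSH+ACK segments from one source


def triage(packets):
    """packets: iterable of (src_ip, dst_port, flags, seq). Returns findings."""
    syn_only = defaultdict(int)    # dst_port -> SYN segments without ACK
    handshake = defaultdict(int)   # dst_port -> bare ACK (third handshake step)
    rst_seqs = defaultdict(set)    # src_ip -> sequence numbers seen in RSTs
    psh_ack = defaultdict(int)     # src_ip -> PSH+ACK segments
    for src, port, flags, seq in packets:
        if flags & SYN and not flags & ACK:
            syn_only[port] += 1
        elif flags == ACK:
            handshake[port] += 1
        if flags & RST:
            rst_seqs[src].add(seq)
        if flags & PSH and flags & ACK:
            psh_ack[src] += 1
    findings = []
    for port, n in syn_only.items():
        # Spoofed SYNs never complete: the SYN-ACK goes to the forged address.
        if n > HALF_OPEN_RATIO * max(handshake[port], 1):
            findings.append(("syn_flood", port, n))
    for src, seqs in rst_seqs.items():
        # Guessing the live sequence number means many RSTs, each different.
        if len(seqs) > RST_DISTINCT_SEQ:
            findings.append(("rst_attack", src, len(seqs)))
    for src, n in psh_ack.items():
        if n > PSH_ACK_PER_SOURCE:
            findings.append(("psh_ack_flood", src, n))
    return findings


def sample_capture():
    """Constructed capture: 5 legitimate handshakes on port 80, a spoofed SYN
    flood on port 80, an RST attack forging client 192.0.2.10, and a PSH+ACK
    flood from a single bot."""
    pkts = []
    for i in range(5):
        pkts.append((f"198.51.100.{i}", 80, SYN, 1000 + i))
        pkts.append((f"198.51.100.{i}", 80, ACK, 1001 + i))
    for i in range(200):                       # one SYN per forged source
        pkts.append((f"10.0.{i // 256}.{i % 256}", 80, SYN, 7 * i))
    for i in range(30):                        # RSTs with guessed sequence numbers
        pkts.append(("192.0.2.10", 443, RST, 500000 + 1000 * i))
    for i in range(150):
        pkts.append(("203.0.113.9", 80, PSH | ACK, 42))
    return pkts


if __name__ == "__main__":
    for finding in triage(sample_capture()):
        print(finding)
```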

SSL-based attacks: As common services move to secure sockets layer (SSL) to improve security and address privacy concerns, DDoS events on SSL are also on the rise. SSL is an encryption technique used by many network communication protocols. It protects users communicating over other protocols by encrypting their communications and authenticating the communicating parties. SSL-based DoS attacks can take various forms, such as abusing particular functions of the SSL key negotiation process, targeting the SSL handshake mechanism, or sending garbage data to the SSL server. SSL-based DoS attacks can also be launched over SSL-encrypted traffic, which makes them extremely hard to identify. SSL attacks are becoming popular because every SSL handshake session uses 15 times more server-side resources than client-side resources. Hence, such attacks are asymmetric, as it takes far more server resources to cope with the attack than it does to launch it.

HTTP flood: An HTTP flood is a DDoS attack that targets application resources. The attacker exploits seemingly legitimate HTTP GET or POST requests to attack the application or Web server. HTTP flood attacks are volumetric attacks and often use a botnet: the attack is launched from multiple computers that constantly and repeatedly request to download the target’s site pages (HTTP GET flood), which exhausts the application’s resources and causes a denial-of-service state. They are difficult to detect, as they require less bandwidth to bring down the server than other attacks.

DNS flood: Domain Name System (DNS) floods are symmetric DDoS attacks in which the attacker targets one or more DNS servers. These attacks try to exhaust server-side resources such as memory or CPU with a flood of UDP requests, generated by scripts running on several compromised botnet machines. Based on the same idea as other flooding attacks, a DNS flood targets the DNS application process by sending a large volume of DNS requests; the DNS server is overwhelmed, is unable to respond to all of its incoming requests, and ultimately crashes. DNS is the procedure used to resolve domain names into IP addresses; its underlying protocol is UDP, which takes advantage of quick request and response intervals without the overhead of having to establish connections.

“Low and slow” attacks: A “low and slow” attack is more specifically related to application resources. These attacks can be launched from a single computer with no other bots, as they are not volumetric in nature. They can target specific design flaws or vulnerabilities on a target server with a relatively small amount of malicious traffic, eventually causing it to crash. Additionally, because these attacks happen at the application layer, a TCP handshake has already been established by this time, effectively making the malicious traffic appear like regular traffic traveling over a valid connection.

1.4 Economic Denial of Sustainability Attack

The general design of an EDoS attack is to make use of cloud resources without paying for them, or to undermine the economic drivers of using cloud computing services. The goal of an EDoS attack is to make the cloud cost model unsustainable, so that a company is no longer able to afford to use or pay for its cloud-based infrastructure. This is also called a cloud-based denial-of-service attack [8]. The general idea of EDoS attack prevention is represented by Fig. 5.

Fig. 5 Prevention of EDoS attack

Cloud computing follows a service model where clients are charged on the basis of their usage of the cloud’s resources. This pricing model has turned the DDoS attack problem in the cloud into an economic one, identified as the EDoS attack. The objective of an EDoS attack is to deprive regular cloud users of their long-term financial capability. An EDoS attack succeeds when it places an economic liability on the cloud user. For instance, attackers pretending to be authorized users constantly make requests to a Web site hosted on cloud servers with the aim of consuming bandwidth, and the burden of the bill falls on the cloud user who owns the Web site. To the Web server, this traffic does not reach the service-denial level, and it is not easy to differentiate between EDoS attack traffic and legitimate traffic.

If the client’s cloud-based service is designed to scale automatically (such as Amazon EC2), an attacker can cause financial harm by making a large number of automated requests that appear valid from the outside but are forged in reality. The client’s charges increase as the service expands, consuming additional and/or bigger servers (automatically) to respond to those forged requests. Eventually, the charges exceed the client’s ability to pay, i.e., the point at which financial sustainability becomes uncertain.
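The cost amplification just described can be made concrete with a small auto-scaling model, together with a per-hour check that relates requests to successful transactions, which is one signal that separates forged-but-valid-looking traffic from real customers. This is an added example, not code from the paper; the instance capacity, price, volumetric alarm threshold and 24-hour traffic profile are constructed assumptions.

```python
"""Cost amplification of an EDoS attack on an auto-scaling service, plus a
per-hour requests-per-transaction check (added example; all figures are
constructed assumptions)."""
import math

PER_INSTANCE_RPS = 500.0         # assumed requests/s one instance can serve
PRICE_PER_INSTANCE_HOUR = 0.10   # assumed on-demand price per instance-hour
DDOS_ALERT_RPS = 20000.0         # assumed volumetric alarm the attacker stays under


def instances_needed(rps):
    """Auto-scaler: enough instances for the hour's average request rate."""
    return max(1, math.ceil(rps / PER_INSTANCE_RPS))


def bill(hourly_rps):
    """Total charge for a list of hourly average request rates."""
    return sum(instances_needed(r) * PRICE_PER_INSTANCE_HOUR for r in hourly_rps)


def edos_hours(hourly_rps, hourly_tps, baseline_ratio, tolerance=3.0):
    """Hours whose requests-per-transaction ratio exceeds tolerance x baseline.
    Forged requests look valid to the server but never complete a transaction,
    so the ratio drifts even while volume stays below the DDoS alarm."""
    flagged = []
    for hour, (rps, tps) in enumerate(zip(hourly_rps, hourly_tps)):
        if rps / max(tps, 1e-9) > tolerance * baseline_ratio:
            flagged.append(hour)
    return flagged


def sample_day(attack):
    """Constructed 24-hour profile: 1000 rps of legitimate traffic producing
    10 transactions/s. With attack=True, 15000 rps of forged requests are
    added in hours 8-19, below the alarm, and convert nothing."""
    rps = [1000.0] * 24
    tps = [10.0] * 24
    if attack:
        for hour in range(8, 20):
            rps[hour] += 15000.0
    return rps, tps


def analyse(attack, baseline_ratio=100.0):
    """Bill, volumetric-alarm state and EDoS-flagged hours for the sample day."""
    rps, tps = sample_day(attack)
    return {
        "bill_usd": round(bill(rps), 2),
        "volumetric_alarm": any(r > DDOS_ALERT_RPS for r in rps),
        "edos_hours": edos_hours(rps, tps, baseline_ratio),
    }


if __name__ == "__main__":
    quiet, attacked = analyse(False), analyse(True)
    print("normal day:", quiet)
    print("EDoS day  :", attacked)
    print("cost amplification: %.1fx" % (attacked["bill_usd"] / quiet["bill_usd"]))
```

The attack day never trips the volumetric alarm, yet the bill rises from 4.80 to 40.80 and every attack hour is flagged by the requests-per-transaction check.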

Many organizations choose cloud infrastructure because of the following reasons:

  • Business performance resourcing (compute services)

  • Improve employee and partner productivity (Collaboration, QoS)

  • Self-service and on-demand IT service delivery

  • Business Agility (adaptability, simplicity)

  • Reduce/optimize cost

  • Unlimited capacity (storage).

A service-level agreement (SLA) in the cloud operates between the user and the source of the service. When a customer initiates a request to the cloud, the SLA delivers the service according to the user’s expectations, i.e., it offers the guarantees, service duties, and warranties, and likewise lays down the availability and performance of the service. The client can expand the services he obtains at any stage in the cloud structure because of the capability of elasticity.

The cloud service provider’s quality and performance can be measured by SLAs in several ways. Factors that SLAs could define include [9]:

  • Availability and uptime—the proportion of the time services will be accessible

  • The number of concurrent customers that can be supported

  • Specific performance standards against which actual performance is periodically compared

  • Response time of application

  • The schedule for advance notification of network changes that could affect clients

  • Help desk response time for various classes of problems

  • The usage statistics that will be provided.

1.5 Difference between DDoS and EDoS

The differences between EDoS and DDoS attacks are as follows [4]:

  • The objective of an EDoS attack is to create economic unsustainability of the cloud resources for the target, while the objective of a DDoS attack is to damage or block the cloud facilities.

  • DDoS attacks are carried out in a short span of time, whereas EDoS attacks are milder and completed over a stretched time span.

  • An EDoS attack takes place above the usual traffic threshold and below the DDoS attack threshold. Thus, it might not be possible to detect it with the help of a customary intrusion detection system. Moreover, the approaches employed against application layer DDoS attacks are not relevant in the case of an EDoS attack.

2 DDoS Mitigation Methodology

See Tables 1 and 2.

Table 1 Security issues in cloud environment [10,11,12,13]
Table 2 Comparison of various defense mechanisms of DDoS attack [3, 14, 15]

3 EDoS Mitigation Methodology

See Table 3.

Table 3 Summary of EDoS mitigation techniques [16,17,18]

4 Conclusion

Cloud computing allows us to scale our servers up and up in order to serve greater numbers of service requests. This opens a new avenue of attack, known as economic denial of sustainability. DDoS is usually easy to spot given the vast upsurge in traffic. EDoS attacks are not necessarily easy to detect, because most applications, or collections of applications and infrastructure, lack the instrumentation and business logic to connect requests to successful transactions. This paper reviewed the current mitigation methodologies that have been put forward to address DDoS and EDoS attacks. Machine learning techniques are required for preventing the attack. Therefore, this paper reviews all the aspects of DDoS and EDoS attacks [5, 19].