Quick service during DDoS attacks in the container-based cloud environment

Anmol Kumar; Mayank Agarwal

doi:10.1016/j.jnca.2024.103946

Quick service during DDoS attacks in the container-based cloud environment

Anmol Kumar, Mayank Agarwal

Research output: Contribution to journal › Article › peer-review

4 Scopus citations

Abstract

Distributed Denial of Service (DDoS) attacks are one of the biggest internet security risks. As DDoS attacks directly target the availability of the victim's services, defending against them is one of the most challenging tasks for the victim organization's cyber security personnel. Service disruptions, resource conflicts, reputation harm, and financial losses are just a few of the many direct and indirect effects of DDoS attacks. There are several DDoS attack solutions, however, victim organization(s) cyber security personnel still struggle to mitigate it. Among the several ways of mitigating DDoS attacks, it was observed that the most effective approaches include bandwidth limiting and resource reservations. Individually, these solutions have a drawback of increasing the average response time during a DDoS attack for both the malicious and the benign users. We propose a two-line defense system that combines both of these strategies in addition to containerization to minimize DDoS attack effects. First line defense system separates incoming requests based upon the number of connections made for target web-service at any particular instant and sends them to second line defense system. At second line defense system, we limit the bandwidth of intermediate machines that transmit requests to the destination web-service(s). Additionally, the load balancer at the second line defense system routes incoming requests to different containers on the target computers based on line defense system decisions. By segregating incoming requests, we are able to serve benign users requests which send lesser number of requests than threshold value even in the presence of DDoS attacks. The proposed technique shows that benign users’ average response time under DDoS attack is nearly equivalent to that obtained under normal network conditions. The proposed technique is able to preserve the service availability to ∼98% of benign requests even in the presence of massive DDoS attack.

Original language	English
Article number	103946
Journal	Journal of Network and Computer Applications
Volume	229
DOIs	https://doi.org/10.1016/j.jnca.2024.103946
State	Published - 1 Sep 2024
Externally published	Yes

Keywords

Bandwidth limitation
Cloud security
Containerization
Network security
Resource management
Virtualization

ASJC Scopus subject areas

Hardware and Architecture
Computer Science Applications
Computer Networks and Communications

Access to Document

10.1016/j.jnca.2024.103946

Cite this

@article{74fc31761c294f0a816c68d716f748b2,

title = "Quick service during DDoS attacks in the container-based cloud environment",

abstract = "Distributed Denial of Service (DDoS) attacks are one of the biggest internet security risks. As DDoS attacks directly target the availability of the victim's services, defending against them is one of the most challenging tasks for the victim organization's cyber security personnel. Service disruptions, resource conflicts, reputation harm, and financial losses are just a few of the many direct and indirect effects of DDoS attacks. There are several DDoS attack solutions, however, victim organization(s) cyber security personnel still struggle to mitigate it. Among the several ways of mitigating DDoS attacks, it was observed that the most effective approaches include bandwidth limiting and resource reservations. Individually, these solutions have a drawback of increasing the average response time during a DDoS attack for both the malicious and the benign users. We propose a two-line defense system that combines both of these strategies in addition to containerization to minimize DDoS attack effects. First line defense system separates incoming requests based upon the number of connections made for target web-service at any particular instant and sends them to second line defense system. At second line defense system, we limit the bandwidth of intermediate machines that transmit requests to the destination web-service(s). Additionally, the load balancer at the second line defense system routes incoming requests to different containers on the target computers based on line defense system decisions. By segregating incoming requests, we are able to serve benign users requests which send lesser number of requests than threshold value even in the presence of DDoS attacks. The proposed technique shows that benign users{\textquoteright} average response time under DDoS attack is nearly equivalent to that obtained under normal network conditions. The proposed technique is able to preserve the service availability to ∼98% of benign requests even in the presence of massive DDoS attack.",

keywords = "Bandwidth limitation, Cloud security, Containerization, Network security, Resource management, Virtualization",

author = "Anmol Kumar and Mayank Agarwal",

note = "Publisher Copyright: {\textcopyright} 2024 Elsevier Ltd",

year = "2024",

month = sep,

day = "1",

doi = "10.1016/j.jnca.2024.103946",

language = "English",

volume = "229",

journal = "Journal of Network and Computer Applications",

issn = "1084-8045",

publisher = "Academic Press",

}

TY - JOUR

T1 - Quick service during DDoS attacks in the container-based cloud environment

AU - Kumar, Anmol

AU - Agarwal, Mayank

PY - 2024/9/1

Y1 - 2024/9/1

N2 - Distributed Denial of Service (DDoS) attacks are one of the biggest internet security risks. As DDoS attacks directly target the availability of the victim's services, defending against them is one of the most challenging tasks for the victim organization's cyber security personnel. Service disruptions, resource conflicts, reputation harm, and financial losses are just a few of the many direct and indirect effects of DDoS attacks. There are several DDoS attack solutions, however, victim organization(s) cyber security personnel still struggle to mitigate it. Among the several ways of mitigating DDoS attacks, it was observed that the most effective approaches include bandwidth limiting and resource reservations. Individually, these solutions have a drawback of increasing the average response time during a DDoS attack for both the malicious and the benign users. We propose a two-line defense system that combines both of these strategies in addition to containerization to minimize DDoS attack effects. First line defense system separates incoming requests based upon the number of connections made for target web-service at any particular instant and sends them to second line defense system. At second line defense system, we limit the bandwidth of intermediate machines that transmit requests to the destination web-service(s). Additionally, the load balancer at the second line defense system routes incoming requests to different containers on the target computers based on line defense system decisions. By segregating incoming requests, we are able to serve benign users requests which send lesser number of requests than threshold value even in the presence of DDoS attacks. The proposed technique shows that benign users’ average response time under DDoS attack is nearly equivalent to that obtained under normal network conditions. The proposed technique is able to preserve the service availability to ∼98% of benign requests even in the presence of massive DDoS attack.

AB - Distributed Denial of Service (DDoS) attacks are one of the biggest internet security risks. As DDoS attacks directly target the availability of the victim's services, defending against them is one of the most challenging tasks for the victim organization's cyber security personnel. Service disruptions, resource conflicts, reputation harm, and financial losses are just a few of the many direct and indirect effects of DDoS attacks. There are several DDoS attack solutions, however, victim organization(s) cyber security personnel still struggle to mitigate it. Among the several ways of mitigating DDoS attacks, it was observed that the most effective approaches include bandwidth limiting and resource reservations. Individually, these solutions have a drawback of increasing the average response time during a DDoS attack for both the malicious and the benign users. We propose a two-line defense system that combines both of these strategies in addition to containerization to minimize DDoS attack effects. First line defense system separates incoming requests based upon the number of connections made for target web-service at any particular instant and sends them to second line defense system. At second line defense system, we limit the bandwidth of intermediate machines that transmit requests to the destination web-service(s). Additionally, the load balancer at the second line defense system routes incoming requests to different containers on the target computers based on line defense system decisions. By segregating incoming requests, we are able to serve benign users requests which send lesser number of requests than threshold value even in the presence of DDoS attacks. The proposed technique shows that benign users’ average response time under DDoS attack is nearly equivalent to that obtained under normal network conditions. The proposed technique is able to preserve the service availability to ∼98% of benign requests even in the presence of massive DDoS attack.

KW - Bandwidth limitation

KW - Cloud security

KW - Containerization

KW - Network security

KW - Resource management

KW - Virtualization

UR - http://www.scopus.com/inward/record.url?scp=85197484107&partnerID=8YFLogxK

U2 - 10.1016/j.jnca.2024.103946

DO - 10.1016/j.jnca.2024.103946

M3 - Article

AN - SCOPUS:85197484107

SN - 1084-8045

VL - 229

JO - Journal of Network and Computer Applications

JF - Journal of Network and Computer Applications

M1 - 103946

ER -

Quick service during DDoS attacks in the container-based cloud environment

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this