Mitigating Selfishness and Denial-of-Service Attacks in Clouds via Application Grouping
Abstract
In cloud computing, tenants consume, on demand, hardware and software resources offered by a remote provider. However, the sharing of the cloud's internal network by all tenants, together with the lack of isolation between data flows that results from the use of the TCP and UDP protocols, makes selfishness and denial-of-service attacks possible. Current allocation algorithms do not prevent the availability of network resources from being affected by such attacks. This paper proposes a strategy for allocating tenants' applications that aims to mitigate the impact of selfishness and denial-of-service attacks on the cloud's internal network. The key idea, new to the scientific literature, consists in grouping applications into virtual infrastructures while taking into account the levels of mutual trust between tenants. Evaluation results show that the proposed strategy is able to offer protection against selfishness and denial-of-service attacks at little or no extra cost.
Published
19/11/2012
How to Cite
MARCON, Daniel Stefani; NEVES, Miguel Cardoso; OLIVEIRA, Rodrigo Ruas; BURIOL, Luciana Salete; GASPARY, Luciano Paschoal; BARCELLOS, Marinho Pilla. Mitigando Ataques de Egoísmo e Negação de Serviço em Nuvens via Agrupamento de Aplicações. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 12., 2012, Curitiba. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2012. p. 154-167. DOI: https://doi.org/10.5753/sbseg.2012.20543.