Cloud computing is poised to revolutionize the prevailing computing paradigm in the very near future. Generally, cloud computing refers to the deployment and use of computer technology over the Internet, wherein computing resources from a larger collection of shared computing resources can be dynamically requisitioned as a service over the Internet. Cloud computing is distinguished from other similar computing paradigms—such as utility computing—in that cloud computing consumers need not have (and are generally precluded from having) knowledge of, visibility into, and control over the actual technology infrastructure used to provide the obtained service.
Typically, cloud computing vendors offer clients the ability to access or rent these resources at agreed upon rates. These arrangements can offer significant benefits to clients over traditional enterprise data center network implementations, which typically feature a plethora of computing technology hardware that is privately procured, integrated, secured, and monitored independently. These benefits include providing the ability to provision additional resources on demand, dynamically scale a client's application or system, and limit costs to reflect actual resource usage and consumption. In addition, the advantages inherent to avoiding constructing and maintaining a network architecture—such as eliminating the time required for hardware procurement and assimilation and the notorious difficulties of software integration—are also provided through the utilization of cloud computing.
The majority of current cloud computing infrastructures consist of numerous servers with varying levels of virtualization technologies. Architecturally, cloud computing data center networks can resemble traditional enterprise architectures, albeit on a (generally) much grander scale. For example, the architecture for a typical data center network for any particular cloud computing vendor may be implemented as a hierarchy of routers and concentric subnets connecting a large network of servers, often numbering in the hundreds or thousands. However, like enterprise infrastructures, cloud computing data center networks are typically under-provisioned, often by a significant factor. This under-provisioning can compromise the efficacy of the network and prevent the network from performing at its nominal level of throughput. Several factors may account for under-provisioning, principally the prohibitive cost of building and maintaining even a modest-sized network, and the inherent characteristics of hierarchical network architectures.
The problem of under-provisioning can be mitigated in a traditional corporate data center. The standard practice of traditional corporate data centers is to co-locate servers for an application (e.g., web servers, application servers, and database servers for multi-tiered applications) in the same subnet, thereby localizing the bulk of the communication. Since data center managers have full control over the infrastructure, they can perform the optimizations necessary to avoid undesirable communication patterns. In addition, because of that control, data center managers are able to track down offending applications or put counter-measures in place if and when problems with communication patterns occur.
However, under-provisioning in a Cloud infrastructure could become a problem, due to the distinctions between Cloud computing and traditional corporate data centers. First, a cloud infrastructure is much larger than most corporate data centers. As a result, isolated problems may be more difficult to locate within the infrastructure. Conversely, solutions that are wide in scope may be vastly more difficult to deploy on such a grand scale. For example, a solution may not be compatible with all applications running in the Cloud. Moreover, the larger size of a cloud infrastructure also increases the likelihood that the cloud is under-provisioned, as well as the degree of the under-provisioning. Secondly, a Cloud is a shared public infrastructure. Consequently, the consumer may be affected by the usage or consumption of other consumers operating in the same subnet within the Cloud. Finally, Cloud computing consumers have little or no control over the underlying infrastructure in a Cloud. In a corporate data center, an application owner typically has at least indirect access to the underlying server and network, and thus can perform optimizations or implement counter-measures in the infrastructure if needed. The same consumers have no such capability in a Cloud; on the contrary, they have very limited visibility into and control of the underlying infrastructure.
Unfortunately, the gross under-provisioning and the public nature of a Cloud also open a potential avenue for exploitation. The limited bandwidth available in a subnet can be saturated, both intentionally and unintentionally, thereby producing a greatly degraded experience for other users within the same subnet. High-volume users within the same subnet can unintentionally compromise the service for other users in the same subnet by legitimately consuming a disproportionate amount (e.g., all) of the available bandwidth for a period of time. Malicious users within the same subnet may be able to intentionally compromise the performance of the entire subnet by executing a Denial-of-Service (DoS) attack on either a specific user or the subnet as a whole.
Traditional DoS attacks attempt to make a computer resource unavailable to its intended users through a massive and sudden consumption of computing resources (e.g., bandwidth, processing time, storage) and/or disruption of routing information. Generally, a DoS attack operates by saturating a target machine (e.g., a server) with multiple external communications over a concentrated period of time to such a degree that the target's natural constraints are met or exceeded, and the target becomes unable to respond to other legitimate traffic, or responds so slowly to legitimate traffic as to be rendered effectively unavailable for the duration of the attack, or possibly indefinitely. Additionally, the networking devices (e.g., routers) communicatively coupling the target machine to a network (including the Internet) are often easily overwhelmed by a DoS attack, so that other devices coupled to the network through the same networking device suffer as well.
A DoS attack may be instigated from within a cloud's infrastructure and may also be targeted at a specific user by determining the IP address of the application to attack (i.e., the subnet of the target); requisitioning resources within the target subnet; and unilaterally sending data packets (e.g., User Datagram Protocol or “UDP” packets) at the maximum rate through a target router controlling the target subnet, thereby consuming all or most of the device's transmission capability. Due to the effects of under-provisioning, a DoS attack may require requisitioning only a very small amount of resources relative to the number of servers in the subnet. Unfortunately, compromised performance may not be limited to the directly attacked application in a cloud: other constituents within the same subnet that use the same router in the cloud would also suffer the effect of a DoS attack on a specific user, specifically by also experiencing drastically reduced service and data transfer rates. Alternatively, a DoS attack may be untargeted, wherein a co-located group of resources is requisitioned within the same subnet and used to clog the entire subnet's bandwidth through a high volume of transmitted data. Naturally, both targeted and untargeted attacks can result in tremendous losses for all affected users of the afflicted subnet.
Traditional DoS attacks, related distributed Denial-of-Service (DDoS) attacks, and their counter-measures are well known. There are sophisticated techniques to counter even the most elaborate (D)DoS attacks. However, those techniques generally assume that the attack is sending packets directly to an application, and that the application can detect when a direct attack is underway. Unfortunately, within a Cloud, applications sharing a subnet with an attacked application may be collaterally affected without having been attacked at all. In many instances, an application will never even be aware that a DoS attack is underway on another application in the same subnet.
The same techniques which may be employed to detect and fend off direct DoS attacks may not be available and/or effective when applied by or to an indirectly affected application in the same subnet. This problem may be further aggravated by the structure and lack of visibility within a Cloud. In addition, the same techniques will not be effective to solve the problem of legitimate, high-volume users that simply exhaust the network's capacity. As with a DoS attack originating from within the cloud infrastructure, a legitimate cloud consumer operating on only a relatively small amount of computing resources can occupy a debilitating amount of the subnet's data transmission capability.
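The collateral effect described above, for both the in-cloud DoS case and the legitimate high-volume tenant, can be made concrete with a small capacity model. The following is an added example, not part of the original text, and it assumes a simplified router behaviour: senders do not back off (UDP-style), and a FIFO drop-tail uplink forwards each tenant's traffic roughly in proportion to what that tenant offers. The server counts, NIC rates, and 20:1 oversubscription ratio are constructed values; the tenant names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    """A consumer holding some number of servers in one shared subnet (hypothetical model)."""
    name: str
    hosts: int              # servers requisitioned in the subnet
    rate_per_host: float    # Mb/s each host pushes toward the subnet router


def uplink_capacity(servers: int, nic_rate: float, oversubscription: float) -> float:
    """Capacity of the subnet's uplink given an oversubscription ratio.

    An oversubscription of 20 means the servers' NICs could together offer
    20x more traffic than the router uplink can forward (constructed assumption).
    """
    return servers * nic_rate / oversubscription


def offered_load(tenants) -> dict:
    """Total Mb/s each tenant tries to send through the shared router."""
    return {t.name: t.hosts * t.rate_per_host for t in tenants}


def forwarded_share(tenants, capacity: float) -> dict:
    """Throughput each tenant actually gets through the shared uplink.

    Assumption: a FIFO drop-tail router with unresponsive senders forwards
    each tenant's packets in proportion to its offered load. Below capacity
    everyone gets what they offer; above it, each tenant keeps only
    capacity * (offered / total offered).
    """
    offered = offered_load(tenants)
    total = sum(offered.values())
    if total <= capacity:
        return dict(offered)
    return {name: capacity * load / total for name, load in offered.items()}


def satisfaction(tenants, capacity: float) -> dict:
    """Fraction of each tenant's demand that gets through (1.0 = unaffected)."""
    offered = offered_load(tenants)
    got = forwarded_share(tenants, capacity)
    return {name: got[name] / offered[name] for name in offered}


# Constructed scenario: 100 servers with 1 Gb/s NICs behind a 20:1 oversubscribed uplink.
SUBNET_SERVERS = 100
NIC_RATE_MBPS = 1000.0
OVERSUBSCRIPTION = 20.0
CAPACITY = uplink_capacity(SUBNET_SERVERS, NIC_RATE_MBPS, OVERSUBSCRIPTION)  # 5000 Mb/s

# Two ordinary tenants whose combined demand (1000 Mb/s) fits comfortably in the uplink.
QUIET = [Tenant("web", 10, 50.0), Tenant("db", 5, 100.0)]
# The same subnet after one more tenant, holding only 8 of the 100 servers,
# drives them at line rate (whether maliciously or as a legitimate bulk transfer).
NOISY = QUIET + [Tenant("flood", 8, NIC_RATE_MBPS)]


def main():
    for label, tenants in (("quiet subnet", QUIET), ("noisy subnet", NOISY)):
        print("%s (uplink %.0f Mb/s)" % (label, CAPACITY))
        share = forwarded_share(tenants, CAPACITY)
        sat = satisfaction(tenants, CAPACITY)
        for name in share:
            print("  %-6s %8.1f Mb/s  (%3.0f%% of demand)" % (name, share[name], 100 * sat[name]))


if __name__ == "__main__":
    main()
```

In the noisy case the eight line-rate hosts take about 89% of the 5000 Mb/s uplink, and the web and db tenants, which did nothing differently, see only 5/9 of their demand forwarded. The model makes no distinction between a DoS flood and a legitimate bulk transfer, which is exactly why the direct-attack detection techniques discussed above do not help the collaterally affected tenant: from its vantage point the symptom is the same in both cases.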