Review

Distributed Denial of Service Attacks against Cloud Computing Environment: Survey, Issues, Challenges and Coherent Taxonomy

by Ziyad R. Alashhab 1, Mohammed Anbar 1,*, Manmeet Mahinderjit Singh 2, Iznan H. Hasbullah 1, Prateek Jain 3 and Taief Alaa Al-Amiedy 1
1 National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia (USM), Penang 11800, Malaysia
2 School of Computer Sciences, Universiti Sains Malaysia (USM), Penang 11800, Malaysia
3 Amity Directorate of Distance & Online Education (ADDOE), IT, Amity University, Noida 201305, Uttar Pradesh, India
* Author to whom correspondence should be addressed.
Appl. Sci. 2022, 12(23), 12441; https://doi.org/10.3390/app122312441
Submission received: 10 November 2022 / Revised: 29 November 2022 / Accepted: 1 December 2022 / Published: 5 December 2022
(This article belongs to the Special Issue Advanced Technologies in Data and Information Security II)

Abstract:
Cloud computing (CC) plays a significant role in revolutionizing the information and communication technology (ICT) industry, allowing flexible delivery of new services and computing resources to end users at a fraction of the cost of traditional computing. Unfortunately, many cyber threats affect CC-deployed services by exploiting CC's characteristics, such as resource sharing, elasticity, and multi-tenancy. This survey provides a comprehensive discussion of the security issues and challenges facing CC for cloud service providers and their users. Furthermore, it proposes a new taxonomy for classifying attacks on CC, distributed denial of service (DDoS) attacks on CC, and DDoS attack detection approaches for CC, and it provides a qualitative comparison with existing surveys. Finally, this survey aims to serve as a guide and reference for researchers working on new DDoS attack detection approaches within the CC environment.

1. Introduction

Cloud computing (CC) enables the flexible delivery of services and computing resources through the Internet, including data storage, computation, networking, and software resources on demand. The elastic feature of the CC allows the resources to be dynamically allocated whenever needed without a large investment in infrastructure and software licensing for the users [1].
However, the same features that make CC flexible also expose it to security threats. One of the most serious is the distributed denial of service (DDoS) attack. The impact of DDoS attacks on CC has not been investigated enough, although some research provides an in-depth examination of the issue, shedding light on HTTP flooding DDoS attacks in the CC environment and on DDoS attacks more broadly [2].
CC has significant advantages over traditional computing, including lower capital and operational expenditures (CapEx and OpEx) and the ability to deliver dynamic and extensible virtualized computing resources [3,4]. Many recent studies and surveys anticipate a dramatic rise in CC adoption based on past trends. For example, in the past three years, 75 percent of business applications exposed direct access to the application programming interface (API) of their most critical applications [5], and in the coming years 90 percent of large commercial IT companies are expected to focus on CC. Researchers believe that the coronavirus (COVID-19) pandemic could push that percentage even higher [2,6].
Internet usage increased by 50% in several European countries and 30% in the United Kingdom, reflecting growth in the ICT sector spurred by surging demand for online utilities and services. As a result, more issues and threats to CC will surface in due time, such as security and privacy breaches, data storage issues, and application-layer attacks [7,8]. Major attacks on CC are growing, and their effect on its security is becoming more apparent; for example, adversaries make malicious attempts to deny legitimate users the services offered by the targeted servers [9].
Cloud service providers (CSP) charge their clients on a pay-per-use basis for the services rendered or resources utilized. A newer form of DDoS attack, economic denial of sustainability (EDoS), manipulates this charging model to hurt the financial bottom line of users and CSPs [10] by driving up resource utilization at the application layer. EDoS is an economic security threat to CC [10] and differs from a typical DDoS attack: a DDoS attack targets service availability by depleting the server's resources until it crashes or becomes unresponsive, whereas EDoS exploits the resource elasticity provided by CC to force over-consumption, and therefore over-billing, of resources [11,12].
The COVID-19 pandemic has affected everybody since 2020, from individuals to businesses, public services, and educational institutions. At the same time, the pandemic also drives the demand for online services, including CC. So, it is rational to assume that it would also increase DDoS attack incidents and could be even more prominent going forward. Several surveys investigated DDoS attacks on CC and their effects in the effort to find solutions to secure the CC. Unfortunately, the existing surveys fall short of covering all parameters and taxonomies in this field. Therefore, this paper attempts to fill in the missing gaps.
This survey has the following contributions: (i) a qualitative comparison between this survey and the existing surveys in similar areas; (ii) a proposal of an author-defined taxonomy of attacks, DDoS attacks, and DDoS detection approaches on the CC environment; (iii) a comprehensive review of different types of DDoS attacks on CC and the techniques to detect them; and (iv) detailed explanations on the security issues and challenges of CC on the security, technological, and technical aspects.
The rest of the paper is organized as follows: Section 2 explains CC and DDoS attacks. Section 3 discusses security issues and challenges in CC. Section 4 provides a qualitative comparison between this work and existing surveys. Section 5 presents the proposed taxonomy of attacks, DDoS attacks, and DDoS attack detection approaches on CC. Section 6 covers the factors that influence the choice of a DDoS attack detection strategy on CC. Section 7 presents a critical discussion. Finally, the conclusion and future work are provided in Section 8.

2. Background

Security of CC is a major concern for both CSP and users. Several attacks, such as denial of service (DoS), DDoS, and EDoS, threaten the security of CC. This section introduces CC, DoS, and DDoS attacks.

2.1. Cloud Computing

CC is the realization of a long-held concept, computing as a utility, and it has emerged with enormous potential. As a utility, CC makes online services accessible whenever, wherever, and to anybody through the Internet and, most importantly, makes deployment inexpensive and straightforward. As adoption grows, the popularity of web applications is expected to rise dramatically in the near future. CC is revolutionizing the IT field and is widely regarded as the next great leap of innovation after the Internet. CC consolidates IT infrastructure, network services, and applications with the resources of a data center (DC) using extensible virtualization technology, resulting in flexible, scalable [10], load-balanced, on-demand services for cloud computing clients (CCC), with the CSP charging each CCC according to usage [13].
The rise of present-day web-based applications with strict requirements demands continuous improvement of the CC model to deliver services. CC service models are usually categorized into three fundamental classes, as shown in Table 1: (i) software-as-a-service (SaaS), where clients use the CSP's application on the CC infrastructure; (ii) platform-as-a-service (PaaS), where developers build and deploy applications on the CSP's development platform; and (iii) infrastructure-as-a-service (IaaS), where the CSP provides storage, networks, virtual machines (VM), and other essential computing resources on a pay-per-use basis [14,15]. Many businesses adopt some form of CC model to support their operations while reducing cost. Table 2 [14] summarizes the four deployment models of CC: (i) private, (ii) public, (iii) community, and (iv) hybrid.

2.2. Overview of DoS and DDoS Attacks on CC

A DoS attack is a malicious attempt by an adversary, using a single attacking host, to prevent a targeted victim from accessing required services, or to prevent a node from providing its service to consumers. A DDoS attack, by contrast, involves multiple attacking hosts flooding the victim's network or host with attack packets, resulting in a distributed, multi-point attack [16].
There are several types of DoS attacks; the most common target the victim's network bandwidth or connectivity. Bandwidth attacks degrade network performance by depleting all available bandwidth, delaying or preventing users' requests from being fulfilled. Connectivity attacks overwhelm the victim's server with many application-layer requests, exhausting all available resources so that the server stops responding to legitimate requests.
DoS attacks are classified as follows: (i) a flood attack, in which the adversary sends a large, continuous stream of packets to the victim, depleting its resources and exhausting its bandwidth; and (ii) a vulnerability attack, in which the adversary exploits a flaw in the victim's system by sending crafted messages that cause a DoS. A DDoS attack is frequently carried out by flooding the targeted system or network with a huge volume of traffic from multiple sources [17].

2.2.1. DoS, DDoS Attacks on CC

Adversaries launch DDoS attacks by sending a large volume of seemingly normal packets, which makes them difficult to detect. The packets are crafted to exhaust the application or protocol-processing capacity of the victim [18,19]. DDoS attacks that disrupt users' connectivity by exhausting network bandwidth and router processing capacity fall under the network-layer category. Attacks that deny legitimate users access to services by exhausting VM resources (e.g., input/output bandwidth, sockets, central processing unit (CPU), disk/database bandwidth, and memory) are application-layer (Layer 7) attacks [20]. Application-layer attacks target servers' applications or services by creating as many transactions and processes as possible in the shortest time, fully exhausting their resources. They are the most challenging to detect and overcome because the generated transactions, such as HTTP requests, are indistinguishable from those of legitimate users. DDoS attacks are executed through a remotely controlled, distributed, and well-organized network of compromised machines (zombies) that transmit a huge volume of simultaneous requests to attack the target continuously.
The widespread adoption of CC has caused the number of attacks to skyrocket as well. The shared features and components of the CC structure make it more susceptible to attacks, especially DoS and DDoS. Adversaries typically aim DoS or DDoS attacks at CSPs with many connected devices, because the scalability and dependability of CC make it accessible anywhere at any time. DDoS attacks typically direct many malicious packets at the target to keep it busy. Traditional networks have many strategies for defending against DDoS attacks; defense is more challenging in the CC environment because of the unique properties of CC. This study examines the existing methods for detecting, preventing, and mitigating DDoS attacks in CC environments [21].
Organizations can leverage the CC to obtain on-demand, elastic, and fully managed computer system resources and services. However, any attacks, especially DoS and DDoS, on CC could cause substantial losses for CSPs and users. Successful DDoS attacks have serious consequences, such as poor user experience, service failures, and, in the worst-case scenario, complete shutdown and financial repercussions. DDoS attacks have grown in volume, regularity, and ferocity as the popularity of the internet of things (IoT) and widespread network connectivity have inadvertently fueled their growth [15].
Fast-growing web-based apps are typically developed and deployed within the CC environment. CC significantly reduces the cost of monitoring and maintaining IT infrastructure. Control and management of CC resources usually rely on standard networking protocols, allowing administrators to manage a distributed IT infrastructure centrally. Unfortunately, the same standard protocols also enable adversaries to gain unauthorized access if security is lacking or weak. Attacks such as DDoS are among the most common threats to private CCs, resulting in degradation or denial of service [22].
DDoS attacks against application-layer services are not new. The first well-known DDoS attack appears to have occurred in August 1999 against a higher education institution in the United States. Attacks have since been directed at other sectors, including CNN, eBay, Yahoo, and Amazon [9]. In 2009, a DDoS attack disrupted many popular online services, including Facebook, LiveJournal, Twitter, and Amazon [8]. Circa 2014, more than 7000 DDoS attacks were launched daily [23]. The first quarter of 2013 saw the average attack volume reach about 50 Gbps, up 718 percent from the last quarter of 2012 [23,24]. One of the largest DDoS attacks recorded up to that time occurred at the end of 2016, when the Mirai botnet [25] of infected IoT devices flooded the servers of Dyn, a domain name system (DNS) provider. Attack duration also keeps increasing: until the last quarter of 2020, no attack lasted more than 302 h, but the longest attack in the first quarter of 2021 lasted 746 h (more than 31 days), and it was surpassed by a 776-h onslaught (more than 32 days) in the second quarter. One projection for the global market for DDoS protection systems [26] predicts growth from $3.3 billion in 2021 to $6.7 billion by 2026.

2.2.2. Impact of HTTP-GET Flooding DDoS Attacks on CC

CC security is crucial for maintaining service availability to end users. Typically, CCCs obtain CC services from the CSP over HTTP, which is susceptible to misconfiguration and vulnerable to attack if not properly secured. Clients acquiring online services from a CSP via HTTP are often subjected to HTTP-GET flooding DDoS attacks. An HTTP-GET flood is an application-layer DDoS attack: instead of saturating the network with raw packets, it overloads the server with a large volume of well-formed HTTP GET requests [27]. In an HTTP flood, the attacker may use rented or owned servers to bombard the victim's VM with HTTP GET/POST requests, causing a significant increase in resource consumption and losses for the victim; eventually the targeted host is overburdened, compromising the availability of the whole deployment. HTTP flood attacks are challenging to detect because they use valid HTTP requests to the web server [28] to overrun VM resources. HTTP-GET flood traffic is difficult to distinguish from real traffic because it uses regular uniform resource locator (URL) requests at a normal rate, and because the per-source traffic volume is often below the thresholds of rate-based detection approaches, the attack goes undetected [29]. In addition, attackers send valid HTTP packets with no anomaly in packet structure or flags, whereas an intrusion detection system (IDS) is mostly designed to detect malformed packets or anomalous flag combinations. The consequence of such an attack is EDoS, because the CC auto-scaling feature exacerbates the damage: the CSP provisions an ever larger pool of resources for the CCC to fulfill the service-level agreement (SLA). A spending limit on the CCC's pay-per-use billing could prevent excessive charges; however, once the limit is reached, a single attack can take down many CC services, turning the economic attack back into a denial of service.
Detecting HTTP-GET flood DDoS attacks in the CC environment therefore requires a thorough understanding of both the attack and legitimate user behavior.
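As an added example (not from the survey), the following Python script shows why a per-IP rate threshold misses a low-rate HTTP-GET flood and how per-client behavioural features catch it. The access-log lines are constructed in Apache combined format; the thresholds, the feature cut-offs, the host name shop.example and the addresses are assumptions for illustration only.

```python
"""Per-client behavioural detection of a low-rate HTTP-GET flood.

Added example, not from the survey. The access-log lines are constructed
(Apache combined format); thresholds and the host name are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")
RATE_THRESHOLD_RPS = 20.0  # assumed per-IP limit of a naive rate-based guard


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            records.append(rec)
    return records


def profile_clients(records):
    """Per source IP: request rate plus three behavioural ratios."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    profiles = {}
    for ip, recs in by_ip.items():
        n = len(recs)
        times = [r["ts"] for r in recs]
        window = (max(times) - min(times)).total_seconds() + 1.0
        static = sum(r["url"].split("?")[0].endswith(STATIC_EXT) for r in recs)
        profiles[ip] = {
            "requests": n,
            "rps": n / window,
            "static_ratio": static / n,                        # did it load page assets?
            "distinct_url_ratio": len({r["url"] for r in recs}) / n,
            "referer_ratio": sum(r["referer"] != "-" for r in recs) / n,
        }
    return profiles


def rate_based_alerts(profiles, threshold=RATE_THRESHOLD_RPS):
    """What a plain per-IP rate limiter would flag."""
    return {ip for ip, p in profiles.items() if p["rps"] > threshold}


def behavioural_alerts(profiles, min_requests=8):
    """Heuristic (assumed cut-offs): a client that keeps hitting the same dynamic
    URL, never fetches page assets and sends no Referer behaves like a scripted
    GET flood even when its request rate looks perfectly normal."""
    return {
        ip for ip, p in profiles.items()
        if p["requests"] >= min_requests
        and p["static_ratio"] < 0.1
        and p["distinct_url_ratio"] < 0.3
        and p["referer_ratio"] < 0.2
    }


def _line(ip, sec, url, referer, ua):
    return (f'{ip} - - [05/Dec/2022:12:00:{sec:02d} +0000] "GET {url} HTTP/1.1" '
            f'200 512 "{referer}" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/107.0"
BOT_UA = "Mozilla/5.0 (compatible)"
HOME = "http://shop.example/index.html"
SEARCH = "http://shop.example/search?q=cloud"

# Constructed log: one browser session (page, then its assets, then think time) ...
SAMPLE_LOG = [
    _line("203.0.113.5", 0, "/index.html", "-", BROWSER_UA),
    _line("203.0.113.5", 0, "/static/app.css", HOME, BROWSER_UA),
    _line("203.0.113.5", 0, "/static/app.js", HOME, BROWSER_UA),
    _line("203.0.113.5", 1, "/img/logo.png", HOME, BROWSER_UA),
    _line("203.0.113.5", 7, "/search?q=cloud", HOME, BROWSER_UA),
    _line("203.0.113.5", 7, "/img/result.png", SEARCH, BROWSER_UA),
    _line("203.0.113.5", 15, "/product/42", SEARCH, BROWSER_UA),
    _line("203.0.113.5", 15, "/img/42.jpg", "http://shop.example/product/42", BROWSER_UA),
]
# ... and four bots, each requesting the expensive search endpoint once per second.
for bot in ("198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"):
    SAMPLE_LOG += [_line(bot, s, "/search?q=ddos", "-", BOT_UA) for s in range(10)]

PROFILES = profile_clients(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for ip, p in sorted(PROFILES.items()):
        print(f"{ip:15} {p['rps']:.2f} req/s  static={p['static_ratio']:.2f} "
              f"distinct={p['distinct_url_ratio']:.2f} referer={p['referer_ratio']:.2f}")
    print("rate-based alerts:  ", sorted(rate_based_alerts(PROFILES)))
    print("behavioural alerts: ", sorted(behavioural_alerts(PROFILES)))
```

Each bot sends one request per second, far below the 20 req/s rate guard, so the rate-based check returns nothing while the four bots together add 4 req/s of expensive search queries; the behavioural profile separates them from the browser session because a browser that renders a page also fetches its assets and sends a Referer.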

3. Security Issues and Challenges

As the popularity of CC services increases and becomes more widely used, so will the security issues and challenges. This section discusses the security issues and challenges of the CC.

3.1. Security Issues

CC has several security issues, such as misuse and excessive utilization of resources, malicious insiders, insecure and unreliable APIs, data corruption or leakage, account takeover, and shared-technology vulnerabilities [30,31]. DoS and DDoS attacks are other serious risks to CC security [9,31], as indicated by ongoing Cloud Security Alliance (CSA) research [32]. A properly secured CC ensures the security of the websites it hosts, and vice versa [33]. The demand for CC security is becoming increasingly prominent. Even though CC security is still at a nascent stage, the assortment of CC clients already demands a variety of security requirements, which vary from one CSP to another; even the same client may have different requirements in different contexts. CC clients can be individuals, academic institutions, corporations, or software developers, each with specific security prerequisites. According to several researchers [34,35], the following are the security issues relevant to CCCs and CSPs:
  • Data-related issues: CSPs must guarantee the security and availability of the data entrusted to them by CCCs and prevent any conceivable security breach. CSPs should employ sound security approaches to ensure data availability and confidentiality; for example, authorization controls such as isolating each client's data in CC storage so that nobody other than the authorized client can access the data or change its availability.
  • Data integrity: In a standalone system, data integrity can be guaranteed by enforcing the atomicity, consistency, isolation, and durability (ACID) properties; in a distributed system this is usually done through a central transaction manager. Data integrity on CC, however, is a major challenge. The greatest difficulty for web services at the application layer is transaction management, since HTTP itself provides no transactional guarantees, so the best option is to handle it at the API level. Standards for web-service transactions and reliable messaging exist but are not yet mature or widely adopted. The absence of control at the data level can lead to significant integrity issues.
  • Availability: Maintaining the availability of CC applications is crucial for user accessibility. CSPs must therefore guarantee non-stop service to their CCCs, including the ability to scale, to support the business continuity of their users.
  • Privileged user access: CCCs commonly keep sensitive data in the CC, so users require different levels of privilege to access that information; there must be an access control system that distinguishes between users.
  • Data recovery and backup: Through backup services, CSPs should guarantee that clients' data can be recovered after disasters or accidental damage. Backup data should be replicated on multiple distributed servers while maintaining integrity and privacy, allowing restoration whenever needed.
  • Investigative support: Investigating incidents in the CC environment is difficult when logging data constantly moves between sites. CCCs must obtain contractual commitments from the CSP to support the investigation of every inappropriate or criminal event.
  • Long-term viability: CCCs should obtain a guarantee that their data remains accessible to them even after changes in the CSP's policies and terms.
  • Network security: CSPs are required to ensure data security in transit to prevent leakage of critical or sensitive information.
  • Web application security: CC services are typically administered over the web through a browser, so every security flaw in a service application affects all CCCs using that application. Numerous conventional web security approaches exist, but they do not fully address the problem.
  • Virtualization: VMs that are not properly isolated may inadvertently allow a guest to run code on the hypervisor. The multi-tenancy of VMs gives adversaries an opportunity to breach the enforced isolation by exploiting weaknesses in the VM and obtaining unauthorized data from another VM on the same CC.
  • Identity management (ID): ID management allows the system to recognize and manage clients, including their permission-based access. ID administration should be configurable to comply with corporate rules [36].
  • PaaS-related issues: PaaS lets CCCs build applications on the CSP's platform service. The CSP is accountable for any illicit data flow between applications, and the hypervisor is the CSP's responsibility. PaaS is more elastic and adaptable than SaaS, but this flexibility comes at the expense of security, exposing it to cyber attacks.
  • IaaS-related issues: VMs in the IaaS service model may encounter security issues. The security duties and accountability of the CSP and the CCC vary enormously with the service model.
  • Economic DoS attacks: One of the defining characteristics of CC is that it handles scaling automatically. In an EDoS attack, a covert variant of DDoS with a different malicious goal, the CCC's service bill increases dramatically without legitimate cause.
  • Denial of service: DDoS attacks are among the most significant security threats confronting CC. They render services, such as web applications, unavailable to legitimate users, and adversaries employ various readily available tools to launch them. One example of an application-layer DDoS attack on CC is the HTTP-GET flood.

3.2. Challenges on CC

The CC faces many challenges, which can be summed up as but are not limited to technological and technical challenges and security challenges. Addressing those challenges requires the alignment of CC with business goals to ensure business continuity, user satisfaction, and effectiveness.

3.2.1. Technological and Technical Challenges of the CC

Setting up a CC on the Internet is a challenging endeavor. Awareness of these challenges helps in understanding the difficulties of ensuring comprehensive security for CC. The following are the technological and technical challenges that a CSP may encounter:
  • Heterogeneity: CC comprises an assortment of hardware from different manufacturers. For example, network switches, appliances, firewalls, and gateways could use proprietary communication protocols or operating systems.
  • Deployment model: The deployment model refers to the kind of CC, characterized mainly by ownership, access, and size: public, community, private, and hybrid CCs.
  • Replication/DR: A duplicate of the CC should be maintained in another geographical area for disaster recovery (DR) in the event of an earthquake or similar disaster.
  • Communication: CC devices use different communication technologies, for example wireless or wired links.
  • Homogenization: For diverse CC devices to connect, cooperate, and exchange data with one another, there must be a standardized, predetermined data interchange format.
  • Energy consumption: This is one of the major challenges of CC. Any device operating in the CC must be designed and provisioned with energy consumption in mind.
  • Energy continuity: An uninterruptible power supply (UPS) is an electrical device that supplies backup power when the main supply (generator or mains) fails.

3.2.2. The Security Challenges of the CC

Undoubtedly the most challenging aspect of CC is security. Despite deploying different security measures to secure CC, CSPs still face many challenges [37], as follows:
  • Threats from inside and outside: Malicious threats from outside the firm are dangerous to CSPs because the attacks are unpredictable and could cause severe damage to CSPs and CCCs. Insider threats, however, are considered the most dangerous, since the adversary emerges from within the company that provides the CC service.
  • Public CC versus on-premises (private) CC: The most effective way to dramatically reduce attacks is to use an on-premises CC, which is less complex than a public CC. At the same time, private CCs are costly and defeat the principal motivation behind CC.
  • Multi-tenancy: For most CSPs, a single hypervisor hosts numerous VMs belonging to multiple CCCs. These co-hosted VMs may be competitors of one another, or may be used by an adversary to attack another VM. This increases the chance of attack and raises the challenge of designing a secure approach.
  • Access from the web: CC is exposed to a wide range of application-layer attacks, such as structured query language (SQL) injection and HTTP flood attacks. Software developers need adequate knowledge of security measures, and the software development life cycle should incorporate security controls into SaaS development.
  • Securing the hypervisor: The hypervisor, or virtual machine monitor (VMM), oversees and manages the various operating systems running on a single physical server shared by CCCs. Its primary task is to allocate resources to the OS or VM linked to each CCC, and it must protect the VM boundaries. Any security issue or attack on the VMM compromises the security of every VM hosted on that physical server.
  • Network scope dynamics and protocols: CC services are diverse, complex, and elastic, which can create numerous security issues. Security mechanisms such as IDS and intrusion prevention systems (IPS) are therefore required for detecting and preventing attacks on CC [38].

4. Qualitative Comparison with Existing Surveys on Detection Approaches of DDoS Attacks on CC

Several existing review papers discuss DDoS attack detection techniques. This section provides a qualitative comparison between our survey and existing ones to highlight its originality. Table 3 lists the metrics used for the comparison: (i) taxonomy of attacks on CC; (ii) taxonomy of DDoS attacks on CC; (iii) taxonomy of DDoS attack detection approaches; and (iv) parameters for determining DDoS attacks.
We proposed these metrics after thoroughly reviewing many existing DDoS detection techniques. Such a comparison is necessary to comprehend the fundamental aspects of DDoS attacks on CC in order to propose a more efficient detection method. This survey is benchmarked against three existing reviews [13,39,40].
This survey paper accomplishes the basic objective of gathering work from various research papers. It introduces the existing research on CC security broadly and concisely. Since it is challenging and time-consuming to comprehend the entire research area, this survey assists the effort by presenting a thorough rundown of the state-of-the-art literature in one place.

5. Proposed Taxonomy of the Attacks, DDoS Attacks, and DDoS Detection Approaches on CC

Figure 1 depicts the proposed taxonomies of attacks, DDoS attacks, and DDoS attack detection approaches on CC. Together, they provide a better perspective on DDoS attacks on CC, allowing researchers to utilize them to solve many security issues on CC. For example, researchers can address the threat of HTTP flood DDoS on CC by understanding, separating, and focusing on the crucial elements of attack and detection approaches.

5.1. Taxonomy of the Attacks on CC

CC is vulnerable to several attacks that pose serious security risks. The threat posed by an attack is determined by its target. CC service availability can be disrupted partially or entirely, for a short or long period. Attacks on CC can be classified into four categories based on the attack's target, as shown in Figure 1: suffocative attacks, protocol attacks [41], and two new categories proposed in this survey, EDoS and permanent denial-of-service (PDoS) attacks. Table 4 relates these attacks to two questions: Q1, what do they do? and Q2, how does the victim become paralyzed?

5.1.1. Suffocative Attacks

Suffocative attacks are bandwidth-based, or volumetric, attacks. They overload the targeted system with garbage data to consume the bandwidth of the target network, flooding the network and degrading system resources. Their magnitude is measured in bits per second (bps). Adversaries can launch such attacks with UDP or ICMP floods, or by flooding the target with spoofed packets of various kinds [42].

5.1.2. Protocol Attacks

Protocol attacks consume actual server resources and the resources of intermediate networking equipment, such as load balancers (LB) or protection devices. Protocol attacks are measured in packets per second (pps). They exploit weaknesses in network protocols to increase the burden on the victim's resources. Examples include the smurf attack, fragmented-packet attacks, SYN floods, and the ping of death [43]. Figure 2 illustrates the topology of a smurf attack.
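The suffocative/protocol distinction in Sections 5.1.1 and 5.1.2 is a measurement distinction (bits per second versus packets per second and protocol state), so, as an added example that is not part of the survey, the following Python code computes those per-destination metrics from a packet trace and classifies each target. It also spots the smurf pattern of Figure 2 from the reflector network's side: ICMP echo requests addressed to a directed-broadcast address, whose spoofed source is the real victim. The packet trace, the thresholds and all addresses are constructed for illustration and are not values from the survey.

```python
"""Classify per-destination traffic as a suffocative (bandwidth) or protocol
(packet-rate / connection-state) attack from a packet trace.

Added example, not from the survey. The trace is constructed and the
thresholds are assumed; a real deployment would tune them per link and host.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float     # seconds since start of capture
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    flags: str   # TCP flags ("S", "SA", "A", "PA"); "echo" for ICMP echo request; "" otherwise
    size: int    # bytes on the wire


BPS_THRESHOLD = 50_000_000   # 50 Mbit/s to one destination (assumed)
PPS_THRESHOLD = 20_000       # 20k packets/s to one destination (assumed)
HALF_OPEN_RATIO = 0.8        # share of SYN sources that never send an ACK (assumed)


def summarize(packets):
    """Per destination: bit rate, packet rate, SYN count and the half-open SYN ratio."""
    by_dst = defaultdict(list)
    for p in packets:
        by_dst[p.dst].append(p)
    metrics = {}
    for dst, pk in by_dst.items():
        window = max(1.0, max(p.t for p in pk) - min(p.t for p in pk))
        syn_srcs = {p.src for p in pk if p.proto == "tcp" and p.flags == "S"}
        ack_srcs = {p.src for p in pk if p.proto == "tcp" and "A" in p.flags}
        metrics[dst] = {
            "bps": sum(p.size for p in pk) * 8 / window,
            "pps": len(pk) / window,
            "syns": sum(1 for p in pk if p.proto == "tcp" and p.flags == "S"),
            "half_open_ratio": (len(syn_srcs - ack_srcs) / len(syn_srcs)) if syn_srcs else 0.0,
        }
    return metrics


def classify(m, min_syns=100):
    """Suffocative attacks are judged by bits, protocol attacks by packets or by
    handshake state; a flood that trips both is reported as suffocative."""
    if m["bps"] > BPS_THRESHOLD:
        return "suffocative"
    if m["pps"] > PPS_THRESHOLD or (m["syns"] >= min_syns and m["half_open_ratio"] > HALF_OPEN_RATIO):
        return "protocol"
    return "normal"


def smurf_reflection_sources(packets):
    """Spoofed sources of ICMP echo requests sent to directed-broadcast
    addresses: in a smurf attack that source address is the real victim."""
    return {p.src for p in packets
            if p.proto == "icmp" and p.flags == "echo" and p.dst.endswith(".255")}


def build_trace():
    """Constructed trace: one UDP flood, one SYN flood, normal TCP, smurf probes."""
    trace = []
    # 5000 x 1400-byte UDP packets in one second -> 56 Mbit/s at 10.0.0.10
    for i in range(5000):
        trace.append(Packet(i / 5000, f"203.0.113.{i % 254 + 1}", "10.0.0.10", "udp", "", 1400))
    # 25,000 x 60-byte SYNs in one second, never completed -> 12 Mbit/s but 25k pps at 10.0.0.20
    for i in range(25_000):
        trace.append(Packet(i / 25_000, f"198.51.100.{i % 254 + 1}", "10.0.0.20", "tcp", "S", 60))
    # 20 genuine clients completing a handshake and sending a request to 10.0.0.30
    for k in range(20):
        src, t0 = f"192.0.2.{k + 1}", k * 0.5
        trace += [Packet(t0, src, "10.0.0.30", "tcp", "S", 60),
                  Packet(t0 + 0.01, src, "10.0.0.30", "tcp", "A", 60),
                  Packet(t0 + 0.02, src, "10.0.0.30", "tcp", "PA", 800)]
    # smurf: echo requests to the broadcast address 192.0.2.255 with the victim as source
    for i in range(50):
        trace.append(Packet(i / 50, "10.0.0.40", "192.0.2.255", "icmp", "echo", 84))
    return trace


TRACE = build_trace()
METRICS = summarize(TRACE)

if __name__ == "__main__":
    for dst, m in sorted(METRICS.items()):
        print(f"{dst:12} {m['bps'] / 1e6:8.2f} Mbit/s {m['pps']:9.0f} pps "
              f"half-open={m['half_open_ratio']:.2f} -> {classify(m)}")
    print("smurf victims (spoofed sources):", smurf_reflection_sources(TRACE))
```

The SYN flood moves only 12 Mbit/s, which a bandwidth monitor would ignore, yet it is 25,000 packets per second with every SYN left half-open; the UDP flood is the reverse. The smurf check is the one a network operator runs on the reflector side, where the fix is to drop directed-broadcast echo requests at the border rather than to rate-limit the victim.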

5.1.3. Economic Denial of Sustainability (EDoS)

An EDoS attack [44] is a type of DDoS attack on CC that impacts the financial bottom line of the victim. It is specific to CC and focuses on impacting the CSP's OpEx rather than its physical resources. It exploits the elastic, auto-scaling nature of CC by attacking targeted services, especially at the application layer, forcing maximum consumption of CC resources until the services become inaccessible. Avoiding that outcome requires the CSP to keep providing additional resources to fulfill the SLA for CCC accessibility, which increases the CSP's cost [33,45] and results in EDoS [2]. Figure 3 illustrates how EDoS attacks on CC resources impact service availability.
Adversaries can trigger EDoS by sending DDoS-style floods of legitimate-looking service requests to CC networks or resources [45]. In other words, the financial damage originates from DDoS traffic that exploits elastic resources to inflate the bill: a sustained flood against an auto-scaling service produces economic loss even while availability is preserved, and an EDoS victim that caps its spending ends up denied service instead. The inflated cost has to be borne by the CSP or passed along to its clients.
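The auto-scaling feedback loop that turns a request flood into a bill, and the spending cap that turns it back into an outage, can be made concrete with a small simulation. The following Python model is an added example, not from the survey: the instance capacity, the price per instance-minute, the attack volume and the budget are assumed round numbers, and the scaler is a simplified one that resizes every minute with no cooldown.

```python
"""Minute-by-minute model of EDoS: an auto-scaled service under a flood of
legitimate-looking requests, with and without a spending cap.

Added example, not from the survey. All parameters are assumed round numbers.
"""
import math


def simulate(legit_rps, attack_rps, capacity_rps=200, price_per_instance_minute=0.002,
             max_instances=500, budget=None):
    """Scale to demand each minute (no cooldown). Returns total cost, peak
    instance count and the fraction of legitimate requests that were dropped."""
    assert len(legit_rps) == len(attack_rps)
    cost, peak, legit_total, legit_dropped = 0.0, 0, 0.0, 0.0
    for legit, attack in zip(legit_rps, attack_rps):
        demand = legit + attack
        wanted = min(max_instances, max(1, math.ceil(demand / capacity_rps)))
        if budget is not None:
            # once the cap is reached the scaler can only afford what is left
            affordable = int((budget - cost) // price_per_instance_minute)
            wanted = max(0, min(wanted, affordable))
        overflow = max(0.0, demand - wanted * capacity_rps)
        # requests beyond capacity are dropped; attack and legitimate traffic
        # share the loss in proportion to their volume (assumption)
        if demand > 0:
            legit_dropped += overflow * (legit / demand) * 60
        legit_total += legit * 60
        cost += wanted * price_per_instance_minute
        peak = max(peak, wanted)
    return {"cost": round(cost, 2), "peak_instances": peak,
            "legit_loss": legit_dropped / legit_total if legit_total else 0.0}


def scenarios(minutes=120, legit=300, attack=20_000, start=20, end=80, budget=2.0):
    """Baseline, unbounded auto-scaling under attack, and the same attack with a cap."""
    quiet = [0] * minutes
    flood = [attack if start <= m < end else 0 for m in range(minutes)]
    legit_series = [legit] * minutes
    return {
        "baseline": simulate(legit_series, quiet),
        "edos": simulate(legit_series, flood),
        "capped": simulate(legit_series, flood, budget=budget),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:9} cost=${r['cost']:.2f}  peak={r['peak_instances']:4d}  "
              f"legit requests dropped={r['legit_loss']:.1%}")
```

With these assumed numbers the hour-long flood multiplies the bill by roughly 26 while every legitimate request is still served (pure EDoS); with a $2 cap the bill stays bounded, but the scaler runs out of budget within ten minutes of the attack starting, and legitimate users lose service for the rest of the attack and for the whole period after it, because the exhausted budget also prevents the two baseline instances from being paid for. A cap alone therefore converts EDoS into DoS; the practical answer is to detect and filter the flood at the edge before the scaler reacts to it.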

5.1.4. Permanent Denial-of-Service Attacks

Permanent denial-of-service (PDoS), or phlashing, is a fast-moving attack designed to disable the victim’s system and prevent it from providing services. This type of cyber attack, a strain of DDoS attacks with more emphasis on the victim’s hardware, started to increase in frequency in 2017 as more occurrences of this hardware-damaging attack were found [46,47]. PDoS aims to cause perpetual harm to network equipment via its programming, especially configurable network hardware such as routers. Although PDoS attacks are rare, successful attacks are highly damaging to CC resources, to the point of requiring the replacement or re-installation of equipment. Unlike DDoS attacks, which disable a service temporarily, PDoS causes permanent hardware damage. It exploits security flaws or misconfigurations in the remote administration function of the hardware management interface to replace the device’s firmware with a faulty version, damaging the device to the extent that it requires repair or even destroying essential system functions. All CC resources, such as LBs, firewalls, VMs, physical servers, storage units, and processors, are vulnerable to PDoS attacks [48]. Moreover, since a PDoS attack focuses on the hardware, it requires far fewer resources than a DDoS attack. PDoS is more destructive and has been gaining popularity among adversaries. A CSP encountering a PDoS attack will incur business losses since services will be affected, and it could take a very long time to fix the fault. For instance, in 2009, the Federal Bureau of Investigation (FBI) raided DCs in Texas because of fraud against several organizations that operated out of those DCs [49]. In another case, a CSP providing storage services in Magnolia suffered a significant loss of information after an Omni drive failure, leading to its shutting down without notice in 2008.
A Help Net Security report [50] described a universal serial bus (USB) device that disables a machine simply by being plugged into a USB port. According to the report, the most recent PDoS USB attack works by injecting electrical power into the machine with the help of a voltage transformer that releases a flood of negative electricity into the USB port. An example of a PDoS USB device is PhlashDance, built by Rich Smith in his security lab in 2008 to exhibit the inner workings of a PDoS attack [51].

5.2. Taxonomy of DDoS Attacks on CC

DDoS attacks on CC have rapidly risen to the top of most cyber security threats lists. Attacks on CC could affect not only the CSP but also CC resources, including VMs and the networks [52]. Nevertheless, whatever the motive of an adversary to carry out DDoS attacks, any deterioration in services offered to CCC decreases its value.
CERT experts (a variety of researchers) say most DDoS attacks against the CERT target the application layer. The vast majority of DDoS attacks use a tremendous number of requests of a standard communication protocol, making them hard to detect. Furthermore, they typically use well-known patterns to imitate legitimate traffic and throw off detection attempts. Therefore, standard network security strategies are not well suited to detecting or preventing such attacks.
The attacks on CC are commonly classified into five categories, as illustrated in Figure 1 and summarized in Table 5.

5.2.1. SYN Floods

An adversary executes a SYN flood attack on CC by sending SYN requests with spoofed source IP addresses, forcing the VM to respond and allocate the resources needed to handle the requests. The VM waits for an acknowledgment from the ‘sender’ that never arrives. The attacker’s continuous requests eventually exhaust the VM’s resources, such as memory and CPU [31]. Consequently, the VM is forced to reject all subsequent user requests, including legitimate ones, as illustrated in Figure 4.

5.2.2. UDP Floods

In this attack, the network bandwidth of the CC is fully exhausted even though no legitimate user is present: the adversary injects a huge number of UDP packets into the network [12], as illustrated in Figure 5.

5.2.3. Ping of Death

A ping of death (PoD) attack involves an adversary using unusually large packets to cripple the CC’s VMs or resources. The adversary alters the ping request by modifying the Fragment Offset field in the IP header to create a packet larger than the maximum permissible value for that field, which is 65,536 bytes. A ping packet larger than the limit set by TCP/IP can overflow the buffer of the destination OS [53], affecting the victim’s computer connected to the CC networks and, in turn, the CC services linked to those networks. However, all modern network equipment and OSs now ignore 65,535-byte IP packets that could crash or slow down the OS, making today’s networks and machines less susceptible to this attack. Figure 6 illustrates the PoD attack.
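As an added illustration of the defensive check that modern IP stacks apply (this is not code from the survey or from any work it cites), the following Python decodes an IPv4 fragment header and rejects any fragment whose offset plus payload would push the reassembled datagram past the RFC 791 maximum of 65,535 bytes. The sample fragments are constructed inline with a zero checksum; helper and constant names are my own.

```python
import struct
from typing import List, Tuple

IPV4_MAX_DATAGRAM = 65535   # largest IPv4 total length (header + data), in bytes (RFC 791)
IPV4_MIN_HEADER = 20        # header length with no options


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header fields needed for a fragment sanity check."""
    if len(packet) < IPV4_MIN_HEADER:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_MIN_HEADER])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes
    if version != 4 or ihl < IPV4_MIN_HEADER or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "key": (src, dst, ident, proto),            # identifies the fragments of one datagram
        "ihl": ihl,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # the 13-bit field counts 8-byte units
        "payload_len": total_len - ihl,
    }


def reassembled_length(hdr: dict) -> int:
    """Total length the datagram would reach once this fragment is placed at its offset."""
    return hdr["ihl"] + hdr["frag_offset"] + hdr["payload_len"]


def is_oversized_fragment(packet: bytes) -> bool:
    """True if accepting this fragment would make the reassembled datagram exceed 65,535 bytes."""
    return reassembled_length(parse_ipv4_header(packet)) > IPV4_MAX_DATAGRAM


def filter_fragments(packets: List[bytes]) -> Tuple[List[bytes], List[bytes]]:
    """Split a packet stream into accepted fragments and dropped oversized ones."""
    accepted, dropped = [], []
    for pkt in packets:
        (dropped if is_oversized_fragment(pkt) else accepted).append(pkt)
    return accepted, dropped


def build_fragment(ident: int, offset_units: int, payload: bytes, more: bool = False,
                   src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Build a minimal IPv4 fragment (ICMP, checksum left zero) as constructed sample input."""
    total_len = IPV4_MIN_HEADER + len(payload)
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64, 1, 0, src, dst)
    return header + payload


# Constructed sample stream (not captured traffic): a normal first fragment, the largest
# legal last fragment, and a crafted last fragment whose offset overruns the datagram limit.
SAMPLE_PACKETS = [
    build_fragment(ident=1, offset_units=0, payload=b"A" * 1000, more=True),
    build_fragment(ident=1, offset_units=8189, payload=b"B" * 3),    # 20 + 65512 + 3 = 65535, legal
    build_fragment(ident=2, offset_units=8189, payload=b"C" * 24),   # 20 + 65512 + 24 = 65556, oversized
]

if __name__ == "__main__":
    ok, bad = filter_fragments(SAMPLE_PACKETS)
    print(f"accepted={len(ok)} dropped={len(bad)}")
```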

5.2.4. ICMP Flood Attack

ICMP messages are used to locate hosts on a network, map the network structure, and determine the OS in use. They can also serve as a vehicle for various DDoS attacks on CC. For example, an adversary could crash the targeted host with ICMP Echo Request (ping) packets by sending them rapidly without waiting for replies, following the same principle as the UDP flood attack. The targeted VM’s resources deplete rapidly, affecting the VM’s availability. Every Internet protocol places limits on the data packets it permits. In this attack, the destination CC resource or VM receives more data packets than the protocol allows, forcing the TCP/IP stack to fragment all data packets on the sender side and reassemble them on the receiving side. When large amounts of fragmented data must be reassembled, the destination system’s performance suffers. In other words, the adversary floods the victim machine with a huge number of ICMP echo requests; when the victim tries to respond, bandwidth utilization approaches its maximum, so legitimate users cannot connect to the CC network. Each time the CCC tries to send a reply, the adversary sends another ICMP echo request, so bandwidth utilization stays at its maximum and new users cannot connect to the network during this time [54]. Furthermore, the adversary could leverage a compromised CC device as an intermediary to send ICMP echo requests that flood the local network, resulting in an insider attack. Figure 7 depicts the ICMP flood attack.

5.2.5. HTTP Flood

The application layer is vital for CC since the CSPs deliver many essential services to their users using application layer protocols, such as HTTP. HTTP is the primary application layer protocol used by web servers. Since CC usually hosts many web application servers, a massive number of HTTP requests can easily overwhelm web services. An example of an application layer attack is an HTTP flood. In an HTTP flood, the attackers may send enormous volumes of malicious HTTP requests to the victims to exhaust the resources and services running in the cloud and cause an EDoS attack, which is explained in Section 5.1.
A client, via a web browser or terminal, “talks” to a VM or web application server by sending a POST or GET request. The client uses POST queries to access dynamic resources, while GET requests retrieve static information like images. The two main categories of HTTP flood attacks are HTTP-POST and HTTP-GET. Attackers could overwhelm a targeted site or VM with HTTP-GET requests using valid packets without reflection or spoofing. Because many requests are sent to the web application server, and the VM generates many more responses than the zombie army receives, this attack is achievable by small botnets [19].
In this situation, an attacker sends an HTTP-GET request to the target application to test its availability. If the attacker receives an acknowledgment from the target application, the attacker transmits new HTTP-GET requests successively without waiting for acknowledgments. Since the web application server does not filter HTTP-GET requests to check if they are legitimate or not [55], it will continue accepting and processing the requests. Figure 8 illustrates the HTTP-GET flood attack mechanism.
Table 5 summarizes five different DDoS attacks on CC: SYN flood, UDP flood, ping of death, ICMP flood, and HTTP flood. These attacks mostly impact layers 3, 4, or 7 of the open systems interconnection (OSI) model, affecting the VM’s resource consumption and bandwidth utilization and causing buffer overflows. Table 6 summarizes various attacks, their target areas, attack tools, and their impact, while Table 7 lists the existing DDoS attack datasets since 1995.

5.3. Taxonomy of DDoS Attack Detection Approaches on CC

Several approaches have been proposed to detect DDoS attacks on CC. In this section, we propose a taxonomy of DDoS attack detection approaches on CC, broadly classified into five approaches, as shown in Figure 1.

5.3.1. Signature-Based Detection

Signature-based, misuse-based, or rule-based approaches detect a DDoS attack if the incoming packets or traffic patterns match predefined signatures or rules in an attack signature database [105]. The drawback of these approaches is that they cannot detect zero-day attacks.
The authors in [106] outlined the design of an offline signature-based network IDS that uses distributed processing and a Naive Bayesian classifier to detect DoS and DDoS attacks against HTTP servers. Further work, by these or other researchers, is needed to build an inline IDS that identifies attacks in real time, and because the current technique can only detect known attacks, more research is needed to detect new ones. The performance of the Naive Bayesian classifier with different classification methods was evaluated on a testbed, achieving 97.82% classification accuracy for slow read attacks and 96.46% detection accuracy for normal behavior.
Anitha and Malliga [107] addressed HTTP and XML Denial of Service (HX-DoS) attacks using CLASSIE, a rule-based detection system, together with the modulo marking approach, which prevents spoofing attacks. For decision-making and packet dropping on the victim side, the Reconstruct and Drop method is employed. It helps improve the detection and filtering of DDoS attacks while lowering the false-positive rate. These attacks can be quickly detected on the adversary side by utilizing a packet-marking mechanism, and filtered on the victim side by dropping the marked packets. As a result, the overhead of packet marking and the false-positive rate for DoS attacks are considerably decreased.
Wang et al. [12] presented a dataset shift attack detection system based on a graphic model. The simulation findings suggest that their architecture can deal with the security difficulties posed by the new network paradigm effectively and efficiently. Additionally, the simulation result indicates that their attack detection system can effectively report numerous threats using real-world network traffic.
The authors in [108] proposed a new IPS service that uses signature-based devices, known as a service-based intrusion prevention system in CC (SIPSCC), to prevent SQL injections on CC websites (CCW). They used three VMs to test the model. Their implementation proposes, investigates, and evaluates SIPSCC from three perspectives: vulnerability detection, average time, and false positives. The suggested technique identifies and prevents key vulnerabilities in CCW.
Khatri and Khilari [109] proposed an architecture that includes the implementation of Suricata IDS for securing virtualized servers on CC and the validation of the IDS in detecting DDoS attacks against virtualized environments, effectively protecting the CC from vulnerabilities.
Sangeetha et al. [110] proposed combining a multi-threaded network IDS (NIDS) and a host IDS (HIDS) to provide an efficient, quick, and secure HIDS. Their Cloud-IDS captures packets from the network, analyzes them, and sends reports to the CC administrator based on the analysis. A K-nearest neighbor and neural network (KNN-NN) hybrid classifier analyzes the packets, and the NSL-KDD dataset is used for training and testing. After receiving a notification from Cloud-IDS, the CSP alerts the user and keeps a log of the malicious IP addresses. This approach effectively manages large volumes of packets, analyzes them, and generates reports while detecting anomalies and misuse.
The E-CARGO model [111] is used to present a collaborative intrusion detection architecture. The components of an IDS are described by the common intrusion detection framework (CIDF). The authors also define and clearly outline the agents’ behaviors and their relationships. Experiments show that their proposed technique can detect slow-scanning and DDoS attacks, validating their model. As future work, the authors planned to study combining cooperative computing with IDS to deal with real-world problems.
Table 8 and Table 9 summarize the existing DDoS detection approaches on CC using signature-based detection techniques.

5.3.2. Anomaly-Based Detection

Anomaly-based detection relies on a profile of the network’s normal behavior, which the anomaly-based detection system uses as a baseline. Deviation from this baseline is treated as an anomaly or a possible intrusion [112]. Anomaly-based detection approaches can trigger multiple false alarms, due to the changing nature of network behavior, zombies, and suspicious requests at the application layer, if the detection algorithm’s parameters are not properly tuned. Without tuning, the classifier’s detection accuracy will not improve, and even careful log collection and feature selection will not yield the best detection. The input to detection can be a vector, object, point, or observation, referred to as a single data instance [113], or a combination of data instances. Several anomaly-based approaches use DL and ML to detect HTTP flooding DDoS attacks.
Alqahtani and Gamble [114] proposed a DDoS attack detection technique for CC services and developed a four-layer algorithm to resolve the originating service of the attack. The levels are structured so that each level is suitable for detecting the attack’s symptoms using local data. Their detection technique runs in O(n²) time in the worst case. They also reported a link between DDoS attacks and unauthorized messages passed across services.
Abusitta et al. [115] proposed a correlation mechanism by employing hypervisors to determine the predicted resource load of current compromised VMs based on specified metrics. The calculated resource load is then compared to the total resource load. The proposed approach collects system metrics to train the SVM classifier to distinguish between normal and malicious (i.e., DoS attack) VM activities. The results show that when utilizing the model to make resource adjustments, the detection accuracy hits 97.60%. Their findings also demonstrate that the accuracy of the revoking and granting adjustments was reduced by just 1.79 percent and 1.43 percent, respectively, under the effect of resource adjustments, which have minimal impact and may be ignored.
Choi et al. [116] proposed a way to detect HTTP-GET flood DDoS attacks using MapReduce. This method ensures the target system’s availability for precise and reliable detection of HTTP-GET flood attacks. The experimental results show that the proposed approach outperforms Snort detection because its processing time decreases as congestion increases.
Chen et al. [117] proposed a CC-based network monitoring and threat detection mechanism comprising monitoring agents, CC infrastructure, and operation center components. The proposed mechanism used Hadoop, Spark, and MapReduce to speed up data processing using separation and concurrent processing of data streams. Furthermore, they conducted a real-world experiment to evaluate the effectiveness of the developed network monitoring and threat detection and system performance to limit the risk of DoS attacks. The evaluation results reveal that the mechanism successfully detects and mitigates these attacks. Furthermore, the defensive system detects all published vulnerabilities and can identify unknown attacks [118].
Xiao et al. [119] proposed a protocol-free detection (PFD) algorithm to detect ransom denial of service (RDoS) attacks against the CC regardless of the protocol utilized in the attack. PFD calculates the flow correlation coefficient (FCC) between flow pairs and issues a warning once suspicious flows have been identified. The simulation result indicates it is effective in detecting RDoS attacks and can help detect and isolate adversary flows.
Dhanapal and Nithyanadam [55] used the OpenStack CC platform to implement their solution that detects, mitigates, and prevents low-rate HTTP DDoS attacks in the CC environment. The experiments yielded accurate findings in identifying attacks in the early phases.
The authors in [120] studied existing DDoS attack detection frameworks and their flaws, then proposed a CC testbed framework on top of an OpenStack platform [121] for testing HTTP flood DDoS attack solutions. They also examined numerous attack paths to the web server on the CC, both internal and external.
The authors of [122,123] present a novel approach to protecting mobile-based systems from DDoS attacks. The model is built on anomaly detection to defend the public/private CC against zero-day attacks. By preventing CC DDoS attacks, the availability of CC applications improves significantly, and users receive high-quality services [122,123]. Evaluations of the proposed model’s efficiency and performance were promising for safeguarding mobile-based CC systems against DDoS attacks. The focus is on detecting and protecting mobile-based systems from DDoS attacks [124]. Reference [125] reported the approach’s complexity analysis, efficacy, and performance assessments, and the improved version is documented in [124].
Hazavehi and Rahmani [33] proposed and developed a mechanism called TPANGND for detecting DDoS attacks based on anomalies. Their mechanism uses a flow-based classifier (FBC) to group similar input patterns into several clusters in order to determine an attack. In specific scenarios, FBC cannot distinguish between benign and malicious traffic; the suspect traffic is then recognized by examining the correlation between the VM instance issued by the CSP at a specific timestamp and the suspicious source list. The experimental results show that the suggested technique has a higher detection rate than the existing K-means, fuzzy c-means clustering, bat clustering, and Bartd methods, and can detect unknown threats with fewer false alarms [126,127].
Abbasi et al. [128] proposed a new framework to detect various EDoS attacks by creating a profile that learns from and categorizes normal and abnormal activities. The more demanding resources are only allocated to VMs with a normal state in this framework, preventing the propagation of attacks and resource misuse in the CC.
Singh et al. [129] proposed collaborative IDS (CIDS), a system that combines cascading decision trees (DTs) and SVM to increase detection accuracy. DT speeds up the learning process and divides the dataset into smaller subsets; SVM on each sub-dataset (e.g., KDD99, NSL KDD, and ITOC) reduces SVM learning time, overcomes over-fitting, and reduces the size of the DT, allowing faster detection.
Raja Sree and Mary Saira Bhanu [127] proposed a method that scans log files to extract essential information related to HTTP flooding threats by grouping similar input patterns using fuzzy bat clustering and determining unusual behavior using deviating anomaly scores. They compared the findings with existing methodologies such as k-means clustering, fuzzy c-means clustering, bat clustering, and the Bartd method, showing the proposed method accurately diagnoses anomalies with low false alarms.
Table 10 and Table 11 list some existing CC DDoS detection approaches based on anomaly detection techniques.

5.3.3. Hybrid Detection

A hybrid detection approach combines multiple detection approaches, including signature- and anomaly-based approaches. However, it has some drawbacks, such as conflicts between the two approaches, resulting in increased detection time. Therefore, the hybrid approach requires balancing the options and complementary features of each approach to improve discovery and detection rates.
Several researchers have adopted this approach and have presented architectures and methods for performing intrusion detection using hypervisor performance metrics, based on the virtualization technology underlying CC. Furthermore, it has been demonstrated that suspicious activities can be profiled without detailed knowledge of the OS running within the VMs, using VM performance metrics gathered from hypervisors, such as packets transmitted/received, block device read/write requests, and CPU utilization [133].
Patil et al. [134] designed an efficient security framework called Protocol Specific Multi-threaded Network IDS to detect DDoS attacks in a CC. It works by separating the incoming packets based on their protocol and placing them in per-protocol queues for processing. A framework thread handles each queue, extracting the relevant features and applying protocol-specific classifiers to each packet in the queue. They used the KDD’99 dataset.
SaiSindhuTheja and Shyam [135] proposed an efficient DoS attack detection system based on the oppositional crow search algorithm (OCSA), which combines the crow search algorithm (CSA) and the opposition-based learning (OBL) technique. The proposed method has two stages: feature selection with OCSA and classification with an RNN classifier. The OCSA method identifies the key features, then feeds into the RNN classifier. The RNN classifier is used to classify incoming data during the testing process. It ensures that standard data (saved in the CC) is isolated from compromised data. The results show that this strategy outperforms other conventional methods by 98.18%, 95.13%, 93.56%, and 94.12% in terms of Precision, Recall, F-Measure, and Accuracy, respectively, using the benchmark data set. In addition, the suggested approach surpasses existing efforts by 3% on average across all metrics.
Many existing ML algorithms, such as neural classifiers, can detect DDoS attacks. The researchers in [136] discussed the findings of a survey on DDoS attacks in the CC environment. DDoS attacks are frequently categorized as bandwidth and resource consumption attacks; SYN Flood and Flash Crowd are prevalent DDoS attacks in a CC context. Nagaraja et al. [136] also tested many ML algorithms for detecting DDoS attacks, some more accurate than others, and found that the use of ML techniques resulted in a higher false-positive detection rate. According to their study, which examined several studies on network attack detection in the CC environment, the most extensively utilized techniques for detecting DDoS attacks in the CC are ANN, SVM, KNN, J48, feature ranking, and feature selection.
Table 12 and Table 13 list some existing DDoS detection approaches on CC using hybrid detection techniques.

5.3.4. Entropy-Based Detection

Entropy is a measure of the randomness in data. The entropy-based detection approach analyzes the randomness of the data, using the entropy or Shannon-Wiener index to evaluate the uncertainty associated with it. Maximum randomness in the data implies a maximum entropy value [137,138]. For example, if the data contains only one class, its entropy value will be low; conversely, data with numerous classes will have a higher entropy value. In this way, the inspected packet headers are broken down into port and IP fields, and the entropy of each is computed.
Entropy is usually used to calculate the randomness of IP source addresses or port numbers. A high entropy value indicates the traffic originates from various sources, which is the clue to detecting DDoS attacks [139]. A threshold can be put in place to distinguish DDoS attack traffic from normal traffic. The administrator should be alerted of DDoS attacks if the entropy value exceeds the threshold. If the detection of DDoS attacks involves multiple levels, the procedure can be partitioned into three stages:
  • First stage: The client is permitted to go through the switch, and the detection calculation confirms that it is genuine.
  • Second stage: The entropy is calculated based on the data packet size and the client’s authentication.
  • Third stage: The entropy value is compared with the threshold to determine if it is a DDoS attack or not.
Once the location of any abnormality is discovered, an information message is sent to CSP owners to take necessary action. The authors in [140] proposed an approach to detect HTTP flooding DDoS attacks in a CC using information-theoretic entropy (ITE) and ML to improve the false-positive rates. They are planning a real-world deployment of their approach for evaluation using several HTTP DDoS attack tools in the future.
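The threshold-based, sliding-window procedure described above, written out as an added Python example (my own code, not from the survey or any cited work): Shannon entropy of the source IP address is computed over the last `window` packets, normalized to [0, 1] so one threshold fits any window size, and a window whose normalized entropy exceeds the threshold raises an alert. The packet records, the window size of 8 and the threshold of 0.9 are assumptions chosen for illustration.

```python
import math
from collections import Counter, deque
from typing import Callable, Deque, Dict, Iterable, List


def shannon_entropy(values: Iterable) -> float:
    """Shannon entropy H = -sum(p_i * log2 p_i), in bits, over the observed values."""
    counts = Counter(values)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def normalized_entropy(values: Iterable) -> float:
    """Entropy divided by its maximum log2(n): 0.0 = a single source, 1.0 = every value distinct."""
    vals = list(values)
    if len(vals) < 2:
        return 0.0
    return shannon_entropy(vals) / math.log2(len(vals))


def detect_entropy_windows(records: List[dict], key: Callable[[dict], object],
                           window: int = 8, threshold: float = 0.9) -> List[Dict[str, object]]:
    """Slide a fixed-size window over packet records; flag windows whose normalized
    entropy of the chosen header field (e.g. source IP or port) exceeds the threshold."""
    recent: Deque[object] = deque(maxlen=window)
    results: List[Dict[str, object]] = []
    for idx, rec in enumerate(records):
        recent.append(key(rec))
        if len(recent) < window:
            continue                      # not enough history for a full window yet
        h = normalized_entropy(recent)
        results.append({"end_index": idx, "entropy": h, "alert": h > threshold})
    return results


# Constructed sample (not captured traffic): two legitimate clients talking to port 443,
# followed by a burst of eight packets with distinct, spoofed-looking source addresses.
SAMPLE_RECORDS = (
    [{"src": "10.0.0.5", "dport": 443, "size": 1200}] * 4
    + [{"src": "10.0.0.7", "dport": 443, "size": 900}] * 4
    + [{"src": f"198.51.100.{i}", "dport": 80, "size": 64} for i in range(1, 9)]
)


def alert_count(records: List[dict] = SAMPLE_RECORDS, window: int = 8, threshold: float = 0.9) -> int:
    """Number of windows flagged when keying on the source IP address."""
    return sum(1 for r in detect_entropy_windows(records, key=lambda r: r["src"],
                                                 window=window, threshold=threshold) if r["alert"])


if __name__ == "__main__":
    for r in detect_entropy_windows(SAMPLE_RECORDS, key=lambda r: r["src"]):
        state = "ALERT" if r["alert"] else "normal"
        print(f"window ending at packet {r['end_index']:2d}: H_norm={r['entropy']:.3f} {state}")
```

Keying on `dport` or `size` instead of `src` gives the second-stage entropy over packet size that the procedure mentions, with no other change to the detector.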
The authors in [141] developed an entropy-based detection technique for DDoS attacks, achieving 90 percent accuracy without extra packet overhead, resulting in excellent QoS. In addition, they implemented the same algorithm on CCs. Meanwhile, the authors in [142] used a Gossip-based DDoS attack detection apparatus to detect attacks in a computer network by exchanging a stream of traffic over the line.
The authors in [143] used an improved entropy measure to detect the cause of an overload and locate the source of the problem, and [144] is similar in its approach. It appears that reduced traffic and improved response time could be feasible with the simulated data.
Girma et al. [145] examined and compared various DDoS attack detection techniques against multiple parameters. After discussing their benefits and drawbacks, they proposed a hybrid statistical model that could significantly mitigate DDoS attacks, providing a better solution to current detection issues. The authors of [83] looked at the standard EPA-HTTP (environmental protection agency-hypertext transfer protocol) dataset. They chose the input parameters for the classifier model to distinguish an attack from a regular profile.
Table 14 and Table 15 list some existing DDoS detection approaches on CC using entropy-based detection techniques.

5.3.5. Filtering Tree-Based Detection

A technique proposed in [147] identifies flood attacks by analyzing network logs and keeping track of the connection states, such as the active IPs of incoming requests. It alters the window size (number of time slots) and measures the sliding window of dynamic entropy, which is dependent on traffic load. In a CC setting, traditional DDoS attacks on servers and network resources could morph into a new breed of attack called EDoS attacks, which target the CCC’s economic resources. The researchers have presented a unique mitigation strategy against EDoS threats, utilizing source checking, counting, and Turing Test. The simulation results suggest that their technology can mitigate CC EDoS attacks.
Researchers in [148] proposed a CC defender system named cloud service queuing defender (CSQD) to detect and remediate XML vulnerabilities in online services. CSQD, a self-learner, employs a traceback solution to determine the source of the attack. If an attack successfully shuts down the server, the CSQD system detects the malicious requests and stores them in its database to prevent similar attacks in the future. The authors presented a game-theoretic model and study that predicted widespread strategy adoption, reducing the risk of DNS amplification attacks. They demonstrated the ability to implement their concept as a CC-based service to cut costs further and provide additional defenses for DNS servers.
A new solution dubbed the enhanced DDoS-mitigation system (Enhanced DDoS-MS) has been developed to combat EDoS attacks by leveraging firewall capabilities to control a verification process that protects the targeted system. The researchers used a simulated environment to assess their proposed system, showing that the firewall successfully mitigates DDoS attacks by improving response time and server load for users’ services under attack [149,150].
Fontaine et al. [151] proposed a simplified CC security utilizing ML approaches to address the challenge of complex and platform-specific CC security architectures. It leads to a more general design that employs decision trees and neural networks as classifiers, trained using data gathered by CC apps. Iyengar et al. proposed a multilevel thrust filtration (MTF) mechanism as a solution against DDoS attacks in a CC environment. The mechanism authenticates incoming requests and detects various types of DDoS attacks at various levels at the early stage to prevent unnecessary traffic from reaching the DC [152].
Table 16 and Table 17 list some of the existing DDoS attack detection approaches on CC based on the filtering tree technique.

6. Requirements of DDoS Attacks Detection Approaches on CC

Certain requirements must be considered when proposing new DDoS attack detection approaches on CC. The core requirements are listed below:
  • Efficient: The approach should be efficient enough to perform its function, which implies reducing the DDoS attack’s effect regardless of how destructive the attack is. The request-response time is the average time for a successful HTTP response from the VM; as the average DDoS attack volume increases, the processing capability affects the request-response time.
  • Accurate: The approach should not provide multiple false positives. Several approaches require the traffic to be discarded or dropped, and the approach should not drop the original traffic.
  • Lightweight: The approach should not burden the system it protects against DDoS attacks, so that performance is not affected.
  • Easy: The approach is not difficult to implement and easy to understand, i.e., does not require major changes on the existing CC to work, such as configuration, infrastructure design, or devices.
  • Functional: The approach must be practical enough, which means it can reduce the impact of DDoS attacks regardless of the magnitude.

7. Critical Discussion

This section discusses the taxonomy of detection approaches based on signature (Table 9), anomaly (Table 10), hybrid (Table 12), entropy (Table 14), and filtering tree (Table 16).
Table 9 shows that [109] is better than the others at detecting CC DDoS attacks due to its comprehensiveness in detecting attacks at multiple OSI model layers (network, transport, and application) rather than only at the application layer. Moreover, as shown in Table 8, Khatri and Khilari (2015) [109] also achieve a high detection rate for intrusions in encrypted traffic, which helps detect insider and known attacks, whereas the others do not. Table 10 and Table 11 show that [115], an SVM learning-based flexible detection framework for DDoS attack techniques, is better than the existing techniques at accurately detecting DDoS attacks under changing environments. Further, it helps hypervisors identify compromised VMs that may try to claim and consume more resources. Most importantly, this approach does not have any major limitations.
Table 12 and Table 13 show that [111] is suitable for detecting only slow scanning attacks. In contrast, the technique of [134] is slightly superior to others in detecting known and unknown attacks in the CC, with high detection rates and low false negatives.
Table 14 shows that the entropy technique used by [146], i.e., the detection algorithm and confirmation algorithm, has the best attack detection at all OSI layers compared to others. Table 15 shows that the entropy rate is lesser when the class distribution is pure in [146] with a minor drawback that the third party handles it, so there might be a few minor security concerns. Alternatively, the technique by [144] performs well with a 99.3% accuracy rate.
Table 16 and Table 17 show that the multilevel thrust filtration (MTF) mechanism in [152] can detect attacks occurring at OSI layer 3 and 7, which are undetectable by others. Furthermore, Table 17 shows that the technique in [152] can be deployed at an attack-prone DC for resource protection and can simultaneously detect four types of attacks.
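The low-entropy signal that the discussion of Table 15 relies on (a purer class distribution, here of source IPs, yields lower entropy during a flood) can be seen in the following added example, which is not code from the paper or from [146]/[144]. It computes normalized Shannon entropy of source IPs over fixed packet windows and raises an alarm only after two consecutive low-entropy windows; the two-stage detect-then-confirm structure, the window size, the threshold, and the packet records are all assumptions constructed for illustration.

```python
import math
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

# Constructed sample traffic: (src_ip, dst_ip) per packet, all to one service.
# This is not captured data; it is built inline so the example runs offline.
SERVICE = "203.0.113.10"
# Benign window: eight different clients talk to the service (high entropy).
BENIGN_WINDOW: List[Tuple[str, str]] = [(f"10.0.0.{i}", SERVICE) for i in range(1, 9)]
# Flood window: one source dominates, so the source-IP distribution is "pure".
FLOOD_WINDOW: List[Tuple[str, str]] = [("198.51.100.7", SERVICE)] * 7 + [("10.0.0.1", SERVICE)]
# Stream of 7 windows: 3 benign, 3 flood, 1 benign (window size 8 packets).
STREAM: List[Tuple[str, str]] = BENIGN_WINDOW * 3 + FLOOD_WINDOW * 3 + BENIGN_WINDOW


def shannon_entropy(values: Iterable[str]) -> float:
    """Shannon entropy H = -sum(p_i * log2 p_i) of the empirical distribution."""
    counts = Counter(values)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def normalized_entropy(values: List[str]) -> float:
    """Entropy divided by its maximum log2(n) for a window of n packets.

    1.0 means every packet came from a distinct source; values near 0 mean a
    single source dominates (the pure-distribution case discussed above).
    """
    n = len(values)
    if n <= 1:
        return 0.0
    return shannon_entropy(values) / math.log2(n)


def window_entropies(packets: List[Tuple[str, str]], window_size: int) -> Iterator[Tuple[int, float]]:
    """Yield (window_index, normalized source-IP entropy) for consecutive windows."""
    for start in range(0, len(packets) - window_size + 1, window_size):
        window = packets[start:start + window_size]
        yield start // window_size, normalized_entropy([src for src, _ in window])


def detect_low_entropy_windows(
    packets: List[Tuple[str, str]],
    window_size: int = 8,
    threshold: float = 0.5,
    confirm: int = 2,
) -> List[int]:
    """Return indices of windows confirmed as anomalous.

    Detection stage: a window is suspicious when its normalized source-IP
    entropy drops below `threshold`. Confirmation stage: an alarm is raised
    only once `confirm` consecutive windows are suspicious, which suppresses
    one-off dips caused by a short burst from a single legitimate client.
    The threshold and confirmation count are assumed values, not tuned ones.
    """
    alarms: List[int] = []
    streak = 0
    for idx, h in window_entropies(packets, window_size):
        if h < threshold:
            streak += 1
            if streak >= confirm:
                alarms.append(idx)
        else:
            streak = 0
    return alarms


if __name__ == "__main__":
    for idx, h in window_entropies(STREAM, 8):
        print(f"window {idx}: normalized entropy = {h:.3f}")
    print("confirmed anomalous windows:", detect_low_entropy_windows(STREAM))
```

With the constructed stream, windows 3 to 5 fall below the threshold and windows 4 and 5 are confirmed, so the first flood window is the cost of the confirmation step.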

8. Conclusions and Future Work

This research attempts to break through the obscurity surrounding CC security and to build the related body of knowledge. The security issues of CC discussed include service misuse, insider attacks, insecure and unreliable applications, data corruption or leakage, and shared technology vulnerabilities. Meanwhile, the challenges of CC discussed cover the technological, technical, and security aspects.
This research reviewed the latest trends in optimal DDoS attack detection techniques from 2013 to 2021 and also brought up some crucial aspects of multiple-layer attacks. It proposed a new taxonomy of attacks, DDoS attacks, and DDoS attack detection approaches on CC. More precisely, we discussed various attacks on CC, such as suffocating, protocol, economic, and permanent economic attacks. Also covered are DDoS attacks on CC utilizing SYN floods, UDP floods, ping of death, ICMP floods, and HTTP floods. We discussed the different DDoS attack detection approaches based on signature, anomaly, hybrid, entropy, and filtering tree. In addition, we discussed the various factors, such as efficiency, accuracy, and being lightweight, that must be considered when choosing an effective DDoS attack detection strategy.
Our observation of the proposed taxonomies reveals that anomaly-based detection approaches produced the best results due to their ability to identify anomalous events, allowing the creation of rules that reduce the false alarm rate for known and unknown attacks. However, further research on anomaly-based approaches using ML and DL is worth pursuing, as they are not yet widely employed to detect HTTP-GET flood attacks on CC. Furthermore, the proposed taxonomy can serve as a roadmap for new researchers to easily explore the existing DDoS attack detection techniques on CC.
Finally, it is worth mentioning that the proposed taxonomy has to be updated regularly to include emerging attacks.

Author Contributions

Writing—original draft preparation, Z.R.A. and M.A.; writing—review and editing, Z.R.A., M.A., P.J., I.H.H., T.A.A.-A.; project administration, Z.R.A.; resources, Z.R.A. and M.A.; supervision, M.A. and M.M.S. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by Universiti Sains Malaysia under an external grant (Grant Number 304/PNAV/650958/U154).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Acknowledgments

We would like to express our gratitude to Universiti Sains Malaysia (USM) for all the support and facilities that enable the completion of this research.

Conflicts of Interest

The authors declare that they have no conflicts of interest to report regarding the present study.

References

  1. Bahashwan, A.A.; Anbar, M.; Abdullah, N. New architecture design of cloud computing using software defined networking and network function virtualization technology. In Advances in Intelligent Systems and Computing; Springer: Cham, Switzerland, 2020; Volume 1073, pp. 705–713. [Google Scholar] [CrossRef]
  2. Alashhab, Z.R.; Anbar, M.; Singh, M.M.; Leau, Y.B.; Al-Sai, Z.A.; Abu Alhayja’a, S. Impact of coronavirus pandemic crisis on technologies and cloud computing applications. J. Electron. Sci. Technol. 2021, 19, 100059. [Google Scholar] [CrossRef]
  3. Song, S.m.; Yoon, Y.i. NIST Cloud Computing Program Overview. Available online: https://www.nist.gov/programs-projects/nist-cloud-computing-program-nccp (accessed on 30 November 2022).
  4. Ficco, M.; Palmieri, F. Introducing fraudulent energy consumption in cloud infrastructures: A new generation of denial-of-service attacks. IEEE Syst. J. 2017, 11, 460–470. [Google Scholar] [CrossRef]
  5. Newmark, E.; Brien, A.O.; Arend, C.; Morris, H.D.; Nebuloni, G.; Versace, M.; Futurescape, F.D.E.I.D.C. IDC FutureScape: “Worldwide Cloud 2018 Predictions”. Available online: https://www.sapvirtualagency.com/FileExplorer/Partners/SAPCloudPlatform/esCO/ManageYourBusiness/US42014717_esCO_Final_deliverable.pdf (accessed on 30 November 2022).
  6. Kupreev, O.; Badovskaya, E.; Gutnikov, A. DDoS Attacks in Q1 2020. Available online: https://securelist.com/ddos-attacks-in-q1-2020/96837/ (accessed on 30 November 2022).
  7. Khandelwal, S. 602 Gbps! This May Have Been the Largest DDoS Attack in History. Available online: http://thehackernews.com/2016/01/biggest-ddos-attack.html (accessed on 30 November 2022).
  8. Yevsieieva, O.; Helalat, S.M. Analysis of the impact of the slow HTTP DOS and DDOS attacks on the cloud environment. In Proceedings of the 2017 4th International Scientific-Practical Conference Problems of Infocommunications Science and Technology, (PIC S&T), Kharkov, Ukraine, 10–13 October 2017; pp. 519–523. [Google Scholar] [CrossRef]
  9. Al Ashhab, Z.R.; Anbar, M.; Singh, M.M.; Alieyan, K.; Ghazaleh, W.I. Detection of http flooding ddos attack using hadoop with mapreduce: A survey. Int. J. Adv. Trends Comput. Sci. Eng. 2019, 8, 71–77. [Google Scholar] [CrossRef]
  10. Singh, P.; Manickam, S.; Ul Rehman, S. A survey of mitigation techniques against Economic Denial of Sustainability (EDoS) attack on cloud computing architecture. In Proceedings of the 3rd International Conference on Reliability, Infocom Technologies and Optimization: Trends and Future Directions, Noida, India, 8–10 October 2014; pp. 1–4. [Google Scholar] [CrossRef]
  11. Swami, R.; Dave, M.; Ranga, V. Software-defined Networking-based DDoS Defense Mechanisms. ACM Comput. Surv. 2019, 52, 1–36. [Google Scholar] [CrossRef]
  12. Wang, B.; Zheng, Y.; Lou, W.; Hou, Y.T. DDoS attack protection in the era of cloud computing and Software-Defined Networking. Comput. Netw. 2015, 81, 308–319. [Google Scholar] [CrossRef]
  13. Bhardwaj, A.; Subrahmanyam, G.V.; Avasthi, V.; Sastry, H.; Goundar, S. DDoS attacks, new DDoS taxonomy and mitigation solutions—A survey. In Proceedings of the International Conference on Signal Processing, Communication, Power and Embedded System, SCOPES, Paralakhemundi, India, 3–5 October 2016; pp. 793–798. [Google Scholar] [CrossRef]
  14. John, J.; Norman, J. Major Vulnerabilities and Their Prevention Methods in Cloud Computing. In Advances in Intelligent Systems and Computing; Springer: Singapore, 2019; Volume 750, pp. 11–26. [Google Scholar] [CrossRef]
  15. Izzat, W.; Ghazaleh, A.; Ahmad, W. A Technical Feasibility for Adoption of Cloud Computing in King Abdulaziz University, Saudi Arabia. Int. J. Sci. Res. 2016, 6, 2319–7064. [Google Scholar]
  16. Waller, A.; Sandy, I.; Power, E.; Aivaloglou, E.; Skianis, C.; Muñoz, A.; Maña, A. Policy based management for security in cloud computing. In Communications in Computer and Information Science; Lee, C., Seigneur, J.M., Park, J.J., Wagner, R.R., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; Volume 187, pp. 130–137. [Google Scholar] [CrossRef]
  17. Ghaben, A.; Anbar, M.; Hasbullah, I.H.; Karuppayah, S. Mathematical Approach as Qualitative Metrics of Distributed Denial of Service Attack Detection Mechanisms. IEEE Access 2021, 9, 123012–123028. [Google Scholar] [CrossRef]
  18. Jaber, A.N.; Anwar, S.; Khidzir, N.Z.B.; Anbar, M. The Importance of IDS and IPS in Cloud Computing Environment: Intensive Review and Future Directions. In Communications in Computer and Information Science; Springer: Singapore, 2021; Volume 1347, pp. 479–491. [Google Scholar] [CrossRef]
  19. Alieyan, K.; Kadhum, M.M.; Anbar, M.; Rehman, S.U.; Alajmi, N.K. An overview of DDoS attacks based on DNS. In Proceedings of the 2016 International Conference on Information and Communication Technology Convergence (ICTC), Jeju, Republic of Korea, 19–21 October 2016; pp. 276–280. [Google Scholar] [CrossRef]
  20. Jaber, A.N.; Anwar, S.; Khidzir, N.Z.B.; Anbar, M. A Detailed Analysis on Intrusion Identification Mechanism in Cloud Computing and Datasets. In Communications in Computer and Information Science; Springer: Singapore, 2021; Volume 1347, pp. 550–573. [Google Scholar] [CrossRef]
  21. Abusaimeh, H. Distributed Denial of Service Attacks in Cloud Computing. Int. J. Adv. Comput. Sci. Appl. 2020, 11, 163–168. [Google Scholar] [CrossRef]
  22. Virupakshar, K.B.; Asundi, M.; Channal, K.; Shettar, P.; Patil, S.; Narayan, D.G. Distributed Denial of Service (DDoS) Attacks Detection System for OpenStack-based Private Cloud. Procedia Comput. Sci. 2020, 167, 2297–2307. [Google Scholar] [CrossRef]
  23. Mousavi, S.M.S.; St-Hilaire, M. Early Detection of DDoS Attacks in Software Defined Networks Controller. Ph.D. Thesis, Carleton University, Ottawa, ON, Canada, 2014. [Google Scholar]
  24. Chaudhari, R.S.; Talmale, G.R. A review on detection approaches for distributed denial of service attacks. In Proceedings of the International Conference on Intelligent Sustainable Systems, (ICISS), Palladam, India, 21–22 February 2019; Volume 5, pp. 323–327. [Google Scholar] [CrossRef]
  25. Wolf, N. DDoS Attack that Disrupted Internet was Largest of Its Kind in History, Experts Say. Available online: https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet (accessed on 30 November 2022).
  26. SoftActivity Team. 32 Remarkable DDoS Statistics for 2022|SoftActivity. Available online: https://www.softactivity.com/ideas/ddos-statistics/ (accessed on 30 November 2022).
  27. Alanazi, S.T.; Anbar, M.; Karuppayah, S.; Al-Ani, A.K.; Sanjalawe, Y.K. Detection techniques for DDoS attacks in cloud environment: Review paper. In Lecture Notes in Networks and Systems; Springer: Singapore, 2019; Volume 67, pp. 337–354. [Google Scholar] [CrossRef]
  28. Beitollahi, H.; Sharif, D.M.; Fazeli, M. Application Layer DDoS Attack Detection Using Cuckoo Search Algorithm-Trained Radial Basis Function. IEEE Access 2022, 10, 63844–63854. [Google Scholar] [CrossRef]
  29. Gupta, M.; Sommers, J.; Barford, P. Fast, accurate simulation for SDN prototyping. In Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking—HotSDN ’13, Hong Kong, China, 16 August 2013; ACM Press: New York, NY, USA, 2013; pp. 31–36. [Google Scholar] [CrossRef] [Green Version]
  30. Alzahrani, S.; Hong, L. Detection of distributed denial of service (ddos) attacks using artificial intelligence on cloud. In Proceedings of the 2018 IEEE World Congress on Services (SERVICES), San Francisco, CA, USA, 2–7 July 2018; pp. 37–38. [Google Scholar] [CrossRef]
  31. Maghrabi, L.A. The threats of data security over the Cloud as perceived by experts and university students. In Proceedings of the 2014 World Symposium on Computer Applications and Research (WSCAR), Sousse, Tunisia, 18–20 January 2014; Volume 18–20, pp. 1–6. [Google Scholar] [CrossRef]
  32. Ren, W. Uleepp: An ultra-lightweight energy-efficient and privacy-protected scheme for pervasive and mobile WBSN-cloud communications. Ad Hoc Sens. Wirel. Netw. 2015, 27, 173–195. [Google Scholar]
  33. Mahdavi-Hezavehi, S.; Alimardani, Y.; Rahmani, R. An Efficient Framework for a Third Party Auditor in Cloud Computing Environments. Itnow 2020, 62, 66. [Google Scholar] [CrossRef]
  34. Kumar, M.N.; Sujatha, P.; Kalva, V.; Nagori, R.; Katukojwala, A.K.; Kumar, M. Mitigating economic denial of sustainability (EDoS) in cloud computing using in-cloud scrubber service. In Proceedings of the 4th International Conference on Computational Intelligence and Communication Networks, CICN 2012, Mathura, India, 3–5 November 2012; pp. 535–539. [Google Scholar] [CrossRef]
  35. Somani, G.; Johri, A.; Taneja, M.; Pyne, U.; Gaur, M.S.; Sanghi, D. Darac: DDoS mitigation using DDoS aware resource allocation in cloud. In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Springer: Cham, Switzerland, 2015; Volume 9478, pp. 263–282. [Google Scholar] [CrossRef]
  36. Lopez, J.; Rubio, J.E. Access control for cyber-physical systems interconnected to the cloud. Comput. Netw. 2018, 134, 46–54. [Google Scholar] [CrossRef]
  37. Gupta, B.B.; Badve, O.P. Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing environment. Neural Comput. Appl. 2017, 28, 3655–3682. [Google Scholar] [CrossRef]
  38. Salah, K.; Alcaraz Calero, J.M.; Zeadally, S.; Al-Mulla, S.; Alzaabi, M. Using cloud computing to implement a security overlay network. IEEE Secur. Priv. 2013, 11, 44–53. [Google Scholar] [CrossRef]
  39. Darwish, M.; Ouda, A.; Capretz, L.F. Cloud-based DDoS attacks and defenses. In Proceedings of the International Conference on Information Society, i-Society 2013, Toronto, ON, Canada, 24–26 June 2013; pp. 67–71. [Google Scholar]
  40. Sri, K.S.; Lakshmi, P. DDoS Attacks, Detection Parameters and Mitigation in Cloud Environment. In Proceedings of the National Conference on Recent Advances in Computer Science & Engineering (NCRACSE-2017), Guntur, India, 11–12 February 2017; Volume 3, pp. 1–4. [Google Scholar]
  41. Radware. DoS Attack: What Is a Denial-of-Service Attack?|DDoSPedia. Available online: https://security.radware.com/ddos-knowledge-center/ddospedia/dos-attack/ (accessed on 30 November 2022).
  42. Osanaiye, O.; Choo, K.K.R.; Dlodlo, M. Distributed denial of service (DDoS) resilience in cloud: Review and conceptual cloud DDoS mitigation framework. J. Netw. Comput. Appl. 2016, 67, 147–165. [Google Scholar] [CrossRef]
  43. Sanjalawe, Y.; Anbar, M.; Al-E’mari, S.; Abdullah, R.; Hasbullah, I.; Aladaileh, M. Cloud Data Center Selection Using a Modified Differential Evolution. Comput. Mater. Contin. 2021, 69, 3179–3204. [Google Scholar] [CrossRef]
  44. Wang, H.; Xi, Z.; Li, F.; Chen, S. Abusing public third-party services for EDoS attacks. In Proceedings of the 10th USENIX Workshop on Offensive Technologies, WOOT 2016, Austin, TX, USA, 8–9 August 2016. [Google Scholar]
  45. Baig, Z.A.; Sait, S.M.; Binbeshr, F. Controlled access to cloud resources for mitigating Economic Denial of Sustainability (EDoS) attacks. Comput. Netw. 2016, 97, 31–47. [Google Scholar] [CrossRef] [Green Version]
  46. Radware. BrickerBot: Back with a Vengeance. Available online: https://www.radware.com/security/ddos-threats-attacks/brickerbot-pdos-back-with-vengeance/ (accessed on 30 November 2022).
  47. Rao Varre, D.N.M.; Bayana, J. A Secured Botnet Prevention Mechanism for HTTP Flooding Based DDoS Attack. In Proceedings of the 2022 3rd International Conference for Emerging Technology, INCET 2022, Belgaum, India, 27–29 May 2022; pp. 1–5. [Google Scholar] [CrossRef]
  48. Kumar, S.N.; Vajpayee, A. A survey on secure cloud: Security and privacy in cloud computing. Am. J. Syst. Softw. 2016, 4, 14–26. [Google Scholar]
  49. Wired; Zetterl, K. FBI Defends Disruptive Raids on Texas Data Centers|WIRED. Available online: https://www.wired.com/2009/04/data-centers-ra/ (accessed on 30 November 2022).
  50. Helpnetsecurity. USB Killer 2.0: A Harmless-Looking USB Stick that Destroys Computers—Help Net Security. Available online: https://www.helpnetsecurity.com/2015/10/15/usb-killer-20-a-harmless-looking-usb-stick-that-destroys-computers/ (accessed on 30 November 2022).
  51. Sue, P. Types of DDoS Attacks. Available online: https://www.globaldots.com/blog/types-ddos-attacks (accessed on 22 January 2022).
  52. Meng, B.; Andi, W.; Jian, X.; Fucai, Z. DDOS Attack Detection System Based on Analysis of Users’ Behaviors for Application Layer. In Proceedings of the 2017 IEEE International Conference on Computational Science and Engineering and IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, CSE and EUC 2017, Guangzhou, China, 21–24 July 2017; Volume 1, pp. 596–599. [Google Scholar] [CrossRef]
  53. Neupane, R.L.; Neely, T.; Calyam, P.; Chettri, N.; Vassell, M.; Durairajan, R. Intelligent defense using pretense against targeted attacks in cloud platforms. Future Gener. Comput. Syst. 2019, 93, 609–626. [Google Scholar] [CrossRef]
  54. Paraszczuk, M. Software Reviews, Opinions, and Tips—DNSstuff. Available online: https://www.dnsstuff.com/network-throughput-bandwidth (accessed on 30 November 2022).
  55. Dhanapal, A.; Nithyanandam, P. The slow http ddos attacks: Detection, mitigation and prevention in the cloud environment. Scalable Comput. 2019, 20, 669–685. [Google Scholar] [CrossRef] [Green Version]
  56. Low Orbit Ion Cannon (LOIC). SourceForge. Available online: https://sourceforge.net/projects/loic/ (accessed on 16 September 2022).
  57. blackMORE Ops. Free DoS Attack Tools—blackMORE Ops. Available online: https://www.blackmoreops.com/2015/10/21/free-dos-attack-tools/ (accessed on 22 October 2022).
  58. Packetstormsecurity. stachel.tgz ≈ Packet Storm. Available online: https://packetstormsecurity.com/distributed/stachel.tgz (accessed on 30 November 2022).
  59. Packetstormsecurity. Stacheldraht ≈ Packet Storm. Available online: https://packetstormsecurity.com/distributed/page3/ (accessed on 30 November 2022).
  60. Packetstormsecurity. mstream.txt ≈ Packet Storm. Available online: https://packetstormsecurity.com/files/17748/mstream.txt.html (accessed on 30 November 2022).
  61. Hypr. Blackenergy. Available online: https://www.hypr.com/security-encyclopedia/blackenergy (accessed on 23 January 2022).
  62. Softwaretestinghelp. 8 Best DDoS Attack Tools (Free DDoS Tool of the Year 2020). Available online: https://www.softwaretestinghelp.com/ddos-attack-tools/ (accessed on 30 November 2022).
  63. Sourceforge. DDOSIM—Layer 7 DDoS Simulator Download|SourceForge.net. Available online: https://sourceforge.net/projects/ddosim/ (accessed on 30 November 2022).
  64. Sourceforge. PyLoris Download|SourceForge.net. Available online: https://sourceforge.net/projects/pyloris/ (accessed on 30 November 2022).
  65. Netscout. ASERT|NETSCOUT. Available online: https://www.netscout.com/asert (accessed on 30 November 2022).
  66. Mcafee. kaiten. Available online: https://www.mcafee.com/enterprise/en-us/threat-center.html (accessed on 30 November 2022).
  67. Packetstormsecurity. knight.c ≈ Packet Storm. Available online: https://packetstormsecurity.com/files/23939/knight.c.html (accessed on 30 November 2022).
  68. Packetstormsecurity. Trinoo.Tgz ≈ Packet Storm. Available online: https://packetstormsecurity.com/files/11215/trinoo.tgz.html (accessed on 4 October 2022).
  69. Thebuddyforum. Trinity—Download Here—V1.6.3.4|The Buddy Forum. Available online: https://www.thebuddyforum.com/threads/trinity-download-here-v1-6-3-4.70841/ (accessed on 30 November 2022).
  70. Packetstormsecurity. R-U-Dead-Yet Denial Of Service Tool ≈ Packet Storm. Available online: https://packetstormsecurity.com/files/95882/R-U-Dead-Yet-Denial-Of-Service-Tool.html (accessed on 30 November 2022).
  71. Packetstormsecurity. HOIC, HULK ≈ Packet Storm. Available online: https://packetstormsecurity.com/distributed (accessed on 30 November 2022).
  72. MR.Thg. GitHub—XCHADXFAQ77X/XERXES: XerXes—Most powerful dos tool bY mR.Thg. Available online: https://github.com/XCHADXFAQ77X/XERXES (accessed on 30 September 2022).
  73. Entropy. Tor’s Hammer—Slow POST Denial of Service Testing Tool (2011). Available online: https://packetstormsecurity.com/files/98831/Tors-Hammer-Slow-POST-Denial-Of-Service-Testing-Tool.html (accessed on 30 September 2022).
  74. Packetstormsecurity. DAVOSET 1.2.5 ≈ Packet Storm. Available online: https://packetstormsecurity.com/files/132515/DAVOSET-1.2.5.html (accessed on 30 November 2022).
  75. Arbornetworks. Attack of the Shuriken: Many Hands, Many Weapons|NETSCOUT. Available online: https://asert.arbornetworks.com/ddos-tools/ (accessed on 30 November 2022).
  76. UFONET. UFONet—Denial of Service Toolkit. Available online: https://ufonet.03c8.net/ (accessed on 30 November 2022).
  77. Sourceforge. NEMESIS—Not Stresfull DDoS Tool Download|SourceForge.net. Available online: https://sourceforge.net/projects/nemesisddos/ (accessed on 30 November 2022).
  78. Bottomley, L. Sask-HTTP. Available online: http://ita.ee.lbl.gov/html/contrib/Sask-HTTP.html (accessed on 22 August 2022).
  79. Bottomley, L. NASA-HTTP. Available online: http://ita.ee.lbl.gov/html/contrib/NASA-HTTP.html (accessed on 20 August 2022).
  80. Bottomley, L. ClarkNet-HTTP. Available online: http://ita.ee.lbl.gov/html/contrib/ClarkNet-HTTP.html (accessed on 22 August 2022).
  81. Bottomley, L. Calgary-HTTP. Available online: http://ita.ee.lbl.gov/html/contrib/Calgary-HTTP.html (accessed on 22 August 2022).
  82. Bottomley, L. SDSC-HTTP. Available online: http://ita.ee.lbl.gov/html/contrib/SDSC-HTTP.html (accessed on 22 July 2022).
  83. Singh, K.J.; Thongam, K.; De, T. Entropy-based application layer DDoS attack detection using artificial neural networks. Entropy 2016, 18, 350. [Google Scholar] [CrossRef]
  84. Arlitt, M.; Jin, T. A workload characterization study of the 1998 world cup web site. IEEE Netw. 2000, 14, 30–37. [Google Scholar] [CrossRef] [Green Version]
  85. MIT. MIT Lincoln Laboratory: DARPA Intrusion Detection Evaluation. Available online: https://archive.ll.mit.edu/ideval/data/2000/LLS_DDOS_1.0.html (accessed on 30 November 2022).
  86. KDD; UCI. KDD Cup 1999 Data. Available online: https://archive.ics.uci.edu/ml/datasets/kdd+cup+1999+data (accessed on 30 July 2022).
  87. UCLA. California. Available online: https://lasr.cs.ucla.edu/ddos/traces/ (accessed on 30 October 2022).
  88. Padmanabhan, V.N.; Wang, H.J.; Chou, P.A.; Sripanidkulchai, K. Distributing streaming media content using Cooperative Networking. In Proceedings of the International Workshop on Network and Operating System Support for Digital Audio and Video, Miami, FL, USA, 12–14 May 2002; pp. 177–186. [Google Scholar] [CrossRef]
  89. Jung, J.; Krishnamurthy, B.; Rabinovich, M. Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites. In Proceedings of the 11th International Conference on World Wide Web, WWW ’02, Honolulu, HI, USA, 7–11 May 2002; pp. 293–304. [Google Scholar] [CrossRef]
  90. Caida. CAIDA: Passive Dataset. Available online: https://www.caida.org/catalog/datasets/passive_dataset_download/ (accessed on 30 November 2022).
  91. Net. WAND Group|WAND. Available online: https://wand.net.nz/wits/ (accessed on 22 January 2022).
  92. MIT. DARPA. Available online: https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-dataset (accessed on 20 August 2022).
  93. Kokkonen, T.; Hämäläinen, T.; Silokunnas, M.; Siltanen, J.; Zolotukhin, M.; Neijonen, M.I. Analysis of approaches to internet traffic generation for cyber security research and exercise. In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Springer: Cham, Switzerland, 2015; Volume 9247, pp. 254–267. [Google Scholar] [CrossRef]
  94. Fing. Projects · GSI/Web-Application-Attacks-Datasets · GitLab. Available online: https://gitlab.fing.edu.uy/gsi/web-application-attacks-datasets (accessed on 30 November 2022).
  95. UCI. UCI Machine Learning Repository. Available online: http://archive.ics.uci.edu/ml/index.php (accessed on 30 November 2022).
  96. ANT. The ANT Lab: Analysis of Network Traffic. Available online: https://ant.isi.edu/ (accessed on 30 November 2022).
  97. De Vries, W.B.; Heidemann, J.; De Schmidt, O.R.; De Boer, P.T.; Hardaker, W.; Pras, A. Broad and load-aware anycast mapping with Verfploeter. In Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC, London, UK, 1–3 November 2017; pp. 477–488. [Google Scholar] [CrossRef]
  98. Github. Booter-black-List/Crawler at Master · jjsantanna/Booter-black-List · GitHub. Available online: https://github.com/jjsantanna/Booter-black-List/tree/master/Crawler (accessed on 30 November 2022).
  99. Moustafa, N.; Slay, J. The evaluation of Network Anomaly Detection Systems: Statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set. Inf. Secur. J. 2016, 25, 18–31. [Google Scholar] [CrossRef]
  100. Ring, M.; Wunderlich, S.; Grüdl, D.; Landes, D.; Hotho, A. Flow-based benchmark data sets for intrusion detection. Eur. Conf. Inf. Warf. Secur. ECCWS 2017, 16, 361–369. [Google Scholar]
  101. Sharafaldin, I.; Lashkai, A.H.; Ghorbani, A.A. IDS 2017|Datasets|Research|Canadian Institute for Cybersecurity|UNB. Available online: https://www.unb.ca/cic/datasets/ids-2017.html (accessed on 30 November 2022).
  102. IDS 2018 | Datasets | Research | Canadian Institute for Cybersecurity | UNB. Available online: https://www.unb.ca/cic/datasets/ids-2018.html (accessed on 22 January 2022).
  103. Sharafaldin, I.; Lashkari, A.H.; Hakak, S.; Ghorbani, A.A. Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. In Proceedings of the International Carnahan Conference on Security Technology, Chennai, India, 1–3 October 2019; pp. 1–8. [Google Scholar] [CrossRef]
  104. Landauer, M.; Skopik, F.; Wurzenberger, M.; Hotwagner, W.; Rauber, A. Have it your way: Generating customized log datasets with a model-driven simulation testbed. IEEE Trans. Reliab. 2020, 70, 402–415. [Google Scholar] [CrossRef]
  105. Al-mashhadi, S.; Anbar, M.; Hasbullah, I.; Alamiedy, T.A. Hybrid rule-based botnet detection approach using machine learning for analysing DNS traffic. PeerJ Comput. Sci. 2021, 7, e640. [Google Scholar] [CrossRef]
  106. Katkar, V.; Zinjade, A.; Dalvi, S.; Bafna, T.; Mahajan, R. Detection of DoS/DDoS attack against HTTP servers using naive Bayesian. In Proceedings of the 1st International Conference on Computing, Communication, Control and Automation, ICCUBEA 2015, Pune, India, 26–27 February 2015; pp. 280–285. [Google Scholar] [CrossRef]
  107. Anitha, E.; Malliga, S. A packet marking approach to protect cloud environment against DDoS attacks. In Proceedings of the 2013 International Conference on Information Communication and Embedded Systems, ICICES 2013, Chennai, India, 21–22 February 2013; pp. 367–370. [Google Scholar] [CrossRef]
  108. Alqahtani, S.M.; Al Balushi, M.; John, R. An intelligent intrusion prevention system for cloud computing (SIPSCC). In Proceedings of the 2014 International Conference on Computational Science and Computational Intelligence, CSCI 2014, Las Vegas, NV, USA, 10–13 March 2014; Volume 2, pp. 152–158. [Google Scholar] [CrossRef]
  109. Khatri, J.K.; Khilari, G. Advancement in virtualization based intrusion detection system in cloud environment. Int. J. Sci. Eng. Technol. Res. (IJSETR) 2015, 4, 1510–1514. [Google Scholar]
  110. Sangeetha, S.; Gayathri Devi, B.; Ramya, R.; Dharani, M.K.; Sathya, P. Signature based semantic intrusion detection system on cloud. In Advances in Intelligent Systems and Computing; Springer: New Delhi, India, 2015; Volume 339, pp. 657–666. [Google Scholar] [CrossRef]
  111. Teng, S.; Zheng, C.; Zhu, H.; Liu, D.; Zhang, W. A cooperative intrusion detection model for cloud computing networks. Int. J. Secur. Its Appl. 2014, 8, 107–118. [Google Scholar] [CrossRef] [Green Version]
  112. Xiang, Y.; Li, K.; Zhou, W. Low-rate DDoS attacks detection and traceback by using new information metrics. IEEE Trans. Inf. Forensics Secur. 2011, 6, 426–437. [Google Scholar] [CrossRef]
  113. Alzubi, Q.M.; Anbar, M.; Sanjalawe, Y.; Al-Betar, M.A.; Abdullah, R. Intrusion detection system based on hybridizing a modified binary grey wolf optimization and particle swarm optimization. Expert Syst. Appl. 2022, 204, 117597. [Google Scholar] [CrossRef]
  114. Alqahtani, S.; Gamble, R.F. DDoS attacks in service clouds. In Proceedings of the Annual Hawaii International Conference on System Sciences, Kauai, HI, USA, 5–8 January 2015; pp. 5331–5340. [Google Scholar] [CrossRef]
  115. Abusitta, A.; Bellaiche, M.; Dagenais, M. An SVM-based framework for detecting DoS attacks in virtualized clouds under changing environment. J. Cloud Comput. 2018, 7, 9. [Google Scholar] [CrossRef] [Green Version]
  116. Choi, J.; Choi, C.; Ko, B.; Kim, P. A method of DDoS attack detection using HTTP packet pattern and rule engine in cloud computing environment. Soft Comput. 2014, 18, 1697–1703. [Google Scholar] [CrossRef]
  117. Chen, Z.; Xu, G.; Mahalingam, V.; Ge, L.; Nguyen, J.; Yu, W.; Lu, C. A Cloud Computing Based Network Monitoring and Threat Detection System for Critical Infrastructures. Big Data Res. 2016, 3, 10–23. [Google Scholar] [CrossRef]
  118. Vissers, T.; Somasundaram, T.S.; Pieters, L.; Govindarajan, K.; Hellinckx, P. DDoS defense system for web services in a cloud environment. Future Gener. Comput. Syst. 2014, 37, 37–45. [Google Scholar] [CrossRef]
  119. Xiao, L.; Wei, W.; Yang, W.; Shen, Y.; Wu, X. A protocol-free detection against cloud oriented reflection DoS attacks. Soft Comput. 2017, 21, 3713–3721. [Google Scholar] [CrossRef]
  120. Dhanapal, A.; Nithyanandam, P. An OpenStack based cloud testbed framework for evaluating HTTP flooding attacks. Wirel. Netw. 2021, 27, 5491–5501. [Google Scholar] [CrossRef]
  121. Albaroodi, H.; Manickam, S.; Anbar, M. A proposed framework for outsourcing and secure encrypted data on OpenStack object storage (Swift). J. Comput. Sci. 2015, 11, 590. [Google Scholar] [CrossRef] [Green Version]
  122. Osanaiye, O.; Choo, K.K.R.; Dlodlo, M. Change-point cloud DDoS detection using packet inter-arrival time. In Proceedings of the 2016 8th Computer Science and Electronic Engineering Conference, CEEC 2016, Colchester, UK, 28–30 September 2016; pp. 204–209. [Google Scholar] [CrossRef]
  123. Kiruthika Devi, B.S.; Subbulakshmi, T. A comparative analysis of security methods for ddos attacks in the cloud computing environment. Indian J. Sci. Technol. 2016, 9, 1–7.
  124. El-Sofany, H.F. Proposed a Novel Mechanism to Detect and Prevent XML and HTTP-Based Denial-of-Service Attacks for Cloud Computing. In Proceedings of the 2018 International Conference on Network Technology (ICNT 2018), and 7th International Conference on Software and Information Engineering (ICSIE 2018), Cairo, Egypt, 2–4 May 2018; pp. 4–6.
  125. El-Sofany, H.F.; Abou El-Seoud, S. Performance Analysis of an Effective Approach to Protect Cloud Systems against Application Layer Based Attacks. Int. J. Online Biomed. Eng. (iJOE) 2019, 15, 82.
  126. Muthukrishnan, R.K.; Hoy, J.R.; Iyer, S.R.; Kapadia, K.K.; Nagaratnam, N. User state tracking and anomaly detection in software-as-a-service environments. US Patent 10,200,387, 2019.
  127. Raja Sree, T.; Mary Saira Bhanu, S. Detection of HTTP flooding attacks in cloud using fuzzy bat clustering. Neural Comput. Appl. 2020, 32, 9603–9619.
  128. Abbasi, H.; Ezzati-Jivan, N.; Bellaiche, M.; Talhi, C.; Dagenais, M.R. Machine Learning-Based EDoS Attack Detection Technique Using Execution Trace Analysis. J. Hardw. Syst. Secur. 2019, 3, 164–176.
  129. Singh, D.; Patel, D.; Borisaniya, B.; Modi, C. Collaborative IDS framework for cloud. Int. J. Netw. Secur. 2016, 18, 699–709.
  130. Bhatia, S.; Schmidt, D.; Mohay, G.; Tickle, A. A framework for generating realistic traffic for Distributed Denial-of-Service attacks and Flash Events. Comput. Secur. 2014, 40, 95–107.
  131. Ali, M.; Khan, S.U.; Vasilakos, A.V. Security in cloud computing: Opportunities and challenges. Inf. Sci. 2015, 305, 357–383.
  132. Amjad, A.; Alyas, T.; Farooq, U.; Tariq, M.A. Detection and Mitigation of DDoS Attack in Cloud Computing Using Machine Learning Algorithm. EAI Endorsed Trans. Scalable Inf. Syst. 2019, 6, e7.
  133. Nikolai, J.; Wang, Y. Hypervisor-based cloud intrusion detection system. In Proceedings of the 2014 International Conference on Computing, Networking and Communications, ICNC 2014, Honolulu, HI, USA, 3–6 February 2014; pp. 989–993.
  134. Patil, R.; Dudeja, H.; Gawade, S.; Modi, C. Protocol Specific Multi-Threaded Network Intrusion Detection System (PM-NIDS) for DoS/DDoS Attack Detection in Cloud. In Proceedings of the 2018 9th International Conference on Computing, Communication and Networking Technologies, ICCCNT 2018, Bengaluru, India, 10–12 July 2018; pp. 1–7.
  135. SaiSindhuTheja, R.; Shyam, G.K. An efficient metaheuristic algorithm based feature selection and recurrent neural network for DoS attack detection in cloud computing environment. Appl. Soft Comput. 2021, 100, 106997.
  136. Nagaraja, A.; Boregowda, U.; Vangipuram, R. Study of Detection of DDoS attacks in cloud environment Using Regression Analysis. In Proceedings of the International Conference on Data Science, E-Learning and Information Systems 2021, Ma’an, Jordan, 5–7 April 2021; ACM: New York, NY, USA, 2021; pp. 166–172.
  137. Aladaileh, M.A.; Anbar, M.; Hintaw, A.J.; Hasbullah, I.H.; Bahashwan, A.A.; Al-Sarawi, S. Renyi Joint Entropy-Based Dynamic Threshold Approach to Detect DDoS Attacks against SDN Controller with Various Traffic Rates. Appl. Sci. 2022, 12, 6127.
  138. Aladaileh, M.A.; Anbar, M.; Hasbullah, I.H.; Chong, Y.W.; Sanjalawe, Y.K. Detection Techniques of Distributed Denial of Service Attacks on Software-Defined Networking Controller—A Review. IEEE Access 2020, 8, 143985–143995.
  139. Shah, S.B.I.; Anbar, M.; Al-Ani, A.; Al-Ani, A.K. Hybridizing entropy based mechanism with adaptive threshold algorithm to detect RA flooding attack in IPv6 networks. In Lecture Notes in Electrical Engineering; Alfred, R., Lim, Y., Ibrahim, A.A.A., Anthony, P., Eds.; Springer: Singapore, 2019; Volume 481, pp. 315–323.
  140. Idhammad, M.; Afdel, K.; Belouch, M. Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest. Secur. Commun. Netw. 2018, 2018.
  141. Zakarya, M. DDoS verification and attack packet dropping algorithm in cloud computing. World Appl. Sci. J. 2013, 23, 1418–1424.
  142. Zakarya, M.; Jan, Z.; Ullah, I.; Dilawar, N. DDoS Confirmation & Attack Packet Dropping Algorithm in On-Demand Grid Computing Platform. Bahria Univ. J. Inf. Commun. Technol. 2012, 5, 64–68.
  143. Jeyanthi, N.; Iyengar, N.C.S.; Kumar, P.C.; Kannammal, A. An enhanced entropy approach to detect and prevent DDOS in cloud environment. Int. J. Commun. Networks Inf. Secur. 2013, 5, 110–119.
  144. Agrawal, N.; Tapaswi, S. A Lightweight Approach to Detect the Low/High Rate IP Spoofed Cloud DDoS Attacks. In Proceedings of the 2017 IEEE 7th International Symposium on Cloud and Service Computing, SC2 2017, Kanazawa, Japan, 22–25 November 2017; pp. 118–123.
  145. Girma, A.; Garuba, M.; Li, J.; Liu, C. Analysis of DDoS Attacks and an Introduction of a Hybrid Statistical Model to Detect DDoS Attacks on Cloud Computing Environment. In Proceedings of the 12th International Conference on Information Technology: New Generations, ITNG 2015, Las Vegas, NV, USA, 13–15 April 2015; pp. 212–217.
  146. Navaz, A.S.; Sangeetha, V.; Prabhadevi, C. Entropy based Anomaly Detection System to Prevent DDoS Attacks in Cloud. Int. J. Comput. Appl. 2013, 62, 42–47.
  147. Shameli-Sendi, A.; Pourzandi, M.; Fekih-Ahmed, M.; Cheriet, M. Taxonomy of Distributed Denial of Service mitigation approaches for cloud computing. J. Netw. Comput. Appl. 2015, 58, 165–179.
  148. ManouchehriSarhadi, R.; Ghafori, V. New Approach to Mitigate XML-DOS and HTTP-DOS Attacks for Cloud Computing. Int. J. Comput. Appl. 2013, 72, 27–31.
  149. Bakshi, A.; Yogesh, B. Securing cloud from DDOS attacks using intrusion detection system in virtual machine. In Proceedings of the 2nd International Conference on Communication Software and Networks, ICCSN 2010, Singapore, 26–28 February 2010; pp. 260–264.
  150. Alosaimi, W.; Alshamrani, M.; Al-Begain, K. Simulation-Based Study of Distributed Denial of Service Attacks Prevention in the Cloud. In Proceedings of the NGMAST 2015: The 9th International Conference on Next Generation Mobile Applications, Services and Technologies, Cambridge, UK, 9–11 September 2015; pp. 60–65.
  151. Fontaine, J.; Kappler, C.; Shahid, A.; Poorter, E.D. Log-Based Intrusion Detection for Cloud Web Applications Using Machine Learning. In Lecture Notes in Networks and Systems; Springer: Cham, Switzerland, 2020; Volume 96, pp. 197–210.
  152. Iyengar, N.C.S.N.; Ganapathy, G.; Kumar, P.C.; Abraham, A. A multilevel thrust filtration defending mechanism against DDoS attacks in cloud computing environment. Int. J. Grid Util. Comput. 2014, 5, 236–248.
  153. Karnwal, T.; Thandapanii, S.; Gnanasekaran, A. A filter tree approach to protect cloud computing against XML DDoS and HTTP DDoS attack. In Advances in Intelligent Systems and Computing; Springer: Berlin/Heidelberg, Germany, 2013; Volume 182, pp. 459–469.
  154. Ramana, V.; Seenivasan, S.; Durai, M.; Priyadharsini, M. Secure Cloud Computing Environment against DDos and EDos Attacks. Int. J. Eng. Res. Technol. (IJERT) 2014, 3, 3453–3459.
  155. Masood, M.; Anwar, Z.; Raza, S.A.; Hur, M.A. EDoS Armor: A cost effective economic denial of sustainability attack mitigation framework for e-commerce applications in cloud environments. In Proceedings of the 2013 16th International Multi Topic Conference, INMIC 2013, Lahore, Pakistan, 19–20 December 2013; pp. 37–42.
  156. Herzberg, A.; Shulman, H. DNS authentication as a service: Preventing amplification attacks. In Proceedings of the 30th Annual Computer Security Applications Conference 2014, New Orleans, LA, USA, 8–12 December 2014; pp. 356–365.
Figure 1. Proposed taxonomy of attacks, DDoS attacks, and DDoS attack detection approaches on CC.
Figure 2. The topology of smurf attack.
Figure 3. Economic denial of sustainability attack.
Figure 4. SYN flood attack.
Figure 5. UDP flood attack.
Figure 6. Ping of death attack.
Figure 7. ICMP flood attack.
Figure 8. HTTP-GET flood attack.
Table 1. Summary of CC service models.

| Service Models | Ownership Level | Control Level | Example |
|---|---|---|---|
| SaaS | End Clients | Can use the app but cannot control it or the server, storage, operating system (OS), network interface card (NIC), antivirus, etc. | Google and Microsoft applications |
| PaaS | Software Developer | Can create and control own app but cannot control the OS, NIC, antivirus, etc. | GAE, Microsoft’s Azure |
| IaaS | Infrastructure Architects | Can create and control own app, OS, NIC, antivirus, etc. | GoGrid, Flexiscale, Layered Technologies, and Rackspace |
Table 2. Summary of CC deployment models.

| Deployment Models | Ownership | Services |
|---|---|---|
| Private | Owned by Single Company | Serve Internal Clients |
| Public | Owned by Single Company | Serve General Public |
| Community | Owned by Specific Community | Serve to Specific Community |
| Hybrid | Owned by a private company or/and owner of CSP | Serve to the general public and internal clients |
Table 3. Qualitative comparison between this work and existing surveys.

Columns of the original table: Scope of Work | This Work | Other Survey Works (A Brief Discussion Only): [13], [39], [40]. The per-row tick marks are not recoverable from this copy; the compared criteria are listed below.
Taxonomy of Attacks on CC
Suffocative
Protocol
Application Layer
Economically
Permanent Economic
Taxonomy of DDoS Attacks on CC
SYN Floods
UDP Floods
Ping of Death
ICMP Flood
HTTP Flood
Taxonomy of DDoS Attacks Detection Approaches
Signature Based (Used for Recognizing the Network Attacks)
Anomaly-based (Used for Recognizing the Network Attacks)
Hybrid-based (Used for Recognizing the Network Attacks)
Entropy-based (Deployed in Application Layer)
Filtering Tree (Deployed in Application Layer)
Parameters for Determining DDoS Attacks Solution
The real-time Response Detection mechanism
Over-Under Mitigate
Reporting
Performance Degradation
Ability to Auto-scale
Throughput
Request Response Time
Zero-Day Attack Detection Ability
Efficient
Accurate
Lightweight
Easy
Functional
Table 4. Attacks on CC based on two questions.

| Attacks on CC | What Are They Doing? | How Does the Victim Become Paralyzed? |
|---|---|---|
| Suffocative Attacks | They utilize tremendous traffic to saturate the target’s infrastructure-level bandwidth. | The attack generates huge traffic to deny access to the resource (e.g., Web service). The attack volume is generally calculated in packets/sec or bit/sec. Example: TCP flood, user datagram protocol (UDP) Flood/Storm, DNS amplification, network time protocol (NTP) amplification, and Internet Control Message Protocol (ICMP) flood or Ping flood [42]. |
| Protocol Attacks | Attacks that make a target inaccessible by exploiting the vulnerabilities of the infrastructure-level bandwidth of the victim (in the network layer and transport layer protocol stack). | An attack on the protocol takes up all processing power in the targeted device or resource, like a firewall. Example: Synchronize Flood (Neptune), Smurf DDoS attacks, Ping of Death [9,42]. |
| Economic Denial of Sustainability (EDoS) | Attacks that exploit CC’s resource utilization, aiming to impact the CSP or CCC’s financial bottom line (e.g., to increase the bill), but not its physical network or server resources. It forces the CSP to keep increasing its resource utilization to fulfill the SLA of its clients to the point it is economically non-viable or unable to sustain further demand for services. | These economic attacks drive up the CCCs’ resource utility costs. |
| Permanent Economic Attacks | It can also be found locally on CC devices or other devices, vulnerable or misconfigured firmware, and binaries. It targets the firmware, deletes all files, and re-configures network settings. If a system has not been sufficiently patched and upgraded, the probability of failure increases. Firmware is deliberately changed to corrupt the machine as a whole. | It attempts to destroy or modify hardware or a component. For example, one-shot attacks exploit applications’ firmware upgrade mechanisms to inflict harm remotely via various means, such as phishing. |
Table 5. DDoS attacks on CC.

| DDoS Attack | Attack Aim | Source IP Address | Attack Method | OSI Layer | Impacts of Attack |
|---|---|---|---|---|---|
| SYN Flood | Protocol exploiting resource depletion | Spoofed | Not using malformed packets. Exploits TCP’s three-way handshaking | L4 | Attack consumes VM’s resources, leading to EDoS attacks |
| UDP Flood | Protocol exploited bandwidth depletion attack | Spoofed | Not using malformed packets. Sends an oversize stream of UDP packets to a specific or random port of a target | L4 | Attacks consume network bandwidth, leading to EDoS attacks |
| Ping of Death | Resource depletion using malformed packets | Spoofed | Using malformed packets. Sends data packet that exceeds maximum packet size | L3 | Attacks cause a buffer overflow and system crash, leading to EDoS attacks |
| ICMP Floods | Protocol exploited bandwidth depletion attack | Spoofed | Not using malformed packets. Exploits ICMP’s ECHO REQUEST packet | L3 | Attacks saturate network bandwidth, leading to EDoS attacks |
| HTTP Flood | Protocol exploiting resource depletion | Real (Not Spoofed) | Not using malformed packets. Exploits HTTP GET and POST request | L7 | Attacks consume all VM’s resources, leading to EDoS attacks |
Table 6. Summary of attacks: their location, tools, and impacts.

| Attack Sort | Attack Tools | Impacts |
|---|---|---|
| ICMP Flood | LOIC [56], XOIC [57] | Resource Depletion |
| ICMP Flood | Stacheldraht [58], TFN [59], Shaft [60], Black Energy [61], Hgod [62] | Bandwidth, Resource Depletion |
| ICMP Flood | Mstream [60] | Bandwidth Depletion |
| SYN Flood | TFN, LOIC, DDOSIM [63], Py-loris [64], XOIC, Aldi Botnet [65] | Resource Depletion |
| SYN Flood | Shaft, Kaiten [66], Knight [67], Black Energy, Hgod | Bandwidth, Resource Depletion |
| SYN Flood | Mstream, Trinoo [68] | Bandwidth Depletion |
| UDP Flood | LOIC, DDOSIM, Pyloris, XOIC | Resource Depletion |
| UDP Flood | Stacheldraht, Trinity [69], TFN, Shaft, Kaiten, Knight, Black Energy, Hgod | Bandwidth, Resource Depletion |
| UDP Flood | Mstream, Trinoo | Bandwidth Depletion |
| HTTP Flood | LOIC, DDOSIM, Pyloris, Aldi Botnet, R-U DEAD-YET (R.U.D.Y) [70], HOIC, HULK [71], XERXES [72] | Resource Depletion |
| HTTP Flood | Black Energy, TOR’s Hammer [73] | Bandwidth, Resource Depletion |
| HTTP Flood | Trinoo | Bandwidth Depletion |
| HTTP Flood | DAVOSET [74], Silent-Ddoser [75], UFONET [76] | Bandwidth, Resource Depletion |
| Slowloris | Pyloris | Bandwidth, Resource Depletion |
| Smurf | Nemesis [77] | Bandwidth, Resource Depletion |
| Zero-day | Any tool | Bandwidth, Resource Depletion |
| EDoS | All of the above and others contribute to | Bandwidth, Resource Depletion |
| PDoS | PhlashDance [51] | Permanent damage to the hardware |

The original table also carries category columns (Bandwidth Based: BB, Application Layer: AL, Protocol: Pr, Economically: Eco, Hardware Function: HF) whose tick marks are not recoverable from this copy.
Table 7. DDoS attack Datasets.

| Refs/Year | Dataset Name | Sort of Traffic |
|---|---|---|
| [78]/1995 | University of Saskatchewan’s weblogs | HTTP |
| [79]/1995 | NASA Kennedy Space Center Florida web server logs | HTTP |
| [80]/1995 | ClarkNet Internet Service Provider Web server logs | HTTP |
| [81]/1995 | University of Calgary’s Computer Science Department weblogs | HTTP |
| [82]/1995 | San Diego Supercomputer Center (SDSC) | HTTP |
| [83]/1995 | Environmental protection agency-hypertext transfer protocol (EPA/EPA-HTTP) | HTTP |
| [84]/1998 | FIFA World Cup | HTTP (flash crowd) |
| [85]/98-2000 | MIT Lincoln | TCP |
| [86]/1999 | KDD Cup | TCP |
| [87]/2001 | UCLA | UDP |
| [88]/2001 | ATADS | HTTP (flash crowd) |
| [89]/2001 | Chilean presidential election | HTTP (flash crowd) |
| [90]/2007 | CAIDA | ICMP |
| [91]/2009 | Waikato | UDP |
| [92]/2009 | DARPA | HTTP, SMTP, DNS, TCP |
| [93]/2009 | Realistic Global Cyber Environment (RGCE) | HTTP, TCP |
| [94]/2010 | HTTP DATASET CSIC 2010 | HTTP |
| [95]/2012 | TUIDS | ICMP, TCP, UDP |
| [96]/2013 | FRGP NTP Flow Data | NTP |
| [97]/2013 | CC Availability-20130311 | ICMP, HTTP |
| [98]/2014 | Booter | DNS |
| [96]/2014 | FRGPS SDPS | STP, UDP, ICMP |
| [99]/2015 | UNSW-NB15 Coburg Intrusion Detection Dataset | TCP |
| [100]/2017 | CIDDS-001 CIDDS-002 | ICMP, TCP, UDP, HTTP |
| [101]/2017 | CICIDS2017 | HTTP/S, SMTP, POP3, IMAP, SSH, FTP |
| [97]/2018 | DITL B-Root – 20180410 | DNS |
| [102]/2018 | CSE-CIC-IDS2018 on AWS | HTTP/s, SMTP, POP3, IMAP, SSH, FTP |
| [103]/2019 | CICDDoS2019 | DNS, TFTP, WebDDoS, etc. |
| [104]/2020 | AIT Log Data Set | WebServer, WebMail, smtp, etc. |

The original table also marks, per dataset, the OSI layers covered (L3, L4, L7); those tick marks are not recoverable from this copy.
Table 8. Advantages and disadvantages of signature-based detection approach.

| Refs | Approach Used | Advantages | Disadvantages | Note |
|---|---|---|---|---|
| [106] | Naïve Bayesian Classifier | Simple and easy to implement; does not require much training data; handles both continuous and discrete data; fast and applicable for real-time predictions | The assumption of independent predictor features is the fundamental drawback of Naive Bayes. If a categorical variable in the test dataset has a category not present in the training dataset, the model assigns it a probability of zero and does not generate a prediction | Slow read attacks were detected with 97.82% accuracy, and normal behavior with 96.46% accuracy |
| [107] | CLASSIE and modulo marking methods are used to avoid spoofing attacks | It allows us to improve the detection and filtering of DDoS attacks while lowering the false-positive rate | Applicable at the source site | The packet marking overhead and the false-positive rate of DoS attacks are greatly reduced. The Reconstruct and Drop method is used to make decisions and drop the packets on the victim side |
| [109] | Implementation of the Suricata IDS based on virtualization | Helpful in detecting network intrusion in a virtual network and detecting intrusion from encrypted traffic. Helpful in the detection of insider attacks and known attacks | If an attack occurs within a virtual network inside the hypervisor, it is not useful | The architecture includes the implementation of the Suricata IDS for securing virtualized servers on CC and the validation of the IDS in detecting DDoS attacks against virtualized environments and effectively protecting the CC from vulnerabilities |
| [110] | E-CARGO model | Efficient, fast, and secure | Decrease memory space and time | A multi-threaded Network IDS (NIDS) and Host-based IDS (HIDS) are presented in collaboration to provide an efficient, quick, and secure HIDS |
Table 9. Detection approaches based on signature.

| Refs | Detecting OSI Layer | Feature Selection Tool | Features Used | Dataset Used | Algorithm Used |
|---|---|---|---|---|---|
| [106] | L7 | Unknown | Src bytes, Srv error rate, Diff srv rate, Terror rate, Srv diff host rate, Dst bytes, Service, Protocol type, Duration, Flag, Terror rate, Srv error rate, Same srv rate, Count, Srv count | New testbed containing: DARPA, KDD Cup and create new for testing | Naive Bayesian classifier |
| [107] | L7 | Unknown | Packets, physical address, incoming messages | Unknown | Decision tree classification system called CLASSIE |
| [108] | L7 | Unknown | The system shutdown initiation, logging off the user, disabling of connections, and the process of halting the system | Unknown | Unknown |
| [109] | L3,4,7 | Unknown | Packet header, IP | Unknown | Unknown |
| [110] | L7 | Unknown | Version, URI, and Request method, followed by a MIME-like message containing request modifiers, possible body content and client information | Unknown | Unknown |

The Parallel Processing column of the original table is not reproduced; its tick marks are not recoverable from this copy.
Table 10. Anomaly-based Detection approaches.

| Refs | OSI Layer | Feature Selection Tool | Features Used | Dataset Used | Algorithm Used |
|---|---|---|---|---|---|
| [114] | L7 | Unknown | End-time, start-time, status, request-response pair, SessionID | Random dataset (unknown) | NA |
| [115] | L7 | Unknown | Uses the same features as [130,131]: source IPs, packet size, No. of sources, packet rate, Linux kernel features, Number of requests, HTTP-GET requests, packets containing 200, 206, and 400 HTTP status codes, Linux kernel features, network bandwidth, system memory, and CPU time | CAIDA “DDoS Attack 2007”, 1998 FIFA World Cup | SVM classifier |
| [116] | L7 | Unknown | Load, protocol distribution for the classification distribution of the network service, information distribution of the packet header, packet size, the maximum value, flow monitoring utilizing a spoofing address, Request URL, IP address of the remote host, CPU usage, minimum value of traffic, the time of the request | Unknown | MapReduce |
| [117] | L7 | Unknown | Packet length, source and destination ports, source and destination IP addresses, and packet timestamp | Real-world network traffic data from Chicago Equinix DC | MapReduce, Spark, k-means clustering |
| [118] | L7 | Unknown | Unknown | Unknown | NA |
| [119] | L7 | Unknown | Unknown | Unknown | PFD |
| [132] | L7 | Unknown | Time, source IP, destination IP, protocol, length | Generated a new prediction-based data set | Naïve Bayes |
| [55] | L7 | Unknown | TCP Window size, the time interval between requests, size of data, response time, URL, number of connections per second, length in seconds | Unknown | NA |
| [120] | L7 | Unknown | IP address, multiple HTTP requests, time interval | FIFA World Cup 1998 real-time | NA |
| [123] | L7 | Unknown | Memory usage, CPU usage, Latency, Packet loss, Throughput and Link utilization, time, duration, protocol and rate | Unknown | NA |
| [124] | L7 | Unknown | Source and destination IP addresses | Unknown | Correlation algorithm |
| [125] | L7 | Mahalanobis distance (MD) | Source and destination IP addresses, No. of packets, time intervals | Unknown | Graph path traversal |
| [127] | L7 | Grouping of similar input patterns using fuzzy bat clustering | Remote host, request strings similarity, GRPS, VM status, inter-arrival time between requests, periodic repeatability and port number, request time, group consists of user ID, VM ID, and time stamp of the VM instance | Unknown | Grouping of similar input patterns using fuzzy bat clustering |
| [33] | L7 | Unknown | RT, Svc, Calc, CPU, a mixture of CC resources, Request, Req, Calculate, and Rspns are the Service abbreviations, Response time, memory, bandwidth, and Response | Unknown | TPANGND |
| [128] | L7 | Unknown | TSP, IOWo, IODi, IODo, CPUW, CPUD, MemW, R(SYN), NBWph, IOWi, NBWpd, NBWpw, NBWpm, R(ACK), NPi R(SYN+ACK), NPo, NHOP | Unknown | SVM and neural network |

The Parallel Processing column of the original table is not reproduced; its tick marks are not recoverable from this copy.
Table 11. Advantages and disadvantages of anomaly-based detection approach.

| Refs | Approach Used | Advantages | Disadvantages | Note |
|---|---|---|---|---|
| [114] | DDoS attacks prevention approach for flooding | Reduce resource consumption and delay | Identified the sudden surge in incoming requests to a target, thereby rendering it overloaded and congesting the communication channel leading to it | A distributed detection of flooding-based DDoS attacks is presented and has also identified the attacking services within a service CC |
| [115] | SVM learning-based flexible detection framework for DDoS attacks technique | This approach can enhance the detection accuracy under changing environments; it helps the hypervisor identify compromised VMs that may try to claim and consume more resources | No major drawbacks | There is a future scope to enhance the attack detection approach |
| [116] | Snort detection based on HTTP | Lower processing time than regular Snort. More accurate and reliable detection mechanism | Increase congestion | There is a need to study the various pattern recognition approaches for detecting DDoS attacks in a CC context |
| [117] | A CC-based network monitoring and threat detection system | Monitors network activities efficiently. Detects abnormal behavior and network threats | High overhead | There is a plan to enhance the attack detection accuracy in the future |
| [118] | XML and HTTP application layer attacks prevention mechanism | Intelligent, fast, and adaptive. Can detect spoofing and regular flood attacks | High overhead, low efficiency | There is a future scope to enhance the attack detection approach |
| [119] | Flow correlation coefficient (FCC)-based protocol-free detection (PFD) algorithm | It detects attacking flows efficiently and effectively. Protocol agnostic | Low efficiency | It is an effective approach for detecting RDoS attacks |
| [132] | ML-based algorithm, Naïve Bayes, and Random forest | Naïve Bayes is stronger than random forest. Naïve Bayes detects the attack more efficiently than random forest | High overhead | There is a future scope to enhance the attack detection approach |
| [55] | OpenStack, slowHTTPTest open-source tool | High accuracy in attack detection in the early stage | High overhead, low efficiency | There is a future scope to enhance the attack detection approach |
| [120] | HTTP flood DDoS attacks | It uses the OpenStack Platform and real-time datasets for performance evaluation | HTTP errors, higher response time | The suggested framework will be improved in the future to identify and mitigate HTTP flood attacks in the CC |
| [123] | Anomaly Detection | Reduce resource consumption | Low detection rate and detection time | |
| [124] | Architecture for mobile CC security | Accuracy, sensitivity, and specificity rates | No major drawbacks | The proposed approach has a performance average of (97.03%), with an average accuracy (98.05%), average sensitivity (93.34%), and average specificity (93.34%) |
| [125] | Correlation analysis model | High accuracy | High overhead | NA |
| [127] | Fuzzy bat clustering | Determines anomalies accurately with very few false alarms. High detection rate | Misidentified benign or malicious traffic in a few cases | Hybrid optimization strategies may be applied in the future to improve detection efficiency |
| [33] | Anomaly-based framework | High DDoS attack detection | High overhead | |
| [128] | Execution Trace Analysis | High accuracy in attack detection | Low efficiency | There is a future scope to enhance the attack detection approach |
Table 12. Hybrid-based DDoS detection approaches on CC.

| Refs | Detecting OSI Layer | Feature Selection Tool | Features Used | Dataset Used | Algorithm Used |
|---|---|---|---|---|---|
| [133] | L3,7 | Unknown | Block Device Write Request (Block Device Write Req), Block Device Read Requests (Block Device Read Req), Packets Transmitted (Packets TX), Packets Received (Packets RX), and CPU Utilization (CPU Util) | Unknown | NA |
| [111] | L3,4,7 | Unknown | IP, MAC address, port, data content, Size, Protocol, Time, TTL | Unknown | E-CARGO, Advanced Research Projects Agency (DARPA), Common Intrusion Detection Frame (CIDF) |
| [134] | L3,4,7 | Unknown | Protocol, port numbers, traffic, HTTP, telnet, flag, source bytes, destination bytes | KDD’99 | ID3 decision tree, Random Forest, OneR |
| [129] | L3,7 | Unknown | Failed login attempts number, flag, src byte, DST byte, land, root access number, protocol, service, ag error, TCP/IP connection. Duration, protocol type, service used, urgent, num failed logins, logged in, root shell, num root, count, syn error rate, rejection error rate | KDD99 | Decision Tree, SVM |

The Parallel Processing column of the original table is not reproduced; its tick marks are not recoverable from this copy.
Table 13. Advantages and disadvantages of hybrid-based DDoS detection approach.

| Refs | Approach Used | Advantages | Disadvantages | Note |
|---|---|---|---|---|
| [133] | Hypervisor-based cloud IDS | Can profile suspicious activities without knowing the OS running within the VM; does not require additional software installed in the VM | High overhead, low efficiency | There is a future scope to enhance the attack detection approach |
| [111] | Collaborative intrusion detection architecture | It can detect slow scanning and DDoS attacks | Low efficiency | There is a future avenue to enhance the attack detection approach |
| [134] | Protocol specific multi-threaded network IDS | Can detect known and unknown attacks in the CC; high detection rate; low false negatives | Unable to detect other attacks | In the future, this system can be extended to detect other types of attacks |
| [129] | Collaborative IDS (CIDS) Framework, Snort with signature matching | Improved detection accuracy and system performance; the learning process has become faster | No major drawbacks | There is a future scope to enhance the attack detection approach |
Table 14. Entropy-based DDoS detection approaches.

| Refs | OSI Layer | Feature Selection Tool | Features Used | Dataset Used | Algorithm Used |
|---|---|---|---|---|---|
| [140] | L7 | Unknown | Source/destination ports, source/destination IP | CIDDS-001 | ITE ML, RFEL |
| [141] | L3, 7 | Unknown | Traffic distribution like IP address, Port, number of packets | Unknown | Attack Packet dropping |
| [145] | L3, 7 | Unknown | The huge distance between the data and baseline entropy | Unknown | NA |
| [83] | L7 | Unknown | Entropy, HTTP-GET request count, and difference for every connection, IP address | EPA-HTTP | MLP, GA, Artificial Neural Networks (ANN) |
| [146] | L3, 4, 6, 7 | Unknown | IP address, port, flow size | Unknown | Detection algorithm, Confirmation algorithm |

The Parallel Processing column of the original table is not reproduced; its tick marks are not recoverable from this copy.
Table 15. Advantages and disadvantages of entropy detecting.

| Refs | Approach Used | Advantages | Disadvantages | Note |
|---|---|---|---|---|
| [140] | Information-Theoretic Entropy and Random Forest | High HTTP DDoS attacks detection performance | Not yet deployed in the real world | They planned to perform real-world deployment of this approach and evaluation w.r.t. several HTTP DDoS attack tools as a future scope |
| [141] | Attack Packet Dropping Algorithm | Easy to adapt, more trustworthy, high accuracy, no extra packet overhead, good QoS | Low efficiency | The proposed architecture and recommendation may be applied on a CC platform to accurately identify DDoS attacks. The concept can be expanded to include a recovery mechanism for DDoS attacks |
| [145] | Hybrid Statistical Model | It helps in attack mitigation | More overhead | The proposed scheme with two checkpoints will be a superior alternative solution in reducing risk and providing a better outcome |
| [83] | Artificial Neural Networks | High accuracy | Suitable only for application-layer DDoS attack detection | This approach can be extended for developing an efficient detection for attacks |
| [146] | Entropy | The rate of entropy is lesser when the class distribution is pure | Security issues can be there as the third-party vendor handles them | This algorithm works in 2 phases. First, users are permitted to travel through the router on the network site. In the second, the traffic passes through a cloud-based router that uses a confirmation algorithm and checks for a threshold value |
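As an added illustration of the entropy-based family summarised in Tables 14 and 15 (example code written for this page, not taken from any of the cited works), the sketch below computes the Shannon entropy of source IP addresses per time window, measures its distance from a learned baseline as in [145], and confirms a deviation against a packet-rate threshold in the two-phase detection/confirmation spirit of [146]. The flow records, window length, entropy distance and rate factor are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`.

    A window dominated by a few sources (botnet HTTP flood) has low entropy;
    a window of randomly spoofed sources (UDP/ICMP flood) has unusually high
    entropy. Both are deviations from a benign baseline, so we look at distance.
    """
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def bucket_by_window(flows, window_seconds):
    """Group flow records (timestamp, source_ip, dst_port) into fixed windows."""
    buckets = defaultdict(list)
    for ts, src, _port in flows:
        buckets[int(ts // window_seconds)].append(src)
    return dict(sorted(buckets.items()))


def window_stats(flows, window_seconds):
    """Per window: (source-IP entropy, packet count)."""
    return {
        w: (shannon_entropy(srcs), len(srcs))
        for w, srcs in bucket_by_window(flows, window_seconds).items()
    }


def learn_baseline(stats, training_windows):
    """Mean entropy and mean packet rate over windows assumed attack-free."""
    ents = [stats[w][0] for w in training_windows]
    rates = [stats[w][1] for w in training_windows]
    return sum(ents) / len(ents), sum(rates) / len(rates)


def detect(stats, baseline_entropy, baseline_rate, entropy_delta=1.0, rate_factor=3.0):
    """Two-phase verdict per window.

    Phase 1 (detection): the entropy distance from baseline exceeds `entropy_delta`.
    Phase 2 (confirmation): the packet count also exceeds `rate_factor` times the
    baseline rate, so a mere shift in the client population is not enough.
    Thresholds are assumptions for this example; tune them on your own traffic.
    """
    verdicts = {}
    for w, (h, n) in stats.items():
        suspected = abs(h - baseline_entropy) > entropy_delta
        confirmed = suspected and n > rate_factor * baseline_rate
        verdicts[w] = "attack" if confirmed else ("suspect" if suspected else "normal")
    return verdicts


def make_sample_flows():
    """Constructed flows: three benign 10 s windows (40 distinct sources each),
    then one window flooded by four sources sending 600 packets (constructed,
    not from any dataset in Table 7)."""
    flows = []
    for window in range(3):
        for i in range(40):
            flows.append((window * 10 + (i % 10), f"198.51.100.{i}", 80))
    for i in range(600):
        flows.append((30 + (i % 10), f"203.0.113.{i % 4}", 80))
    return flows


if __name__ == "__main__":
    stats = window_stats(make_sample_flows(), window_seconds=10)
    base_h, base_rate = learn_baseline(stats, training_windows=[0, 1, 2])
    for w, verdict in detect(stats, base_h, base_rate).items():
        h, n = stats[w]
        print(f"window {w}: entropy={h:.2f} bits, packets={n}, verdict={verdict}")
```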
Table 16. DDoS attack detection approaches based on filtering tree.

| Refs | Detecting OSI Layer | Feature Selection Tool | Features Used | Dataset Used | Algorithm Used |
|---|---|---|---|---|---|
| [153] | L7 | Unknown | IP, SOAP header, URI | Unknown | Hop count filter |
| [154] | L7 | Unknown | Threshold logic unit (TLU), IP address, HTTP Request, IP header | Generate new real-time data | DPM, neural network (NN) |
| [155] | L7 | Unknown | IP, Session such as Session ID, Port, CPU Processing Time such as Average Processing Time for accessing the resource, Processing Time for request | KDD Cup 2000 data set (KDD Cup Competition, 2000) | Decision tree algorithm J48 |
| [148] | L7 | Unknown | IP, ID, date Time-consuming, URL, Request List, content, requested URL | Unknown | CSQD |
| [156] | L7 | Unknown | IP, cookie, Time to Live (TTL), number of requests | CIDR notation | Filter, game-theoretic model |
| [150] | L7 | Unknown | IP address, TTL value, HTTP requests, response time, average load level | Unknown | Graphical Turing Test (CAPTCHA) |
| [151] | L7 | Unknown | Unknown | Collect access logs from multiple web applications | J48 decision trees, neural networks |
| [152] | L3,7 | Unknown | IP, ID client, ID request, password, session, type of incoming request, MAC address, request size, timestamp | Unknown | MTF |

The Parallel Processing column of the original table is not reproduced; its tick marks are not recoverable from this copy.
Table 17. Advantages and disadvantages of filtering tree-based detection technique.

| Refs | Approach Used | Advantages | Disadvantages | Note |
|---|---|---|---|---|
| [153] | Dynamic Entropy Method | It can detect HTTP flood attacks with a high probability. Capable of reducing false alarms. Performance enhancement | More overhead, low efficiency | Statistical analysis can be used in the future to ban harmful IPs and record questionable IPs |
| [154] | DDoS attacks and EDoS Shield | It can detect the attack messages within a very short period | Low efficiency | The scope will be to set up CC Protector for real-time data collection and testing in the future |
| [155] | Novel mitigation system against DDoS attacks | Efficient in mitigating the EDoS attack, reduces response time and computing power utilization | More overhead, low efficiency | There is a future scope to enhance the attack detection module and integrate it with the proposed mitigation techniques |
| [148] | CSQD (Cloud Service Queuing Defender) | Effective and efficient in detecting and mitigating most DoS attacks. Self-learner | More overhead, low efficiency | The CSQD system detects the malicious request and stores it in its database to prevent similar attacks in the future |
| [156] | Game-theoretic model and analysis | It is very beneficial for a range of Internet clients and services | It generates a list of ’good’ DNS resolvers and platforms and a list of potentially hacked (suspicious) hosts | The model has its own merits and can be used to assess defenses against various sorts of DoS attacks |
| [150] | Traditional network security | Better response time and server load | It is dependent on firewall security | In the future, more complicated scenarios of the Enhanced DDoS-MS framework will be implemented in the same simulation environment |
| [151] | Log-Based Intrusion Detection, ML techniques | It is simple while training the detection models and has high accuracy in attack detection. Very fast method | More overhead | Web CC security logs identical to traditional on-premise security logs are presented as contributions |
| [152] | Multilevel Thrust Filtration (MTF) mechanism | It can be deployed at an attack-prone DC for resource protection | Low efficiency | A hybrid approach to detecting 4 types of attacks simultaneously |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
