Virtualization Security Effects on Cloud Computing

Abstract

In this thesis, we introduce Hypervisor Ingress Filtering (HIF): a new technique for mitigating Domain Name Servers (DNS) reflection amplification DDoS attacks originated from clouds. Domain Name Servers (DNS) reflection amplification is widely used technique in generating DDoS attacks. DDoS attack is one of the virtualization threats that can affect the availability of cloud computing badly. Our technique is based on Best Current Practice (BCP38), which tries to defeat IP spoofing. The technique depends on the fact that hypervisors are fully aware of all the details of the virtual machines (VMs) hosted by them, and that all the virtualization traffic passes through them. Hypervisors are used to prevent all the spoofed traffic originating from their VMs and targeting Domain Name Servers (DNS) producing large responses. Implementing HIF will highly limit the percentage of DDoS reflection amplification attacks especially if it is modified to include the mitigation of other DDoS reflection amplification attacks like Network Time protocol (NTP)

Keywords: Cloud Computing, Virtualization, Hypervisor, DNS, DDoS, DNS Reflection Amplification DDoS Attack, Ingress/Egress Filtering, IP Spoofing