Abstract

The ubiquitous growth in the popularity of public cloud computing platforms as seen today entails an inherent risk: the shared nature of data center networks (DCNs) renders co-hosted tenants susceptible to attacks from within the network. In this paper, we discuss the security mechanisms offered by popular cloud service providers at present, and explore the extent to which existing data center networks might be vulnerable to internal denial-of-service attacks. We describe two categories of attacks: the first comprising those that are easy to mount, but are ill-disguised and conform to traditional attack patterns (overt attacks), and the second comprising hard-to-detect covert attacks that involve a greater complexity of deployment, but also show greater impacts. Finally, we discuss attack-mitigation schemes that employ common network mechanisms, such as TCP pacing and Network Virtualization, and also present a new source-based filtering scheme to regulate network communications.