
Improving Cloud Performance with Router-Based Filtering

Chapter in: High Performance Cloud Auditing and Applications

Abstract

Our goal in this chapter is to introduce a router-based filtering technology aimed at enhancing the availability and performance of cloud computing. When this technology is integrated with cloud auditing methods, it can make use of cloud auditing information to detect malicious intrusion and traffic anomalies, and to define appropriate filtering rules that can be exchanged between routers in the network, for filtering malicious traffic early and rerouting excessive legitimate requests to other suitable replicated servers. We first give an overview of the specification and generation of filtering rules used by routers. Then we present a theoretical model to find the best locations for hardware routers in a network to block malicious traffic, and discuss how to integrate this theoretical model with cloud auditing techniques. Finally, we present results of experiments that validate our router-based filtering approach.

“Approved for Public Release; Distribution Unlimited: 88ABW-2013-0140, 18-Jan-2013”



Acknowledgements

This material is based upon work partially supported by the National Science Foundation (NSF) grants CNS-0916857, the Air Force Office of Scientific Research (AFOSR) Summer Faculty Fellow Program (SFFP), the Air Force Research Laboratory (AFRL) Visiting Faculty Research Program (VFRP), and AFOSR/AFRL LRIR 11RI01COR.

Corresponding author: Chin-Tser Huang.

Copyright information

© 2014 Springer Science+Business Media New York

Cite this chapter

Huang, C.T., Carroll, H., Perretta, J. (2014). Improving Cloud Performance with Router-Based Filtering. In: Han, K., Choi, B.Y., Song, S. (eds) High Performance Cloud Auditing and Applications. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-3296-8_13

  • DOI: https://doi.org/10.1007/978-1-4614-3296-8_13

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-3295-1

  • Online ISBN: 978-1-4614-3296-8

  • eBook Packages: Engineering (R0)
