DDHCS: Distributed Denial-of-service Threat to YARN Clusters based on Health Check Service

Wenting Li, Qingni Shen, Chuntao Dong, Yahui Yang, Zhonghai Wu

Abstract

Distributed denial-of-service (DDoS) attack continues to grow as a threat to organizations worldwide. This attack is used to consume the resources of the target machine and prevent the legitimate users from accessing them. This paper studies the vulnerabilities of Health Check Service in Hadoop/YARN and the threat of denial-of-service to a YARN cluster with multi-tenancy. We use theoretical analysis and numerical simulations to demonstrate the effectiveness of this DDoS attack based on health check service (DDHCS). Our experiments show that DDHCS is capable of causing significant impacts on the performance of a YARN cluster in terms of high attack broadness (averagely 85.6%), high attack strength (more than 80%) and obviously resource utilization degradation. In addition, some novel schemes are proposed to prevent DDHCS attack efficiently by improving the YARN security.

References

  1. Alarifi, S., & Wolthusen, S. D. (2014, April). Mitigation of Cloud-Internal Denial of Service Attacks. In Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on (pp. 478-483). IEEE.
  2. Barham, P., Donnelly, A., Isaacs, R., & Mortier, R. (2004, December). Using Magpie for Request Extraction and Workload Modelling. In OSDI (Vol. 4, pp. 18-18).
  3. Chen, M. Y., Kiciman, E., Fratkin, E., Fox, A., & Brewer, E. (2002). Pinpoint: Problem determination in large, dynamic internet services. InDependable Systems and Networks, 2002. DSN 2002. Proceedings. International Conference on (pp. 595-604). IEEE.
  4. Criscuolo, P. J. (2000). Distributed Denial of Service: Trin00, Tribe Flood Network, Tribe Flood Network 2000, and Stacheldraht CIAC-2319 (No. CIAC-2319). CALIFORNIA UNIV LIVERMORE RADIATION LAB.
  5. Durcekova, V., Schwartz, L., & Shahmehri, N. (2012, May). Sophisticated denial of service attacks aimed at application layer. In ELEKTRO, 2012 (pp. 55-60). IEEE.
  6. Ficco, M., & Rak, M. (2015). Stealthy denial of service strategy in cloud computing. Cloud Computing, IEEE Transactions on, 3(1), 80-94.
  7. Girma, A., Garuba, M., Li, J., & Liu, C. (2015, April). Analysis of DDoS Attacks and an Introduction of a Hybrid Statistical Model to Detect DDoS Attacks on Cloud Computing Environment. In Information Technology-New Generations (ITNG), 2015 12th International Conference on (pp. 212-217). IEEE.
  8. Hameed, S., & Ali, U. (2015). On the Efficacy of Live DDoS Detection with Hadoop. arXiv preprint arXiv:1506.08953.
  9. Huang, J., Nicol, D. M., & Campbell, R. H. (2014, June). Denial-of-Service Threat to Hadoop/YARN Clusters with Multi-Tenancy. In Big Data (BigData Congress), 2014 IEEE International Congress on (pp. 48-55). IEEE.
  10. Huseyin Ulusoy, Pietro Colombo, Elena Ferrari, Murat Kantarcioglu, Erman Pattuk. (2015, April). GuardMR: Fine-grained Security Policy Enforcement for MapReduce System. ASIA CCS'15.
  11. Karthik, S., & Shah, J. J. (2014, February). Analysis of simulation of DDOS attack in cloud. In Information Communication and Embedded Systems (ICICES), 2014 International Conference on (pp. 1-5). IEEE.
  12. Khattak, R., Bano, S., Hussain, S., & Anwar, Z. (2011, December). DOFUR: DDoS Forensics Using MapReduce. In Frontiers of Information Technology (FIT), 2011 (pp. 117-120). IEEE.
  13. Kholidy, H., & Baiardi, F. (2012, April). CIDS: a framework for intrusion detection in cloud systems. In Information Technology: New Generations (ITNG), 2012 Ninth International Conference on (pp. 379- 385). IEEE.
  14. Kholidy, H., Baiardi, F., & Hariri, S. (2015). DDSGA: A Data-Driven Semi-Global Alignment Approach for Detecting Masquerade Attacks. Dependable and Secure Computing, IEEE Transactions on, 12(2), 164- 178.
  15. Kiciman, E., & Fox, A. (2005). Detecting applicationlevel failures in component-based internet services. Neural Networks, IEEE Transactions on, 16(5), 1027- 1041.
  16. Koskinen, E., & Jannotti, J. (2008, April). Borderpatrol: isolating events for black-box tracing. In ACM SIGOPS Operating Systems Review (Vol. 42, No. 4, pp. 191-203). ACM.
  17. Lee, Y., Kang, W., & Lee, Y. (2011). A hadoop-based packet trace processing tool (pp. 51-63). Springer Berlin Heidelberg.
  18. Lee, Y., & Lee, Y. (2011, December). Detecting ddos attacks with hadoop. InProceedings of The ACM CoNEXT Student Workshop (p. 7). ACM.
  19. Mizukoshi, M., & Munetomo, M. (2015, May). Distributed denial of services attack protection system with genetic algorithms on Hadoop cluster computing framework. In Evolutionary Computation (CEC), 2015 IEEE Congress on (pp. 1575-1580). IEEE.
  20. O'Malley, O., Zhang, K., Radia, S., Marti, R., & Harrell, C. (2009). Hadoop security design. Yahoo, Inc., Tech. Rep.
  21. Sabahi, F. (2011, May). Cloud computing security threats and responses. InCommunication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on (pp. 245-249). IEEE.
  22. Specht, S. M., & Lee, R. B. (2004, September). Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures. In ISCA PDCS (pp. 543- 550).
  23. Vavilapalli, V. K., Murthy, A. C., Douglas, C., Agarwal, S., Konar, M., Evans, R., & Baldeschwieler, E. (2013, October). Apache hadoop yarn: Yet another resource negotiator. In Proceedings of the 4th annual Symposium on Cloud Computing (p. 5). ACM.
  24. Wu, H., Tantawi, A. N., & Yu, T. (2013, June). A selfoptimizing workload management solution for cloud applications. In Web Services (ICWS), 2013 IEEE 20th International Conference on (pp. 483-490). IEEE.
Download


Paper Citation


in Harvard Style

Li W., Shen Q., Dong C., Yang Y. and Wu Z. (2016). DDHCS: Distributed Denial-of-service Threat to YARN Clusters based on Health Check Service . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 146-156. DOI: 10.5220/0005741801460156


in Bibtex Style

@conference{icissp16,
author={Wenting Li and Qingni Shen and Chuntao Dong and Yahui Yang and Zhonghai Wu},
title={DDHCS: Distributed Denial-of-service Threat to YARN Clusters based on Health Check Service},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={146-156},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005741801460156},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - DDHCS: Distributed Denial-of-service Threat to YARN Clusters based on Health Check Service
SN - 978-989-758-167-0
AU - Li W.
AU - Shen Q.
AU - Dong C.
AU - Yang Y.
AU - Wu Z.
PY - 2016
SP - 146
EP - 156
DO - 10.5220/0005741801460156