2

DDoS protection for OpenStack Clouds

asked 2014-03-03 15:18:03 -0500

cloudssky

updated 2014-03-10 17:07:32 -0500

Is there any DoS / DDoS protection system which can be built into OpenStack? I could find some information about OpenDaylight and Defense4All for Distributed Denial of Service (DDoS) attack protection here:

https://wiki.opendaylight.org/view/Pr...

Does anybody have any real-world experience with DDoS protection for OpenStack (private) Clouds?

Or is there somebody out there who is currently working on this issue?

Which steps are needed to submit a blueprint to the OpenStack Foundation?

Thanks!


Comments

I've been pondering this as well but I suspect some new blueprints are required to support this type of functionality. Interested in any answers to the contrary!

sgordon ( 2014-03-03 22:01:20 -0500 )

Do we need some kind of sponsoring for the blueprints? I guess the OS King might be the best sponsor, or the Queen :-)

cloudssky ( 2014-03-10 16:46:18 -0500 )

OpenStack development is open to anyone who wishes to participate in implementing new features, fixing bugs, documenting existing software, or really anywhere you want to help out. If you want to work on this, I'm sure your efforts will be welcome. https://wiki.openstack.org/wiki/How_To_Contribute

fungi ( 2014-03-11 21:02:06 -0500 )

@fungi: Thanks, ok, we will submit our first thoughts on this issue here and see how to register a blueprint as described here: https://wiki.openstack.org/wiki/Blueprints#Creation and provide a link to the blueprint later and hopefully implement the solution by the release after Icehouse.

cloudssky ( 2014-03-12 10:09:08 -0500 )

2 answers

1

answered 2014-03-12 13:48:28 -0500

Maybe it's me, but wouldn't you not want your OS to filter those requests? The benefit to what Radware has developed is that it's a small module that punts flows to a central or cluster location for scrubbing. It uses information based on a current baseline of the incoming/outgoing requests at different intervals of the day to determine malicious or anomalous traffic. This eases any additional load that your OpenStack environment would have to undertake.

You could filter keystone requests via a firewall but you are still susceptible to resource exhaustion. You're better off having an API gateway that's validating your requests.

0

answered 2014-03-12 13:37:58 -0500

cloudssky

Our thoughts: the right direction is to go with OpenDaylight and see how the integration is proceeding with OpenStack.

Today we could read this news from Radware:

Radware Releases Defense4All, Industry-First Open SDN Security Application for OpenDaylight Project. http://www.radware.com/NewsEvents/Pre...

But till the solution is implemented and fully tested, we might have a faster solution.

Thanks to Ashish Chaudhari, who provided some great suggestions on this issue, I'll paste a conclusion from our conversation yesterday here:

From what we have learnt, to perform a DDoS attack on swift, cinder and nova, attackers will need a temp key or session key. An attacker can get this session key via keystone, as it is the entry point to the cloud. So one solution can be to filter the request addresses using a firewall at keystone, or to give access to certified users only. OpenStack has a built-in firewall. But from the description given it seems that the firewall filter rules are limited to virtual information, i.e. id, tenant_id, name and password.

We are not sure if OS can filter user requests based on IP addresses. That way a certificate system can be used for trusted users at keystone level. But it will still not limit the multiple requests sent to the firewall by anonymous packets. We think we can tackle this by implementing one more layer of daemon, which has a dynamic thread pool system to pass the trusted packets on a priority basis.
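The gateway-side request limiting that both answers above point to, sketched as an added example that is not part of the original thread or of any OpenStack component: anonymous callers are limited per source IP and by one shared budget, clients with a verified certificate get their own budget, and the limiter's state is bounded so it cannot itself be exhausted. The class names, limits and the use of a certificate fingerprint as client identity are assumptions.

```python
import time
from collections import OrderedDict

class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst      # tokens per second, max stored tokens
        self.tokens, self.stamp = burst, now

    def allow(self, now):
        # Refill for the elapsed time (capped at burst), then try to spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class AuthAdmission:
    """Hypothetical admission control in front of an auth (Keystone-style) endpoint."""

    def __init__(self, trusted_fps, per_ip=(1.0, 5), anon_total=(50.0, 100),
                 per_cert=(20.0, 40), max_entries=10000):
        self.trusted_fps = set(trusted_fps)   # fingerprints of verified client certificates
        self.per_ip, self.per_cert, self.anon_total = per_ip, per_cert, anon_total
        self.max_entries = max_entries        # hard bound on limiter state
        self.buckets = OrderedDict()          # key -> TokenBucket, kept in LRU order
        self.shared = None                    # one bucket shared by all anonymous traffic

    def _bucket(self, key, limits, now):
        b = self.buckets.pop(key, None) or TokenBucket(*limits, now)
        self.buckets[key] = b                 # re-insert as most recently used
        if len(self.buckets) > self.max_entries:
            self.buckets.popitem(last=False)  # evict the least recently used entry
        return b

    def admit(self, src_ip, cert_fp=None, now=None):
        """Return 'trusted', 'anonymous' or 'reject' (answer with HTTP 429)."""
        now = time.monotonic() if now is None else now
        if cert_fp in self.trusted_fps:
            # Trusted clients are keyed by certificate and never touch the anonymous budget.
            ok = self._bucket(("cert", cert_fp), self.per_cert, now).allow(now)
            return "trusted" if ok else "reject"
        if self.shared is None:
            self.shared = TokenBucket(*self.anon_total, now)
        # Per-IP bucket first, so one noisy address cannot drain the shared budget.
        ok = self._bucket(("ip", src_ip), self.per_ip, now).allow(now) and self.shared.allow(now)
        return "anonymous" if ok else "reject"
```

The returned class can be used to route admitted requests to separate worker pools, so that trusted traffic keeps its capacity while the anonymous budget is saturated.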


Stats

Asked: 2014-03-03 15:18:03 -0500

Seen: 1,635 times

Last updated: Mar 12 '14