**4. Existing cloud security solutions**

The focus of this research is on distributed denial of service (DDoS) attacks on the cloud. The authors researched existing cloud security solutions and also present an implementable solution focusing on DDoS mitigation for IT infrastructure. The authors define the scope and recommend a few focus areas:


DDoS attack mitigation solutions are discussed here from a design perspective:

a. **On-premise based:** A dedicated on-premise DDoS attack mitigation solution is highly desirable for government entities, financial institutions, and healthcare, but not beneficial for all. When the highest level of security is mandatory and organizations prefer to give as little visibility as possible into their customer data or their encryption certificates, and to as few third-party providers as possible, this can be regarded as a limited-scope option. On-premise DDoS devices can store encryption certificates and inspect traffic locally without any scrubbing, redirection, or inspection. The mitigation device would be required to guard against numerous DDoS vectors such as flooding (UDP/ICMP, SYN), SSL-based, application layer (HTTP GET/POST), or low and slow attacks. With mitigation systems in house, the proximity to data center resources is useful, and the systems can be fine-tuned immediately by the in-house IT teams. These teams tend to have much more awareness of their setup and of any changes in traffic flows or from the application servers. Thus, they tend to have a higher chance of detecting any suspicious trends or traffic requests.

	- Cannot detect and block application layer attacks and slow attacks.
	- Unable to defend stateful infrastructure systems like firewalls or IPS.
	- Unable to deal with attacks like application layer attacks, state exhaustion, and multi-vector attacks.
	- Widest security coverage, which can only be achieved by combining on-premise and cloud coverage.
	- Shortest response time by using an on-premise solution that starts immediately and automatically to mitigate the attack.
	- Single point of contact during an attack, both for on-premise and cloud mitigation.
	- Scalability—each tier is independent of the other and can scale horizontally; if there is a web application attack spike, adding extra WAF devices to ensure enough WAF capability can be done within the application defense tier without affecting the network tier.
	- Performance—because requests come in tiers, network utilization is minimized and load is reduced overall.

*Cloud Computing Security Services to Mitigate DDoS Attacks*

• Availability—with hybrid solutions, if the first or second tier is down, at least there is one tier left to serve consumer requests. This satisfies the BCP of the organisation.

• Vendor independence—network and application protection infrastructure can be set up using hardware systems or even specific software program versions.

• Policy independence—when new policies are implemented at the application defense tier, the other tier directs only that specific traffic toward the policies until they are established and ready for production use.

**5. Proposed DDoS solution**

Based on the evolving threats and impact of attacks, corporate firms having their own cloud services, as well as cloud providers, implement DDoS mitigation using a hybrid cloud architecture. When there are multi-vector DDoS attacks targeted at layers 3, 4, and 7, mitigation strategies are essential. These mitigation strategies assist in detecting and preventing volumetric, application, and encrypted attack vectors. The public cloud's capabilities are used to provide scalability, taking on floods and acting as the first point of defense, with network and web application firewalls detecting attack traffic and mitigating the DDoS threats, while the SaaS application, web portals, and backend database reside securely in the in-house private data center. For this research, the experimental environment involved network infrastructure architectures being designed and set up to test the proposed DDoS solution, having the following hardware and software:

• Cisco 4000 ISR Series Routers and Cisco Nexus 5000 Series Switch for routing and switching

• Big IP LTM-4200 for high-performance application traffic load management

• Cisco Firepower FPR-2110, Imperva Web Application Firewall Gateway with Manager Console

• HP DL-360G8 1U-Rackmount with Intel E5, 128 GB DDR3, 32 TB SSD Servers

• VMware NSX-T 3.0 virtualization software on bare-metal HP Server

• Front End Web Portal with .NET supporting 2-Factor authentication

• Back End Database running Microsoft SQL Datacenter license on Windows 2012 OS

• DDoS Tools for attack simulation: LOIC or Low Orbit Ion Cannon, HOIC or High Orbit Ion Cannon, Packet Storm (HTTP Unbearable Load King), Are You Dead Yet (R.U.D.Y), Motoma IO's PyLoris, Slowloris and TOR's Hammer

• SaaS Application running Windows Server 2012 64-bit OS

*DOI: http://dx.doi.org/10.5772/intechopen.92683*

