Khaled Salah
Khalifa University
Publication
Featured research published by Khaled Salah.
utility and cloud computing | 2011
Mohammed H. Sqalli; Fahd Al-Haidari; Khaled Salah
Cloud computing is currently one of the most hyped information technology fields and it has become one of the fastest growing segments of IT. Cloud computing allows us to scale our servers in magnitude and availability in order to provide services to a greater number of end users. Moreover, adopters of the cloud service model are charged based on a pay-per-use basis of the cloud's server and network resources, aka utility computing. With this model, a conventional DDoS attack on server and network resources is transformed in a cloud environment to a new breed of attack that targets the cloud adopter's economic resource, namely Economic Denial of Sustainability attack (EDoS). In this paper, we advocate a novel solution, named EDoS-Shield, to mitigate the Economic Denial of Sustainability (EDoS) attack in the cloud computing systems. We design a discrete simulation experiment to evaluate its performance and the results show that it is a promising solution to mitigate the EDoS.
ieee symposium on security and privacy | 2013
Khaled Salah; Jose M. Alcaraz Calero; Sherali Zeadally; Sameera Almulla; Mohammed Alzaabi
This article proposes and analyzes a general cloud-based security overlay network that can be used as a transparent overlay network to provide services such as intrusion detection systems, antivirus and antispam software, and distributed denial-of-service prevention. The authors analyze each of these in-cloud security services in terms of resiliency, effectiveness, performance, flexibility, control, and cost.
International Journal of Network Management | 2006
Khaled Salah; Abdulaziz Mohammad Alkhoraidly
These days a massive deployment of VoIP is taking place over IP networks. VoIP deployment is a challenging task for network researchers and engineers. This paper presents a detailed simulation approach for deploying VoIP successfully. The simulation uses the OPNET network simulator. Recently OPNET has gained a considerable popularity in both academia and industry, but there is no formal or known approach or methodology as to how OPNET can be used to assess the support and readiness of an existing network in deploying VoIP. Our approach and work presented in this paper predict, prior to the purchase and deployment of VoIP equipment, the number of VoIP calls that can be sustained by an existing network while satisfying QoS requirements of all network services and leaving adequate capacity for future growth. As a case study, we apply the simulation approach on a typical network of a small enterprise. The paper presents a detailed description of simulation models for network topology and elements using OPNET. The paper describes modeling and representation of background and VoIP traffic, as well as various simulation configurations. Moreover, the paper discusses many design and engineering issues pertaining to the deployment of VoIP. These issues include characteristics of VoIP traffic and QoS requirements, VoIP flow and call distribution, defining future growth capacity, and measurement and impact of background traffic.
IEEE Transactions on Network and Service Management | 2012
Khaled Salah; Khalid Elbadawi; Raouf Boutaba
Network firewalls act as the first line of defense against unwanted and malicious traffic targeting Internet servers. Predicting the overall firewall performance is crucial to network security engineers and designers in assessing the effectiveness and resiliency of network firewalls against DDoS (Distributed Denial of Service) attacks as those commonly launched by today's Botnets. In this paper, we present an analytical queueing model based on the embedded Markov chain to study and analyze the performance of rule-based firewalls when subjected to normal traffic flows as well as DoS attack flows targeting different rule positions. We derive equations for key features and performance measures of engineering and design significance. These features and measures include throughput, packet loss, packet delay, and firewall's CPU utilization. In addition, we verify and validate our analytical model using simulation and real experimental measurements.
Computer Communications | 2009
Khaled Salah; A. Qahtan
The performance of network hosts can be severely degraded when subjected to heavy traffic of today's Gigabit networks. This degradation occurs as a result of the interrupt overhead associated with the high rate of packet arrivals. NAPI, a packet reception mechanism integrated into the latest version of Linux networking subsystem, was designed to improve Linux performance to suit today's Gigabit traffic. NAPI is definitely a major step up from earlier reception mechanisms; however, NAPI has shortcomings and its performance can be further enhanced. A hybrid interrupt-handling scheme, which was recently proposed in Salah et al. [K. Salah, K. El-Badawi, F. Haidari, Performance Analysis and Comparison of Interrupt-Handling Schemes in Gigabit Networks, International Journal of Computer Communications, Elsevier, Amsterdam 30 (17) (2007) 3425-3441], can better improve the performance of Gigabit network hosts. The hybrid scheme switches between interrupt disabling-enabling (DE) and polling (NAPI). In this paper, we present and discuss major changes required to implement such a hybrid scheme in the latest version of Linux kernel 2.6.15. We prove experimentally that the hybrid scheme can significantly improve the performance of general-purpose network desktops or servers running network I/O-bound applications, when subjecting such network hosts to both light and heavy traffic load conditions. The performance is measured and analyzed in terms of throughput, packet loss, latency, and CPU availability.
Computer Communications | 2006
Khaled Salah
Deploying IP telephony or voice over IP (VoIP) is a major and challenging task for data network researchers and designers. This paper outlines guidelines and a step-by-step methodology on how VoIP can be deployed successfully. The methodology can be used to assess the support and readiness of an existing network. Prior to the purchase and deployment of VoIP equipment, the methodology predicts the number of VoIP calls that can be sustained by an existing network while satisfying QoS requirements of all network services and leaving adequate capacity for future growth. As a case study, we apply the methodology steps on a typical network of a small enterprise. We utilize both analysis and simulation to investigate throughput and delay bounds. Our analysis is based on queueing theory, and OPNET is used for simulation. Results obtained from analysis and simulation are in line and give a close match. In addition, the paper discusses many design and engineering issues. These issues include characteristics of VoIP traffic and QoS requirements, VoIP flow and call distribution, defining future growth capacity, and measurement and impact of background traffic.
ieee international conference on cloud networking | 2012
Khaled Salah; Raouf Boutaba
This paper presents a Markovian analytical model to estimate service response time for elastic cloud applications. Given the expected application workload, the number of virtual machine (VM) instances, and the capacity of each VM instance, the model can approximate the mean service time. The mean service time is a critical metric to estimate, and contributes to the SLA end-to-end response time experienced by application users. The end-to-end response time is an aggregated delay of the service time in addition to delays incurred at the network nodes and links. Our analytical model focuses on estimating the mean service time; however, the model is sufficiently general and can be extremely useful in studying cloud performance. Equations for key performance measures are derived. These measures include mean response time, throughput, request loss, queueing probability, and CPU utilization. The correctness of the model has been verified using discrete-event simulation.
Journal of Network and Computer Applications | 2010
Khaled Salah; A. Kahtani
In this paper, we present an experimental evaluation and comparison of the performance of Snort NIDS when running under the two popular platforms of Linux and Windows 2003 Server. Snort's performance is measured when subjecting a PC host running Snort to both normal and malicious traffic, and with different traffic load conditions. Snort's performance is evaluated and compared in terms of throughput and packet loss. In order to offer sound interpretations and get better insight into the behavior of Snort, we also measure the packet loss encountered at the kernel level. In addition, we identify key system parameters (for both Linux and Windows) that provide a fine-grained control over the percentage of the CPU bandwidth allocated to Snort application and can consequently impact its performance. We investigate such an impact, and determine the most appropriate values to improve and optimize Snort's performance. Specifically, for Windows we investigate the impact of customizing the Processor Scheduling configuration option; and for Linux, we investigate the impact of tuning the Budget configurable parameter used in the Linux kernel's packet reception mechanism.
Journal of Network and Computer Applications | 2008
Khaled Salah; Prasad Calyam; M. I. Buhari
OPNET is a powerful network design and simulation tool that has gained popularity in industry and academia. However, there exists no known simulation approach on how to deploy a popular real-time network service such as videoconferencing. This paper demonstrates how OPNET can be leveraged to assess the readiness of existing IP networks to support desktop videoconference. To date, OPNET does not have built-in features to support videoconferencing or its deployment. The paper offers remarkable details on how to model and configure OPNET for such a purpose. The paper considers two types of video traffic (viz. fixed and empirical video packet sizes). Empirical video packet sizes are collected from well-known Internet traffic traces. The paper presents in-depth analysis and interpretation of simulation results and shows how to draw proper engineering conclusions.
Computer Communications | 2007
Khaled Salah; K. El-Badawi; F. Haidari
Interrupt processing can be a major bottleneck in the end-to-end performance of Gigabit networks. The performance of Gigabit network end hosts or servers can be severely degraded due to interrupt overhead caused by heavy incoming traffic. In particular, excessive latency and significant degradation in system throughput can be encountered. Also, user applications may livelock as the CPU power gets mostly consumed by interrupt handling and protocol processing. A number of interrupt-handling schemes have been proposed and employed to mitigate the interrupt overhead and improve OS performance. Among the most popular interrupt-handling schemes are normal interruption, polling, interrupt coalescing, and disabling and enabling of interrupts. In previous work, we presented a preliminary analytical study and models of normal interruption and interrupt coalescing. In this article, we extend our analysis and modeling to include polling and the scheme of interrupt disabling and enabling. For polling, we study both pure (or FreeBSD-style) polling and Linux NAPI polling. The performances for all these schemes are compared using both mathematical analysis and discrete-event simulation. The performance is studied in terms of three key performance indicators: throughput, system latency, and the residual CPU bandwidth available for user applications. As opposed to our previous work, we consider not only Poisson traffic, but also bursty traffic with empirical packet size distribution. Our analysis and simulation work gives insight into predicting the system performance and behavior when employing a certain interrupt-handling scheme. It is concluded that no single interrupt-handling scheme outperforms all other schemes under all traffic conditions. Based on obtained results, we propose and discuss a novel hybrid scheme of interrupt disabling-enabling and pure polling in order to attain peak performance under low and heavy traffic loads.