Cloud Traffic Hijacking Protection (Cope, Erl)
How can cloud communication be protected from traffic hijacking?
Problem: Attackers can often locate Internet service providers (ISPs) whose internal or ISP-to-ISP Border Gateway Protocol (BGP) session is susceptible to a man-in-the-middle attack. Once such a session is located, an attacker can potentially advertise any prefix they want, causing some or all traffic to be diverted from the real source towards the attacker.
Solution: A series of mechanisms is established to ensure mutually authenticated and encrypted communication channels where possible, encryption and integrity protection of data in transit between the cloud consumer and the cloud provider, and the monitoring and alerting of traffic anomalies.
Application: Cloud traffic hijacking attacks can be mitigated using a third-party and/or on-premises traffic monitoring system in conjunction with validated encryption and digital signatures or message authentication codes for the data in transit.
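The "monitoring and alerting of traffic anomalies" mechanism in the Solution is the part of this pattern that detects a hijack rather than just hardening the channel. The following is an added example, not code from Cope and Erl's pattern catalogue: a minimal route-origin monitor that checks observed BGP announcements against an allow-list of expected (prefix, origin AS, maximum prefix length) triples, the same information an RPKI Route Origin Authorization carries, and raises an alert for the two common hijack shapes: an unauthorized origin AS, and a more-specific sub-prefix announced out of a covered block. The prefixes, AS numbers and announcements are constructed sample values, not real assignments.

```python
"""
Added example: route-origin anomaly monitor (not from the pattern catalogue).
Validates BGP announcements against ROA-style expectations and emits alerts.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str      # announced prefix, e.g. "203.0.113.0/24"
    origin_as: int   # last AS in the AS_PATH, i.e. the claimed origin


# Constructed allow-list modelled on RPKI ROAs: (prefix, origin AS, max length).
# These are documentation prefixes and private-use AS numbers, not real routes.
EXPECTED_ROAS = [
    ("203.0.113.0/24", 64500, 24),
    ("198.51.100.0/22", 64501, 24),
]


def validate(ann: Announcement) -> str:
    """Classify one announcement.

    Returns 'valid', 'unknown' (no covering expectation), or one of
    'invalid-origin', 'invalid-origin-subprefix', 'invalid-too-specific'.
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = []
    for roa_prefix, roa_as, max_len in EXPECTED_ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises on mixed address families, so check version first
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append((roa_net, roa_as, max_len))

    if not covering:
        return "unknown"

    # Valid if any covering expectation authorizes this origin at this length
    for _roa_net, roa_as, max_len in covering:
        if ann.origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"

    # Right origin but longer than allowed: a misconfiguration or a
    # more-specific leak from the legitimate holder
    if any(ann.origin_as == roa_as for _, roa_as, _ in covering):
        return "invalid-too-specific"

    # Wrong origin: distinguish a sub-prefix hijack (wins on longest match
    # everywhere) from an exact-prefix origin hijack (wins only where the
    # attacker's path is preferred)
    if any(net.prefixlen > roa_net.prefixlen for roa_net, _, _ in covering):
        return "invalid-origin-subprefix"
    return "invalid-origin"


def scan(announcements) -> list:
    """Run validate() over a feed and return alert strings for invalid routes."""
    alerts = []
    for ann in announcements:
        verdict = validate(ann)
        if verdict.startswith("invalid"):
            alerts.append(f"ALERT {verdict}: {ann.prefix} originated by AS{ann.origin_as}")
    return alerts


# Constructed sample feed, as a route collector or looking glass might expose it
SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", 64500),    # legitimate
    Announcement("203.0.113.0/24", 64666),    # exact-prefix origin hijack
    Announcement("198.51.100.0/24", 64666),   # sub-prefix hijack of the /22
    Announcement("198.51.100.0/25", 64501),   # holder exceeds its own max length
    Announcement("192.0.2.0/24", 64502),      # no expectation on file
]

if __name__ == "__main__":
    for line in scan(SAMPLE_ANNOUNCEMENTS):
        print(line)
```

An "unknown" verdict is deliberately not an alert: coverage of ROA-style expectations is never complete, and treating every uncovered prefix as a hijack would bury the real signal. In production the allow-list would be fed from RPKI validator output or the organization's own prefix register rather than a hard-coded table.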
Compound Patterns: Burst In, Burst Out to Private Cloud, Burst Out to Public Cloud, Cloud Authentication, Elastic Environment, Infrastructure-as-a-Service (IaaS), Isolated Trust Boundary, Multitenant Environment, Platform-as-a-Service (PaaS), Private Cloud, Public Cloud, Resilient Environment, Resource Workload Management, Secure Burst Out to Private Cloud/Public Cloud, Software-as-a-Service (SaaS)
Various traffic hijacking mitigations are executed.