Cloud Computing Patterns, Mechanisms > Network Security, Identity & Access Management and Trust Assurance Patterns > Cloud Traffic Hijacking Protection
Cloud Traffic Hijacking Protection (Cope, Erl)
How can cloud communication be protected from traffic hijacking?
Attackers can often locate Internet service providers (ISPs) whose internal or ISP-to-ISP Border Gateway Protocol (BGP) session is susceptible to a man-in-the-middle attack. Once located, an attacker can potentially advertise any prefix they want, causing some or all traffic to be diverted from the real source towards the attacker.
A series of mechanisms are established to ensure mutually authenticated and encrypted communications data channels where possible, encryption and integrity protection of data in transit between the cloud consumer and cloud provider, as well as the monitoring and alerting of traffic anomalies.
Cloud traffic hijacking attacks can be mitigated using either a third party and/or on-premise traffic monitoring system in conjunction with validated encryption and digital signatures or authentication codes for the data in transit.
Burst In, Burst Out to Private Cloud, Burst Out to Public Cloud, Cloud Authentication, Cloud Balancing, Elastic Environment, Infrastructure-as-a-Service (IaaS), Isolated Trust Boundary, Multitenant Environment, Platform-as-a-Service (PaaS), Private Cloud, Public Cloud, Resilient Environment, Resource Workload Management, Secure Burst Out to Private Cloud/Public Cloud, Software-as-a-Service (SaaS)
Various traffic hijacking mitigations are executed.