Last year Krish posted about so-called Economic Denial of Sustainability attacks, where malicious requests are sent to utility computing providers that would results in a hefty ramping up of the vendors costs. In his post Krish invited those with a good understanding of the security issues around cloud computing to contact us and look at contributing.
First to respond was Pat O’Day. Pat is the CTO of BlueLock, an Infrastructure as a Service vendor. We’d be keen to hear more feedback about this and the oringal post. As always you’re welcome to contact us.
Today if someone is not using the cloud and they come under a DOS or DDOS attack, their application will generally crash under the load. I would argue that for most mainstream ecommerce or SaaS applications that the cost of downtime is significantly greater than any fees that might be imposed upon you by an insensitive cloud provider.
That being said, even with a cloud, a DOS/DDOS attack will still crash the application it will just take longer. Cloud providers cannot themselves take the risk of giving every individual application full unrestricted access to their excess capacity, so every application is put into a resource box. The box is typically much larger than what the application would normally need with some allowance for burst, but isn’t large enough to allow one application to cause harm to its neighbors or much worse, take the entire cloud itself offline.
Here are some graphs that I mocked up quickly to illustrate the point.
Traditional web facing application, no cloudburst capability, crashes at ~800 concurrent user sessions under a DDOS attack in about 15 minutes.
Cloud hosted web application with about 350% burst capability, crashes at ~3000 concurrent user sessions under a DDOS attack in about 20 minutes.
So your fees for that time period might reflect a lot of excess capacity within your resource box for a short number of minutes prior to the crash, but they’re hardly a financial tornado, especially if you have an understanding cloud provider. Network providers have had this model in use for over a decade on their burstable product lines and it works very well to provide capacity on demand, but not create a large financial exposure risk.
Another scenario would be where someone might not do a full DOS/DDOS, but might just want to create some additional drag on the application knowing it’s in the cloud. Here I add 20% load from a nefarious source attempting to increase the load and tweak up the bill, but not crash the application. A 20% cost increase might be a big deal to some folks, but again, attackers can do this to non-cloud based applications. So either you burst into the cloud to address it, or if you aren’t in the cloud, buy more cpu, ram, network gear, bandwidth, software licenses and someone to figure all that out for you. This isn’t just a cloud problem.