4 responses to “When the Cloud Bursts – Someone Gets Wet…”

  1. Christofer Hoff

    It’s a bummer that I didn’t realize someone had responded to Krish’s post (the gentleman from BlueLock) since the original post and the term EDoS that Krish referred to came from my blog:


    I would have liked to have participated/contributed more in the conversation since I originated it 😉


  2. Ben Kepes

    CH sorry ’bout that – no offence intended – feel free to join in now though!

  3. weiyan

    Actually I have submitted a journal paper on Anti-virus in-the-cloud the other day, and cited Christofer’s blog article. I discussed one problem called “weak-entrance-node”, which can be used to launch so-called EDoS attacks.

    If anyone is interested, please email me, and I will send you the draft.

    Section C: DDoS and EDoS

    For AV In-the-Cloud, DDoS can also negatively affect QoA by significantly delaying virus-scan-request packets in traversing the anonymous communication network. To protect cloud server clusters from DDoS, efficient DDoS detection and mitigation solutions have been offered by ISPs or security vendors. On the other hand, currently cloud data centers are built on virtualization technologies across the world. Scalable virtual imaging technologies are low cost by mounting new server virtual images to replace old ones corrupted by attacks. Instead of launching large-scale DDoS attacks, a recent new counterpart, called Economic Denial of Sustainability (EDoS) [8], has emerged. Nowadays, some vendors pay ISPs by traffic volumes or bandwidths. By controlling some desktop machines or using botnets, attackers can deteriorate QoS of the cloud network by generating probing traffic disguised as legitimate requests, and selectively affecting the reliability of a few anonymous nodes. Owing to the “weak-entrance-node” problem, such attacks can be easily staged. Instead of driving users away from the AV cloud systems, EDoS makes these systems less reliable, though still functional. As a result, some customers may naturally attempt the communication again after the timeouts, resulting in more traffic congestion. By initiating stealthy attacks, attackers can subtly increase the traffic loads without triggering DDoS protection thresholds [9], [10]. As a result, the whole cloud networking is still seemingly fine. However, EDoS attacks are eroding the profits because the security software companies, not the customers, pay for the bandwidth for both legitimate and disguised traffic.

    D. Countermeasures and discussion

    Security standardization has not addressed the cloud yet; standards need to be made. For example, currently there exist two kinds of anonymity networks: volunteer-based and commercial networks. The whole infrastructure is maintained by volunteers all over the world. Commercial companies can either build their anonymous systems by themselves or pay ISPs to maintain the systems. If something goes wrong with the location-hidden service, who will take the responsibility, ISPs or the cloud computing service providers?

    To overcome the “weak-entrance-node” vulnerability, agreements regarding QoS, QoA, and SLAs (Service Level Agreements) should be reached between the customers and vendors. Based on the operational models of the customers, in most cases, what kind of specific service level should cloud service providers guarantee? On the customer side, the local network configurations must pass the penetration testing requirements before connecting to the cloud. A secure and robust desktop environment with low possibility of being compromised will reduce the abusive traffic and actualize economical saving for the providers.

    [8] C. Hoff, “Cloud computing security: from DDoS (Distributed Denial of Service) to EDoS (Economic Denial of Sustainability),”
    http://rationalsecurity.typepad.com/blog/2008/11/cloud-computingsecurity- from-ddos-distributed-denial-of-service-to-edos-economicdenial-of-sustaina.html.
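The excerpt above describes traffic that grows without ever crossing a DDoS protection threshold while the provider pays for the bandwidth. The sketch below is an added example, not part of the comment or the cited paper: it compares a static per-hour threshold with a one-sided CUSUM drift detector, a technique chosen here for illustration. The hourly figures, the 150 GB limit, the CUSUM parameters and the price per GB are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: 24 baseline hours of billed egress (GB), then 12 hours
# carrying a small sustained surplus, as in the stealthy case described above.
BASELINE = [100, 102, 98, 101, 99, 103, 97, 100] * 3
SURPLUS = [106, 108, 104, 107, 105, 109, 103, 106, 106, 108, 104, 107]
HOURLY_GB = BASELINE + SURPLUS
DDOS_LIMIT_GB = 150        # assumed static volumetric threshold
PRICE_PER_GB = 0.10        # assumed bandwidth price


def static_threshold_alerts(series, limit):
    """Hours a per-interval volumetric rule would flag."""
    return [i for i, v in enumerate(series) if v > limit]


def cusum_alerts(series, baseline_n, k=0.5, h=5.0):
    """One-sided CUSUM on z-scores: accumulates small, persistent excess
    over the baseline mean and alerts when the running sum exceeds h."""
    base = series[:baseline_n]
    mu, sigma = mean(base), pstdev(base) or 1.0
    s, alerts = 0.0, []
    for i in range(baseline_n, len(series)):
        z = (series[i] - mu) / sigma
        s = max(0.0, s + z - k)   # k absorbs normal jitter
        if s > h:
            alerts.append(i)
            s = 0.0               # restart accumulation after alerting
    return alerts


def excess_cost(series, baseline_n, price_per_gb):
    """Spend attributable to traffic above the baseline mean."""
    mu = mean(series[:baseline_n])
    return sum(max(0, v - mu) for v in series[baseline_n:]) * price_per_gb


if __name__ == "__main__":
    n = len(BASELINE)
    print("static alerts:", static_threshold_alerts(HOURLY_GB, DDOS_LIMIT_GB))
    print("cusum alerts: ", cusum_alerts(HOURLY_GB, n))
    print("excess cost:  ", round(excess_cost(HOURLY_GB, n, PRICE_PER_GB), 2))
```

On this data the static rule never fires, while the drift detector alerts in the second hour of the surplus; tying the alert to billed volume rather than packet rate matches the cost-driven nature of EDoS.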