Last year Krish posted about so-called Economic Denial of Sustainability attacks, where malicious requests are sent to utility computing providers that would result in a hefty ramping up of the vendor's costs. In his post Krish invited those with a good understanding of the security issues around cloud computing to contact us and look at contributing.
First to respond was Pat O'Day. Pat is the CTO of BlueLock, an Infrastructure as a Service vendor. We'd be keen to hear more feedback about this and the original post. As always you're welcome to contact us.
Today if someone is not using the cloud and they come under a DoS or DDoS attack, their application will generally crash under the load. I would argue that for most mainstream ecommerce or SaaS applications the cost of downtime is significantly greater than any fees that might be imposed upon you by an insensitive cloud provider.
That being said, even with a cloud, a DoS/DDoS attack will still crash the application; it will just take longer. Cloud providers cannot themselves take the risk of giving every individual application full unrestricted access to their excess capacity, so every application is put into a resource box. The box is typically much larger than what the application would normally need, with some allowance for burst, but isn't large enough to allow one application to cause harm to its neighbors or, much worse, take the entire cloud itself offline.
Here are some graphs that I mocked up quickly to illustrate the point.
Traditional web-facing application, no cloudburst capability: crashes at ~800 concurrent user sessions under a DDoS attack in about 15 minutes.
Cloud-hosted web application with about 350% burst capability: crashes at ~3000 concurrent user sessions under a DDoS attack in about 20 minutes.
So your fees for that time period might reflect a lot of excess capacity within your resource box for a few minutes prior to the crash, but they're hardly a financial tornado, especially if you have an understanding cloud provider. Network providers have had this model in use for over a decade on their burstable product lines, and it works very well to provide capacity on demand without creating a large financial exposure risk.
Another scenario would be where someone might not do a full DoS/DDoS, but might just want to create some additional drag on the application, knowing it's in the cloud. Here I add 20% load from a nefarious source attempting to increase the load and tweak up the bill, but not crash the application. A 20% cost increase might be a big deal to some folks, but again, attackers can do this to non-cloud-based applications. So either you burst into the cloud to address it, or, if you aren't in the cloud, buy more CPU, RAM, network gear, bandwidth, software licenses and someone to figure all that out for you. This isn't just a cloud problem.
It’s a bummer that I didn’t realize someone had responded to Krish’s post (the gentleman from BlueLock) since the original post and the term EDoS that Krish referred to came from my blog:
http://rationalsecurity.typepad.com/blog/2008/11/cloud-computing-security-from-ddos-distributed-denial-of-service-to-edos-economic-denial-of-sustaina.html
I would have liked to have participated/contributed more in the conversation since I originated it 😉
/Hoff
CH sorry ’bout that – no offence intended – feel free to join in now though!
Actually I have submitted a journal paper on anti-virus in-the-cloud the other day, and cited Christofer's blog article. I discussed one problem called "weak-entrance-node", which can be used to launch so-called EDoS attacks. If anyone is interested, please email me, and I will send you the draft.
Section C: DDoS and EDoS
…
For AV in-the-cloud, DDoS can also negatively affect QoA by significantly delaying virus-scan-request packets traversing the anonymous communication network. To protect cloud server clusters from DDoS, efficient DDoS detection and mitigation solutions have been offered by ISPs or security vendors. On the other hand, cloud data centers are currently built on virtualization technologies across the world. Scalable virtual imaging technologies keep costs low by mounting new virtual server images to replace old ones corrupted by attacks.

Instead of launching large-scale DDoS attacks, a recent new counterpart, called Economic Denial of Sustainability (EDoS) [8], has emerged. Nowadays, some vendors pay ISPs by traffic volume or bandwidth. By controlling some desktop machines or using botnets, attackers can degrade the QoS of the cloud network by generating probing traffic disguised as legitimate requests and selectively affecting the reliability of a few anonymous nodes. Owing to the "weak-entrance-node" problem, such attacks can be easily staged. Instead of driving users away from the AV cloud systems, EDoS makes these systems less reliable, though still functional. As a result, some customers may naturally attempt the communication again after the timeouts, resulting in more traffic congestion. By initiating stealthy attacks, attackers can subtly increase the traffic load without triggering DDoS protection thresholds [9], [10]. As a result, the whole cloud network still seems fine. However, EDoS attacks erode profits because the security software companies, not the customers, pay for the bandwidth for both legitimate and disguised traffic.
…
D. Countermeasures and discussion
…
Security standardization has not addressed the cloud yet; standards need to be made. For example, there currently exist two kinds of anonymity networks: volunteer-based and commercial networks. In the former, the whole infrastructure is maintained by volunteers all over the world. Commercial companies can either build their anonymous systems by themselves or pay ISPs to maintain the systems. If something goes wrong with the location-hidden service, who will take the responsibility, ISPs or the cloud computing service providers?

To overcome the "weak-entrance-node" vulnerability, agreements regarding QoS, QoA, and SLAs (Service Level Agreements) should be reached between the customers and vendors. Based on the operational models of the customers, what specific service level should cloud service providers guarantee in most cases? On the customer side, the local network configurations must pass the penetration testing requirements before connecting to the cloud. A secure and robust desktop environment with a low possibility of being compromised will reduce the abusive traffic and realize economic savings for the providers.
…
[8] C. Hoff, "Cloud computing security: from DDoS (Distributed Denial of Service) to EDoS (Economic Denial of Sustainability)," http://rationalsecurity.typepad.com/blog/2008/11/cloud-computing-security-from-ddos-distributed-denial-of-service-to-edos-economic-denial-of-sustaina.html
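The two threads above make one claim that is easy to check numerically: Pat's "20% extra drag" scenario and the paper excerpt's stealthy EDoS both describe load that stays under a volumetric DDoS threshold, while the bill still grows because every arrival is paid for and timed-out users retry. The following is an added example, not code from the original post, from BlueLock, or from the cited paper. It is a small discrete-time model of a capped "resource box" service whose provider is billed per byte, with a classic rate-threshold detector beside a cost-per-served-request detector. Every number in it (6000 requests/min, 10% headroom, 1500 bytes/request, 50% retry rate, the 2x flood threshold) is a constructed assumption, as are the function names.

```python
# Added example: not code from the original post, from BlueLock, or from the cited
# paper. It simulates the "20% extra load" scenario above against a service whose
# provider pays per byte, including the retry effect the paper excerpt describes,
# and runs two detectors over the result. All traffic numbers are constructed.
from dataclasses import dataclass


@dataclass
class Minute:
    legit: float         # legitimate requests arriving this minute, retries included
    attack: float        # attacker requests disguised as legitimate ones
    served_legit: float  # legitimate requests that got a response
    timed_out: float     # requests of either kind that hit the capacity cap
    billed_bytes: float  # bytes the provider is billed for, served or not


def simulate(minutes, legit_per_min, attack_per_min, capacity_per_min,
             retry_fraction, bytes_per_request):
    """Discrete-time model of a capped ("resource box") service under stealthy load.

    Arrivals beyond capacity_per_min time out. Drops are assumed random, so the
    legitimate share of the timeouts equals the legitimate share of arrivals, and
    retry_fraction of the timed-out legitimate clients try again next minute.
    Every arrival is billed, which is the EDoS point: the provider pays for the
    disguised traffic too.
    """
    history = []
    retries = 0.0
    for _ in range(minutes):
        legit = legit_per_min + retries
        total = legit + attack_per_min
        served = min(total, capacity_per_min)
        timed_out = total - served
        legit_share = legit / total
        history.append(Minute(
            legit=legit,
            attack=attack_per_min,
            served_legit=served * legit_share,
            timed_out=timed_out,
            billed_bytes=total * bytes_per_request,
        ))
        retries = timed_out * legit_share * retry_fraction
    return history


def rate_threshold_alarm(history, threshold_per_min):
    """Classic volumetric DDoS rule: alarm if arrivals ever exceed a fixed rate."""
    return any(m.legit + m.attack > threshold_per_min for m in history)


def cost_per_served_legit(history):
    """Billed bytes divided by legitimate requests actually served."""
    billed = sum(m.billed_bytes for m in history)
    served = sum(m.served_legit for m in history)
    return billed / served


def cost_baseline_alarm(history, baseline_cost, tolerance=0.10):
    """EDoS-oriented rule: alarm if the cost of serving one legitimate request
    drifts more than `tolerance` above the quiet-period baseline."""
    return cost_per_served_legit(history) > baseline_cost * (1.0 + tolerance)


# Constructed scenario (hypothetical numbers): 6000 legitimate requests/min, a
# box sized with 10% headroom, 1500 bytes per request, half of the timed-out
# users retrying, and an attacker adding 20% extra load as in the post above.
LEGIT_PER_MIN = 6000
CAPACITY_PER_MIN = 6600
BYTES_PER_REQUEST = 1500
RETRY_FRACTION = 0.5
ATTACK_PER_MIN = 0.2 * LEGIT_PER_MIN
DDOS_THRESHOLD_PER_MIN = 2 * LEGIT_PER_MIN  # a rule tuned for floods, not drag


def run_scenarios(minutes=30):
    """Run a quiet period and an attacked period and summarise what each detector saw."""
    quiet = simulate(minutes, LEGIT_PER_MIN, 0, CAPACITY_PER_MIN,
                     RETRY_FRACTION, BYTES_PER_REQUEST)
    attacked = simulate(minutes, LEGIT_PER_MIN, ATTACK_PER_MIN, CAPACITY_PER_MIN,
                        RETRY_FRACTION, BYTES_PER_REQUEST)
    baseline = cost_per_served_legit(quiet)
    return {
        "baseline_cost": baseline,
        "attacked_cost": cost_per_served_legit(attacked),
        "peak_arrivals": max(m.legit + m.attack for m in attacked),
        "rate_alarm": rate_threshold_alarm(attacked, DDOS_THRESHOLD_PER_MIN),
        "cost_alarm": cost_baseline_alarm(attacked, baseline),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

With these inputs the attacker's 20% never pushes arrivals past about 7,600 per minute, so a flood threshold set at twice normal load stays silent, yet the retry loop settles the box into a state where roughly a third more bytes are billed for every legitimate request that is actually answered. That is the shape of the erosion the paper excerpt describes, and it is why the check worth running is a cost-per-useful-transaction metric against a trusted quiet-period baseline rather than a rate threshold alone. The caveat is that the metric is only as good as the baseline and the attribution behind it: the model assumes drops are random and that the quiet period was really quiet, and an attacker who can poison the baseline slowly enough can hide from this detector too.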