Is your cloud environment vulnerable to ‘denial of funds’ attacks?

Avi Shua is the Chief Innovation Officer at Orca Security.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been around for so long that they can be considered ancient compared to today’s sophisticated spear-phishing and ransomware attacks. But DoS and DDoS are still among the most common attack vectors because taking down a system or service—whether for blackmail, hacktivism, or other reasons—is still effective. And cloud infrastructures can provide a new way for attackers to use this type of attack.

A cloud infrastructure can mitigate the impact of DoS attacks, at least sometimes, because of its ability to scale. It’s not impossible, but a DoS attack is harder to pull off against a modern cloud environment.

However, we are beginning to see a variation on DoS-style attacks, in which an attacker can easily flood a cloud system with requests that greatly increase the workload on the servers behind a cloud deployment, significantly increasing operating costs for the target organization. It’s an attack you might call a “denial of funds” attack.

Cloud systems create a potentially expensive vulnerability

An extreme, if unintentional, example of this came to light in April when Maciej Pocwierz, a software engineer for cloud services company Semantive, wrote about creating a private AWS S3 bucket for a customer. That bucket then saw 100 million PUT requests seeking to add an object to the bucket in a single day. He had expected his work to fall within AWS’s free tier limits, but instead received a bill for more than $1,300.

The problem: the default configuration of a popular open source tool used a placeholder bucket name that happened to be the same as the name of the bucket the developer created. As a result, many users unknowingly sent requests to that bucket, and although the requests were rejected, S3 charged (at the time) for unauthorized requests. The fee may have been as little as $0.005 per 1,000 requests, but it adds up quickly when there are millions of requests.

Again, this is an extreme example of an unintended consequence, and Amazon S3 quickly eliminated the practice of charging for unauthorized requests. But it is only one example. There are many scenarios in which an outside entity can, wittingly or unwittingly, increase a target organization’s costs, particularly where logging is involved. An attacker might repeatedly attempt an API operation, for example, or try to compromise a user identity.

I have come across several other cases recently where actors, on purpose or by mistake, sent requests that triggered a large number of operations inside the host organization, resulting in significant overhead. Once an attack like this is underway, your options are limited; you will need to disable the logging service or change the configuration to stop it.

The vulnerability often lies in the configuration of a cloud client, for example when a configuration produces excessive activity logs, including logs of rejected requests. In the cloud era, this translates directly into cost. Organizations have a natural tendency to store everything and record everything for security and compliance reasons. However, in cases like this, logging can be the very thing that drives up the cost.

Attackers have an asymmetric opportunity

The potential here is for asymmetric attacks that require very little effort or investment on the part of the attacker, while creating a significant financial burden—potentially thousands of dollars per hour—on the target organization. In about a second, an attacker can send 10,000 requests that tie up a large amount of resources. This is basically how a denial of service attack works: DoS attacks may not be after the money, at least not directly, but they put a victim in an untenable situation.

Considering the prevalence of cloud environments, it is possible that denial-of-service attacks will shift, at least in part, toward this denial-of-funds model, because the cost to the victim scales with the attacker’s traffic. This type of attack would be effective.

Some organizations may be more vulnerable than others to this type of attack. E-commerce sites or online gambling platforms could be seriously affected, for example. Political or government sites linked to countries experiencing internal or external conflicts would be vulnerable. But no organization wants to pay additional operational costs due to an attack or a bug.

How organizations can avoid a denial-of-funds attack

What can organizations do to prevent an attack of this type?

1. Don’t share data about your environment that you don’t need to share, even if it’s data, such as an account or bucket name, that doesn’t seem sensitive. In many cases, the name is all an attacker needs to carry out this type of attack.

2. Ask what logs the organization actually must keep. It’s tempting for organizations to say they should log everything “just to be safe,” but that’s neither wise nor realistic. No one can record everything. You need to prioritize by risk, understand your organization’s compliance obligations, and focus on the logs that matter most.

3. Make sure you can control cost increases. If something increases by 1000%, treat it as a security issue, because it very likely is one. A cloud agent can continuously collect data about cloud assets and send alerts about anomalous or malicious activity.
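An added example, not code from the article or from Orca Security, of the third recommendation: it counts rejected requests per hour from constructed log lines laid out like S3 server access logs, prices them at the $0.005-per-1,000 rate the article cites, and flags any hour that exceeds the baseline of the other hours by 1000%. The bucket name, requester and request ids are placeholders.

```python
# Added example, not code from the article or Orca Security: flag an hourly spike in
# rejected S3 requests, the denial-of-funds indicator the article describes. Log lines
# are constructed in the S3 server access log layout; bucket, requester and request
# ids are placeholders.
import re
from collections import Counter

PRICE_PER_1000_REQUESTS = 0.005  # rate quoted in the article
SPIKE_THRESHOLD = 10.0           # 1000% above baseline, the article's trigger
# Captures the hour from the bracketed timestamp, the operation and the HTTP status.
LOG_RE = re.compile(
    r'\[(?P<hour>\d{2}/\w{3}/\d{4}:\d{2}):\d{2}:\d{2} [+-]\d{4}\] '
    r'\S+ \S+ \S+ (?P<op>\S+) \S+ "[^"]*" (?P<status>\d{3})'
)

def make_line(hour: int, status: int) -> str:
    """One constructed S3-style access log line for the given hour and status code."""
    error = "AccessDenied" if status == 403 else "-"
    return (f'ownerid example-bucket [01/Apr/2024:{hour:02d}:00:00 +0000] 203.0.113.5 '
            f'- REQIDEXAMPLE REST.PUT.OBJECT key "PUT /example-bucket/key HTTP/1.1" '
            f'{status} {error} 0 - 5 - "-" "aws-cli/2.0" -')

def rejected_per_hour(lines):
    """Count rejected (HTTP 403) requests per hour; these were billable at the time."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("status") == "403":
            counts[m.group("hour")] += 1
    return counts

def estimated_cost(count: int) -> float:
    """Charge for `count` rejected requests at the per-1,000 rate."""
    return count / 1000 * PRICE_PER_1000_REQUESTS

def find_spikes(counts):
    """Hours whose rejected count exceeds the median of the other hours by the threshold."""
    spikes = []
    for hour in sorted(counts):
        others = sorted(n for h, n in counts.items() if h != hour)
        baseline = others[len(others) // 2] if others else 0  # median, robust to one spike
        if counts[hour] > baseline * SPIKE_THRESHOLD:
            spikes.append((hour, counts[hour], estimated_cost(counts[hour])))
    return spikes

# Constructed sample: six quiet hours with 3 rejections each, then a flood in hour 06.
SAMPLE_LOGS = [make_line(h, 403) for h in range(6) for _ in range(3)]
SAMPLE_LOGS += [make_line(6, 403) for _ in range(100_000)] + [make_line(6, 200)]

if __name__ == "__main__":
    for hour, n, cost in find_spikes(rejected_per_hour(SAMPLE_LOGS)):
        print(f"{hour}: {n} rejected requests (~${cost:.2f}); treat as a security issue")
```

In production the same check would run over the real access logs or billing export rather than the constructed sample, and the alert would go to the on-call channel rather than stdout.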

Conclusion

DoS and DDoS attacks have seen a bit of a resurgence in recent years, especially when coupled with other attacks and tactics. A DoS attack can force the target organization to take a system offline, making it vulnerable to other attacks. An attacker might follow up a DDoS attack with a ransomware note demanding payment to stop the attack, for example. And DDoS attacks can also be used to amplify a ransomware attack, with denial of service bundled into a ransomware attack to increase the incentive for the victim to pay.

A denial-of-funds attack is another way to take a DoS-style approach to cyberattacks. It may not shut down complete systems, but it can impose potentially debilitating costs on a company or organization.


The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology leaders.
