Cloud-Based Denial Of Service Attacks Looming, Researchers Say

Two consultants use a handful of virtual servers in Amazon's EC2 cloud to take down an SMB's network

LAS VEGAS, NEVADA -- DEFCON 2010 -- With the help of the cloud, taking down small and midsize companies' networks is easy, two consultants told attendees here last week.

With a credit card and e-mail address, security consultants David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual server instances on Amazon's EC2 and used a homemade program to attack the network of a client -- a small business that wanted its connectivity tested.

With only three servers -- although they eventually scaled up to 10 -- the consultants took the company off the Internet. The price? Six dollars.

"A threat agent could potentially run extortion schemes against a company by attacking for a couple of hours -- and then telling the company that, if you don't pay me, then I will attack you again," Bryan said.

It's surprising how easy it is to block a company's lifeblood connection to the Internet, the consultants said. To set up an account on Amazon EC2, there are no special bandwidth agreements or detection of servers taking malicious actions, they claimed. Moreover, complaints to Amazon by the client apparently went unanswered.

"We never got a response from Amazon," Anderson said. "We haven't gotten a call; we never got an email."

Amazon could not comment on the consultants' specific claims, but stressed that the company does have a rigorous response process.

"We do have a process for both detecting and responding to reports of abuse," Amazon spokeswoman Kay Kinton said in an email response. "We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down."

Small and midsize businesses should focus on basic strategies to defend themselves against cloud-based denial-of-service attacks, experts say. While cloud services are a new way to deliver attacks, the steps needed to defend a business's network and keep it connected are no different from those used to defend against run-of-the-mill packet floods.

First, employees responsible for a business's IT should have a DoS mitigation strategy and test it. An example of how not to do it: The target of the consultants' attack, a small financial institution, had defensive hardware in place, but had the threshold bandwidth set way too high. The attack failed to trigger defensive measures, but the bandwidth was still enough to take down the network, Bryan said.

"You have to make sure to tune your defenses," he said.
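The threshold mistake described above is easy to reproduce. The script below is an added illustration, not code from the consultants or from the article: it models a site behind a 10 Mbit/s access link (a constructed value, not the client's real capacity) and runs the same sliding-window rate detector twice, once with an alert threshold set far above what the link can carry and once tuned to 80% of the link's actual capacity. Because a device on the inside of a saturated link never observes more than the link's capacity, the first configuration can never fire even while the site is offline, which is exactly the failure mode Bryan describes.

```python
from collections import deque

# Constructed scenario, not measurements from the consultants' engagement:
# a site behind a 10 Mbit/s access link, with inbound traffic sampled once per second.
LINK_CAPACITY_BPS = 10_000_000


def build_traffic(baseline_bps=2_000_000, flood_bps=40_000_000,
                  quiet_seconds=10, flood_seconds=10,
                  capacity_bps=LINK_CAPACITY_BPS):
    """Per-second inbound rate as seen *inside* the link (constructed sample).

    A flood larger than the link simply saturates it: the defensive device
    behind the link can never observe more than the link's capacity, so any
    threshold set above that capacity is unreachable by construction.
    """
    quiet = [baseline_bps] * quiet_seconds
    flood = [min(flood_bps, capacity_bps)] * flood_seconds
    return quiet + flood


def detect_flood(samples_bps, threshold_bps, window=5, min_hits=3):
    """Sliding-window detector used by many simple rate-based defences.

    Alerts at the first second when at least `min_hits` of the last `window`
    one-second samples exceed `threshold_bps`. Returns the zero-based second
    of the alert, or None if the detector never fires.
    """
    recent = deque(maxlen=window)
    for t, rate in enumerate(samples_bps):
        recent.append(rate > threshold_bps)
        if sum(recent) >= min_hits:
            return t
    return None


def tuned_threshold(capacity_bps, fraction=0.8):
    """Derive the alert threshold from the measured link capacity.

    Setting it to a fraction of capacity means the defence trips while the
    link is merely congested, before it is fully saturated and the site is
    already unreachable.
    """
    return int(capacity_bps * fraction)


def compare_configurations():
    """Run the detector with a misconfigured and a tuned threshold."""
    traffic = build_traffic()
    # Misconfigured: 50 Mbit/s threshold on a 10 Mbit/s link can never be exceeded.
    too_high = detect_flood(traffic, threshold_bps=50_000_000)
    # Tuned: 80% of real capacity, so the flood is caught within a few seconds.
    tuned = detect_flood(traffic,
                         threshold_bps=tuned_threshold(LINK_CAPACITY_BPS))
    return {"too_high_alert_second": too_high, "tuned_alert_second": tuned}


if __name__ == "__main__":
    # Expected: {'too_high_alert_second': None, 'tuned_alert_second': 12}
    print(compare_configurations())
```

The takeaway for an operator is the `tuned_threshold` step: a rate threshold should be derived from the measured capacity of the link being protected (and re-derived whenever that link is upgraded), not copied from a vendor default that assumes a much larger pipe.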

Clear responsibilities in the event of an attack are also key, the consultants said. Once attacked, the client's employees became angry with each other and debated who was responsible for responding.

"In the event of an attack or incident, you cannot be adversarial," Bryan said. "Information sharing is key."

Most cybercriminals use botnets to conduct denial-of-service attacks on their targets. Many botnets can be rented, or a subset of machines leased, essentially giving would-be attackers a criminal "cloud" from which to buy services.

But renting server time from a legitimate cloud service is cheaper and can be more effective, according to Bryan and Anderson. Because the traffic comes from Amazon's Internet space, it can be harder to filter. And scaling the attack up is as easy as instantiating a new virtual server. Moreover, many cloud services -- especially infrastructure-as-a-service clouds -- appear to respond slowly to abuse.

"It's essentially a town without a sheriff," Bryan said.

Amazon disputed those assertions, saying that dealing with attacking servers on its platform is much easier because it can identify them and shut them down.

"One thing I'd point out is that abusers who choose to run their software in an environment like Amazon EC2 make it easier for us to access and disable their software," Amazon's Kinton said. "This is a significant improvement over the Internet as a whole, where abusive hosts can be inaccessible and run unabated for long periods of time."

The two consultants created a prototype attack tool, called Thunder Clap, that uses cloud-based services to send a flood of packets toward the target company's network. The software can be controlled directly or through a command left on a social network, the researchers said.

The consultants recommended that providers offering easy-to-configure cloud services -- Amazon, Google, Microsoft and Rackspace -- be more responsive to complaints and more aware of the attack potential of their networks.

"If we complain loudly enough, maybe they will become more responsive," Anderson said.
