3/29/2013 01:34 AM

Should Cloud Providers Secure Their Outbound Traffic?

As attackers focus on using hosted or virtual servers to power their denial-of-service attacks, calls for a cleaner cloud may become louder

Discerning between malicious traffic and legitimate traffic in real time is challenging for companies targeted by distributed denial-of-service attacks, but the task is made more difficult when the attacks come from reputable Internet properties that cannot easily be filtered.

The attacks on U.S. financial institutions, for example, have used compromised publishing platforms to target banks with a variety of attack traffic since last September. A key factor in the success of those distributed denial-of-service (DDoS) attacks is attackers' use of compromised but reputable hosts. While attacks from hosted and cloud platforms have been uncommon so far, they will likely become a larger problem in the future, says Carl Herberger, vice president of security solutions at network security firm Radware.

Providers need to take some responsibility for obvious abuses of acceptable-use policy, such as packet floods and attacks on applications, he says.

"They need to come to terms with the fact that, if one of their hosted clients is attacking a victim on the Internet, they play a role," Herberger says.

Just as Internet service providers have started taking a more involved role in detecting, warning about, and mitigating compromised consumer-owned systems on their networks, cloud service providers may need to take a more hands-on approach to detecting and helping mitigate compromises that turn their customers' hosted systems into attack sources.

[Outages at CloudFlare and Microsoft's Azure in the past month underscore that widespread chaos can be the result of a weak point in cloud infrastructure. See Cloud Providers Work To Disperse Points Of Failure.]

Yet for cloud providers, any sort of filtering could cause a disruption to their customers' services, an unacceptable risk. Some cloud providers that focus on secure hosting, such as FireHost, do monitor outbound traffic for signs of malicious behavior. But adapting that generally to public clouds may not work, says Kurt Hagerman, director of information security for FireHost.

"When you look at public cloud infrastructure in general, most of those come with little to no outbound security," Hagerman says. "They rely on the customers to add security."

Defending against DDoS attacks is expensive, making the stakes higher. One recent survey found that companies pay up to $6,500 an hour to recover from the attacks.

Such damages could make legal liability a problem. Despite common carrier statutes and the Communications Decency Act, which protects providers from being held responsible for the acts of their subscribers, distributed denial-of-service attacks coming from hosted, or cloud, servers could expose a provider to risk.

"If I was running a bank, and I was repeatedly getting DDoSed from the same space, and I was reporting that to the provider and trying to work with them, but it seemed like it just didn't matter, might I try to sue them? Sure, I might," says Hagerman. "It might get their attention and convince them to do something to stop the attacks."

Not all massive DDoS attacks stem from problems with hosted servers and cloud providers. The recent distributed denial-of-service attack that topped 300Gbps originated from a different, although arguably related, problem: misconfigured infrastructure, in this case domain-name system (DNS) recursive resolvers, used to redirect and amplify a much smaller amount of attacker bandwidth into a much larger attack.
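As an added illustration (not code from the article or from any vendor it quotes) of the outbound monitoring Herberger and Hagerman argue for, the following Python audits constructed egress flow records for three abuses the story mentions: spoofed source addresses (the precondition for the DNS reflection described above), packet floods, and a resolver answering at flood rate. Tenant names, address prefixes, flow values and thresholds are all assumed example values.

```python
from ipaddress import ip_address, ip_network

# Constructed flow records (example data, not from the article), aggregated over a
# 10-second window at a hypothetical provider's egress point. Fields:
# (tenant, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    ("tenant-a", "203.0.113.10", 44120, "198.51.100.5", 80, "tcp", 1200, 960000),
    ("tenant-a", "203.0.113.10", 51000, "198.51.100.77", 443, "tcp", 900000, 54000000),
    ("tenant-b", "192.0.2.25", 53, "198.51.100.9", 6000, "udp", 600000, 1800000000),
    ("tenant-b", "10.9.9.9", 53, "198.51.100.9", 6000, "udp", 50000, 3000000),
]

# Address space each tenant was actually allocated (assumed values).
TENANT_PREFIXES = {
    "tenant-a": [ip_network("203.0.113.0/24")],
    "tenant-b": [ip_network("192.0.2.0/24")],
}

WINDOW_SECONDS = 10
FLOOD_PPS = 50_000            # sustained packets/second toward one destination
DNS_AMP_BYTES_PER_PKT = 1000  # UDP/53 answers this large at flood rate suggest reflection


def spoofed_source(tenant, src_ip, prefixes):
    """BCP 38 style check: a packet leaving a tenant must carry one of that
    tenant's own addresses; anything else is spoofed and is dropped at egress."""
    addr = ip_address(src_ip)
    return not any(addr in net for net in prefixes.get(tenant, []))


def audit_flows(flows, prefixes=TENANT_PREFIXES, window=WINDOW_SECONDS):
    """Return (tenant, rule, src_ip, dst_ip) alerts for flows that look like
    acceptable-use abuse rather than ordinary customer traffic."""
    alerts = []
    for tenant, src, sport, dst, dport, proto, pkts, nbytes in flows:
        if spoofed_source(tenant, src, prefixes):
            alerts.append((tenant, "spoofed-source", src, dst))
            continue  # spoofed traffic is dropped, so no further classification
        pps = pkts / window
        if pps > FLOOD_PPS:
            alerts.append((tenant, "packet-flood", src, dst))
        # Large answers from UDP port 53 at flood rate toward a single address:
        # a resolver being used as a reflector against the (spoofed) "querier".
        if proto == "udp" and sport == 53 and pps > FLOOD_PPS \
                and nbytes / pkts >= DNS_AMP_BYTES_PER_PKT:
            alerts.append((tenant, "dns-reflection", src, dst))
    return alerts


if __name__ == "__main__":
    for alert in audit_flows(FLOWS):
        print(*alert)
```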

If cloud providers run their infrastructure like a gated community, then attackers should not be able to get away with such damaging attacks, says Dan Holden, director of security research for Arbor Networks. Paying attention to outbound traffic could give attackers less incentive to use cloud resources for their attacks.

"It comes down to a return-on-investment issue for the attacker," Holden says. "I think it would come down to whether they thought the success of the attack would be better using the cloud or not."
