With a credit card and e-mail address, security consultants David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual server instances on Amazon's EC2 and used a homemade program to attack the network of a client -- a small business that wanted its connectivity tested.
With only three servers -- although they eventually scaled up to 10 -- the consultants took the company off the Internet. The price? Six dollars.
"A threat agent could potentially run extortion schemes against a company by attacking for a couple of hours -- and then telling the company that, if you don't pay me, then I will attack you again," Bryan said.
It's surprising how easy it is to block a company's lifeblood connection to the Internet, the consultants said. To set up an account on Amazon EC2, there are no special bandwidth agreements or detection of servers taking malicious actions, they claimed. Moreover, complaints to Amazon by the client apparently went unanswered.
"We never got a response from Amazon," Anderson said. "We haven't gotten a call; we never got an email."
Amazon could not comment on the consultants' specific claims, but stressed that the company does have a rigorous response process.
"We do have a process for both detecting and responding to reports of abuse," Amazon spokeswoman Kay Kinton said in an email response. "We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down."
Small and midsize businesses should focus on basic strategies to defend themselves against cloud-based denial-of-service attacks, experts say. While cloud services are a new way to deliver attacks, the steps needed to defend a business' network and keep it connected are no different than those used to defend against run-of-the-mill packet floods.
First, employees responsible for a business's IT should have a DoS mitigation strategy and test it. An example of how not to do it: The target of the consultants' attack, a small financial institution, had defensive hardware in place, but had the threshold bandwidth set way too high. The attack failed to trigger defensive measures, but the bandwidth was still enough to take down the network, Bryan said.
"You have to make sure to tune your defenses," he said.
Clear responsibilities in the event of an attack are also key, the consultants said. Once attacked, the client's employees became angry with each other and debated who was responsible for responding.
"In the event of an attack or incident, you cannot be adversarial," Bryan said. "Information sharing is key."
Most cybercriminals use botnets to conduct denial-of-service attacks on their targets. Many botnets can be rented, or a subset of machines leased, essentially giving would-be attackers a criminal "cloud" from which to buy services.
But renting server time from a legitimate cloud service is cheaper and can be more effective, according to Bryan and Anderson. Because the traffic comes from Amazon's Internet space, it can be harder to filter. And scaling the attack up is as easy as instantiating a new virtual server. Moreover, many cloud services -- especially infrastructure-as-a-service clouds -- appear to respond slowly to abuse.
"It's essentially a town without a sheriff," Bryan said.
Amazon refuted those assertions, saying that dealing with attacking servers is much easier since it can identify them and shut them down.
"One thing I'd point out is that abusers who choose to run their software in an environment like Amazon EC2 make it easier for us to access and disable their software," Amazon's Kinton says. "This is a significant improvement over the Internet as a whole, where abusive hosts can be inaccessible and run unabated for long periods of time."
The two consultants created a prototype attack tool, called Thunder Clap, that uses cloud-based services to send a flood of packets toward the target company's network. The software can be controlled directly or through a command left on a social network, the researchers said.
The consultants recommended that providers that offer easy-to-configure cloud services -- Amazon, Google, Microsoft and Rackspace -- should be more responsive to complaints and more aware of the attack potential of their networks.
"If we complain loudly enough, maybe they will become more responsive," Anderson said.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.