DDoS – A Moose On Cloud’s Table Or A Pea Under The Mattress?
Readers of my blog will no doubt be familiar with Roland Dobbins. He’s commented on lots of posts here and whilst we don’t always see eye-to-eye, I really respect both his intellect and his style.
So it’s fair to say that Roland is not a shy lad. Formerly at Cisco and now at Arbor, he’s made his position (and likely his living) on dealing with a rather unpleasant issue in the highly distributed and networked InterTubes: Distributed Denial of Service (DDoS) attacks.
A recent article in ITWire titled “DDoS, the biggest threat to Cloud Computing” sums up Roland’s focus:
“According to Roland Dobbins, solutions architect for network security specialist Arbor Networks, distributed denial of service attacks are one of the most under-rated and ill-guarded against security threats to corporate IT, and in particular the biggest threat facing cloud computing.”
…
DDOS, Dobbins claims, is largely ignored in many discussions around network and cloud computing security. “Most discussions around cloud security are centred around privacy, confidentiality, the separation of data from the application logic, but the security elephant in the room that very few people seem to want to talk about is DDOS. This is the number one security threat facing the cloud model,” he told last week’s Ausnog conference in Sydney. “In cloud computing where infrastructure is shared by potentially millions of users, DDOS attacks have the potential to have much greater impact than against single tenanted architectures,” Dobbins argues. Yet, he says, “The cloud providers emerging as leaders don’t tend to talk much about their resiliency to DDOS attacks.”
Depending upon where you stand, especially if we’re talking about Public Clouds — and large Public Cloud providers such as Google, Amazon, Microsoft, etc. — you might cock your head to one side, raise an eyebrow and focus on the sentence fragment “…and in particular the biggest threat facing cloud computing.” One of the reasons DDoS is under-appreciated is that, in relative frequency — and in the stable of solutions and skill sets available to deal with it — DDoS is a long-tail event.
With unplanned outages afflicting almost all major Cloud providers today, the moose on the table seems to be good ol’ internal operational issues at the moment… That’s not to say DDoS won’t become a bigger problem as the models for networked Cloud resources change, but as the model changes, so will the defensive options in the stable.
With the decentralization of data but the mass centralization of data centers featured by these large Cloud providers, one might see how this statement could strike fear into the hearts of potential Cloud consumers everywhere and Roland is doing his best to serve us a warning — a Public (denial of) service announcement.
Sadly, at this point, however, I’m not convinced that DDoS is “the biggest threat facing Cloud Computing” and whilst providers may not “…talk much about their resiliency to DDoS attacks,” some of that may be due to the fact that they don’t talk much about security at all. It may also be that, in many cases, what you can do to respond to these attacks is directly proportional to the size of your wallet.
Large network and service providers have been grappling with DDoS for years, as have large enterprises. Folks like Roland have been on the front lines.
Cloud will certainly amplify the issues of DDoS because of how resources — even when distributed and resiliently load balanced in elastic and “perceptively infinitely scalable” ways — are ultimately organized, offered and consumed. This is a valid point.
But if we look at the heart of most criminal elements exploiting the Internet today (and what will become Cloud), you’ll find that the great majority want — no, *need* — victims to be available. If they’re not, there’s no exploiting them. DDoS is blunt force trauma — big, messy, bloody blows that everybody notices. That’s simply not very good for business.
At the end of the day, I think DDoS is important to think about. I think variations of DDoS are, too.
I think that most service providers are thinking about it and investing in technology from companies such as Cisco and Arbor to deal with it, but as Roland points out, most enterprises are not — and if Cloud has its way, they shouldn’t have to:
Paradoxically, although Dobbins sees DDOS as the greatest threat to cloud computing, he also sees it as the potential solution for organisations grappling with the complexities of securing the network infrastructure.
“One answer is to get rid of all IT systems and hand them over to an organisation that specialises in these things. If the cloud providers are following best practice and have the visibility to enable them to exert control over their networks it is possible for organisations to outsource everything to them.”
For those organisations that do run their own data centres, he suggests they can avail themselves of ‘clean pipe’ services which protect against DDOS attacks. According to Nick Race, head of Arbor Networks Australia, Telstra, Optus and Nextgen Networks all offer such services.
So what about you? Moose on the table or pea under the mattress?
/Hoff
I would say it depends on the perspective. A single company (especially if it is small) will be even better protected against a DoS attack against that specific company, when it runs its servers on a big cloud provider's platform (since a lot of resources are needed for the attacker to have a chance to be successful). It is much easier to attack e.g. a startup that is running their 5 servers on dedicated servers at a common hosting provider than one running them on EC2 with built-in DoS protection.
However, from a more global perspective, the Internet ecosystem gets more centralized with cloud computing and so the impact of a successful attack is much higher – thus more interesting for someone who wants to cause huge damage. In the same way as the collapse of our financial system was due to a centralization of risk, the Internet ecosystem becomes more vulnerable (even though a large amount of resources is needed to succeed).
Just want to mention another aspect of this topic: infrastructure services may also facilitate DoS attacks originating in cloud platforms. Someone who has stolen 10000 credit cards could create a huge army of virtual machines quite rapidly…
Matthias:
Just want to mention another aspect of this topic: infrastructure services may also facilitate DoS attacks originating in cloud platforms. Someone who has stolen 10000 credit cards could create a huge army of virtual machines quite rapidly…
You might want to check out:
http://www.rationalsurvivability.com/blog/?p=7
Specifically, the definition of 'CloudFlux':
"Take a mess of stolen credit cards, open up a slew of Amazon AWS accounts using them, build/scale to thousands of instances overnight, launch carpet bomb attack (you choose,) tear it down/have it torn down, and move your botnet elsewhere…rinse, lather, repeat…"
😉
DDoS is potentially the biggest *financial* threat to companies leveraging public cloud if they aren't very careful about limiting that "unlimited" scalability inherent in cloud.
And yes on CloudFlux. Perhaps the biggest threat associated with cloud computing is exactly that scenario.
Thanks for the citation, Chris – the respect is mutual.
;>
What I mean by 'the biggest threat' is that DDoS can kill the cloud model dead. When your data and applications are all remote, and then the availability of said data and applications is disrupted, this sort of puts a damper on the cloud, heh.
There are lots of BCPs, techniques, and tools out there which cloud providers can and should leverage in order to increase their resiliency in the face of attack. And as you've pointed out, the potential for abusing cloud services themselves in order to launch DDoS is a distinct possibility (we've already seen this in re spam).
When we look at the classic infosec triad of confidentiality, integrity, and availability, availability must be paramount, IMHO – especially in the cloud model. Otherwise, the other two legs of the triad really don't matter much.
You're right that most organizations don't tend to talk much about their security postures; with regards to threats to maintaining availability, a firm acknowledgement that the appropriate measures are being taken is something I'd urge anyone to ask of their cloud provider(s).
One other thing I forgot to mention is that while I agree with you that many of the various forms of online crime are in fact predicated upon the availability of servers/applications/data/services/networks, DDoS-driven extortion is predicated upon denying access to same. And of course, there are DDoS attacks motivated by ideology as well as simple nihilism.
Multi-tenanted infrastructure means that a DDoS against one specific organization is potentially a DDoS against all tenants sharing the same infrastructure. The cloud model must address DDoS, as the potential for collateral damage is even higher than we currently see with more traditional infrastructure – and we certainly do see this today.
It is interesting to read back over articles such as this that were published 4 years ago, in light of what has happened since.
I think Roland has been largely correct in his estimation of the potential threats of DDoS attacks on ‘the Cloud’; however, the threat certainly hasn’t killed the ‘Cloud model’, which is flourishing in 2013 and beyond. However, the threat still exists, perhaps more than ever, and numerous DDoS attacks affecting businesses big and small throughout the world in 2013 are evidence of this.
Would it be possible for you to remove the link in the comment submitted Dec 8th 2013, as it is showing as over 5,000 no-follow links against our website, I think due to being in your recent comments widget in the sidebar?
Many thanks.
Richard