When enterprises talk about public cloud computing, they generally mean computing, storage and network resources for IT, delivered by third-party service providers via remote infrastructure shared by its users. Amazon Web Services, Microsoft Azure and Google Cloud Platform are the leaders in public cloud, and between them they have changed the way that startups and established businesses alike operate. In 2012, RedMonk analyst Stephen O'Grady got to the heart of why public cloud is so popular, observing that AWS offers "[s]ervers in 90 seconds via a credit card," a huge gain in convenience over typical IT provisioning times.
With great convenience comes great responsibility. More specifically, CIOs et al have had to weigh the benefits of on-demand public cloud – resource elasticity and a pay-as-you-go business model – against their obligations to maintain compliance and data security. While 89 percent of respondents to a 2014 RightScale survey reported using the public cloud in some fashion, more than half of them also confirmed that they were using a hybrid cloud, a combination of third-party and self-hosted systems often set up to address requirements around performance, control and cloud security.
Public cloud, vulnerable infrastructure opens door for DDoS
The public cloud is understandably synonymous with risk, since the end-user is not in control of the infrastructure. That perception has softened as the cloud has matured, though. The CIO Mid-Year Review 2014, a survey of CIOs in India, found that the number of executives citing security as the top concern dropped from 44 percent to 25 percent from 2013 to 2014. Still, cloud computing opens up many possibilities for cybercriminals, not least of which is powerful distributed denial-of-service attacks:
- Elasticsearch, a popular search engine in Amazon EC2 environments, was compromised in July 2014, enabling attackers to flood websites with UDP traffic while forcing site owners to shift their hosting.
- At the 2014 Black Hat conference, a pair of testers from Bishop Fox demonstrated how free-tier public cloud services could be pooled into a mini botnet that could mine the Litecoin cryptocurrency and potentially carry out DDoS or password cracking.
- Targeted attacks such as Operation Ababil in 2013, which specifically went after banking websites, have capitalized on Web vulnerabilities, the number of which may be rising as more organizations supply and become dependent upon software-, platform- and infrastructure-as-a-service.
Moreover, what makes the public cloud useful in the first place, namely its scalability, ease-of-use and stewardship by high-profile vendors, also turns it into an ideal platform for staging DDoS attacks.
Exploiting vulnerable servers en masse is a much more efficient tactic than targeting PCs, because, if done successfully, it yields access to considerable bandwidth as well as cutting-edge technologies. Plus, it is a feasible alternative now that IT departments are closing off protocols such as the Network Time Protocol that could become DDoS attack vectors. Record-breaking, seemingly intractable DDoS attempts have been fueled by this renewed focus on weaknesses around the Web and in its supporting cloud infrastructure.
"Attacking from PaaS and IaaS instances allows attackers to hide behind legitimate, reputable IP spaces," wrote the authors of the Prolexic Quarterly Global DDoS Attack Report for the second quarter of 2014. "It also provides [them] with defense technologies that make it more difficult for defenders to mitigate these attacks."
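The Prolexic observation above is the defender's core problem with cloud-backed DDoS: the flood arrives from address space that legitimate customers also use, so a blanket block of the provider's range is not an option. The script below is an added example, not code from the original article or from Prolexic, showing the shape of the triage a defender does instead: it totals UDP bytes per source in short time buckets over flow records, flags sources that exceed a threshold, and marks which flagged sources fall inside cloud-provider address space so they can be rate-limited individually. The flow record format, the thresholds and the `CLOUD_RANGES` list are assumptions; the sample records are constructed from RFC 5737 documentation addresses, and a real deployment would load the provider's published ranges.

```python
"""Flag UDP-flood sources in flow records and note which ones sit inside
cloud-provider address space, so a defender can rate-limit individual
sources instead of blocking a reputable range wholesale.
Added example; record format, thresholds and ranges are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed flow records for illustration: "<epoch> <src_ip> <dst_ip> <proto> <bytes>".
# Addresses come from the RFC 5737 documentation prefixes, not real hosts.
SAMPLE_FLOWS = """\
1404000000 203.0.113.10 198.51.100.5 UDP 1400
1404000000 203.0.113.10 198.51.100.5 UDP 1400
1404000001 203.0.113.10 198.51.100.5 UDP 1400
1404000001 203.0.113.10 198.51.100.5 UDP 1400
1404000000 203.0.113.11 198.51.100.5 UDP 1400
1404000001 203.0.113.11 198.51.100.5 UDP 1400
1404000001 203.0.113.11 198.51.100.5 UDP 1400
1404000002 192.0.2.77 198.51.100.5 UDP 1400
1404000002 192.0.2.77 198.51.100.5 UDP 1400
1404000002 192.0.2.77 198.51.100.5 UDP 1400
1404000003 203.0.113.12 198.51.100.5 TCP 600
1404000003 192.0.2.8 198.51.100.5 UDP 200
"""

# Placeholder standing in for a cloud provider's published IP ranges (assumption:
# a real deployment loads the provider's own list; 203.0.113.0/24 is a documentation prefix).
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_flows(text):
    """Turn text records into tuples (ts, src, dst, proto, nbytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, nbytes = line.split()
        flows.append((int(ts), src, dst, proto, int(nbytes)))
    return flows


def in_cloud_range(ip):
    """True if the address falls inside any configured provider prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def find_udp_flood_sources(flows, window_sec=5, bytes_threshold=4000):
    """Return {src: {"bytes": peak_window_bytes, "cloud": bool}} for every source
    whose UDP volume in some window_sec bucket reaches bytes_threshold."""
    per_bucket = defaultdict(int)  # (src, bucket) -> UDP bytes
    for ts, src, _dst, proto, nbytes in flows:
        if proto != "UDP":
            continue
        per_bucket[(src, ts // window_sec)] += nbytes
    peak = defaultdict(int)
    for (src, _bucket), total in per_bucket.items():
        peak[src] = max(peak[src], total)
    return {
        src: {"bytes": total, "cloud": in_cloud_range(src)}
        for src, total in peak.items()
        if total >= bytes_threshold
    }


def cloud_share(flagged):
    """Fraction of flagged flood bytes that originate from provider address space."""
    total = sum(v["bytes"] for v in flagged.values())
    if total == 0:
        return 0.0
    return sum(v["bytes"] for v in flagged.values() if v["cloud"]) / total


def mitigation_plan(flagged):
    """Per-source actions: /32 rate limits inside provider space (other tenants share
    the range), plain /32 blocks elsewhere. Never a prefix-wide block."""
    return {
        src: ("rate-limit /32 (provider range)" if v["cloud"] else "block /32")
        for src, v in sorted(flagged.items())
    }


if __name__ == "__main__":
    flagged = find_udp_flood_sources(parse_flows(SAMPLE_FLOWS))
    for src, action in mitigation_plan(flagged).items():
        print(f"{src:<14} {flagged[src]['bytes']:>6} bytes  {action}")
    print(f"share of flood traffic from provider space: {cloud_share(flagged):.0%}")
```

The important design choice is in `mitigation_plan`: a source inside `CLOUD_RANGES` gets a per-address rate limit rather than a block on the enclosing prefix, because the same prefix carries the provider's other customers. Swapping the placeholder prefix for a provider's real published ranges and the constructed records for NetFlow or VPC flow log exports turns this into a usable first-pass triage.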
Understanding the risks of cloud-backed DDoS
DDoS attacks create a number of headaches for enterprises, including prolonged outages that are detrimental to customers, organizational reputation and the bottom line. Operation Ababil caused 249 hours of downtime for the affected banks, as well as a fair share of confused and disgruntled users.
While it may seem like cloud-backed DDoS is simply traditional DDoS with added punch, there are other differences between the two, and understanding them can help in mitigation:
- Start with security responsibilities, and who is tasked with doing what. Cloud service-level agreements and other documentation can be vague on the issue of data protection, but some at least clearly spell out that the customer bears the burden of keeping software up-to-date and hence as secure as possible against threats. In regard to the recent Elasticsearch vulnerability, Amazon's Shared Security Model stipulates that the AWS user is responsible for updates to supporting apps.
- Along the same lines, research and due diligence are imperative when vetting Internet service providers and hosting companies – addressing weak points within one's own enterprise infrastructure alone is no longer enough to contain all risk. ISPs et al may rely on older, less secure variants of Microsoft Windows and/or open source stacks that are common targets for hackers. Such vulnerabilities are issues not only for these companies, but for their customers.
- Email security, of all things, is more important than ever in light of powerful DDoS attacks. Cloud service providers may assume that each email account indicates a unique user, rather than consider the possibility that an attacker is gathering email addresses for spam distribution and DDoS. While the amount of free resources given to a single account on platforms such as Google App Engine is modest, thousands of profiles in tandem can form the basis for a formidable botnet.
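The last point above, that one person can present as thousands of "unique users" to a free tier, is something a provider can test for at signup time. The script below is an added example, not code from the article or from any provider, showing the two simplest checks: canonicalize each address so that plus-tagged and dot-varied spellings of one mailbox collapse together, and count signups per canonical mailbox and per source address within a time window. The signup record format, the thresholds and the decision to strip `+tag` suffixes for every domain are assumptions; the dot-insensitive handling is applied only to gmail.com/googlemail.com, and the sample records are constructed.

```python
"""Cluster free-tier signups that share one underlying mailbox or origin.
Added example; the record format, thresholds and plus-tag rule are assumptions."""
from collections import defaultdict

# Constructed signup records: "<epoch> <email> <src_ip>" (documentation addresses only).
SAMPLE_SIGNUPS = """\
1404000000 worker+01@example.com 192.0.2.10
1404000030 worker+02@example.com 192.0.2.10
1404000060 worker+03@example.com 192.0.2.10
1404000090 WORKER+04@example.com 192.0.2.10
1404000120 w.o.r.k.e.r@gmail.com 192.0.2.11
1404000150 wor.ker+x@gmail.com 192.0.2.11
1404000180 worker@gmail.com 192.0.2.11
1404005000 alice@example.org 198.51.100.7
1404006000 bob@example.org 198.51.100.8
"""

# Domains known to ignore dots in the local part; googlemail.com is an alias of gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonical_email(email):
    """Collapse case, '+tag' suffixes (assumed for all domains) and, for dot-insensitive
    domains, dots, so that variants of one mailbox compare equal."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def parse_signups(text):
    """Turn text records into tuples (ts, email, src_ip)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, email, ip = line.split()
        records.append((int(ts), email, ip))
    return records


def find_signup_clusters(records, min_accounts=3, window_sec=3600):
    """Return {"mailbox": {canonical: n}, "ip": {src_ip: n}} listing mailboxes that own
    min_accounts or more accounts overall, and source addresses that created
    min_accounts or more accounts inside a single window_sec bucket."""
    by_mailbox = defaultdict(int)
    by_ip_bucket = defaultdict(int)
    for ts, email, ip in records:
        by_mailbox[canonical_email(email)] += 1
        by_ip_bucket[(ip, ts // window_sec)] += 1
    ip_peak = defaultdict(int)
    for (ip, _bucket), n in by_ip_bucket.items():
        ip_peak[ip] = max(ip_peak[ip], n)
    return {
        "mailbox": {m: n for m, n in by_mailbox.items() if n >= min_accounts},
        "ip": {ip: n for ip, n in ip_peak.items() if n >= min_accounts},
    }


if __name__ == "__main__":
    clusters = find_signup_clusters(parse_signups(SAMPLE_SIGNUPS))
    for kind, hits in clusters.items():
        for key, n in sorted(hits.items()):
            print(f"{kind:<8} {key:<24} {n} accounts")
```

Mailbox counts are cumulative because accounts accumulate over time, whereas the per-origin count is bucketed, since one office or NAT gateway will legitimately produce a few signups a day but not dozens in an hour. Either hit is a reason to hold the new accounts for review rather than to hand them compute quota.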
Both enterprises and their cloud service providers have significant work ahead of them in clamping down on today's DDoS campaigns. With the cloud playing an increasingly large role in IT, the stakes are high for updating network security practices and accounting for potential vulnerabilities both inside and outside the company perimeter.
Just this year, a DDoS attack on CodeSpaces put that company out of business. In a Q2 2014 roundup, "Turning the Tables on Cyber Attacks: Responding to Evolving Tactics," Trend Micro researchers stressed the importance of taking a comprehensive approach to cybersecurity to avoid a similar fate.
"The data breaches and DDoS attacks recorded this quarter showed that an organization-wide strategy is required if companies wish to survive their aftermath," wrote the authors of the report. "Organization-wide understanding and commitment to carrying out a strategic security plan is necessary. Otherwise, they may resort to highly impractical measures such as reverting to manual processing, as in P.F. Chang's case or, worse, to go out of business, as in Code Spaces's case."