cloud computing: weapon of choice for DDoS?

Is the Cloud a weapon of choice for launching distributed denial of service (DDoS) attacks?

Denial of service attacks are seeing a huge boom. One flagrant example of this is the recent WikiLeaks news. But what does cloud computing have to do with the resources used to launch DDoS attacks? Will the Cloud make botnets and hacktivist groups just two more things of the past?

Here’s how I would answer these questions:

botnets and cyber-hacktivists

In a denial of service attack, the goal of the attacker is to render a website completely nonresponsive and unusable for its typical users. One of the keys to a DDoS attack is the bot (or zombie). Most of the time this is a machine infected with a virus that is remotely controlled by the attacker, all while the real owner of the machine remains completely oblivious.

Less frequently, a group of hackers who share a common goal work together to attack a target. Online protests like this are generally known as cyber-hacktivism. The Anonymous group’s assault on banking websites in connection with the WikiLeaks affair is just one recent example.

a network of infected machines isn’t ideal

In the case of zombies/bots, infecting a sufficient number of machines in a short timeframe remains fairly complex: you have to set traps and make sure people will fall for them to infect their machines. This takes skill, tools, and enough time to recruit a large enough pool of machines.

In any case, you will have to stay under the radar so as not to be detected by an antivirus or another detection system. In addition, the bots’ network connections are typically asymmetrical, so the upload bandwidth available to each bot is low. In short, you’ll have to recruit a lot of machines.

the limits of cyber-hacktivism

Recruiting a large number of people with the same goals is a formidable attack strategy. When workstation defenses are ineffective (owners agree to infect their own machines or use attack tools), it is possible to rally enough people around a common cause.

But the main problem is finding that common cause: it is difficult if not impossible to motivate people to attack a competitor’s website or extort funds. In addition, the person in charge of the attack remains dependent on the cooperation and availability of the recruits. Launching repeated attacks over several days or weeks is unrealistic since motivation will quickly wear off.

creating a botnet in the Cloud

The Cloud has several really attractive features:

  • access to high-performance networks with a lot of available bandwidth
  • ability to quickly and remotely activate new resources
  • payment per use and systems spread over different parts of the globe

In addition to these, we should also add another important feature: the commitment of cloud service suppliers to respect and protect the privacy of customer data in the Cloud against any attacks.

Anyone looking to put together a network of zombie machines could thus use the Cloud to their advantage.

anonymity thanks to “all remote” and “all automatic”

Using information from one or more previously stolen debit cards (or prepaid cards), attackers can open accounts with several cloud platforms provided by different suppliers.

Of course, any attacker will want to use proxies and other anonymous networks, such as Tor, so as to not leave a trail when creating a cloud account or interacting with a cloud management platform.

VMs preset for attack

In each Cloud, attackers can deploy an ISO image (or a virtual machine, i.e. VM, image) set up to connect immediately upon startup to one or more meeting points to receive marching orders. Meeting points can either be machines located in the Cloud or social network platforms like Twitter.

VMs built for this purpose will of course be optimized so as to use very little memory (RAM) or disk space: this way the attacker can streamline costs and launch even more VMs with the extra cash.

elastic botnets using remote API

The cool thing is that more and more clouds are exposing application programming interfaces (APIs) so you can manage them remotely. In a perfect world (this isn’t the case yet but it’s the trend), APIs would be standardized.

For an attacker, this is perfect. They can develop a script to remotely start or stop as many VMs as they need to launch their attack. Did someone say flexibility and remote management?

huge bandwidth

All these machines are on high-performance platforms and have powerful network connections with high bandwidth. What’s more, they are located all over the world. So as far as network access goes, there’s a strong chance they will hit their target hard.

impunity ensured by privacy protection?

Like I said above, cloud service providers have to take every measure available to make sure that all data they receive remains securely in the Cloud and that no one can access it without the owner’s permission. This rule of course applies to everyone, including the cloud provider’s administrators.

So it’s impossible to check out a suspicious VM. Which is great for attackers: their VMs will stay safely tucked away inside a cloud.

next time: security techniques

Yes, clouds can actually work to encourage denial of service attacks. And I didn’t even touch on all the possible scenarios: compromising vulnerable VMs, using PaaS platforms, etc.

It’s up to security professionals, service providers, and service operators to make sure the benefits of the cloud outweigh the drawbacks.

In a future post, I’ll talk about what kinds of measures cloud computing providers can take to combat the “botnet-ification” of their Cloud. Stay tuned!



Jean-François Audenard

Within the Orange Group security department, I am in charge of security watch and security awareness. Frankness, optimism and good humor are what drive me every day.