Bankruptcy Bots: How Your Cloud Is Used Against You
The Cloud has taken data storage by storm. Industry giants such as Microsoft’s Azure platform and Amazon Web Service support companies across the globe from fintech to farming. Almost every department across finance, inventory management and sales, often all depend on multiple cloud platforms to manage and protect their critical data.
And for good reason – cloud environments are fantastic for scalability. The dominance of the cloud is a result of its overall tight security, and drastically greater cost-effectiveness than physical data storage. However, it’s these exact unique selling points that are now being used by cyber criminals.
Despite high-quality security features such as distributed servers and cloud WAFs, criminals are finding new and concerning ways to undermine data (and brand) integrity. Now, they’re pushing cloud clients to the brink of bankruptcy.
Table of Contents
Amazon’s cloud infrastructure forms the backbone of many databases. Two major components to this are Amazon’s EC2 and Route 53.
As the user hops onto your site, Route 53 is the DNS service that connects the brand’s domain name with its 6-figure IP address. This helps the server identify which page to retrieve for the user. As the server finds and returns this page, it demands a very small amount of processing power. One user, browsing the web for around an hour, uses roughly 15MB of data.
Amazon’s EC2 cloud servers provide the CPU, memory, storage, and networking capacity to support your site as user numbers ebb and flow. Under normal day to day operations, this gives you the flexibility to efficiently maintain your site without overspending or underperforming. You pay only for the size of your resource pool. Cybercriminals know this, and are all too happy to take advantage of it.
A traditional DDoS attack utilizes a botnet, spamming a specific server with hundreds or thousands of requests. Manipulating the three-way handshake of a TCP, each bot requests data from the server without completing the final acknowledgement step. This not only places greater pressure on the server’s hardware, but also leaves the server languishing in a waiting state.
This way, a traditional DDoS can overwhelm a server’s resources and force a complete site outage.
The Cloud’s Double Edge
When a DDoS attack is applied to a cloud environment, forcing a site entirely offline is no longer feasible. This is one major advantage of a cloud database: because cloud services utilize distributed servers, you can retain normal business operations even while an attack is underway.
During an attack, cloud resources scale up to meet the additional traffic. Maintaining your business’ operations during an attack could be worth a slight bump in fees. However, DDoS attacks are changing. Old school methods were almost as demanding on the cyber criminals as it was for their victims: massive outages required similarly massive botnets, which are expensive to acquire and maintain.
However, DDoS amplification is shifting this balance in the criminals’ favor.
An amplified DDoS takes advantage of some firewalls’ block responses. Sending sequences of blocked traffic to a firewall forces the server to respond with an HTML block page. This process requires more resources than just loading the HTML page would.
This allows large botnets to launch apocalyptic attacks: even if a cloud server can handle the extra resource demands, attackers can keep upping the bandwidth to monstrous numbers Eventually, something has to give. Usually it’s the client’s budget, as the swollen resource management inflicts steeper and steeper costs.
In mid-2020, this came to a head when AWS was hit by the largest DDoS attack ever recorded. This attack saw 2.3 Terabytes of data usage per second.
This is how a DDoS becomes an Economic Denial of Service (EDoS): the attackers are not out to deny a company its site, or customers. Instead, they can simply attach a lead balloon to your bottom line and watch it sink.
Cloud Defense: An Impossible Task?
Cloud infrastructure is historically bad at recognizing DDoS attacks.
Because attackers use legitimate IPS addresses, DNS services like Route 53 cannot determine genuine user traffic from malicious botnet traffic. AWS’ own DDoS-mitigation platform, Shield Advanced, actually contributed to the 2020 attack when it began flagging legitimate traffic, adding to the outages.
A Distributed Defense
While DDoS attacks appear invulnerable thanks to their distribution, the same strategy can empower your own cloud and application defenses. Protecting your server is a shared responsibility between you and your cloud provider; your responsibility revolves around reducing the attack surface.
Your first form of defense is to isolate your internal traffic from the outside world. Focus on deploying instances without public IP addresses, if possible, and set a limit to the number of instances exposed to the internet.
The second layer of defense is your WAF appliance. The Web Application Firewall must be configured to receive only whitelisted HTTPs traffic.
Alongside this, WAFs actively monitor the amount of data flowing through your server. With threshold limits in place, the WAF can detect when the number of packets per second rises above the threshold. The WAF then logs and reports the suspicious activity.
Most WAFs also include a full reverse-proxy mode. This architecture separates the client-side requests from server-side. This protects the WAF’s performance, allowing it to inspect and block higher amounts of traffic without performance degradation. It also means that only legitimate traffic is sent on to the server.
Your cloud provider should have their own modules in place that focus on verifying server-side requests. One example is a combined VF and V node structure: here, V nodes use graphic Turing tests to verify requests at the site or application, while the Virtual Firewall automatically blacklists the failed IP address.
The final, last-ditch defense against an EDoS is to cut the automatic scaling mechanism. This unfortunately still places you in a catch-22 position, as you must choose between inflated cloud costs or unsatisfied customers.
Overall, there is no single technique that completely eliminates the risk of DDoS attacks for a cloud-based server. With collaborative infrastructure in place, however, you can retain a full, real-time overview of your cloud integrity – and make yourself less of a target.