Sunday, January 25, 2009

Cloud Attack: Economic Denial of Sustainability (EDoS)

Some interesting discussions recently on the topic of attacking the economic viability of cloud computing. Christofer Hoff, a popular security blogger and Chief Security Architect at Unisys, has coined a term for a new way of using so-called "cloud-based denial-of-service attacks": what he calls an "Economic Denial of Sustainability" (EDoS).

The general idea of an EDoS attack is to consume cloud resources in a way that undermines the economic drivers for using cloud infrastructure services. The goal is to make the cloud cost model unsustainable, so that it is no longer viable for a company to afford, or to pay for, its cloud-based infrastructure.

In Hoff's post he says: "Specifically, this usage-based model potentially enables $evil_person who knows that a service is cloud-based to manipulate service usage billing in orders of magnitude that could be disguised easily as legitimate use of the service but drive costs to unmanageable levels."

Adam O'Donnell, the Director of Emerging Technologies at Cloudmark, points out that "The billing models that underlie cloud services may not be mature enough to properly account for an EDoS-like attack."

What this means is that using the cloud simply as an easy way to scale your environment may soon not be enough. Traditional scaling and performance planning may quickly give way to cost-based scaling methodologies. These cost-centric approaches to scaling cloud infrastructure will look beyond superficial metrics such as your application's load time and focus instead on how much it is actually costing you.

The ability to adjust to real-time economic factors may soon play an equally critical role in a company's decision to use "the cloud", or to continue using it. This is particularly true of infrastructure-as-a-service offerings such as Amazon or GoGrid, where costs are passed directly on to the users of the service on a pay-per-use basis.

In the platform-as-a-service world this may not be as big an issue, because of the economies of scale that companies like Google and Microsoft bring to bear. But for smaller providers or DIY clouds, this could pose a major problem.

The classic example Amazon and others use is that of Animoto, but what if 50% of Animoto's traffic were purely that of an upset customer looking to break the bank? Never underestimate the power of an upset customer's or ex-employee's vendetta. Worse yet, what if that irate customer used the cloud itself as the means to mount a denial-of-sustainability attack? It has become easier than ever to acquire fake credit card numbers.

For a while it seemed cloud computing was advancing more quickly than the criminals, but this is probably a short-lived trend, and one that may already have passed. In the very near future the next generation of cloud-based capacity planning and scaling may focus more on building cost-based strategies alongside load and user experience: a strategy capable of determining the optimal cost while also providing the comparisons, along with everything else, that you need to be competitive.
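To make the cost-based scaling idea from the paragraphs above concrete, here is an added example (not code from the original post, Hoff, or any cloud provider) of a toy scaling controller that gates its decisions on spend rate rather than on latency alone. The per-instance-hour and per-GB egress prices, the hourly budget, the latency SLO and the sample traffic windows are all constructed placeholder values; the 3x cost-per-request anomaly factor is likewise an assumed threshold, not a figure from the page. The controller projects the current window's bill to an hourly rate, refuses to scale out when the next instance would push spend past the budget, throttles when the budget is already exceeded even if each request looks legitimate, and raises an alert when the cost per request jumps far above the historical baseline.

```python
"""Budget-aware scaling decisions: an added illustration of cost-centric scaling.

All prices, budgets and traffic figures below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rates:
    """Pay-per-use prices (placeholder values, not any provider's price list)."""
    instance_hour: float  # $ per instance-hour
    egress_gb: float      # $ per GB transferred out


@dataclass(frozen=True)
class Window:
    """Metrics observed over one control interval (constructed sample data)."""
    minutes: int
    requests: int
    egress_gb: float
    instances: int
    p95_latency_ms: float


def window_cost(w: Window, rates: Rates, instances: Optional[int] = None) -> float:
    """Bill for this window: instance time plus data egress."""
    n = w.instances if instances is None else instances
    return n * rates.instance_hour * w.minutes / 60.0 + w.egress_gb * rates.egress_gb


def projected_hourly_cost(w: Window, rates: Rates, instances: Optional[int] = None) -> float:
    """Extrapolate the window's bill to a spend rate in $ per hour."""
    return window_cost(w, rates, instances) * 60.0 / w.minutes


def cost_per_request(w: Window, rates: Rates) -> float:
    """Average $ spent per served request; EDoS traffic that is dressed up as
    legitimate use often has a normal value here, which is why the budget
    gate below does not rely on it alone."""
    return window_cost(w, rates) / w.requests if w.requests else 0.0


def decide(w: Window, rates: Rates, hourly_budget: float, baseline_cpr: float,
           latency_slo_ms: float = 300.0, anomaly_factor: float = 3.0) -> Tuple[str, str]:
    """Return (action, reason) where action is one of
    'alert', 'throttle', 'scale_out' or 'hold'.

    A classic load-based autoscaler would look only at p95 latency and add
    capacity. Here spend rate and cost-per-request are checked first, so that
    scaling out can never run the bill past the budget."""
    hourly = projected_hourly_cost(w, rates)
    cpr = cost_per_request(w, rates)

    # Requests that cost far more than usual (e.g. unusually heavy egress per
    # request) are flagged for a human rather than auto-scaled.
    if baseline_cpr > 0 and cpr > anomaly_factor * baseline_cpr:
        return "alert", f"cost/request {cpr:.2e} is {cpr / baseline_cpr:.1f}x baseline"

    # Spend rate already over budget: shed load instead of buying capacity.
    if hourly > hourly_budget:
        return "throttle", f"spend ${hourly:.2f}/h exceeds budget ${hourly_budget:.2f}/h"

    # Latency SLO breached: scale out only if one more instance fits the budget.
    if w.p95_latency_ms > latency_slo_ms:
        with_one_more = projected_hourly_cost(w, rates, w.instances + 1)
        if with_one_more <= hourly_budget:
            return "scale_out", f"p95 {w.p95_latency_ms:.0f}ms; +1 instance -> ${with_one_more:.2f}/h"
        return "throttle", f"p95 {w.p95_latency_ms:.0f}ms but +1 instance -> ${with_one_more:.2f}/h over budget"

    return "hold", f"spend ${hourly:.2f}/h within budget, p95 {w.p95_latency_ms:.0f}ms within SLO"


# Constructed sample data: prices, a budget, a quiet baseline window and three
# later windows (a legitimate spike, a volume flood, and expensive requests).
RATES = Rates(instance_hour=0.10, egress_gb=0.15)
HOURLY_BUDGET = 5.0
NORMAL = Window(minutes=10, requests=6000, egress_gb=2.0, instances=4, p95_latency_ms=120.0)
LEGIT_SPIKE = Window(minutes=10, requests=12000, egress_gb=4.0, instances=4, p95_latency_ms=450.0)
VOLUME_FLOOD = Window(minutes=10, requests=30000, egress_gb=10.0, instances=4, p95_latency_ms=500.0)
EXPENSIVE = Window(minutes=10, requests=3000, egress_gb=12.0, instances=4, p95_latency_ms=200.0)
BASELINE_CPR = cost_per_request(NORMAL, RATES)


def run_demo() -> dict:
    """Evaluate each sample window and return the chosen actions by name."""
    windows = {"normal": NORMAL, "legit_spike": LEGIT_SPIKE,
               "volume_flood": VOLUME_FLOOD, "expensive": EXPENSIVE}
    return {name: decide(w, RATES, HOURLY_BUDGET, BASELINE_CPR)[0] for name, w in windows.items()}


if __name__ == "__main__":
    for name, w in (("normal", NORMAL), ("legit_spike", LEGIT_SPIKE),
                    ("volume_flood", VOLUME_FLOOD), ("expensive", EXPENSIVE)):
        action, reason = decide(w, RATES, HOURLY_BUDGET, BASELINE_CPR)
        print(f"{name:13s} -> {action:9s} ({reason})")
```

The point of the ordering in `decide` is that the budget gate fires on the volume flood even though its cost per request is indistinguishable from normal traffic, which is exactly the "disguised as legitimate use" case Hoff describes; the cost-per-request check catches the other shape of abuse, where each request is individually expensive. In practice the budget and baseline would come from billing data and a rolling history rather than constants.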
