Could a new breed of DOS attacks make the cloud unaffordable?

January 19, 2011, by David
Grazed from Government Computer News.  Author: William Jackson.

The cloud is the current Next Big Thing in computing, and the Next Big Thing in attacks could be a new breed of economic denial-of-service attacks intended to use up resources and drive up the cost of cloud computing, warns a senior security researcher at Adobe Systems.

“DOS is the next battleground,” Bryan Sullivan said Wednesday at the Black Hat Federal conference being held in Arlington, Va. “That’s where the future is going.”

The new generation of attacks Sullivan described operates at Layer 7, the application layer of the Open Systems Interconnection model, and targets specific lines of code in a specific application. Although the impact is less widespread than that of a traditional Layer 4 distributed DOS attack using the resources of a botnet, such an attack is highly targeted and effective. A single HTTP request of several hundred bytes could crash a server.

Crashing a server is not always easy in the cloud because additional resources can be available as needed to support sharp spikes in demand. But those resources are not free, and an attack could make it economically prohibitive to keep the attacked server or services running. This opens up the possibility of extortion by an attacker, who could threaten to drive up costs or disrupt service for an enterprise. Sullivan called this scenario an “economic denial of sustainability.”
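The asymmetry described above (a request of a few hundred bytes that consumes seconds of server time) is also what makes this class of attack detectable. The following is an added example, not code from the article or from Sullivan's talk: it scans constructed access-log lines (format assumed: method, path, status, request bytes, server milliseconds), ranks endpoints by server time per request byte, and estimates how many instances an autoscaler would add under a sustained rate, which is the cost the article calls "economic denial of sustainability".

```python
import math
import re
import statistics
from collections import defaultdict

# Constructed sample log (not from the article). Assumed fields:
# method path status request_bytes server_ms
SAMPLE_LOG = """\
GET /index.html 200 312 4
GET /index.html 200 298 5
GET /api/search?q=a 200 350 30
GET /api/search?q=b 200 355 28
POST /api/report 200 410 12000
POST /api/report 200 405 11800
GET /index.html 200 300 4
"""

# Query strings are stripped so that requests to one endpoint bucket together.
LINE_RE = re.compile(r"^(\S+) (\S+?)(?:\?\S*)? (\d{3}) (\d+) (\d+)$")

def parse(log):
    """Return (method, path, request_bytes, server_ms) tuples for well-formed lines."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            method, path, _status, req_bytes, ms = m.groups()
            rows.append((method, path, int(req_bytes), int(ms)))
    return rows

def amplification_by_endpoint(rows):
    """Median server milliseconds per request byte, keyed by (method, path)."""
    buckets = defaultdict(list)
    for method, path, req_bytes, ms in rows:
        buckets[(method, path)].append(ms / max(req_bytes, 1))
    return {k: statistics.median(v) for k, v in buckets.items()}

def flag_asymmetric(rows, factor=10.0):
    """Endpoints whose cost per request byte exceeds the site-wide median by `factor`."""
    amp = amplification_by_endpoint(rows)
    baseline = statistics.median(amp.values())
    return sorted(k for k, v in amp.items() if v > factor * baseline)

def instances_needed(rows, endpoint, req_per_sec, instance_capacity_ms=1000.0):
    """Single-core instances an autoscaler would need to absorb `req_per_sec` calls
    to `endpoint`, assuming a linear model (hypothetical simplification)."""
    times = [ms for m, p, _b, ms in rows if (m, p) == endpoint]
    demand_ms_per_s = statistics.median(times) * req_per_sec
    return math.ceil(demand_ms_per_s / instance_capacity_ms)
```

On the sample data the report endpoint costs roughly 29 ms of server time per request byte, and a modest 10 requests per second would keep well over a hundred instances busy.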

The move to the cloud comes at the same time that exploitable bugs are becoming harder to find in code. These bugs traditionally have been used in elevation-of-privilege attacks that can allow an attacker to take over a computer or gain access to resources. But the National Vulnerability Database showed a 20 percent drop in the number of reported vulnerabilities in 2010, as secure development methodologies are bearing fruit and vendors are producing better software.

“The hackers are going to go after the next-lowest hanging fruit on the vulnerability tree, and I think it’s clear that DOS is the lowest hanging fruit,” Sullivan said.

Because elevation-of-privilege attacks have been the sexy attacks for years among researchers, the dangers of well-executed, targeted DOS attacks have been under-examined, Sullivan said. “But the attackers will not leave this unexplored.”