You may have read about an interesting new attack vector. It has been given the cool name of the Denial-of-Money attack. The first published case (which was actually an accident) happened to Panos Ipeirotis, an Associate Professor at the Leonard N. Stern School of Business of New York University.

His story in a nutshell is that he ran up an Amazon AWS bill of more than $1700 in a couple of hours. The root cause of the problem was that he shared 250 GB of images in an S3 bucket and used the thumbnails of these images in a Google spreadsheet. As it turned out, Google doesn’t cache content in this case because it is considered private. Instead of caching, Google simply downloaded all 250 GB every hour, which cost a huge amount of money (although in the end Amazon refunded it).

This is how the ‘Denial-of-Money’ attack, as Professor Ipeirotis called it, was born. It means that anybody could generate traffic to a target website to drive up its owner’s bills. This kind of attack could have been applicable before the cloud era as well, because resources and performance have always cost money in one way or another. With public clouds, though, the connection between performance and costs is obvious.

You can think of numerous attack scenarios (leave a comment if you have one), but I will give one that just popped into my head as an example. Imagine company A, which runs a cool service that is doing quite well. Since the clouds give a great opportunity to startups, company B starts a new service quite similar to company A’s. Company A sees a potential competitor that should be stopped. Hence company A starts a Denial-of-Money attack. Company B’s business model was based on the idea that their income will cover the costs of their infrastructure in the cloud. Unfortunately, this way company A can drive up the costs of company B’s infrastructure without paying, and that could lead to the bankruptcy of company B.

Various techniques could be used to launch a Denial-of-Money attack. Which one mostly depends on the services that the target system uses in the cloud. It could be generating network traffic, downloading data or even initiating a huge number of DNS resolutions.

After all, this attack vector still has something on the pro side. It could draw attention to the fact that IT resources are resources just like electricity or oil, and they do cost money. Usually they are treated as if there were no limit. In an average application, optimization is only done when there is a usability problem and never to save, for instance, bandwidth. As clouds brought a direct mapping from resources to money, people might see that somebody will pay for a wasteful implementation. The problem is that it will probably be someone else.

To add some value to this post, here are a few things you can do to avoid this kind of attack:

  • Don’t share things on the Internet that are not actually used there.
  • Most cloud providers offer services to send notifications. Use them to send alerts when unexpected traffic is detected.
  • You could set a rate limit for some services, which somewhat kills the whole idea of scalable clouds, but it could still be useful.
  • The protection mechanisms against plain DoS could also work in this case.
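
The alerting advice above, as an added example that is not from the original post: it sums egress cost per hour from constructed request records, flags hours over a budget, and marks the top client when it re-downloads the same objects hour after hour (the non-caching pattern from the story). The price per GB, the budget, the client names and the record layout are assumptions.

```python
from collections import defaultdict

GB = 1024 ** 3
PRICE_PER_GB = 0.12       # assumed egress price in USD per GB (not from the post)
HOURLY_BUDGET_USD = 5.00  # assumed alert threshold

# Constructed sample records: (hour, client, object key, bytes sent).
RECORDS = [
    ("h00", "visitor", "img/a.jpg", 1 * GB),
    ("h00", "visitor", "img/b.jpg", 2 * GB),
    ("h01", "visitor", "img/c.jpg", 1 * GB),
    ("h01", "fetcher", "img/a.jpg", 125 * GB),
    ("h01", "fetcher", "img/b.jpg", 125 * GB),
    ("h02", "fetcher", "img/a.jpg", 125 * GB),
    ("h02", "fetcher", "img/b.jpg", 125 * GB),
]

def hourly_cost(records, price=PRICE_PER_GB):
    """Return {hour: {client: egress cost in USD}}."""
    cost = defaultdict(lambda: defaultdict(float))
    for hour, client, _key, sent in records:
        cost[hour][client] += sent / GB * price
    return cost

def refetchers(records):
    """Clients that pulled the same object in more than one hour,
    i.e. consumers that are not caching what they download."""
    hours_seen = defaultdict(set)
    for hour, client, key, _sent in records:
        hours_seen[(client, key)].add(hour)
    return {client for (client, _key), hours in hours_seen.items() if len(hours) > 1}

def alerts(records, budget=HOURLY_BUDGET_USD):
    """List (hour, total USD, top client, top client refetches?) for hours over budget."""
    repeat = refetchers(records)
    found = []
    for hour, per_client in sorted(hourly_cost(records).items()):
        total = sum(per_client.values())
        if total > budget:
            top = max(per_client, key=per_client.get)
            found.append((hour, round(total, 2), top, top in repeat))
    return found

if __name__ == "__main__":
    for hour, usd, client, repeats in alerts(RECORDS):
        print(f"ALERT {hour}: ${usd:.2f} egress, top client {client}, refetching={repeats}")
```

In practice the records would come from the provider's access logs and the alert would go out through its notification service instead of `print`.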

Hopefully the Denial-of-Money attack won’t become a real threat, but be prepared, save resources and turn off the light when leaving the room.