A new attack on cloud: economic denial on sustainability

November 16, 2021 Claranet Limited

While security in the Cloud becomes ever more bullet proof, it will always be a game of cat and mouse with the hackers out there. In this short introduction, Alex Hunt, Managed Security Services Practice Lead at Claranet, reviews one of the latest mousetraps.

While you may not know it by name, an Economic Denial of Sustainability (EDoS) is a derivative of a traditional DDoS or DoS attack.

In this scenario, an attacker generates various forms of traffic that ultimately stops your public facing assets from working. A simple example is your payment collection web applications being overwhelmed to the point that the server falls over.

Basically, you are hit… and hit hard.

So how does EDoS target businesses in the Cloud?

It's all about driving up your Cloud consumption. With your monthly bills spiralling out of control, that’s when the bad guys step in with a ransom demand.

The EDoS attempts to consume the resource in the same manner, but thanks to features that the cloud brings such as auto-scaling, the attackers can now consume resources and increase traffic flows not to take your services offline but actually to increase the cost in delivering those services. Auto scaling for example increases resources or replicates servers to handle load. Exactly what you want to respond to supply and demand.

However, consuming additional resources increases your bill at the end of the month. So by increasing traffic flow, attacks do not overwhelm the server to the point of collapse but rather overwhelm the resources so they are increased and continue to drive the consumption to the point where you receive a rather large bill at the end of the month.

So what are the main effects of this attack?

Driven consumption that sees no end in sight would mean lower income from legitimate user’s vs an increased charge for hosting those services. Ultimately a very large bill at the end of the month and continuing until you are able to mitigate the attack.

The challenge with this type of attack is how to mitigate it. Unfortunately DDoS based attacks are very difficult to handle as IP addresses involved can change, countries the attacks come from can change and sometimes it’s easier to ride out the storm.

The attackers do offer you a way out: payment. The attackers at times will ask for a monetary contribution to cease the attack, much in the same way Ransomware works. That’s why you may see this type of attack referenced as RDoS (Ransom Denial of Service) attacks.

If you are unlucky enough to lose your services and have them scale to deal with the load, you have a real problem. On the one hand you face increased charges for hosting your applications and running your infrastructure. But on the other, you are not serving your customers at all, so don’t be surprised when they go to another provider or competitor and you brand reputation is badly damaged.

How do you respond to an EDoS attack?

So you are assuming the answer would be to pay the Ransome, right? Wrong. There is no guarantee that the attack will stop when you pay and the likelihood is the attack will continue and further payments will be demanded.

So what is the mitigation?

Being proactive rather than reactive is always a bonus in the world of cyber security. As this series is focusing on AWS we can start there. AWS offers many security tools that are native and can be turned on very quickly. Let’s have a look at a tool built into AWS: AWS Shield is a managed DDoS protection service that provides always-on detection and automatic inline mitigations that minimises application downtime.

AWS Shield comes in two levels, Basic and Advanced. Our recommendation would be to look at the shield advanced option as it provides protection to applications running on EC2, ELB, Route53, CloudFront, and other platforms. Shield Advanced also help you prevent larger scale attacks and more attack types. One of its clear benefits is 24x7 access to the Shield Response Team. Another protection mechanism from Shield Advanced is it offers protection against DDoS related spikes against your resources from a cost perspective. So in the case of an EDoS your bill would actually be lower.

What else do I need to know?

DDoS attacks or EDoS attacks can be the primary focus of the attacker looking to score quick cash by distrupting services. However, while you believe these to be the primary focus of the attack they can often be the secondary objective, keeping you focused on the loss of services while they have found another way into the network. While your attention is elsewhere, they could be stealing data, adding accounts for persistence, or spinning up their own cloud-based resources in your accounts.

Quite often they are used as a distraction technique to hide the real objective. So, make sure you have monitoring enabled to keep track of new IAM accounts being created, changes or modifications to security groups or access policies, modified access to S3 buckets, S3 access logging being monitored and checked, and rules to inform you if your cloudtrail logs are being disabled. Other basic best practices would be to ensure you have MFA enabled, rotate keys often, use encryption on the data in your S3, and create cloudwatch rules to notify you of key changes to your AWS account such as new EC2 instances being launched in unused regions.

While the list of what you can do is long, perhaps a simpler approach is to reach out to a Cyber Security provider with the focus and expertise to make a real difference. Talk to us about our CREST accredited Security Operations Center and how it is available to support your cloud security needs.

Previous Article
SentinelOne Review
SentinelOne Review

SentinelOne is a 2021 Gartner Magic Quadrant for Endpoint Protection Platforms Leader.

Next Article
SentinelOne vs. Crowdstrike
SentinelOne vs. Crowdstrike

SentinelOne, in our view, offers higher levels of protection across a broader range of platforms than Crowd...