Black Hat: Will New Breed of DOS Attacks Make Cloud Unaffordable?

The cloud is the current Next Big Thing in computing, and the Next Big Thing in attacks could be a new breed of economic denial-of-service attacks intended to use up resources and drive up the cost of cloud computing, warns a senior security researcher at Adobe Systems.

"DOS is the next battleground," Bryan Sullivan said Wednesday at the Black Hat Federal conference being held in Arlington, Va. "That's where the future is going."

The new generation of attacks described by Sullivan operate high in Layer 7, the application layer of the Open Systems Interconnection model, and target specific lines of code in a specific application. Although the impact is less widespread than a traditional Layer 4 distributed DOS attack using the resources of a botnet, it is highly targeted and effective. A single HTTP request of several hundred bytes could crash a server.

Crashing a server is not always easy in the cloud because additional resources can be available as needed to support sharp spikes in demand. But those resources are not free, and an attack could make it economically prohibitive to keep the attacked server or services running. This opens up the possibility of extortion by an attacker, who could threaten to drive up costs or disrupt service for an enterprise. Sullivan called this scenario an "economic denial of sustainability."

The move to the cloud comes at the same time that exploitable bugs are becoming harder to find in code. These bugs traditionally have been used in elevation-of-privilege attacks that can allow an attacker to take over a computer or gain access to resources. But the National Vulnerability Database showed a 20 percent drop in the number of reported vulnerabilities in 2010, as secure development methodologies are bearing fruit and vendors are producing better software.

"The hackers are going to go after the next-lowest hanging fruit on the vulnerability tree, and I think it's clear that DOS is the lowest hanging fruit," Sullivan said.

Because elevation-of-privilege attacks have been the sexy attacks for years among researchers, the dangers of well-executed, targeted DOS attacks has been under-examined, Sullivan said. "But the attackers will not leave this unexplored."

Examples of such attacks described by Sullivan included creating an infinite loop in an application process, making it unavailable by tying up essential services, and the use of Zip bombs. A Zip bomb is a file containing multiple nested compressed files that expand exponentially when unzipped, creating files of petabyte size that can cost tens of thousands of dollars in cloud resources.

A similar attack uses Extensible Markup Language entity macros, a tool for calling up additional data for an XML entry. If these macros are nested, a tiny payload can produce gigabytes of content when parsed, consuming memory and potentially crashing a machine.

These attacks are not unknown and there often are defenses against them, such as turning off XML entity resolution if it is not needed or controlling its activity with rules if it is needed. The threat is not that the defenses are difficult or expensive but that they have not been thought about as enterprises move resources to the cloud, Sullivan said.

"With the move to cloud resources, we need to nip these things in the bud now before it becomes a big problem," he said.

About the Author

William Jackson is the senior writer for Government Computer News (

comments powered by Disqus

Reader Comments:

Tue, Jan 25, 2011 Chris Tampa Bay Area Fl USA

Excellent article. The real allure of a DDOS attack on a cloud asset is that unlike a traditional resource that controls a single, definite entity, a cloud resource would have the additional appeal that its data could be from anywhere, belonging to anyone -- winning the perp bragging rights to taking down a large block of businesses or even general public traffic. Just a few 'hits' could cause great psychological damage not only to cloud services but to the entire cloud model itself, rendering this great potential service unuseable. This is why it is essential that security professionals and their trainers and curricula keep up to the minute with cloud-computing security issues such as these.

Mon, Jan 24, 2011 Jon von Gunten California

Responsibility for keeping the cloud safe lies with us who consider ourselves more savvy than our aunts, neighbors and bubbly fresh grads. *With some admitted exceptions,* an honestly bought O/S, kept well patched, then protected with an anti-malware suite will not be penetrated by the mass-prospecting techniques hackers use to find vulnerable PCs. PLEASE make it your ongoing mission to educate the trusting, non-technical, wide-eyed innocents out there so they never become essentially "accessories to cyber-crime" by leaving their PCs open to attack. Every one that's unprotected and eventually penetrated will then stream out millions of DDOS hits on innocent and productive Web sites. YOU already know that, but you know ten people who do not. It's up to us to constantly preach this message to the unschooled.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.