News

Black Hat: Will New Breed of DOS Attacks Make Cloud Unaffordable?

• By William Jackson
• 01/20/2011

The cloud is the current Next Big Thing in computing, and the Next Big Thing in attacks could be a new breed of economic denial-of-service attacks intended to use up resources and drive up the cost of cloud computing, warns a senior security researcher at Adobe Systems.

"DOS is the next battleground," Bryan Sullivan said Wednesday at the Black Hat Federal conference being held in Arlington, Va. "That's where the future is going."

The new generation of attacks described by Sullivan operate high in Layer 7, the application layer of the Open Systems Interconnection model, and target specific lines of code in a specific application. Although the impact is less widespread than a traditional Layer 4 distributed DOS attack using the resources of a botnet, it is highly targeted and effective. A single HTTP request of several hundred bytes could crash a server.

Crashing a server is not always easy in the cloud because additional resources can be available as needed to support sharp spikes in demand. But those resources are not free, and an attack could make it economically prohibitive to keep the attacked server or services running. This opens up the possibility of extortion by an attacker, who could threaten to drive up costs or disrupt service for an enterprise. Sullivan called this scenario an "economic denial of sustainability."

The move to the cloud comes at the same time that exploitable bugs are becoming harder to find in code. These bugs traditionally have been used in elevation-of-privilege attacks that can allow an attacker to take over a computer or gain access to resources. But the National Vulnerability Database showed a 20 percent drop in the number of reported vulnerabilities in 2010, as secure development methodologies are bearing fruit and vendors are producing better software.

"The hackers are going to go after the next-lowest hanging fruit on the vulnerability tree, and I think it's clear that DOS is the lowest hanging fruit," Sullivan said.

Because elevation-of-privilege attacks have been the sexy attacks for years among researchers, the dangers of well-executed, targeted DOS attacks has been under-examined, Sullivan said. "But the attackers will not leave this unexplored."

Examples of such attacks described by Sullivan included creating an infinite loop in an application process, making it unavailable by tying up essential services, and the use of Zip bombs. A Zip bomb is a file containing multiple nested compressed files that expand exponentially when unzipped, creating files of petabyte size that can cost tens of thousands of dollars in cloud resources.

A similar attack uses Extensible Markup Language entity macros, a tool for calling up additional data for an XML entry. If these macros are nested, a tiny payload can produce gigabytes of content when parsed, consuming memory and potentially crashing a machine.

These attacks are not unknown and there often are defenses against them, such as turning off XML entity resolution if it is not needed or controlling its activity with rules if it is needed. The threat is not that the defenses are difficult or expensive but that they have not been thought about as enterprises move resources to the cloud, Sullivan said.

"With the move to cloud resources, we need to nip these things in the bud now before it becomes a big problem," he said.