Introduction
Cloud computing moves workloads off a user's own systems and onto a provider's infrastructure over an ordinary Internet connection, with users paying only for the servers, networks, applications and storage they actually provision. As enterprises rapidly adopt cloud services to cover their compute and infrastructure needs, protecting the cloud estate from cyber risk and security vulnerabilities becomes increasingly challenging. Malware injection, DNS and DDoS attacks, metadata spoofing and other intrusion techniques all stand as key barriers to the advancement of cloud-based services.
EDoS – The next big threat to cloud
Of all the attacks a cloud environment faces, DDoS is the one it is most exposed to, and the impact lands on security and risk management, on already constrained budgets and on escalating costs. A variant specific to cloud infrastructure, Economic Denial of Sustainability (EDoS), turns the cloud's own elasticity and auto-scaling against the customer: rather than knocking the service over, it inflates the cloud bill until running the service is no longer affordable, and the victim is forced to withdraw or scale back services.
EDoS is carried out by stealthily sending bogus requests from remotely controlled bots. The attacker's goal is not to take the service down but to force extra resource consumption: traffic is raised just far enough, for long enough, to keep triggering scale-out, so the victim pays for capacity that serves no real users. Because the platform keeps absorbing the load, the service stays up and the damage appears on the invoice rather than in an outage.
Traditional incident response techniques are inadequate to counter EDoS attacks for a variety of reasons:
- EDoS traffic is spread across many bot sources, so IP-reputation checks only catch it when an attacker happens to use an IP that is already known to be high-risk or malicious.
- End users are initially unaffected, because cloud resources scale up to meet the rise in traffic until the budget is exhausted; availability and performance metrics therefore show nothing wrong until the account is effectively insolvent.
- Hardened, fully patched systems do not help, because EDoS does not exploit a vulnerability in the conventional sense: every request is one the application was built to serve, and the cost of serving it is the attack.
- Without an established interface between incident response tooling and the cloud's cost-management and auto-scaling controls, the responder cannot act with existing tools even when an EDoS attack is detected.
Why do attackers use EDoS to harm your business?
EDoS, like the early DDoS attacks, aims to disrupt businesses and cause financial loss. For the attacker it is a demonstration of power, whether the motive is revenge against a specific organization or money obtained by demanding a ransom. DDoS is today a billion-dollar business, with DoS platforms offered as a service, and EDoS is expected to grow alongside it; business models and ecosystems should provision for it beforehand.
Mitigating EDoS attacks
The biggest challenge is identifying the EDoS attack in the first place. Because it looks like a normal scale-up in cloud consumption, traditional security tools cannot tell it apart from legitimate growth; the signal to watch is traffic and spend rising while the useful work the service performs (orders, logins, authenticated API calls) does not. Once an attack is detected, the stop-loss is to cap or disable the auto-scaling mechanism so the bill stops growing, then filter the offending traffic. Note that capping auto-scaling converts an EDoS into an ordinary denial of service for the duration, so it limits the financial damage rather than ending the attack.
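The detection and stop-loss logic described above, as an added example that is not part of the original article. It runs over constructed 5-minute metric windows for a web tier; the instance price, hourly budget, the "conversions" metric used as the genuine-use signal, and the Auto Scaling group name are all assumptions. The stop-loss builds the arguments for boto3's autoscaling update_auto_scaling_group call but does not call AWS, so it runs offline.

```python
"""EDoS stop-loss guard (added example, not from the original article).

Constructed sample: one record per 5-minute window for a web tier.
'conversions' stands in for any signal of genuine use (orders, logins,
authenticated API calls). EDoS traffic drives requests and instance
count up while that signal stays flat, which is the tell that latency
and availability metrics never show.
"""
import math
from dataclasses import dataclass


@dataclass
class Window:
    minute: int        # start of the 5-minute window
    requests: int      # requests served in the window
    instances: int     # running instances at the end of the window
    conversions: int   # genuine-use signal in the window


PRICE_PER_INSTANCE_HOUR = 0.20   # assumed on-demand price, USD
HOURLY_BUDGET = 4.00             # assumed spend ceiling, USD per hour
RATIO_FACTOR = 3.0               # requests-per-conversion multiple that counts as abnormal

SAMPLE = [  # constructed: a quiet baseline followed by a slow EDoS ramp
    Window(0, 1200, 4, 60), Window(5, 1250, 4, 62), Window(10, 1180, 4, 59),
    Window(15, 1300, 4, 63), Window(20, 1220, 4, 61), Window(25, 1260, 4, 60),
    Window(30, 2500, 6, 61), Window(35, 4800, 9, 62), Window(40, 9000, 16, 60),
    Window(45, 17000, 30, 61), Window(50, 33000, 55, 63), Window(55, 64000, 104, 62),
]


def baseline(windows, n=6):
    """Normal requests per conversion and peak instance count, from the first n windows."""
    first = windows[:n]
    ratio = sum(w.requests for w in first) / sum(w.conversions for w in first)
    return ratio, max(w.instances for w in first)


def hourly_spend(w):
    return w.instances * PRICE_PER_INSTANCE_HOUR


def classify(w, base_ratio):
    """'stop_loss' once spend is over budget, 'edos_suspected' when traffic
    grows without genuine use growing with it, otherwise 'normal'."""
    if hourly_spend(w) > HOURLY_BUDGET:
        return "stop_loss"
    if w.requests / max(w.conversions, 1) > RATIO_FACTOR * base_ratio:
        return "edos_suspected"
    return "normal"


def first_alert(windows):
    """(minute, verdict) of the first abnormal window, or None."""
    base_ratio, _ = baseline(windows)
    for w in windows:
        verdict = classify(w, base_ratio)
        if verdict != "normal":
            return w.minute, verdict
    return None


def cap_scaling_params(asg_name, windows, headroom=1.25):
    """Arguments that pin an Auto Scaling group's ceiling near pre-attack
    capacity. They match boto3's
    autoscaling.update_auto_scaling_group(**params); this offline example
    returns them instead of calling AWS."""
    _, base_instances = baseline(windows)
    cap = math.ceil(base_instances * headroom)
    return {"AutoScalingGroupName": asg_name, "MaxSize": cap, "DesiredCapacity": cap}


if __name__ == "__main__":
    alert = first_alert(SAMPLE)
    print("first alert:", alert)
    if alert:
        print("stop-loss params:", cap_scaling_params("web-asg", SAMPLE))
```

On the constructed data the ratio check fires at minute 35, while the instance count is still only 9 and the bill is well under budget; the budget check alone would not fire until minute 45. A genuine traffic surge (a marketing campaign, for instance) raises conversions along with requests and keeps the ratio near baseline, which is why the ratio, not raw volume, is the discriminating signal. Thresholds and the budget need tuning per service.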
In cyber security, being proactive has proven more beneficial than responding after damage or loss has occurred. With the focus on security tools and offerings, let us look at what AWS, Azure and GCP build in for centralized security checks, alerts and protection.
AWS Shield is a managed DDoS protection service providing continuous detection and automated inline mitigation that minimizes application downtime. It comes in two tiers, Shield Standard and Shield Advanced. Shield Advanced is the one to consider for applications running on EC2, ELB, CloudFront, Global Accelerator and Route 53 that need protection from a broad set of large attacks, with 24/7 access to the Shield Response Team; for EDoS specifically, Shield Advanced also includes cost protection, which credits the scaling charges incurred on protected resources during a confirmed DDoS attack.
Azure DDoS Protection provides always-on traffic monitoring and automatic mitigation of network-layer attacks against Azure resources, and likewise offers cost-protection credits for scale-out and data-transfer charges caused by a documented attack. Azure Web Application Firewall (WAF) adds policy rules that control access at the application layer and protect against SQL injection, cross-site scripting and other web-related vulnerabilities.
Google Cloud Armor uses ML-driven models (Adaptive Protection) that analyze traffic signals across web services to detect potential threats and attacks. It can identify high-volume DDoS attacks, flag the abnormal traffic behind them and reduce their impact, and its always-on DDoS protection covers applications and services deployed behind Google Cloud load balancers.
Mitigating EDoS also calls for a virtual (cloud) firewall or WAF that performs real-time traffic analysis to separate genuine users from attack traffic. It filters and monitors incoming packets and requests, applying security policy rules to segregate and block suspicious and unapproved requests; per-source rate limits weighted by how expensive each request is to serve are the most direct of these rules, since EDoS traffic favours costly endpoints. The objective is to detect an attack early and not wait until billing exceeds the budget. Bear in mind that a botnet spread across many addresses stays under any per-IP limit, so such rules need to be backed by an overall traffic or spend ceiling.
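The cost-weighted per-source filtering described above, as an added example that is not part of the original article. It reads Common Log Format access lines, keeps a 60-second sliding window per source and blocks a source once its weighted request cost exceeds a budget. The log lines, the endpoint cost weights and the budget are constructed assumptions for a hypothetical shop; the output is a list of /32 entries in the form an AWS WAF IP set or a firewall deny list accepts.

```python
"""Cost-weighted per-source rate limiting over web access logs (added
example, not from the original article). Lines are in Common Log Format;
the sample traffic is constructed. Endpoint weights are assumptions for
a hypothetical shop: each /search or /report hit costs far more CPU and
database time than a static asset, which is exactly what an EDoS
attacker prefers to request.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
COST = {"/search": 5, "/report": 8}   # assumed relative cost to serve
DEFAULT_COST = 1
WINDOW = timedelta(seconds=60)
BUDGET = 60                           # weighted requests allowed per source per window


def parse(line):
    """(ip, timestamp, path-without-query) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0]


def offenders(lines):
    """Map of source IP -> time it first exceeded BUDGET within a sliding WINDOW."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[1])
    recent = defaultdict(deque)   # per IP: (timestamp, cost) still inside the window
    spent = defaultdict(int)      # per IP: sum of costs in `recent`
    blocked = {}
    for ip, ts, path in events:
        q = recent[ip]
        while q and ts - q[0][0] > WINDOW:
            spent[ip] -= q.popleft()[1]   # evict requests older than the window
        cost = COST.get(path, DEFAULT_COST)
        q.append((ts, cost))
        spent[ip] += cost
        if spent[ip] > BUDGET and ip not in blocked:
            blocked[ip] = ts
    return blocked


def ipset_entries(blocked):
    """CIDR entries in the form an AWS WAF IP set or a firewall deny list takes."""
    return sorted(f"{ip}/32" for ip in blocked)


# Constructed sample traffic, one minute starting at T0.
T0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def _line(ip, t, path):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    # bot hammering the expensive search endpoint every 2 s
    [_line("203.0.113.7", T0 + timedelta(seconds=2 * i), "/search?q=x") for i in range(25)]
    # a real shopper browsing, with a couple of searches
    + [_line("198.51.100.4", T0 + timedelta(seconds=7 * i), p) for i, p in enumerate(
        ["/", "/search?q=shoes", "/item/1", "/cart", "/checkout", "/", "/item/2", "/search?q=hat"])]
    # a busy but cheap client fetching a static asset once per second
    + [_line("192.0.2.9", T0 + timedelta(seconds=i), "/static/logo.png") for i in range(30)]
)

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"block {ip}: budget exceeded at {when.isoformat()}")
    print("deny list:", ipset_entries(hits))
```

The bot is cut off on its 13th search, 24 seconds in, while the client fetching 30 static files a minute is left alone because its requests are cheap; a plain request-per-minute limit would have treated the two the other way round. The same weighting can be expressed directly in a WAF rate-based rule by scoping the rule to the expensive paths rather than counting all requests equally.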
Additionally, make sure MFA is enabled, that auditing tracks the creation of new IAM users, and that encryption for S3 data is on. Notification and tracking of changes to security groups and access policies, of changes to S3 bucket access, and regular review of S3 access logs are equally important to keep watch on cloud account security. Finally, set budget alerts (AWS Budgets, Azure Cost Management budgets or Google Cloud billing budgets) so that a sudden rise in spend pages someone before the invoice does.
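The account-hygiene checks above expressed as detection logic over CloudTrail events, as an added example that is not part of the original article. The field names follow the CloudTrail record format (eventName, userIdentity, requestParameters, additionalEventData, sourceIPAddress); the events, user names, group IDs and bucket names are constructed. It flags new IAM users, console logins without MFA, security group rules opened to the world, S3 bucket access changes and removal of bucket encryption.

```python
"""Triage of CloudTrail events for account-hygiene alerts (added example,
not from the original article). Field names follow the CloudTrail record
format; the sample events are constructed.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
S3_ACCESS_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
}


def world_open_rules(params):
    """Rules in an AuthorizeSecurityGroupIngress request that admit any address."""
    found = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                found.append(f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')} from {cidr}")
    return found


def triage(event):
    """(severity, message) for an event worth an alert, else None."""
    name = event.get("eventName")
    who = event.get("userIdentity", {}).get("arn", "unknown")
    params = event.get("requestParameters") or {}
    if name == "CreateUser":
        return "HIGH", f"new IAM user {params.get('userName')} created by {who}"
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        return "HIGH", f"console login without MFA by {who} from {event.get('sourceIPAddress')}"
    if name == "AuthorizeSecurityGroupIngress":
        opened = world_open_rules(params)
        if opened:
            return "HIGH", f"{params.get('groupId')} opened to the world ({'; '.join(opened)}) by {who}"
        return "MEDIUM", f"ingress rule added to {params.get('groupId')} by {who}"
    if name == "DeleteBucketEncryption":
        return "HIGH", f"default encryption removed from bucket {params.get('bucketName')} by {who}"
    if name in S3_ACCESS_EVENTS:
        return "MEDIUM", f"{name} on bucket {params.get('bucketName')} by {who}"
    return None


def triage_lines(lines):
    """Findings for JSON-encoded CloudTrail events, benign ones skipped."""
    return [f for f in (triage(json.loads(line)) for line in lines) if f]


def _ev(name, user, **extra):
    """Build one constructed CloudTrail event as a JSON line."""
    base = {"eventVersion": "1.08", "eventName": name, "sourceIPAddress": "203.0.113.5",
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{user}"}}
    return json.dumps({**base, **extra})


SAMPLE_EVENTS = [  # constructed
    _ev("CreateUser", "alice", requestParameters={"userName": "svc-backup"}),
    _ev("ConsoleLogin", "bob", additionalEventData={"MFAUsed": "No"},
        responseElements={"ConsoleLogin": "Success"}),
    _ev("AuthorizeSecurityGroupIngress", "alice", requestParameters={
        "groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [{
            "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
            "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _ev("AuthorizeSecurityGroupIngress", "alice", requestParameters={
        "groupId": "sg-0e4f5a6b", "ipPermissions": {"items": [{
            "ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
            "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}),
    _ev("PutBucketAcl", "carol", requestParameters={"bucketName": "prod-logs"}),
    _ev("DescribeInstances", "bob", requestParameters={}),
    _ev("ConsoleLogin", "carol", additionalEventData={"MFAUsed": "Yes"},
        responseElements={"ConsoleLogin": "Success"}),
]

if __name__ == "__main__":
    for sev, msg in triage_lines(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

In production the same function sits behind an EventBridge rule or a log-processing Lambda and the findings go to a notification channel. One caveat on the MFA check: CloudTrail records MFAUsed as "No" for federated (SAML or IAM Identity Center) console logins even when the identity provider enforced MFA, so that rule should be scoped to IAM users and the root account, or enriched with the identity provider's own authentication logs.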