A Cloud computing service under attack

Date : November 05, 2009

Whether it is simply a fashion or a real revolution in the computing world, "cloud computing" raises numerous questions.

Last year, CERT-IST published a first article on this type of architecture and also dedicated one presentation to it during its Forum 2009 event.

On an almost daily basis, news articles and presentations discuss the advantages and disadvantages of the "Cloud", cover new solutions for implementing such an architecture, or mention examples of applications that leverage this type of service.

CERT-IST keeps you informed of such news via its media monitoring bulletins. This month, however, a specific Cloud-related event caught our attention from a security standpoint, and we decided to describe it in an article in our monthly bulletin.

A service hosted on an Amazon Cloud solution suffered several outages at the beginning of October, due to a denial of service attack.

The Provider

Amazon Web Services (AWS) provides various on-line services, including:

  • The "Amazon Elastic Compute Cloud" (EC2) service, which provides computing capacity for deploying virtual servers without having to deal with hardware and sizing.
  • The "Amazon Elastic Block Store" (EBS) service, which provides storage capacity for EC2 virtual servers.

The Customer

BitBucket is a web site that provides a software development platform, based on the distributed version management system Mercurial.

The site uses the Amazon EC2 and EBS services to store databases, logs and user data.

The Facts

Due to a malfunction of the Amazon services, the BitBucket site went down for more than 19 hours at the beginning of October, preventing numerous developers from accessing their virtual development platform.

According to Jesper Nøhr, BitBucket manager, this malfunction was triggered by a massive number of UDP packets, all deliberately crafted and sent to a targeted IP address. Amazon reportedly took 16 hours to identify and counter the attack.

A few hours later, a new flood, this time of TCP SYN requests, reportedly blocked BitBucket services again for two hours.

Jesper Nøhr also suspects that a third wave of attacks took place but failed to completely disrupt the service.

The pending questions

Amazon did not communicate about this incident and even asked its customers not to mention the root cause of the issue.

BitBucket’s manager regrets that Amazon routers relayed millions of malformed UDP packets without reacting and that it took Amazon 16 hours to identify the issue.

On the other hand, the attack gives the impression that the EBS service is accessible from the Internet, although it should only be accessible internally from the EC2 service. This is only a hypothesis, since the very principle of "Cloud computing" is precisely to hide the infrastructure architecture from the users.

Lessons

According to Craig Balding, cloudsecurity.org’s founder, the lesson to be learnt is that one should not depend on a single Cloud service provider.

Amazon's CloudWatch service can also be used to protect oneself against such attacks. This service (currently in beta testing) offers to automatically extend resources depending on the load, with automatic provisioning of the systems needed to support the extra load. Besides the fact that it is still in beta, the disadvantages of this solution are that it is not free and that it requires significant design work on the customer's side.
