杏吧原创

Botclouds: a cyberattacker’s dream

Computing via the cloud could bring all kinds of advantages, but it might also be a haven for cybercriminals
Cloudy, with a chance of fraud
Cloudy, with a chance of fraud
(Image: Gary S. Chapman/Getty)

Editorial: The cloud that hangs over cloud computing

OFFLOADING your software and data to a cloud computing service has never been easier.

Apple last week became the latest tech company 鈥 after Google and Amazon 鈥 to offer cheap online storage, with its new iCloud service allowing users to access music, documents and other files from any Apple device. But cloud services could also be used to launch attacks, send spam and commit fraud.

鈥淩ight now it鈥檚 just a few attacks, most aren鈥檛 well publicised and a lot can go undetected,鈥 says Kassidy Clark of the Delft University of Technology in the Netherlands. 鈥淎s long as cloud service providers are not taking proactive steps to prevent these things, I think this trend will increase.鈥

As well as basic online storage, firms such as Amazon, which provides the largest cloud service, also offer virtual computing. This allows people to rent as many 鈥渧irtual computers鈥 as they need.

Now Clark and colleagues have investigated how the cloud could be used to build a botnet, a network of infected computers under an attacker鈥檚 control. Traditional botnets are built over time by taking control of ordinary people鈥檚 computers without their knowledge, but a cloud botnet 鈥 or botcloud 鈥 can be put together in a couple of minutes just by purchasing space in the cloud with stolen credit card details. 鈥淚t makes deployment much faster,鈥 says Clark, who presented his findings at the CLOSER cloud computing conference in Noordwijkerhout, the Netherlands, last month. 鈥淵ou don鈥檛 have to wait months for millions of machines around the world to get infected.鈥

To find out just how easy it is to construct a botcloud, Clark and colleagues hired 20 virtual computers from a leading cloud service provider for around 鈧100 and used them to carry out attacks on their own web server. They first attempted a distributed denial of service (DDoS) attack, which floods a target with massive amounts of traffic. The botcloud pumped out 20,000 page requests per second and brought the server down in just 10 seconds.

Clark also built a larger botcloud and used it to simulate 鈥渃lick fraud鈥 鈥 clicking links in pay-per-click adverts in order to generate fraudulent revenue. Advertising companies normally stop this by tracking the internet protocol (IP) address of each individual computer and blocking one if it clicks a link too many times. The researchers circumvented this defence by setting up a botcloud of 1000 virtual computers, each with its own address. Neither botcloud attack was detected or shut down by the cloud provider.

So are botclouds being used? There were certainly rumours that the recent attack on Sony鈥檚 PlayStation Network was carried out via Amazon servers rented using stolen credit cards, but these have not been substantiated. 鈥淲e have seen spam coming from some of these environments, but not on a massive scale,鈥 says Paul Wood, a senior analyst at Symantec.cloud, which provides cloud-based security services. He says that it is even possible for a virtual computer in the cloud to become infected by an ordinary botnet, because cloud users don鈥檛 normally run anti-virus software.

Thomas Roth, a security researcher in Cologne, Germany, who recently showed how to use Amazon鈥檚 servers to crack Wi-Fi passwords, agrees the lack of anti-virus protection in the cloud is a problem. 鈥淚 think that Amazon should provide infrastructure for doing vulnerability assessments and virus scans,鈥 he says.

鈥淎mazon Web Services employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,鈥 Amazon told New 杏吧原创. 鈥淲e have automatic systems in place that detect and block many attacks before they leave our infrastructure.鈥

But Wood warns that attacks from the cloud could easily take off in countries with more lax web policing. 鈥淚t鈥檚 only a matter of time before a Russian or Chinese equivalent of Amazon offers similar services,鈥 agrees Clark. 鈥淵ou put malicious or illegal software there, it doesn鈥檛 matter, they will never take you offline.鈥