Lack of abuse detection allows cloud computing instances to be used like botnets, study says

Some cloud providers don't detect attacks launched from their networks, researchers say

Some cloud providers fail to detect and block malicious traffic originating from their networks, which provides cybercriminals with an opportunity to launch attacks in a botnet-like fashion, according to a report from Australian security consultancy firm Stratsec.

Researchers from Stratsec, a subsidiary of British defense and aerospace giant BAE Systems, reached this conclusion after performing a series of experiments on the infrastructure of five "common," but unnamed, cloud providers.

The experiments involved sending different types of malicious traffic from remotely controlled cloud instances (virtual machines) to a number of test servers running common services such as HTTP, FTP and SMTP.

In one test case, services running on a targeted server were accessible from the Internet, but the server was located in a typical network environment, behind a firewall and an IDS (intrusion detection system). The goal of this particular test was to see how the cloud provider would respond to the presence of outbound malicious traffic originating from its network.

In a different experiment, the targeted test server was set up inside a separate cloud instance from the same provider in order to test if the provider would detect malicious traffic sent over its own internal network.

A third experiment involved the targeted server running inside a cloud instance at a different cloud provider in order to test how that provider would deal with incoming malicious traffic.

The experiments involved sending malformed network packets and performing aggressive port scanning; sending malware to the victim host via a reverse shell; performing a denial of service attack against a Web server running on the targeted host, performing a brute-force FTP password cracking attack; launching SQL injection, cross-site scripting, path traversal and other attacks against popular Web applications running on the targeted host; and sending known exploit payloads to various services running on the host.

In one experiment, some types of malicious activity, like port scanning, were executed for 48 hours in order to see if a large traffic volume and longer attack duration would trigger a response from the cloud provider.

"The results of the experiment showed that no connections were reset or terminated when transmitting inbound and outbound malicious traffic, no alerts were raised to the owner of the accounts, and no restrictions were placed on the Cloud instances," Stratsec senior consultant Pedram Hayati said Monday in a blog post.

Based on these results, Hayati concluded that cybercriminals could easily create and use botnets that run on cloud instances.

Such botnets would be relatively easy to set up and administer if one learns the cloud provider's API (application programming interface), would take less time to build than traditional botnets because replicating cloud instances can be done very fast, would be more stable because cloud instances have a very good uptime, would be more effective because of the increased computing power and bandwidth available to the cloud instances and wouldn't cost much, Hayati said.

"Based on our experiment, with the budget of as low as $7 and minimum hardware specification, it is possible to set up a botCloud with tens to hundreds of Cloud instances," the Stratsec consultant said. "We define 'botCloud' as a group of Cloud instances that are commanded and controlled by a malicious entity to initiate cyber-security attacks."

However, there are also disadvantages to operating such a botnet. For example, this type of botnet is probably not very resilient to takedown efforts, because cloud providers will likely shut down the offending cloud instances down once they receive an abuse notification from security researchers or victims.

"Computing is becoming cheaper and cheaper and for something like $10 one can buy enough computing power to take down a small website for a few hours," Costin Raiu, director of the Global Research & Analysis Team at antivirus vendor Kaspersky Lab, said Tuesday via email. "However, it's also important to say that 'traditional' methods of infecting users with trojans are probably even cheaper and much more resilient to takedowns."

"It takes a lot of time to find a user which is infected by something like a bot from the Pandora DDoS family and convince him to clean his PC," Raiu said. "Such infections can last for weeks or for months - making them a lot cheaper than cloud computing solutions."

That said, cloud platforms can definitely be useful to launch vulnerability scans that can be followed or complemented by other attacks executed with the help of traditional botnets, Raiu said. "I believe that cloud providers should definitely look a bit more into improving the security of their configs."

"The experiment suggests that providers BAE looked at may not be prioritizing monitoring for malicious traffic and the sound implementation of security measures that you'd expect to be implemented on a corporate network," David Harley, a senior research fellow at antivirus vendor ESET, said Tuesday via email. "I can't comment on how typical these providers were. However, when and where cloud providers do implement such countermeasures, the overheads for developing a resilient malicious network are likely to increase sharply."

When making the switch to cloud computing, organizations should search for cloud providers that use high-end firewalls and intrusion detection systems and which undertake regular independent security tests of their environments, Hayati said. "Do not get tempted with ease of use and cheap cost."

In addition, companies should not treat traffic that is coming from public cloud providers as safe, he said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags firewallsonline safetystratsecBAE Systemscloud computingesetinternetmalwarekaspersky labDetection / preventionintrusionsecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?