A noted security analyst has proposed a new twist on the traditional denial of service model where attackers purposefully inflate the bills of cloud service users until they can no longer afford service. Christofer Hoff, the Chief Security Architect at Unisys, has recently been discussing the concept of an Economic Denial of Sustainability on his blog. Put simply, it is an attack against the billing model that underlies the cost of providing a service with the goal of bankrupting the service itself. Before we go into why EDoS is a threat, and one that is separate from DDoS, we have to understand how companies turn dollars into bytes, which they hopefully turn back into dollars.
The operations team at a company does two things. They buy hardware, and they pay people to keep the hardware and its software from falling over. The cost of the boxes and the pipe installation is known as Capital Expenditures, or CAPEX, while the cost of electricity, bandwidth, and the tireless individuals who maintain the systems at all hours of the day is Operational Expenditures, or OPEX. Traditionally all dotcoms had a chunk of CAPEX for systems and then a team of people (your OPEX) to maintain the systems. If you wanted to grow as a company, you had to buy more boxes and more people to maintain them.
This is why CIOs, including the competent ones, are all hot and bothered by Cloud Computing. They can delete the CAPEX sheet from their books and then only consider the OPEX side. All of their budgets are worked out based upon how many dollars they make off of each byte shoveled, and if they can guarantee that they pay less to shovel a byte than they charge for each byte shoveled, they have reached stage 3: profit. These equations even hold true if you get a flash of legitimate traffic that wants your service. Sure, your cloud bill goes up for the month, but you are making more money off of the traffic, so everyone is happy.
What happens when you introduce DDoS to the equation? In the traditional model where you buy your own boxes and you have your own maintenance staff, a DDoS attack saturates everything you have and starves your legitimate customers of data. Your bandwidth provider is also used to seeing DDoS attacks and has technical strategies, like Arbor Networks systems, in place to limit the damage. The result is you lose out on servicing your customers and face an increased bandwidth bill for the month.
The story is a little different in the Cloud world. Organizations will shift their budget from the CAPEX column over to the OPEX column, and find out that their initial cost is far lower. The variance from quarter to quarter will be higher, but hey, traffic varies from quarter to quarter. When a lightweight, under-the-radar DDoS hits the cloud service, the service elastically scales to meet the worthless demand. This time, in the absence of any self-throttling component (namely the fixed capacity of your own boxes), the result is a massive spike in billing without the commensurate increase in revenue derived from the traffic. Rather than losing money on unserviced customers, you end up overpaying to service the non-existent shadow customers of the DoS.
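To make the CAPEX-versus-OPEX argument above concrete, here is an added toy cost model (not from Hoff's post or this article) that runs the same day of traffic through a fixed-capacity deployment, an uncapped elastic one, and an elastic one with a per-hour spend cap standing in for the missing self-throttling component. The per-request revenue and cost figures and the traffic shape are constructed assumptions, not figures from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hour:
    legit: int  # legitimate requests this hour
    junk: int   # junk requests from the flood this hour


REVENUE_PER_REQ = 0.010  # assumed dollars earned per legitimate request served
COST_PER_REQ = 0.004     # assumed dollars paid to serve one request (bandwidth, compute)

# Constructed sample traffic: a normal day, and the same day with an
# eight-hour flood of junk that is 40x the legitimate load.
QUIET_DAY = [Hour(1000, 0)] * 24
FLOOD_DAY = [Hour(1000, 0)] * 8 + [Hour(1000, 40000)] * 8 + [Hour(1000, 0)] * 8


def fixed_capacity(day, capacity):
    """CAPEX model: capacity is a hard ceiling, excess demand is dropped,
    and the boxes cost the same whether they are busy or idle."""
    served_legit = 0.0
    for h in day:
        total = h.legit + h.junk
        share = min(1.0, capacity / total) if total else 0.0
        served_legit += h.legit * share      # junk crowds out real users
    cost = capacity * COST_PER_REQ * len(day)
    return {"revenue": served_legit * REVENUE_PER_REQ, "cost": cost}


def elastic(day, spend_cap=None):
    """OPEX model: every request is served and billed. spend_cap (dollars
    per hour) stands in for the self-throttling component the post says
    is missing; once reached, the service stops scaling for that hour."""
    revenue = cost = 0.0
    for h in day:
        total = h.legit + h.junk
        hour_cost = total * COST_PER_REQ
        share = 1.0
        if spend_cap is not None and hour_cost > spend_cap:
            share = spend_cap / hour_cost   # throttling hits legit and junk alike
            hour_cost = spend_cap
        revenue += h.legit * share * REVENUE_PER_REQ
        cost += hour_cost
    return {"revenue": revenue, "cost": cost}


def profit(result):
    return result["revenue"] - result["cost"]


if __name__ == "__main__":
    for label, day in (("quiet", QUIET_DAY), ("flood", FLOOD_DAY)):
        print(f"{label:5} fixed   {profit(fixed_capacity(day, 2000)):9.2f}")
        print(f"{label:5} elastic {profit(elastic(day)):9.2f}")
        print(f"{label:5} capped  {profit(elastic(day, spend_cap=10.0)):9.2f}")
```

On the flood day the fixed deployment loses a little money through dropped customers, the uncapped elastic deployment loses roughly eight times its quiet-day revenue to the bill, and the capped deployment stays slightly profitable, but only because the cap turns the EDoS back into an ordinary DoS for the duration of the flood.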
EDoS, like DDoS, is not an insurmountable problem. The billing models that underlie cloud services may not yet be mature enough to properly account for an EDoS-like attack. I am sure they will all be straightened out in time, but there will probably be a business or two that fails in the meantime because an unwarranted usage spike pushes them deeply into the red.