Will EDoS be the next DDoS?


Summary: A noted security analyst has proposed a new twist on the traditional denial of service model where attackers purposefully inflate the bills of cloud service users until they can no longer afford service. Christofer Hoff, the Chief Security Architect at Unisys, has recently been discussing the concept of an Economic Denial of Sustainability on his blog.


A noted security analyst has proposed a new twist on the traditional denial of service model where attackers purposefully inflate the bills of cloud service users until they can no longer afford service. Christofer Hoff, the Chief Security Architect at Unisys, has recently been discussing the concept of an Economic Denial of Sustainability on his blog. Put simply, it is an attack against the billing model that underlies the cost of providing a service with the goal of bankrupting the service itself. Before we go into why EDoS is a threat, and one that is separate from DDoS, we have to understand how companies turn dollars into bytes, which they hopefully turn back into dollars.

The operations team at a company does two things. They buy hardware, and they pay people to keep the hardware and its software from falling over. The cost of the boxes and the pipe installation is known as Capital Expenditures, or CAPEX, while the cost of electricity, bandwidth, and the tireless individuals who maintain the systems all hours of the day is the Operational Expenditures, or OPEX. Traditionally, all dotcoms had a chunk of CAPEX for systems and then a team of people (your OPEX) to maintain the systems. If you wanted to grow as a company, you had to buy more boxes and hire more people to maintain them.

This is why CIOs, including the competent ones, are all hot and bothered by Cloud Computing. They can delete the CAPEX sheet from their books and then only consider the OPEX side. All of their budgets are worked out based upon how many dollars they make off of each byte shoveled, and if they can guarantee that they pay less to shovel a byte than they charge for each byte shoveled, they have reached stage 3: profit. These equations even hold true if you have some flash of legitimate traffic that wants your service. Sure, your cloud system bill goes up for the month, but you are making more money off of the traffic, so everyone is happy.

What happens when you introduce DDoS to the equation? In the traditional model where you buy your own boxes and you have your own maintenance staff, a DDoS attack saturates everything you have and starves your legitimate customers of data. Your bandwidth provider is also used to seeing DDoS attacks and has technical strategies, like Arbor Networks systems, in place to limit the damage. The result is you lose out on servicing your customers and face an increased bandwidth bill for the month.

The story is a little different in the Cloud world. Organizations will shift their budget from the CAPEX column over to the OPEX column, and find out that their initial cost is far lower. The variance from quarter to quarter will be higher, but hey, traffic varies from quarter to quarter. When a lightweight, under-the-radar DDoS hits the cloud service, the service can elastically scale to meet the worthless demand. This time, in the absence of any self-throttling component, namely the finite capacity of your own servers, the result is a massive spike in billing without the commensurate increase in revenue derived from the traffic. Rather than losing money on unserviced customers, you end up overpaying for servicing the non-existent shadow customers of the DoS.
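The distinction drawn above between a legitimate flash of traffic and an EDoS, as an added Python sketch that is not from the article or from Hoff's posts: it flags hours where the bill grows but revenue does not, and shows a spend ceiling standing in for the missing self-throttle. The per-request price, the thresholds, the function names and the traffic figures are all constructed assumptions.

```python
from dataclasses import dataclass

PRICE_MICRO_USD = 400  # assumed pay-per-use price: $0.0004 per request

@dataclass
class Hour:
    requests: int   # every request the cloud served and billed
    revenue: float  # USD actually earned in that hour

def bill(h):
    """Elastic billing: every request is billed (result in micro-USD)."""
    return h.requests * PRICE_MICRO_USD

def classify(h, baseline, spike=2.0, tolerance=0.5):
    """Compare bill growth with revenue growth against a normal hour."""
    cost_growth = bill(h) / bill(baseline)
    revenue_growth = h.revenue / baseline.revenue
    if cost_growth < spike:
        return "normal"
    # Legitimate flash traffic pays for itself: revenue tracks the bill.
    if revenue_growth >= cost_growth * tolerance:
        return "flash_crowd"
    return "edos_suspect"

def guarded_spend(hours, budget_usd):
    """Spend ceiling: serve until the budget is gone, then shed load.
    Trades the runaway bill for lost availability. Returns (usd, shed)."""
    budget = int(budget_usd * 1_000_000)
    left, shed = budget, 0
    for h in hours:
        served = min(h.requests, left // PRICE_MICRO_USD)
        left -= served * PRICE_MICRO_USD
        shed += h.requests - served
    return (budget - left) / 1_000_000, shed

# Constructed sample hours, not measurements.
BASELINE = Hour(requests=40_000, revenue=120.0)
SAMPLE = {
    "ordinary": Hour(42_000, 125.0),
    "product launch": Hour(200_000, 560.0),
    "low-rate flood": Hour(200_000, 118.0),
}

def report():
    return {name: classify(h, BASELINE) for name, h in SAMPLE.items()}

if __name__ == "__main__":
    print(report())
    print(guarded_spend([SAMPLE["low-rate flood"]] * 24, budget_usd=500))
```

The launch hour and the flood hour produce the same bill; only the revenue column separates them, which is why the check needs business metrics and not just traffic counts.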

EDoS, like DDoS, is not an insurmountable problem. The billing models that underlie cloud services may not be mature enough to properly account for an EDoS-like attack. I am sure they will all be straightened out in time, but there will probably be a business or two that fails in the meantime because their unwarranted usage spike causes them to go deeply into the red.

  • All DDoS is 'EDoS' - this isn't a new concept.

    Most DDoS for the better part of the last decade has been directly economically motivated - i.e., DDoS protection rackets, in which the attackers DDoS a victim, then send a demand for payment to make the DDoS stop. Another variation is DDoS-for-hire, in which an online business hires botmasters to DDoS rivals and drive them out of business. While ideologically- or nihilism-based DDoSes do occur, they are the exception, rather than the rule - and they're still based upon the economic premise of costing the defender more than he can afford in order to maintain availability.

    Another commonplace form of attack is click-fraud, of which there are two variations - in the first, botmasters are paid to generate bogus clicks in order to generate payments from the ad network operator to the site admins, while in the second, a business pays a botmaster to perform bogus clicks on the ads of his business rivals, who're paying per-impression, in order to zero out his advertising budget.

    So, it's important to understand that, far from being a new concept, economic warfare is the fundamental principle of DDoS, and always has been. This isn't something theoretical, which might happen in the future - it's taking place now, and has been for the better part of the last decade. It's very important that organizations work on hardening their infrastructure and work with their SPs in order to be prepared to defend themselves from DDoS, either direct attacks or the collateral damage spilling over from an attack against another organization.
  • RE: Will EDoS be the next DDoS?

    Thanks for the ping, Adam.

    I updated the latest post you reference by including a brief
    example of how DDoS/EDoS concepts are both related and

    In summary, DoS/DDoS=Blunt Force Trauma, EDoS=Death
    By 1000 Cuts.


  • The same problem might occur with an undersea cable break. (nt)

  • Elephant? What Elephant?

    When tech journalists write a well researched and informative article on security matters such as this one and fail to mention the 'M' word, they help to perpetuate the very problem they are reporting on.

    What's behind a DDoS attack? Millions of zombie PCs. Gee, how did they get to be zombies? Dumb users? Some of them sure, but if a user is smart enough to keep their PC clean, then they are smart enough to use Linux. You can't have it both ways MS die-hards. Microsoft is selling products that have a significant and negative impact on the economy. They have used their money and influence to keep this quiet. Microsoft sells products that need extra products to stay reasonably safe. Microsoft has introduced and reinforced the concept that anti-virus software is necessary and NORMAL. It is not normal if the operating system is built correctly. Microsoft have taken their stand-alone OS and wrapped extra layers around it to make it more secure. They didn't build from scratch like they should have.

    Microsoft's poor security history is responsible for the current malware mess. Not tagging the real culprit just encourages him. Encouraging him makes you a co-conspirator.
    • So victims of EDoS should consider suing Microsoft?

      That seems like a stretch but Windows is full of holes, especially the most prevalent version XP...
      • There is no analogy that will do this justice.

        We are becoming more of a digital society, not less. Of all the operating systems available only one is a security nightmare. It has been proven time and time again that Microsoft's atrocious security record has nothing to do with its popularity or "Security Through Obscurity" myth. It is simply bad software. I guess when you agree to their EULA you could not take them to court even if they caused your city to burn down.
    • While everything you just said is true

      Please keep in mind that this is ZDNet, speaking the truth about MS isn't allowed here. Prepare to get trolled by the MS fanatics.

      P.S. prove me wrong please, MS fanbois. :p
  • RE: Will EDoS be the next DDoS?

    No, it is the same thing. As I see it, this is more like an accountant's problem (AKA financial fraud).
    I don't see a "new" concept here.
  • RE: Will EDoS be the next DDoS?

    But what does this have to do with the potential for an EDoS attack? If companies build clouds from Linux servers (which is likely) the weaknesses in MS desktop OS versions matter little. Companies will not deploy Linux desktops because Linux is simply not ready for the role--no matter how much more secure it may or may not be. The issue here is not desktop security but how to justify the traffic flowing towards the cloud servers to ensure it is legitimate business traffic for billing purposes.

    Granted MS has severe security issues in their OS, and contrary to current opinion I doubt Windows 7 will be any better. (Honestly, I find it laughable that people are downloading a beta that has been out for only a short time and are proclaiming it "more secure". My money says this new MS OS will be just as plagued with security issues as previous versions. We'll have to wait and see.)

    The point here is that the perceived cloud billing model may allow for the inflation of the service costs. This might happen not just from poor desktop security, but routing issues, misconfigured multicast traffic, broadcast storms, or any number of other potential causes of undesirable network traffic that may put an unintended traffic load on the cloud server. There has to be a better way to justify the amount of traffic being billed.

    -Mike D
  • DDOS = EDOS = Flood.

    DDOS = EDOS = Flood (or flood attack), just DDOS and EDOS are fancy names to define a specific way to attack a webpage (relabeled as services).

    Businessmen like to stamp a new concept, just labeling a named action and so giving a new name to it, then becoming a king of this kind of situation (a king that gives a name but no solution). For example, the "inventor" of the word "spam" hasn't a clue how to solve it, he just put a fancy name on "unsolicited email".

    Anyways, IMHO the problem with the "cloud" is the ISP provider, they are far from perfection and far from being cheap, a single 10mb connection can cost me over $40 x month, while a 1000mb LAN (100x faster) connection costs me less than $3 x month (electric bill).
  • RE: Will EDoS be the next DDoS?

    It's not EDOS it's cloudfraud.
  • Thanks, Adam,

    for a well thought out article, which gives a sensible
    warning for the right persons to think about -- and at
    a time when they can properly think about it.

    I think you have really helped here, and should see
    some results.

    Narr Vi
  • Fallacy of the Cloud

    "initial costs are lower"
    Yep, but if you plan on having a presence longer than 18 months, you're going to end up paying for the capital expenditures of the hosting company
    • Actually you only pay for your share of their capital expenditures

      If they are allocating resources efficiently and sharing hardware, your share of it all may amount to fractions of a piece of hardware. Given that you cannot purchase 7.3 network routers, that may still save you money.

      Also the effect of sharing extends to maintaining that hardware as well. You cannot hire 0.00023 employees but that may be all that's needed to maintain your share of the hardware resources.

      Furthermore economies of scale still operate here, a cloud may benefit from bulk purchase discounts.
  • RE: Will EDoS be the next DDoS?

    That's already been done. Distributed denial of service attacks have been done against some website to 'bulk up' the amount of data that it appears that they are using, to the point where the person in question is THOUSANDS of dollars in the hole because of the amount of data that they are supposedly using.

    Thankfully, after complaints, most companies changed their policies to make it so that if there is a DDoS attack that is provable, they will waive the costs or they already have policies where you are only charged the amount you budgeted for that month, no matter how much bandwidth you used, but the NEXT month you have to upgrade or when they see a pattern of overages.
  • RE: Will EDoS be the next DDoS?

    The issue is not the cloud servers, but the masses of end-user computers subverted for the attack. It is difficult, if not impossible, to stop a zombie attack. How could you filter out legitimate page loads and clicks from the zombie ones?

    The best analogy I can come up with is that end-user computers are like cars on the road and the reason that you have to have safety and emissions testing in most US states. Some pollute little to none and some pollute a lot. Sometimes even the most conscientious driver with best maintenance will have the car that is polluting. Not because he hasn't tried to prevent it, but simply he doesn't know that he's polluting. Then, of course, you have the people who don't know any better, and they are likely to have polluting cars because they don't have clue one how to prevent it. At least with the car there is a licensing procedure where there is the occasional check to make sure that your car is in compliance with emissions controls and the pollution from your car is within reasonable tolerance. Unfortunately, some vehicles can't be made to come into compliance and will not be legally allowed on the road.

    I am NOT recommending that the government start controlling end computing. However, just as with the car industry, the US government has been somewhat effective in attacking the problem by putting the manufacturer on the hook to make less polluting vehicles. Maybe Microsoft should be put on the hook. They are producing the Hummer H1 equivalent of an operating system.

    Windows is the H1 - It's fancy and popular but hell on the environment

    Apple is the Prius - It's trendy, flashy, and pretty easy on the environment but just isn't built for 4 wheeling

    Linux is the EV - The perfectly clean solution built for speed and serious off-road adventures, unfortunately it only has a range of 3km
    • Agreed

      Except for the 3KM part, which is bollox. You're missing a dozen or so zeros.