Cloud Ripe for Botnet Attacks

Monday, November 5, 2012 @ 02:11 PM gHale

Cloud computing is the next wave for parts of the manufacturing automation sector, but security will remain an issue: some cloud providers fail to detect and block malicious traffic originating from their own networks.

That failure could provide an opportunity for attackers to launch botnet-style attacks from rented cloud instances, according to a new report.


That was the conclusion of a study that conducted a series of experiments on the infrastructure of five “common,” but unnamed, cloud providers, said researchers from Australian security consultancy firm Stratsec, a subsidiary of British defense and aerospace giant BAE Systems.

The experiments involved sending different types of malicious traffic from remotely controlled cloud instances (virtual machines) to test servers running common services such as HTTP, FTP and SMTP.

In one test case, services running on a targeted server were accessible from the Internet, but the server was in a typical network environment, behind a firewall and an IDS (intrusion detection system). The goal of this test was to see how the cloud provider would respond to the presence of outbound malicious traffic originating from its network.

In a different experiment, the targeted test server was set up inside a separate cloud instance from the same provider in order to test if the provider would detect malicious traffic sent over its own internal network.

A third experiment involved the targeted server running inside a cloud instance at a different cloud provider in order to test how that provider would deal with incoming malicious traffic.

The experiments involved sending malformed network packets and performing aggressive port scanning; sending malware to the victim host via a reverse shell; performing a denial-of-service attack against a Web server running on the targeted host; performing a brute-force FTP password-cracking attack; launching SQL injection, cross-site scripting, path traversal and other attacks against popular Web applications running on the targeted host; and sending known exploit payloads to various services running on the host.

In one experiment, some types of malicious activity, such as port scanning, ran continuously for 48 hours to see whether a large traffic volume and a longer attack duration would trigger a response from the cloud provider.

“The results of the experiment showed that no connections were reset or terminated when transmitting inbound and outbound malicious traffic, no alerts were raised to the owner of the accounts, and no restrictions were placed on the Cloud instances,” Stratsec senior consultant Pedram Hayati said.
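The experiments above test whether a provider notices hostile traffic leaving its own instances. As an added example (not code from the Stratsec study, the report, or any provider), here is a minimal detector of the kind a provider could run over its egress or internal-network flow logs to catch two of the behaviours the study sent: aggressive port scanning and FTP brute forcing. The flow-record format, the thresholds, the window sizes and the sample addresses are all assumptions made for illustration:

```python
"""Added example: a sliding-window egress-flow detector for port scans and
brute-force logins. Record format, thresholds and sample flows are assumed,
not taken from the Stratsec report or any cloud provider's tooling."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed detection thresholds (tune to the provider's own traffic baseline).
SCAN_PORT_THRESHOLD = 15              # distinct ports on one target ...
SCAN_WINDOW = timedelta(seconds=60)   # ... within this window => port scan
BRUTE_CONN_THRESHOLD = 20             # connections to one login service ...
BRUTE_WINDOW = timedelta(seconds=120) # ... within this window => brute force
LOGIN_PORTS = {21, 22, 3389}          # FTP, SSH, RDP


@dataclass
class Alert:
    kind: str
    src: str
    dst: str
    first_seen: datetime
    detail: str


def parse_flow(line):
    """Parse an assumed flow record: '<ISO timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def detect(flow_lines):
    """Return one Alert per (behaviour, src, dst) seen in the flow lines."""
    flows = sorted((parse_flow(l) for l in flow_lines if l.strip()), key=lambda f: f[0])
    alerts, alerted = [], set()
    scan_state = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    brute_state = defaultdict(deque)  # (src, dst, dport) -> deque of ts

    for ts, src, dst, dport, _proto in flows:
        # Port-scan check: many distinct destination ports on one host in SCAN_WINDOW.
        win = scan_state[(src, dst)]
        win.append((ts, dport))
        while win and ts - win[0][0] > SCAN_WINDOW:
            win.popleft()
        distinct = {p for _, p in win}
        if len(distinct) >= SCAN_PORT_THRESHOLD and ("scan", src, dst) not in alerted:
            alerted.add(("scan", src, dst))
            alerts.append(Alert("port_scan", src, dst, ts,
                                f"{len(distinct)} distinct ports in {SCAN_WINDOW.seconds}s"))

        # Brute-force check: repeated connections to one login service in BRUTE_WINDOW.
        if dport in LOGIN_PORTS:
            bwin = brute_state[(src, dst, dport)]
            bwin.append(ts)
            while bwin and ts - bwin[0] > BRUTE_WINDOW:
                bwin.popleft()
            if len(bwin) >= BRUTE_CONN_THRESHOLD and ("brute", src, dst, dport) not in alerted:
                alerted.add(("brute", src, dst, dport))
                alerts.append(Alert("brute_force", src, dst, ts,
                                    f"{len(bwin)} connections to port {dport} in {BRUTE_WINDOW.seconds}s"))
    return alerts


def build_sample_flows():
    """Constructed sample data: three instances, two of them misbehaving."""
    base = datetime(2012, 11, 5, 14, 0, 0)
    lines = []
    # Instance A sweeps ports 20-39 on one target, one port every 2 seconds.
    for i, port in enumerate(range(20, 40)):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.1.5 203.0.113.10 {port} tcp")
    # Instance B opens 25 FTP connections to one target in 50 seconds.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.1.6 203.0.113.20 21 tcp")
    # Instance C does ordinary web traffic and should raise nothing.
    for i in range(10):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 10.0.1.7 198.51.100.5 {443 if i % 2 else 80} tcp")
    return lines


if __name__ == "__main__":
    for a in detect(build_sample_flows()):
        print(f"{a.first_seen.isoformat()} {a.kind:11s} {a.src} -> {a.dst}: {a.detail}")
```

Per-instance state keyed by source address is what makes this usable on a provider's side: an alert maps directly to a tenant account, which is exactly the notification the study found never arrived. The 48-hour scan in the study would trip the first check within its first minute.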

Based on these results, Hayati said cybercriminals could create and use botnets that run on cloud instances.

Such botnets would be relatively easy to set up and administer once one learns the cloud provider’s API (application programming interface); would take less time to build than traditional botnets because cloud instances can be replicated very quickly; would be more stable because cloud instances have very good uptime; would be more effective because of the computing power and bandwidth available to the instances; and would not cost much, Hayati said.

“Based on our experiment, with the budget of as low as $7 and minimum hardware specification, it is possible to set up a botCloud with tens to hundreds of Cloud instances,” the Stratsec consultant said. “We define ‘botCloud’ as a group of Cloud instances that are commanded and controlled by a malicious entity to initiate cyber-security attacks.”

However, there are also disadvantages to operating such a botnet. For example, it is probably not very resilient to takedown efforts, because cloud providers will likely shut down the offending instances once they receive an abuse notification from security researchers or victims, and the attacker's account and payment details give the provider a direct handle on the operator.
