October 30, 2018
Thanks to the fast growth of cloud computing, enterprises and even governmental departments can provide their services to users far more cost-effectively than ever before.
An increasing number of enterprises and governmental departments over the world find cloud services preferable to on-premise infrastructures, which are costlier than cloud services in terms of maintenance, hardware and space. In addition, coupled with its user-friendliness and plug-and-play features, cloud services have gained widespread adoption in a wide range of industries.
However, with its widespread use, cloud users inevitably fall prey to perpetrators. The question then arises as to what cloud users should do when they have no security enhancements and what they are able to do when encountering cyberattacks. A real case below shows what happened with one of our customers that owned a memcached server in a security zone when they encountered memcached attacks.
We stress that one of the severe impacts of memcached attacks on cloud users is the astronomical service bill. In the course of volumetric attacks, an enormous number of packets will probably alert the intermediary, whereas in the course of such attacks, a small request for which the attack instigates a large reply is often unlikely to do so. That’s why the cloud hosting provider may consider it as normal traffic not to be filtered out. So, serving as an intermediary, cloud users direct the colossal size of outgoing traffic to victims’ servers.
Figure 1. Incoming Traffic to the User
A customer sought our help for being leveraged as an intermediary. In their case, the kilobyte-sized incoming traffic resulted in the megabyte-sized outgoing traffic targeting victims’ servers, causing an increase in the size of outgoing traffic by several thousands times. According to US-Cert, larger responses can be elicited by small incoming requests with an amplification factor ranging between 10,000 and 51,000.
Figure 2. Outgoing Traffic from the User
The astronomical service bill was eventually generated by counting such outgoing traffic on the basis of the present-day pricing scheme of common cloud hosting providers. They have to charge cloud users an additional fee subject to the actual use of increased bandwidth capacity for the enormous size of the outgoing traffic, generating an extremely massive bill.
Figure 3. Invoice for our User
A cloud provider sent our user an invoice, charging them US$5,813.53 due to outgoing traffic within 8 hours for the memcached server. But given such a big bill, a subsequent question may be raised as to whether or not, for a particular volume of outgoing traffic, it is feasible for specific alert conditions and rate limiting to be predefined and enabled.
Technically speaking, having the above-mentioned practices is not that easy and detection is also difficult, whereas on paper it is the other way around. When it comes down to it, once the settings kick in and the alert message is sent out to the customer, the attacks are already taking place. In addition, the big bill reflects the fact that they for sure do not have enough security awareness, since they allowed public access to the server.
Conclusion
Cloud services have grown to be pretty indispensable, as many industries welcome it to replace their on-premise infrastructures to some extent. In view of this, cloud hosting providers have to seek a solution for DDoS protection and provide DDoS mitigation for their cloud services, since DDoS attacks have gone viral in our modern cyberworld.
Among all DDoS attacks, amplification attacks, as mentioned above, are the ones bringing about the most considerable impact on cloud users. It is highly suggested that cloud users solicit aid from professionals for DDoS protection and mitigation. In this case, a quick patch to close the loophole could have prevented the memcached attacks that leverage on our customer’s cloud resources that resulted in an extremely large bill.