BotCloud attacks - are cloud providers prepared?

Opinion Davey Winder Nov 2, 2012

BotCloud hosting is not something that's been spoken about much but it's something that could spell trouble for cloud providers

When talking about cloud security, most people quite rightly think in terms of securing the data that they themselves are storing or accessing through the cloud.

Quite often this is limited pretty much to the areas of authentication, encryption and regulatory compliance. Those with a little more understanding of the field may broaden the definition to include predictable availability and data recovery, application security and privacy issues surrounding e-discovery and physical access to datasets with an emphasis on logging and audit trails.

The reason I have gone over old ground and stated the obvious is simple: there's one area of cloud security that is all too often overlooked, with potentially dire consequences: botCloud hosting.

Bot what now?
A botCloud is defined by Stratsec as being 'a group of cloud instances that are commanded and controlled by malicious entity to initiate cyber-attacks'. See, I told you that it was unlikely you would think of cloud security in terms of how cybercriminals might use cloud service providers to host attacks.

If a study conducted by Stratsec, a BAE security subsidiary, is anything to go by, all that could change soon enough. The company was able to establish a whole series of botnets, which it refers to as botClouds because they were set up within cloud services.

In fact, Stratsec opted to test five different cloud providers to see if they were being proactive enough to secure their services against such malicious usage, and in all five instances it was able to establish a botCloud. What's more, in all five cases Stratsec says that there were no restrictions placed upon the accounts they used and no alerts raised about the malicious traffic originated by these botCloud accounts.

Obviously, in order not to break the law, such malicious traffic was directed against consenting machines and networks owned by Stratsec for the purposes of this testing. But the cloud providers were not to know that; it could have been fired at anyone, including you.

To make the tests work, they had to be representative of the average cloud customer across several scenarios. There was a typical corporate network environment complete with firewall and IDS in place, a victim on the same cloud as the hosted attack and another on a different cloud service.

One of the attacks, in order to give the cloud providers every chance to detect what was happening and hit the kill switch, was against a private network and lasted an entire 48 hours.

Let's stress that again. That's 48 hours of malformed traffic (a series of non-RFC compliant packets, as well as aggressive port scanning), malware propagation (a set of publicly known and commonly detected malware sent to the victim host via a reverse shell), Denial of Service (a flood of traffic to a web server on the victim host), brute-forcing (attempting to brute-force the password for the credentials on the FTP service), web application attacks (launching commonly known web application attacks against the victim host including SQL injection, cross-site scripting, path traversal) and even shellcode attacks on services (launching a set of known shellcodes against various services running on the victim host). That's a lot of different attacks.
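As an illustration of the provider-side egress monitoring whose absence the study highlights, here is an added example (not from the article or from Stratsec's research) that flags two of the behaviours listed above, aggressive port scanning and FTP brute-forcing, in outbound flow records. The record layout, instance names, thresholds and sample data are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample: (timestamp_s, source_instance, dest_ip, dest_port).
# Instance names and addresses (RFC 5737 ranges) are made up for illustration.
def sample_flows():
    flows = []
    # i-scan probes 40 distinct ports on one host within 40 seconds
    flows += [(t, "i-scan", "203.0.113.10", 1000 + t) for t in range(40)]
    # i-brute opens 30 FTP control connections to one host within 60 seconds
    flows += [(2 * t, "i-brute", "203.0.113.20", 21) for t in range(30)]
    # i-web is an ordinary tenant: a few HTTPS connections to different hosts
    flows += [(10 * t, "i-web", f"198.51.100.{t + 1}", 443) for t in range(5)]
    return flows

def detect_egress_abuse(flows, window=60, scan_ports=20, ftp_attempts=15):
    """Return sorted (instance, dest, reason) alerts for outbound flows.

    Thresholds are illustrative assumptions, not values from the study.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst)].append((ts, dport))
    alerts = set()
    for (src, dst), events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            # Many distinct ports on one destination: scanning behaviour.
            if len({p for _, p in in_window}) >= scan_ports:
                alerts.add((src, dst, "port-scan"))
            # Many FTP control connections to one destination: password guessing.
            if sum(1 for _, p in in_window if p == 21) >= ftp_attempts:
                alerts.add((src, dst, "ftp-brute-force"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_egress_abuse(sample_flows()):
        print(alert)
```

Keying on the tenant instance rather than the destination is what lets a provider throttle or suspend the offending account, which is the response the study found missing.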


The point of this study was twofold: to see if it was possible to launch security attacks including DoS and malware propagation from a cloud provider, and to see if the abuse detection features in place at the cloud providers were adequate enough to spot such activity and stop it. Or, as the Stratsec IT Security Winter School 2012 research study puts it "to investigate the security posture of cloud providers in protecting against malicious usage". The posture was about as good as your average obese chav as it turns out, with the answers to the questions being a bloody big YES and NO respectively.

It will be interesting to see how the cloud providers respond to this study, and to the threat in general. Especially as the benefits to the bad guys are pretty worthwhile in that botClouds appear currently to be pretty easy to establish when compared to a traditional botnet, and very easy to use for good measure.

As well as being easy to get going, they are also quick. Stratsec was able to have a botCloud instance up and running in a matter of minutes. Combine the speed and ease of assembly with the reliability and scalability of the botCloud platform and it's something of a win-win for the bad guys, it would seem.

Davey Winder


Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.