Cloud customers risk collateral DDoS

Organisations considering a move to the cloud should consider the "neighbourhood” and a provider’s ability to shield them from collateral risks, security experts have warned.

According to Arbor Networks chief scientist Craig Labovitz, collateral damage was a “tremendous issue” for carriers, cloud providers and their customers.

“We see many cases where an attack against a small co-located or hosted website will impact dozens or more of other unsuspecting sites that reside off the same switch or cluster,” Labovitz said.

“At a larger scale, carriers can lose entire cross-country links impacting thousands or millions of customers due to collateral damage from DDoS [distributed denial of service].”

Last December, domain name provider EveryDNS terminated its agreement with Wikileaks as it came under a sustained DDoS attack after leaking US embassy documents to the media.

The provider said the attacks on Wikileaks would “threaten the stability” of EveryDNS infrastructure and almost 500,000 customer sites.

In September, a DDoS attack by 'Anonymous' hackers on anti-piracy lobby group AFACT caused performance degradation for many other Australian websites.

The attack directed 60,000 active HTTP connections and 100 Mbps of additional bandwidth on webhost Netregistry's 'Zeus' cluster of servers that hosted the AFACT website.

Thousands of other websites on the cluster were affected, plus some webmail services and website administration consoles.

In separate discussions with iTnews.com.au, spokesmen for Microsoft Azure, Amazon Web Services and Salesforce.com downplayed the possibility of collateral damage on their clouds.

Amazon

Amazon spokesman Regina Tan said the company employed the same security isolations as those found in a traditional data centre, including physical security, network separation, server hardware and storage isolation (pdf).

Amazon provided each customer with individual firewalls to prevent intrusion from other instances, as well as packet-level isolation of network traffic and industry-standard encryption.

An additional virtual private cloud offering provided further protection by blocking unauthorised IP addresses. Further, Amazon’s scale allowed it to invest more heavily in policing and countermeasures than individual companies could afford, Tan said.

“There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation companies have become accustomed to in their existing, privately-owned environments,” she said.

“We often find that we can improve companies’ security posture when they use Amazon Web Services.”

Microsoft

Microsoft’s chief security adviser Stuart Strathdee also highlighted economies of scale as an argument for how the cloud might improve, rather than harm, availability.

While “you can never say never” when considering security risks, Strathdee argued that Azure’s ability to monitor and address attacks was “unparalleled”.

“In an Azure environment, it really comes down to what Microsoft has, compared to what an organisation can do on their own,” he told iTnews.

“We’ve got extremely high levels of monitoring ... If they [attackers] were able to take a workload offline – and that’s a huge if – the alerts go out immediately.”

Explaining that the Azure environment was far from static, Strathdee said Microsoft frequently moved workloads between resource pools, data centres, and countries, to allow for maintenance, balance resources and defend against attacks.

Can public clouds be completely safe? Read on to page two for Salesforce.com's experience and why providers won't reveal who lives in your neighbourhood.

Salesforce.com experience

Salesforce.com also boasted international data centres and exeception-handling mechanisms that customers could use to isolate or abort suspicious behaviour.

The company's platform research director Peter Coffee said that although customers shared physical infrastructure and a foundation code base, data and customisations were rigorously partitioned at a metadata level.

“Not only are Salesforce.com customers isolated from each other, but even within a customer’s operations there’s unsurpassed precision of managing privileges and auditing actions,” he said.

“It would take a Hollywood screenplay writer to come up with a movie plot that takes down Salesforce.com, and even then, our customers would knowingly tell each other, ‘that would never happen’.”

But there was no getting away from the fact that cloud customers shared infrastructure including compute blades, routers, switches and storage.

According to Jason Needham, a senior product management director of security vendor F5, the effect one cloud customer might have on another depended on where the services met.

Cloud customers shared data centres, network connections and even computing systems, so operating in the cloud could put users “kind of at the mercy of what everyone else is doing”, Needham said.

Know your neighbours

Despite a growing cloud market, he expected organisations – especially those in the finance industry and the public sector – to prefer a ‘hybrid’ cloud model that kept critical data in-house while using cheaper, more flexible public cloud services for limited applications.

Arbor’s Labovitz said potential cloud customers needed to ask hard questions of their providers, and consider service level agreements and DDoS protection when selecting a provider.

“As a customer, you generally don't know how your services maps to physical resources and what you may or may not be sharing with other customers,” he said.

“And you may be sharing resources in a ‘bad neighbourhood’ with customers likely to incur DDoS attacks like gambling, adult content, etc.”

Neither Microsoft’s Strathdee nor Salesforce.com’s Coffee would disclose terms of their respective service-level agreements, citing client confidentiality.

Strathdee said customers had “no need to know” which other organisations shared their resource pool, since Microsoft assumed responsibility for maintaining the agreed availability.

Last year, Coffee said that risk management was an opportunity for insurance providers, criticising service-level agreements for being “written by lawyers to be consumed by accountants”.

“We have enormous incentive to stay up," he said at the time, referring to the publicity that any downtime would attract. "Our life is on the line."