Cloud security

Cloud originated DDoS attacks

October 31, 2016 by Frank Siemons

The business model of a Cloud Service Provider certainly includes the capacity to supply very high-bandwidth Internet connectivity to and from its customers’ virtual instances. This bandwidth is then limited or simply charged by usage, depending on the purchased service level. Solely from a technical perspective, however, upscaling to very high levels of bandwidth should not be an issue, because of the shared, high capacity infrastructure the CSP utilizes. Bandwidth can be changed by “the flick of a switch,” quite often by the customer itself.

Taking into account the rise in occurrences and growth of Distributed Denial of Service attacks, CSP’s would be of serious interest of these attackers in the ongoing war for bandwidth. Access to this treasure trove directly via the CSP or indirectly via one or more of its customers could easily take malicious DDoS operations to the next level. Is this a real threat and how could an enterprise which uses cloud services, help protect against such a threat?

Recent developments

In 2012 a group of cyber-criminals exploited the CVE-2014-3120 Elasticsearch 1.1.x vulnerability, followed by the use of Linux DDoS Trojan Mayday and with that, they compromised several Amazon EC2 Virtual Machines. Although this vulnerability was not unique to cloud-based systems and could have been used against any server, including non-cloud based systems, it did open up some interesting opportunities to the attackers. They were able to launch a UDP based DDoS attack from the compromised cloud instances. They utilized the outbound bandwidth of the Cloud Service Provider, Amazon in this case. This is a far from desirable situation for Cloud Service Providers. If their public IP address range becomes linked to a DDoS attack, they could find it registered on blacklists or on individual organizations’ firewall blacklists. Their customers will then in turn experience connectivity issues and possibly service downtime. Even though the likelihood of such a major provider-wide breach is low, the impact to the CSP and its customers could be quite dramatic. It is expected that providers have all possible security control in place, but nothing is truly bulletproof.

The risks

What exactly this means for the future of DDoS remains unclear for now, but keep in mind that both Cloud Services and DDoS as a serious attack method, have not been around for that long. In theory, a large scale DDoS attack originating from a cloud platform is only a matter of time. Cloud Service Providers have platform-wide DDoS protection systems in place for incoming traffic. They also monitor outgoing traffic for DDoS traffic and could even shut down hosts on their systems that are participating in an attack. This leaves the CSP relatively safe, for now. However, the shutdown of VM’s would not be a desirable outcome for the VM owner, as it would of course cause an outage to their hosted system. That means it remains in the best interest of the customer to secure and monitor their own cloud-based hosts, whether that is handled internally or via a 3rd party security provider. Outside the cloud-space, there are additional risks involved as well, such as having the DDoS participating public IP added to one or more blacklists. This would result in, for instance, the loss of e-mail services or even web services because they are being blocked by external anti-malware products.

Detection and Prevention

There are many security best-practices that are specifically aimed at reducing the risk and impact of the, often undetected, participation to a DDoS attack.

As mentioned, providers do monitor their managed networks and will shut down offending VM’s if needed. Any cloud customer should have a well-configured, hardened egress firewall on their perimeter, which will prevent the need for such a shutdown by the Cloud Service Provider in the first place. The egress filter would for instance block outgoing NTP traffic or would block any requests to an external web server once a threshold of connections per second has been reached. This firewall should be monitored as well. It is one thing to block the traffic, but another to find the actual cause of it within the internal network.

The cause of DDoS traffic leaving the network is usually associated with malware, installed on one or more systems, which link that infected system to a much larger, global botnet. Not only does this result in the DDoS related issues mentioned before, it usually gives the botnet owner full control of the infected systems, leading to risks of data theft, outages and possibly even data ransom situations. Quality host-based malware detection and prevention tools are a must-have for any system.

Dedicated DDoS mitigation products or 3rd party DDoS protection providers could also be utilized. The customer would direct all incoming and outgoing traffic through such a solution which will filter out the offending DDoS related traffic from the stream. When using a 3rd party provider, the outgoing bandwidth of the CSP would still be consumed if the customer is (unknowingly) participating in a DDoS attack. In the case of the use of a dedicated cloud-based product the incoming bandwidth of the CSP would still be consumed if the customer is a target of a DDoS attack. This means it is important to weigh up what solution works best for the environment.

A well-placed Intrusion Detection or Prevention system could catch suspicious or malicious traffic as well. This might not only detect the DDoS traffic, but it could also detect and prevent the malware and botnet Command and Control traffic in the first place, which of course is a much better situation.

Finally, the Cloud Service Provider service models and contracts need to be reviewed to see if they match the customer expectations. A potential risk is that the enormous amount of outgoing traffic is billed to the customer as per normal. Some CSP’s, however, do not bill for outgoing traffic and some waive the bill in the case of a proven DDoS scenario.


Whatever configuration an organization uses, whether it is a full cloud solution, a hybrid model or an on-premises data centre, participation in a DDoS attack is a bad situation in any case. The risks seem higher if the actual systems are hosted in a public cloud environment. Not necessarily only because of the DDoS attack itself. In theory, customer systems can be switched off by a 3rd party (the CSP), and the high volume of outgoing traffic could result in a considerable bill. If the right security measures are taken, however, most of these risks can be fairly easily controlled. This means more focus can be placed on incoming DDoS protection which is quite a different issue.

What the future brings for CSP’s themselves being used for a large scale DDoS attack, we don’t know yet. In the IT space, nothing is completely safe.

Posted: October 31, 2016
Frank Siemons
View Profile

Frank Siemons is an Australian security researcher at InfoSec Institute. His trackrecord consists of many years of Systems and Security administration, both in Europe and in Australia. Currently he holds many certifications such as CISSP and has a Master degree in InfoSys Security at Charles Sturt University. He has a true passion for anything related to pentesting and vulnerability assessment and can be found on His Twitter handle is @franksiemons