Thunder in the cloud: $6 cloud-based denial-of-service attack

When you hear the rumble of thunder, then you know the storm is near. Two security researchers warned that cloud-based denial-of-service attacks are looming on the horizon. With $6 and a homemade “Thunder Clap” program, security experts David Bryan and Michael Anderson managed to take down their client’s server with the help of Amazon’s EC2 cloud infrastructure.

The cloud-based denial-of-service attack was part of a DefCon presentation called, Cloud Computing, a Weapon of Mass Destruction? In the description for their DefCon talk, they wrote, “We have been using the cloud computing environment to test real world scenarios for different types of attacks, such as Distributed Denial of Service, Flooding, and Packet Fragmentation.”

According to a report from DarkReading, the security consultants told DefCon attendees, “With the help of the cloud, taking down small and midsize companies’ networks is easy.” Bryan said, “It’s essentially a town without a sheriff.”

After Bryan and Anderson entered a name and credit card number, the experts created a handful of virtual server instances on Amazon’s EC2. They started with only three virtual servers, uploaded their prototype attack tool, called Thunder Clap, scaled up to 10 servers, and then took their client’s company off the Internet.

Security consultants David Bryan of Trustwave and Michael Anderson of NetSPI said that they encountered nothing to stop them, like no special bandwidth agreements and no detection mechanisms for servers taking malicious actions. Their Thunder Clap program uses cloud-based services to send a flood of packets toward the target company’s network. The researchers reported that they can control the software directly or through a command left on a social network.

Bryan and Anderson launched the attack to test their client’s network, a small business that wanted its connectivity tested. According to DarkReading, Bryan said, “A threat agent could potentially run extortion schemes against a company by attacking for a couple of hours — and then telling the company that, if you don’t pay me, then I will attack you again.” Amazon reportedly failed to reply to complaints by the security consultants.

In an email reply available on the DarkReading, Amazon spokeswoman Kay Kinton wrote, “We do have a process for both detecting and responding to reports of abuse. [...] When we find misuse, we take action quickly and shut it down.”

Bryan and Anderson explained that so far cybercriminals have mainly used botnets for their denial-of-service attacks. Botnets can be rented, giving “would-be attackers a criminal ‘cloud’ from which to buy services.” The security consultants said that easy-to-configure cloud services like Amazon, Google, Microsoft and Rackspace need to respond faster to complaints.

According to DarkReading, Anderson said, “If we complain loudly enough, maybe they will become more responsive.”

Full Credit To: Darlen Storm with ComputerWorld