Apple last week became the latest tech company – after Google and Amazon – to offer cheap online storage, with its new iCloud service allowing users to access music, documents and other files from any Apple device. But cloud services could also be used to launch attacks, send spam and commit fraud.
“Right now it’s just a few attacks, most aren’t well publicised and a lot can go undetected,” says Kassidy Clark of the Delft University of Technology in the Netherlands. “As long as cloud service providers are not taking proactive steps to prevent these things, I think this trend will increase.”
As well as basic online storage, firms such as Amazon, which provides the largest cloud service, also offer virtual computing. This allows people to rent as many “virtual computers” as they need.
Now Clark and colleagues have investigated how the cloud could be used to build a botnet, a network of infected computers under an attacker’s control. Traditional botnets are built over time by taking control of ordinary people’s computers without their knowledge, but a cloud botnet – or botcloud – can be put together in a couple of minutes just by purchasing space in the cloud with stolen credit card details. “It makes deployment much faster,” says Clark, who presented his findings at the CLOSER cloud computing conference in Noordwijkerhout, the Netherlands, last month. “You don’t have to wait months for millions of machines around the world to get infected.”
To find out just how easy it is to construct a botcloud, Clark and colleagues hired 20 virtual computers from a leading cloud service provider for around €100 and used them to carry out attacks on their own web server. They first attempted a distributed denial of service (DDoS) attack, which floods a target with massive amounts of traffic. The botcloud pumped out 20,000 page requests per second and brought the server down in just 10 seconds.
Clark also built a larger botcloud and used it to simulate “click fraud” – clicking links in pay-per-click adverts in order to generate fraudulent revenue. Advertising companies normally stop this by tracking the internet protocol (IP) address of each individual computer and blocking one if it clicks a link too many times. The researchers circumvented this defence by setting up a botcloud of 1000 virtual computers, each with its own address. Neither botcloud attack was detected or shut down by the cloud provider.
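As an added illustration (not from the article or the researchers' work), the sketch below runs the per-address click limit described above over a constructed click log, then adds a per-network count that does notice the botcloud. The thresholds, the /16 grouping, the function names and all addresses are assumptions chosen for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

PER_IP_LIMIT = 5       # assumed: clicks allowed per address per window
PER_PREFIX_LIMIT = 50  # assumed: clicks allowed per network prefix per window


def per_ip_blocked(clicks, limit=PER_IP_LIMIT):
    """The defence the article describes: block any one address over the limit."""
    counts = Counter(clicks)
    return {ip for ip, n in counts.items() if n > limit}


def prefix_of(ip, v4_bits=16, v6_bits=48):
    """Map an address to its enclosing network (prefix sizes are assumptions)."""
    addr = ip_address(ip)
    bits = v4_bits if addr.version == 4 else v6_bits
    return ip_network(f"{addr}/{bits}", strict=False)


def per_prefix_flagged(clicks, limit=PER_PREFIX_LIMIT):
    """Count clicks per network, so many low-volume addresses still add up."""
    counts = Counter(prefix_of(ip) for ip in clicks)
    return {str(net): n for net, n in counts.items() if n > limit}


def constructed_sample():
    """Constructed click log for one time window, using reserved test ranges."""
    # 1000 rented virtual computers in one provider range, 2 clicks each
    cloud = [f"198.18.{i // 250}.{i % 250 + 1}" for i in range(1000)] * 2
    # 40 ordinary visitors, each on a different network, 1 click each
    organic = [f"100.{64 + i}.0.7" for i in range(40)]
    # one host that clicks too often from a single address
    noisy = ["192.0.2.10"] * 9
    return cloud + organic + noisy


if __name__ == "__main__":
    log = constructed_sample()
    print("blocked by per-IP limit:", per_ip_blocked(log))
    print("flagged by per-prefix count:", per_prefix_flagged(log))
```

The fixed /16 is a stand-in for grouping by a provider's actual address ranges, and a prefix hit is a signal for review rather than an automatic block, since many legitimate users can share one network.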
So are botclouds being used? There were certainly rumours that the recent attack on Sony’s PlayStation Network was carried out via Amazon servers rented using stolen credit cards, but these have not been substantiated. “We have seen spam coming from some of these environments, but not on a massive scale,” says Paul Wood, a senior analyst at Symantec.cloud, which provides cloud-based security services. He says that it is even possible for a virtual computer in the cloud to become infected by an ordinary botnet, because cloud users don’t normally run anti-virus software.
Thomas Roth, a security researcher in Cologne, Germany, who recently showed how to use Amazon’s servers to crack Wi-Fi passwords, agrees the lack of anti-virus protection in the cloud is a problem. “I think that Amazon should provide infrastructure for doing vulnerability assessments and virus scans,” he says.
“Amazon Web Services employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,” Amazon told New Scientist. “We have automatic systems in place that detect and block many attacks before they leave our infrastructure.”
But Wood warns that attacks from the cloud could easily take off in countries with more lax web policing. “It’s only a matter of time before a Russian or Chinese equivalent of Amazon offers similar services,” agrees Clark. “You put malicious or illegal software there, it doesn’t matter, they will never take you offline.”