page 1 of 1
Comments: 9 | Views: 213

Denial of Budget Attack

 

Hello Sirs. I want to explain a new type of attack. This kind of attack might be called DDOB (Distributed Denial of Budget attack).

Our primary aim is Azure, Microsoft's new initiative.

Briefly, what is Azure? Azure is advanced hosting (marketing name: Cloud).

So Azure is a hosting plan that you buy for hosting your application.

 

1) You have a flexible hosting environment clustered over many datacenters in the world. (Up time is more than 100%).

2) Access to your server does not depend on a single connection line. (Access from everywhere)

3) You have dynamically growing disk space

4) Possibility to dynamically change your application's performance by attaching more CPU power to your hosting plan.

5) By design you have an n-tier application

6) Already installed Microsoft server solutions.

 

All this at quite a good price. Even more:

1) You do not pay for unused space

2) or for unused traffic

3) or for CPU idle time.

You pay only for what you are using. See: http://www.microsoft.com/windowsazure/pricing/

 

Windows Azure: Compute = $0.12 / hour, Storage = $0.15 / GB stored / month, Storage Transactions = $0.01 / 10K, Bandwidth = $0.10 in / $0.15 out / GB. …

 

All the above sounds great, doesn't it? You may think not to build your own datacenter any more, and to host all your applications in the cloud.

Yes, but the Cloud is such a great idea that it might not be fully true.

Why?

In real life there are groups of people who have an interest in destroying our business. They try to find new ways to damage our everyday work. Now I will explain how it is possible to attack a Cloud application.

Assume you host your application in the Cloud. You have 100 000 customers, and assume your estimated outcome per month is 1000$ (cloud service cost). As an attacker I may make a hundred accounts and make fake requests to your application.

From the application's point of view these requests are garbage, and they will be ignored by it, or even stored in a log file.

From the Cloud's point of view this is real traffic and real CPU calls, and all of that costs real money.

By the end of the month you will receive a check from the Azure service for much more than you expected: 100 000 000$.

The company has no possibility to pay that kind of money to Microsoft (Azure), and the company is bankrupt.

The DDOB attack is done.

Think about it. If Microsoft does not change the payment terms and keeps the payment calculation as it is, this kind of attack will always be successful.

It is not a detectable attack from Microsoft's side, because it is not a real DDOS attack; it attacks only a single application and keeps it online (with the help of Cloud power).

 

 

Thanks for Comments.

figuerres

sounds very very weak.

it can be detected by the pattern you describe.

the attacker can be blocked in many ways from ever reaching the service.

and the attacker will be at least partly traceable such that the data center can block them.

and i would bet that microsoft and others will take court action on such attacks if they happen.

one simple example is to use a client id certificate plus ssl.

attacker never gets to the service w/o a cert. every cert is issued to a known customer and revoked when / if abused or compromised.

with all the data using ssl + cert a hacker has almost no chance to see any traffic or to know what is valid.

a hardware firewall could block traffic that does not have the cert before granting access to the web servers or other network elements.

the firewall can log attempted inbound traffic and use this to block or to alert staff to trace hackers and find them.

no different really than any other network attack.

 

figuerres

if you do not believe me then go try it....

it's an attack and can be proven by the very standards you have set forth.

my first basis is that to use my service you have to be my customer; if you do not have the right credentials then you will not have access, and each attempt is proof of an attempted attack on my service.

and if you somehow fake my customer identity, when i see junk requests i just shut off that account and contact that customer.

and you have to start over... repeat that a few times and i have a load of info i can report.

the more time you spend finding a way in, the more it costs you in time and cpu power and network access costs to keep trying.

so that also works against you.

this becomes like the old Mad magazine "Spy vs. Spy" in a way....

 

staceyw
staceyw
Before C# there was darkness...

Actually, I have had the same concerns. Unless you're sitting watching accounting all the time, you may not find out about some expensive DOS until after the fact (i.e. after the bill comes). It is an open check book. For a mid-size business, this could be a small distraction. For a small business, it could mean no payroll that month. They may have it already, but you need a "Do not exceed" limit on each user for compute, bandwidth, and disk *and* a master do not exceed limit (i.e. stop limit), and some progressive warnings via email. Mr. Bad can come in via many different IPs also. An SSL cert on the server does not help. You would need to restrict via client certs to allow only xyz clients, which would be a pain to manage.

"you need a "Do not exceed" limit on each user for compute, bandwidth, and disk *and* a master do not exceed limit (i.e. stop limit), and some progressive warnings via email."

 

Absolutely agree. I'm just beginning to explore Azure and have this very concern. Sure you can - eventually - detect and act on such an attack, but I worry that for many small customers that may be too late. Reminds me of my first cell phone bill for one of my children :-0

 

Without this, I am hesitant to recommend the service to small-sized customers.
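As an added example (not code from the thread, from Azure, or from any of the posters), the spend meter the two replies above ask for, priced with the per-unit rates the original post quotes: a per-account "do not exceed" cap, a master stop limit, and progressive warnings raised once each. The limit values, request sizes and event names are constructed for the example; compute is billed per instance-hour rather than per request, so only bandwidth and storage transactions are metered here.

```python
from dataclasses import dataclass, field

# Per-unit prices quoted in the original post. Compute is billed per instance-hour,
# not per request, so this meter covers only the request-driven charges.
STORAGE_TXN_PER_10K = 0.01
BANDWIDTH_IN_PER_GB = 0.10
BANDWIDTH_OUT_PER_GB = 0.15
GB = 1024 ** 3


def request_cost(bytes_in: int, bytes_out: int, storage_txns: int) -> float:
    """Marginal metered cost, in dollars, of a single request."""
    return (bytes_in / GB * BANDWIDTH_IN_PER_GB
            + bytes_out / GB * BANDWIDTH_OUT_PER_GB
            + storage_txns / 10_000 * STORAGE_TXN_PER_10K)


@dataclass
class BudgetGuard:
    """Spend meter: per-account cap, master stop limit, progressive warnings (caps are constructed)."""
    master_limit: float                  # master "do not exceed" limit, dollars
    account_limit: float                 # per-account "do not exceed" limit, dollars
    warn_at: tuple = (0.5, 0.8, 0.95)    # fractions of master_limit that raise a warning once
    spent: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    warned: set = field(default_factory=set)
    stopped: bool = False

    def total(self) -> float:
        return sum(self.spent.values())

    def charge(self, account: str, bytes_in: int, bytes_out: int, storage_txns: int) -> list:
        """Meter one request and return the events it raised, e.g. ['warn:0.5'] or ['stop']."""
        if self.stopped or account in self.blocked:
            return ["rejected"]          # refused early; ingress bytes were still billed, so block upstream too
        self.spent[account] = self.spent.get(account, 0.0) + request_cost(bytes_in, bytes_out, storage_txns)
        events = []
        if self.spent[account] > self.account_limit:
            self.blocked.add(account)    # one abusive signup cannot keep running up the bill
            events.append(f"account_blocked:{account}")
        for frac in self.warn_at:        # progressive e-mail style warnings, each raised once
            if frac not in self.warned and self.total() >= frac * self.master_limit:
                self.warned.add(frac)
                events.append(f"warn:{frac}")
        if self.total() >= self.master_limit:
            self.stopped = True          # close the open check book: stop serving, bill stops growing
            events.append("stop")
        return events
```

The "rejected" path is the point staceyw makes: by the time a request reaches this code the ingress bandwidth has already been billed, so the same account and address blocks need to be pushed to the firewall or load balancer in front of the service.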

 

figuerres

Scott and Stacey: the OP wrote that the attack he was thinking of was to send fake requests to the service.

my point all through his posts was very simple: I would never allow random calls to my service from callers i did not know.

yes, if someone signs up for a service and then abuses it there is a problem. but that is true for any kind of service over the network and always has been. the OP seems to think that his idea is somehow new and different. my view is that it's not very different at all.

if you offer web hosting and some silly client runs huge bandwidth through your server you have to deal with it.

you have to have limits and safeguards.

the OP also seems to think that the hosting provider will not be interested in stopping the attacks as they get paid when you get this kind of attack. my view is that a hosting provider or service provider that handles business that way will lose customers very fast.

it's not a thing they would really want to shine on / ignore.

yes there is reason to think about what to set up and how to manage it.

but I think we can also build in good safeguards to limit such junk from hurting the businesses the way the OP seems to think is so easy.

staceyw
staceyw
Before C# there was darkness...

@ figuerres. We seem to be in agreement then. There need to be more limit knobs. And they need to be in the framework, not in my code (but you would have those too). If it hits my code, it has already cost me money. Maybe they are already there and I have not seen them yet.

figuerres

Thanks,

 

and I would say that yes, much of this *MUST* be in the system for it to be worth developing with / for.

 

and i would expect the provider to be willing to see a log and agree to take it off the bill if i was not at fault, and to treat it like any other case of network abuse / hacking etc... and be willing to work with me in taking the issue to the proper authorities if the case merits that.

 

any provider that did not treat it that way would not be getting my business for very long.

 

*IF* most developers and businesses do that then the providers will work that way or go out of business. that will prove the concept as valid or not in short order.
