Denial-of-wallet attacks: How to defend against costly exploits targeting serverless configurations

In recent years, the popularity of serverless computing has skyrocketed as companies continue to reap the benefits of this seamlessly scalable cloud infrastructure model.

In fact, the number of serverless consumers is estimated to exceed seven billion by 2021.

However, this trend is accompanied by a new threat of cyberattacks, particularly those targeting cloud infrastructure.

Among these developing exploits is denial of wallet, a lesser-known but easy-to-execute strategy that can cause serious monetary damage to victims.

Denial-of-wallet (DoW) exploits are like classic denial-of-service (DoS) attacks in that they are carried out with the aim of causing disruption.

However, while DoS attacks aim to force a targeted service offline, DoW seeks to cause a monetary loss to the victim.

In addition, while classic web-based distributed denial-of-service (DDoS) attacks flood the server with traffic until it crashes, DoW attacks are directed specifically at serverless users.

Despite the name, “serverless” does not mean that the user is not connected to a server; rather, they pay to access a server controlled by a third party.

Denial-of-wallet attacks exploit the fact that serverless providers charge users based on the amount of resources an application consumes, which means that if an attacker floods a site with traffic, the site owner can receive a huge bill.

An attacker does not benefit from DoW attacks in the same way as they would from other exploits, other than, of course, by causing their target monetary misery.

“When you have servers in a knowledge center and an attacker just needs to hurt you, they can DDoS you and cause breakdowns,” says Scott Piper, AWS Security Representative at Summit Route.

“When running in the cloud, an attacker can do things to keep their site active while ruining it.”

Drain: Denial-of-wallet attacks can result in massive monetary losses for serverless users

Serverless computing is when backend facilities are supplied according to usage. The company pays a serverless provider to supply the infrastructure and server.

Popular serverless providers include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), which in combination have millions of users.

Pros of serverless

The serverless model has apparent benefits, one of which is that it allows small businesses to get their facilities up and running without having to invest in hardware.

Another positive is that because the service is provided through a pay-as-you-go system, the user is charged for the bandwidth or resources they use.

“Serverless computing is a stateless architecture for stateless applications,” Erica Windish, founder of serverless provider IOpipe, told The Daily Swig. “I think this architecture is secure because it reinforces immutability.”

Because serverless environments are updated, it’s difficult for malware to remain idle in the infrastructure for too long.

Cons of serverless

However, there are dangers related to the use of serverless computing. For example, notes Windish, it can interfere with the ability to perform a thorough analysis of the infrastructure.

“The serverless server also creates observation security challenges. For example, if a compromised container is destroyed every five minutes at 8 o’clock, how do you do an autopsy? There is no tool to freeze or save those environments for analysis,” she said.

The serverless model also leads the user to rely on the vendor’s security practices. If the server is not secure, denial of wallet is not the only cyberattack that administrators face.

A victim will notice that something has happened when their bill is higher than expected. However, there are tactics to stop a denial-of-wallet attack before it becomes too expensive.

As a first step, Summit Route’s Piper suggests setting a billing alert. This will tell the user if they exceed a predefined spending limit.

Users can also use limits to contain the effect of any packaged code, especially lines that can cause an infinite loop scenario.

“Many other people have stories about infinite loops on AWS that have caused resource creation over and over again, or a Lambda cause that has been triggered again,” Piper said.

“This is not an unusual enough challenge for the CloudWatch event rule documentation to even imply a warning about it.”

He added: “Without those limits, an attacker can simply attempt to run a million EC2s, but due to those limitations, the attacker can throw a few dozen EC2s.”

Serverless users will need to set limits to generate billing alerts.

The origin of the DoW attack dates back to 2008, Piper told The Daily Swig, when it was called an “economic denial of sustainability” in a Rational Security blog post.

Piper suggests that the term “denial of wallet” was first used in 2013, referring to a Twitter user named gepeto42.

There is no truly bulletproof protection against denial-of-wallet attacks. Instead, serverless users should set the above limits to generate alerts if they are a target.

The top 10 OWASP Serverless Threats (PDF) describes DoW:

To “protect” against such attacks, AWS allows you to set limits for calls or budget. However, if the attacker can exceed this limit, it can cause a DoS in account availability. There is no genuine coverage that does not result in DoS. The attack is not as undeniable in classical architecture as it is in serverless architecture. Therefore, the threat is high.
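
The trade-off between a billing alert and a hard limit, as described by Piper and in the OWASP passage above, can be modelled in a few lines. This is an added example, not part of the original article; the pricing constants, the traffic figures and the names `simulate` and `compare` are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed pricing for illustration; not any provider's actual rate card.
PRICE_PER_REQUEST = 0.0000002        # USD per invocation
PRICE_PER_GB_SECOND = 0.0000166667   # USD per GB-second of compute

@dataclass
class Outcome:
    bill_usd: float                  # charge accrued over the window
    legit_dropped: int               # genuine requests refused by the limit
    alert_minute: Optional[int]      # first minute the billing alert fired

def simulate(traffic, mem_gb, secs_per_call, limit_per_min=None, alert_usd=None):
    """Replay (legit, hostile) request counts per minute against a pay-per-use function."""
    cost_per_call = PRICE_PER_REQUEST + mem_gb * secs_per_call * PRICE_PER_GB_SECOND
    bill, legit_dropped, alert_minute = 0.0, 0, None
    for minute, (legit, hostile) in enumerate(traffic):
        total = legit + hostile
        served = total if limit_per_min is None else min(total, limit_per_min)
        # The limiter cannot tell requests apart, so genuine users are
        # throttled in proportion to their share of the traffic.
        legit_dropped += legit - (legit * served // total if total else 0)
        bill += served * cost_per_call
        if alert_usd is not None and alert_minute is None and bill >= alert_usd:
            alert_minute = minute
    return Outcome(round(bill, 2), legit_dropped, alert_minute)

# Constructed traffic: 10 normal minutes, then a 50-minute flood.
TRAFFIC = [(1_000, 0)] * 10 + [(1_000, 499_000)] * 50

def compare(limit_per_min=20_000, alert_usd=50.0):
    """Same flood with an alert only, and with an alert plus a per-minute limit."""
    alert_only = simulate(TRAFFIC, 1.0, 1.0, alert_usd=alert_usd)
    with_limit = simulate(TRAFFIC, 1.0, 1.0, limit_per_min, alert_usd)
    return alert_only, with_limit

if __name__ == "__main__":
    for label, outcome in zip(("alert only", "alert + limit"), compare()):
        print(f"{label:14} {outcome}")
```

With these constructed numbers the alert alone fires at minute 15 while the bill runs on to $421.84; the limit holds the bill to $17.04 but turns away 48,000 of the 60,000 genuine requests, which is the DoS side of the trade-off.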

Steps should also be taken to protect credentials related to a serverless account.

Piper stated that if an attacker is able to make estimated API calls to a victim’s AWS account, “he probably also has the ability to delete all of his files in S3, end all his time, and cause additional devastation that can cause aggravation and have an effect on companies.”

He advised mitigating this situation by deploying least-privilege services, applying multi-factor authentication to all users, and implementing service policies.
