What is EDOS?
Economic Denial of Sustainability (EDoS) is a cybersecurity threat targeting cloud environments. EDoS attacks exploit the elasticity of clouds, particularly auto-scaling capabilities, to inflate a cloud user’s bill until the account goes bankrupt or service is withdrawn at scale.
EDoS attacks exploit the cloud’s economies of scale to disrupt or disable the availability of cloud services and infrastructure that support applications, systems, and enterprise networks. These are usually remote-controlled bots that covertly send fake requests. When these requests bypass security controls, the cloud service allocates additional resources and charges the cloud user.
Traditional incident response strategies are poorly equipped to deal with EDoS threats for several reasons:
- EDoS traffic uses IP spoofing and is difficult to detect with existing network analysis techniques unless attackers use known malicious IPs.
- Application and end users are initially unaffected by EDoS attacks. Cloud resources are scaled to handle the additional traffic, at least until the budget is exhausted, so application performance metrics cannot be used to detect the attack.
- System hardening techniques are not effective against EDoS because the traffic does not exploit any type of vulnerability in the traditional sense.
- Even if an EDoS attack is detected, incident responders cannot respond with existing tools. You need to interface with cloud cost management systems to be able to short-circuit automatic scaling mechanisms.
DoS vs DDoS vs EDoS
Let’s examine the difference between the more well-known “..oS” attacks and the new kid-on-the-block – EDoS.
In a Denial of Service (DoS) attack, attackers send fake requests that can prevent legitimate users from accessing the system, using resources such as server processing power, memory, and network bandwidth, and in some cases, crashing the target system .
Roughly speaking, there are two variants of DoS attacks. A flood DoS attack exploits the fact that server buffers cannot process packets when there are too many incoming requests, resulting in service degradation or traffic being rejected. In a “crash” DoS attack, corrupted packets or requests are created that exploit vulnerabilities in the target system, causing the target system to crash or fail.
A Distributed Denial of Service (DDoS) attack is an evolved version of a DoS attack. This type of attack is often used by attackers as a smokescreen to keep security teams occupied while attackers penetrate an organization’s network behind the scenes.
DDoS attacks are enabled by massive botnets created by attackers installing malware on thousands or even millions of computer systems. These systems can be as small as end-user devices, Internet of Things (IoT) devices, or larger entities such as servers or other Internet-connected systems. All of these devices are “locked” into a robotic network and are under the central control of the attacker running the Command and Control (C&C) server.
DDoS attacks target a specific feature of the internet protocol architecture. A common technique used by attackers is IP spoofing, where attackers send packets using a fraudulent originating IP address, making traffic appear legitimate, making it difficult to detect, track, and block.
EDoS attacks take advantage of the rapid scalability and resiliency of cloud environments. The attackers aim to make the victim’s cloud account financially unsustainable.
Attackers primarily target Infrastructure-as-a-Service (IaaS) solutions. EDoS attacks use a common pattern of DDoS attack methods: exploiting vulnerabilities in cloud systems, such as B. old software versions, insecure protocols and publicly accessible IP addresses to install malicious software. They hijack devices or cloud resources that follow attacker’s instructions and send spoofed traffic packets to a targeted system or service. This additional traffic causes the cloud service to scale until it is no longer economically viable.
Why attackers use these methods to harm an organization
EDoS attacks, like the early DDoS attacks, aim to disrupt a business and cause financial loss. They have no direct use for the attackers. For individual cybercriminals, these attacks could be a “show of force” or the attacker’s personal revenge on an organization. For hacktivists, they could be used to sabotage organizations that oppose the hacktivist‘s cause. For larger criminal groups, backed by hostile nation-states, they could be a way to disrupt economic activity in a targeted population.
Today, DDoS is a billion dollar business where DoS platforms are provided as a service and attackers generate revenue by demanding ransom and other means. I expect EDoS attacks will continue to grow, so it’s likely that a business model and criminal ecosystem will develop around them as well.
The concept of EDoS attacks was described in research over a decade ago. The biggest challenge in EDoS protection is detecting the attack, as to a traditional security tool it would appear like a normal scale-up event in a cloud system. Once the attack is detected, operators can disable auto-scaling mechanisms, stopping the attack.
Several theoretical frameworks have been proposed to detect EDoS attacks. However, these approaches had disadvantages and therefore were not implemented in widely used security tools:
- Support Vector Machines (SVM) and Self-Organizing Maps (SOM) – These are Machine Learning (ML) models that successfully detect an EDoS attack. However, they are comparatively slow and therefore cannot process real-time data in a large-scale attack.
- Fully Connected Neural Network (FCNN) – This deep learning method performs better than ML algorithms because it can extract features more efficiently using multiple neural layers. However, their accuracy is relatively low since EDoS is an ongoing process that requires time-series analysis, while an FCNN has no “memory” capability (it analyzes each event or data packet separately).
- Recurrent neural network (RNN) and long short-term memory (LSTM) – RNN is more successful in detecting EDoS because it can analyze a sequence of events. It is more accurate when equipped with LSTM cells, which can capture a memory of recent events and take them into account when analyzing a current event. However, RNN models are again inefficient when applied to real-time data.
A new approach has been proposed in recent research by Vinh Quoc Ta and Minho Park.
They propose a framework that makes both the training and prediction phases faster than LSTM by using a parallel processing strategy. The approach works as follows:
- Use LSTM attention cells to predict a unit in an attack traffic sequence by determining how strongly it is correlated with other units.
- Calculate an attention value Use of the widely used Transformer Encoder Decoder model. However, the EDoS detection model uses only one encoder module to compute inputs in parallel. This significantly improves performance while maintaining the accuracy of previous LSTM models.
- Consider relative scores of a network packet compared to others in a flow, which helps the model “remember” historical characteristics of earlier units in the sequence.
- Use one rating for multiple functions to improve computational efficiency. In other words, when the model analyzes a package, it uses the score in all related packages to reduce processing time.
- Can classify the results of zero-day attacks with an unsupervised learning strategy.
- real-time updates with the model allow live data to be retrained and parameters fine-tuned to adapt to changes in attacks.
Researchers tested the model on realistic flooding attacks used to perform EDoS actions and found that it can detect attacks and process data with sufficient performance.
The elasticity and flexibility of the cloud reduces the potential for traditional DDoS attacks. However, attackers can bombard systems with additional traffic, causing the systems to scale indefinitely until the victim incurs an unbearable economic cost.
Although EDoS attacks are difficult to detect with traditional security tools, alternative methods are available to enable early mitigation.
It is important to understand that while the threat is real, the tools to counter it are slow to develop. This article aims to help you understand the new threat landscape, adopt new security approaches as they are introduced, and even develop your own practical approaches to stopping EDoS attacks.
About the author: Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, creating technical and trend-setting content explaining technical solutions for developers and IT leaders. Today he leads Agile SEO, the leading marketing agency in the technology industry.
LinkedIn: Gilad David Maayan
FB: Gilad David Maayan
Publisher’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.