This story was written by Keith Dawson for UBM DeusM’s community Web site Develop in the Cloud, sponsored by AT&T. It is archived here for informational purposes only because the Develop in the Cloud site is no more. This material is Copyright 2012 by UBM DeusM.

Cloud As Botnet

Cloud providers don't filter attack traffic, study finds.

A study of 5 "common" but unnamed cloud providers found that not one throttles, warns about, or otherwise reacts to blatantly malicious traffic on their clouds, either outbound or inbound.

An international group of researchers from Austria-based Stratsec, a subsidiary of BAE Systems, mounted a series of experiments to see how cloud service providers reacted to malicious activity on their networks. The short answer: whether known-bad traffic originated on their networks -- as if bad guys were using the clouds as botnets -- or were directed from outside to their own cloud instances, none of the cloud providers seemed to notice. The tests went on for 21 days; one of them involved a high volume of suspicious traffic that was maintained for 48 hours.

"The results of the experiment showed that no connections were reset or terminated when transmitting inbound and outbound malicious traffic, no alerts were raised to the owner of the accounts, and no restrictions were placed on the Cloud instances," a Stratsec blog post states.

The researchers set up some cloud resources and sent different types of malicious traffic from remotely controlled cloud instances (virtual machines) to a number of test servers running common services such as HTTP, FTP, and SMTP. In one experiment, attacker and target machines were in the same cloud; the intent was to gauge the provider's reaction to internal traffic that followed known-bad patterns. In another experiment, the bad traffic was sent from one cloud to another, to scope out two providers' responses to both inbound and outbound suspicious activity.

Nothing.

The things the researchers were doing were well beyond suspicious, they were smoking-gun bad: sending malformed network packets, performing aggressive port scans, sending malware to victim hosts by means of a reverse shell, performing denial-of-service attacks against Web servers running on the targets, performing brute-force FTP password cracking attacks, launching SQL injection attacks, etc.

Nothing.

The researchers warn that the cloud providers' lack of security scanning could encourage bad guys to set up "botClouds" in addition to or in preference to using armies of conscripted zombie PCs. "With the budget of as low as $7 and minimum hardware specification, it is possible to set up a botCloud with tens to hundreds of cloud instances," the researchers claim.

It's not clear that legitimate clouds offer much of a price advantage over the illicit variety. A recent report from Trend Micro, titled Russian Underground 101 (PDF), outlines a year of research on Russia-based chat forums that are frequented by cyber-criminals. It lists the wide variety of services available to bad guys in this underground economy, with prices. A day of DDoS against a single address costs around $50.

And relying on public clouds for a botnet has the downside that the cloud operator will probably be very responsive to any abuse notifications. Much more so than the anonymous operator of a Chinese fast-flux network hosting botnet command-and-control servers.

This situation is indicative of the relative immaturity of cloud technology. Probably as a result of this study, at least some cloud providers will put measures into place to watch for for malicious activity in which their customers may be engaging. A provider's security posture will become part of the checklist that customers will run.

In the meantime, don't whitelist traffic just because it originates from one of the reputable cloud providers.