An AWS customer inadvertently launched a "denial of money" attack on himself, with help from Google's cloud. As cloud services proliferate, their interactions will continue to turn up such surprises.
The cloud is one of the greatest enhancers of business agility ever invented. It's no wonder corporations at all scales are rushing to find out how they can best leverage this flexible, scalable, and rentable resource. But the tale of Panos Ipeirotis should give us pause to think about unintended consequences as we implement cloud solutions, especially ones that span the boundaries between cloud service providers.
Ipeirotis, a computer science professor at New York University, first became aware he might have a problem when an automated email from Amazon alerted him to unusual bandwidth charges on his Amazon Web Services account. His blog post details the path of deduction he embarked on over the next few hours to find out why the meter was suddenly running on his AWS account at $100 per hour.
He had a bucket at AWS containing 25,000 images -- 250 GB worth. For an experiment in the crowdsourcing of image metadata, Ipeirotis had set up a spreadsheet in Google Docs with thumbnails of those 25,000 images, and he had invited all the world to edit the spreadsheet and describe the images. The problem was that Google was fetching the images repeatedly from AWS. Google's crawler was downloading the entire 250 GB every single hour.
This wasn't a mistake on Google's part. They wanted to make sure that when someone viewed the spreadsheet, they would see the very latest data -- in case one of the images had changed. They were pre-fetching all of the images in order to make sure they were ready when someone scrolled to that part of the spreadsheet. For reasons of user privacy, Google was not caching the images. And the rate limits Google imposes on some of its crawlers, so that they won't hammer sites into oblivion, were not in effect because the source was AWS, which is essentially immune from harm from any level of traffic demand.
Writing in Wired, Robert McMillan seems to have coined the term "denial of money attack" for this scenario; Ipeirotis does not use it. The professor did note, however, that what he had inadvertently done to himself, a bad actor could direct against a target who happened to store data in AWS.
To their great credit, Amazon rescinded the bandwidth charges, calling the activity "accidental." Google told McMillan it is investigating the issue; I expect the company will fix its crawler ("Feedfetcher") to make such a denial-of-money attack impossible.
The lesson here is that unexpected effects can result when applications set up cloud services that interpenetrate. This won't be the last one we see, as the industry works to settle on cloud interoperability standards. When building out your cloud strategy, be alert for surprises like this that can spring out of the complexity of the infrastructure on which we are all coming to depend.
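One way a bucket owner could catch the hourly re-fetch pattern described above before the bill does, as an added example that is not from Ipeirotis, Amazon or Google: it sums bytes served per user agent per hour, prices them, and reports how many of the same objects that agent also pulled in the previous hour. The tab-separated record layout, the sample records, the function names and the per-GB rate (taken from the article's $100 per hour for 250 GB per hour) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: rate implied by the article's figures ($100/hour for 250 GB/hour),
# not a published AWS price.
USD_PER_GB = 100 / 250
GB = 10**9

# Constructed records (hypothetical tab-separated export, not a real AWS log
# format): timestamp, object key, bytes sent, user agent.
SAMPLE_LOG = "\n".join([
    "2024-01-01T13:05:00Z\timages/a.jpg\t10000000\tFeedfetcher",
    "2024-01-01T13:05:01Z\timages/b.jpg\t10000000\tFeedfetcher",
    "2024-01-01T13:05:02Z\timages/c.jpg\t10000000\tFeedfetcher",
    "2024-01-01T14:05:00Z\timages/a.jpg\t10000000\tFeedfetcher",
    "2024-01-01T14:05:01Z\timages/b.jpg\t10000000\tFeedfetcher",
    "2024-01-01T14:05:02Z\timages/c.jpg\t10000000\tFeedfetcher",
    "2024-01-01T14:20:00Z\timages/a.jpg\t10000000\tMozilla/5.0",
])

def hourly_egress(log_text):
    """Sum bytes sent and collect object keys per (hour, user agent)."""
    usage = defaultdict(lambda: {"bytes": 0, "keys": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key, sent, agent = line.split("\t")
        entry = usage[(ts[:13], agent)]  # ts[:13] is "YYYY-MM-DDTHH"
        entry["bytes"] += int(sent)
        entry["keys"].add(key)
    return usage

def find_runaway_agents(log_text, budget_usd_per_hour):
    """Flag agents whose hourly egress cost exceeds the budget and count the
    objects they had already fetched in the previous hour."""
    usage = hourly_egress(log_text)
    alerts = []
    for (hour, agent), entry in sorted(usage.items()):
        cost = entry["bytes"] / GB * USD_PER_GB
        if cost <= budget_usd_per_hour:
            continue
        prev = datetime.strptime(hour, "%Y-%m-%dT%H") - timedelta(hours=1)
        earlier = usage.get((prev.strftime("%Y-%m-%dT%H"), agent))
        refetched = len(entry["keys"] & earlier["keys"]) if earlier else 0
        alerts.append({"hour": hour, "agent": agent,
                       "usd": round(cost, 4), "refetched_keys": refetched})
    return alerts

if __name__ == "__main__":
    for alert in find_runaway_agents(SAMPLE_LOG, budget_usd_per_hour=0.01):
        print(alert)
```

A high `refetched_keys` count alongside an over-budget hour is the signature of the incident: one client pulling the same unchanged objects again rather than many visitors each pulling a few.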