Thunder from the cloud
According to a report from security site DarkReading, by investing only $6, security experts David Bryan and Michael Anderson managed to take down their client's server with the help of Amazon's flexible EC2 cloud infrastructure. After entering a name and credit card number, the experts were able to upload their "Thunder Clap" program to Amazon's virtual servers; the program eventually brought down their client's server via a DoS attack. The experts say that they encountered no special bandwidth agreements or detection mechanisms to stop them.
Amazon reportedly also failed to respond to the complaints by these clients, who launched the attack to test their own infrastructure. In an email reply available on the DarkReading web page, Amazon spokeswoman Kay Kinton says the opposite: "We do have a process for both detecting and responding to reports of abuse. [...] When we find misuse, we take action quickly and shut it down." Amazon didn't comment on why this did not happen on this occasion.
Bryan says that protective measures do exist: "While cloud services are a new way to deliver attacks, the steps needed to defend a business' network and keep it connected are no different than those used to defend against run-of-the-mill packet floods." He says that in this case, although his clients were prepared for the scenario, their security hardware was not configured tightly enough to detect the attack. According to Bryan and Anderson, criminals have so far mainly used botnets for their attacks, but renting server time from a legitimate cloud service is cheaper and can be more effective. The experts fear that threat agents could use cloud services to run extortion schemes against companies, and they have called on vendors such as Amazon, Google, Microsoft and Rackspace, who operate easily accessible cloud services, to respond faster to complaints.