BotClouds Still Hard to Detect (And Mitigate)
This morning, during my usual virtual promenade through my feeds, I came across a really interesting post from Stratsec, a subsidiary of Bae Systems.
The post unveils the details of an unprecedented experiment aimed to verify how easy and cheap is to setup a botCloud and how hard is for the Cloud providers to detect them (and consequently advise the victims).
As the name suggests, a botCloud is defined as a group of Cloud instances that are commanded and controlled by malicious entity to initiate cyber-attacks.
The research was carried on by subscribing to five common Cloud providers and setting up to 10 Cloud instances targeting a victim host, protected by traditional technologies such as IDS, and flooded with several common attack techniques (malformed traffic, non-RFC compliant packets, port scanning, malware traffic, denial of service, brute force, shellcode and web application attacks) in 4 scenarios:
- Victim host placed in a typical network scenario with a public IP, firewall and IDS;
- Victim host setup as a cloud instance inside the same cloud service provider then the attackers;
- Victim host setup as a cloud instance inside a different cloud service provider then the attackers;
- Same scenario as test 1 with a major duration (48 hours) to verify the impact of duration on the experiment;
The findings are not so encouraging, and confirm that the security posture of the cloud providers needs to be improved:
- No connection reset or connection termination on the outbound or inbound network traffic was observed;
- No connection reset or termination against the internal malicious traffic was observed;
- No traffic was throttled or rate limited;
- No warning emails, alerts, or phone calls were generated by the Cloud providers, with no temporary or permanent account suspensions;
- Only one Cloud provider blocked inbound and outbound traffic on SSH, FTP and SMTP, however these limitation was bypassed by running the above service on non-default port.
The other face of the coin is represented by the moderate easiness needed to setup an army of cloud-hidden zombie machined which can leverage the advantages of a Cloud infrastructure. In fact a botCloud
- Is relatively easy to setup and use;
- Needs significantly less time to build;
- Is Highly reliable and scalable;
- Is More effective;
- Has a Low cost.
Cloud Service Providers (and their customers), are advised…