
BotClouds Still Hard to Detect (And Mitigate)


This morning, during my usual virtual promenade through my feeds, I came across a really interesting post from Stratsec, a subsidiary of BAE Systems.

The post unveils the details of an unprecedented experiment aimed at verifying how easy and cheap it is to set up a botCloud, and how hard it is for Cloud providers to detect one (and consequently advise the victims).

As the name suggests, a botCloud is defined as a group of Cloud instances that are commanded and controlled by a malicious entity to initiate cyber-attacks.

The research was carried out by subscribing to five common Cloud providers and setting up as many as 10 Cloud instances targeting a victim host, protected by traditional technologies such as an IDS, and flooding it with several common attack techniques (malformed traffic, non-RFC-compliant packets, port scanning, malware traffic, denial of service, brute force, shellcode and web application attacks) in 4 scenarios:

  1. Victim host placed in a typical network scenario with a public IP, firewall and IDS;
  2. Victim host set up as a cloud instance inside the same cloud service provider as the attackers;
  3. Victim host set up as a cloud instance inside a different cloud service provider than the attackers;
  4. Same scenario as test 1 with a longer duration (48 hours) to verify the impact of duration on the experiment.

The findings are not so encouraging, and confirm that the security posture of the cloud providers needs to be improved:

  • No connection reset or connection termination on the outbound or inbound network traffic was observed;
  • No connection reset or termination against the internal malicious traffic was observed;
  • No traffic was throttled or rate limited;
  • No warning emails, alerts, or phone calls were generated by the Cloud providers, with no temporary or permanent account suspensions;
  • Only one Cloud provider blocked inbound and outbound traffic on SSH, FTP and SMTP; however, this limitation was bypassed by running those services on non-default ports.
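The findings above are a list of egress controls the providers did not apply: no throttling, no alerting on scanning or flooding from their own instances. As an added example (not part of the Stratsec study or this post), the script below runs two of those checks, a port-scan heuristic and a per-instance connection-rate check, over constructed flow-log lines; the log format, instance names, addresses and thresholds are all assumptions.

```python
"""Egress flow-log heuristics a cloud provider could run per tenant instance.

Constructed example, not from the study: each record is
"ts src_instance dst_ip dst_port proto". Two checks are applied per window:
 - port-scan: one source touching many distinct ports on one destination
 - flood: one source opening more connections than allowed
"""
from collections import defaultdict

SCAN_PORT_THRESHOLD = 20      # distinct dst ports per (src, dst) per window (assumed)
FLOOD_CONN_THRESHOLD = 200    # flows per src per window (assumed)
WINDOW_SECONDS = 60

def parse_flow(line):
    # Example record: "1351684800 i-0001 203.0.113.9 22 tcp" (constructed format)
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto

def analyze(lines, window=WINDOW_SECONDS):
    """Return a sorted list of (window_start, src_instance, finding) tuples."""
    ports = defaultdict(set)    # (win, src, dst) -> set of destination ports
    conns = defaultdict(int)    # (win, src) -> number of flows
    for line in lines:
        ts, src, dst, dport, _ = parse_flow(line)
        win = ts - ts % window
        ports[(win, src, dst)].add(dport)
        conns[(win, src)] += 1
    findings = set()
    for (win, src, dst), p in ports.items():
        if len(p) >= SCAN_PORT_THRESHOLD:
            findings.add((win, src, f"port-scan of {dst}: {len(p)} ports"))
    for (win, src), n in conns.items():
        if n >= FLOOD_CONN_THRESHOLD:
            findings.add((win, src, f"connection flood: {n} flows"))
    return sorted(findings)

def sample_logs():
    """Constructed flows: i-scan sweeps 30 ports, i-flood opens 250 connections,
    i-ok makes a handful of ordinary HTTPS connections."""
    base = 1351684800  # aligned to a 60-second window boundary
    lines = [f"{base + i} i-scan 203.0.113.9 {1000 + i} tcp" for i in range(30)]
    lines += [f"{base + i % 50} i-flood 203.0.113.9 80 tcp" for i in range(250)]
    lines += [f"{base + i} i-ok 198.51.100.7 443 tcp" for i in range(5)]
    return lines

if __name__ == "__main__":
    for win, src, what in analyze(sample_logs()):
        print(win, src, what)
```

The same aggregation keyed on (source instance, destination) is what a provider would need in order to throttle or alert on the behaviour the study observed going unanswered.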

The other side of the coin is the relative ease of setting up an army of cloud-hidden zombie machines which can leverage the advantages of a Cloud infrastructure. In fact a botCloud

  • Is relatively easy to set up and use;
  • Needs significantly less time to build;
  • Is highly reliable and scalable;
  • Is more effective;
  • Has a low cost.

Cloud Service Providers (and their customers) are advised…
