What is EDoS?
Economic Denial of Sustainability (EDoS) is a cybersecurity threat targeting cloud environments. EDoS attacks exploit the elasticity of clouds, particularly auto-scaling capabilities, to inflate the billing of a cloud user until the account reaches bankruptcy or large-scale service withdrawal.
EDoS attacks exploit the cloud’s economies of scale to disrupt or discontinue the availability of cloud services and infrastructure that support applications, systems, and corporate networks. It typically involves remotely-controlled bots that covertly send fake requests. If these requests bypass security controls, the cloud service provisions additional resources and charges the cloud user.
Traditional incident response strategies are ill-equipped for EDoS threats for several reasons:
- EDoS traffic uses IP spoofing and is difficult to detect using existing network analysis techniques, unless attackers are using known bad IPs.
- The application and end-users are not initially affected by EDoS attacks. Cloud resources scale up to meet the additional traffic, at least until the budget is depleted, so application performance metrics cannot be used to detect the attack.
- System hardening techniques are not effective against EDoS because traffic does not exploit any type of vulnerability in the traditional sense.
- Even once an EDoS attack is detected, incident responders cannot react using existing tools. They must establish an interface to cloud cost-management systems, to be able to short-circuit automatic scaling mechanisms.
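The last point is the one responders can act on: the scaler needs to consult cost data before it honours a scale-up, so that a flood which looks like legitimate demand is capped at what the budget can sustain and surfaced as an alert. The following is an added example (not code from the original article) of such a budget-aware cap. It assumes a flat price per instance-minute, a fixed request capacity per instance, a 30-day billing month and a monthly budget; all of those values, and the traffic profile, are constructed for illustration.

```python
"""Added example: a budget-aware cap on auto-scaling.

Assumptions (constructed for illustration): a flat price per instance-minute,
a fixed request capacity per instance, a 30-day billing month and a monthly
budget. A scale-up request is honoured only while the projected month-end
spend stays within budget; demand beyond that is capped and raised as an
alert, which is the short-circuit a responder needs when traffic looks
legitimate but the bill does not.
"""
import math
from dataclasses import dataclass, field

PRICE_PER_INSTANCE_MINUTE = 0.12 / 60   # assumed: 0.12 per instance-hour
REQUESTS_PER_INSTANCE_MINUTE = 1000     # assumed capacity of one instance
MINUTES_IN_MONTH = 30 * 24 * 60
HARD_MAX_INSTANCES = 500                # assumed provider/quota ceiling


@dataclass
class ScalerState:
    instances: int = 2
    spent: float = 0.0                  # spend accrued so far this month
    alerts: list = field(default_factory=list)


def demanded_instances(requests_per_minute: int) -> int:
    """Instances a naive elastic scaler would request for this traffic level."""
    return max(1, math.ceil(requests_per_minute / REQUESTS_PER_INSTANCE_MINUTE))


def budget_cap(spent: float, minute_of_month: int, monthly_budget: float) -> int:
    """Largest fleet size whose cost for the rest of the month fits the budget."""
    remaining_minutes = MINUTES_IN_MONTH - minute_of_month
    if remaining_minutes <= 0:
        return HARD_MAX_INSTANCES
    affordable = (monthly_budget - spent) / (PRICE_PER_INSTANCE_MINUTE * remaining_minutes)
    return max(0, min(HARD_MAX_INSTANCES, math.floor(affordable)))


def step(state: ScalerState, minute_of_month: int, requests_per_minute: int,
         monthly_budget: float) -> ScalerState:
    """One scheduler tick: bill the running fleet, then decide the new size."""
    state.spent += state.instances * PRICE_PER_INSTANCE_MINUTE
    wanted = demanded_instances(requests_per_minute)
    cap = budget_cap(state.spent, minute_of_month, monthly_budget)
    if wanted > cap:
        # Traffic asks for more than the budget can sustain: cap instead of
        # scaling, and tell a human. There is no error rate or latency to
        # alarm on; the only signal is a bill running away from the budget.
        state.alerts.append(
            f"minute {minute_of_month}: demand {wanted} instances, "
            f"budget allows {cap}; scaling capped (possible EDoS)"
        )
    state.instances = min(wanted, cap, HARD_MAX_INSTANCES)
    return state


def simulate(traffic_per_minute, monthly_budget: float = 1000.0) -> ScalerState:
    """Run the scaler over a list of per-minute request counts."""
    state = ScalerState()
    for minute, rpm in enumerate(traffic_per_minute):
        step(state, minute, rpm, monthly_budget)
    return state


# Constructed traffic: an hour of normal load, then a request flood that would
# drive a naive scaler to 150 instances.
NORMAL_HOUR = [1500] * 60
FLOOD = [150_000] * 30

if __name__ == "__main__":
    final = simulate(NORMAL_HOUR + FLOOD)
    print(f"fleet after flood: {final.instances} instances, spent {final.spent:.2f}")
    for line in final.alerts[:3]:
        print(line)
```

Under these assumptions the hour of normal traffic runs on 2 instances with no alerts; once the flood starts, demand for 150 instances is capped at the 11 the remaining budget can pay for, and every tick after that records an alert. The cap is a blunt instrument (legitimate traffic above the cap is shed too), which is why the article stresses detection: the cap buys time, the detection tells you whether to lift it.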
DoS vs DDoS vs EDoS
Let’s explore the difference between the more familiar “..oS” attacks and the new kid on the block – EDoS.
In a Denial of Service (DoS) attack, attackers send fake requests that prevent legitimate users from accessing the system, consume resources such as server processing power, memory, and network bandwidth, and in some cases crash the target system.
Broadly speaking, there are two variants of DoS attack. A flood DoS attack exploits the fact that server buffers cannot process packets when there are too many incoming requests, causing service degradation or rejection of traffic. A “crash” DoS attack constructs corrupt packets or requests that exploit vulnerabilities in the target system, causing it to crash or fail.
A Distributed Denial of Service (DDoS) attack is an evolved version of a DoS attack. This type of attack is often used by attackers as a smoke screen, occupying security teams, while in the background attackers penetrate an organization’s network.
DDoS attacks are made possible by massive botnets, created by attackers who install malware on thousands or even millions of computing systems. These may be small systems, such as end-user devices and Internet of Things (IoT) devices, or larger ones, such as servers or any other internet-connected system. All these devices are “herded” into a robot network, under central control of the attacker who operates the Command and Control (C&C) server.
DDoS attacks target a particular characteristic of the internet protocol architecture. A common technique used by attackers is IP spoofing, in which attackers send packets using a fraudulent originating IP address, making the traffic appear legitimate, thus making it difficult to detect, track, and block.
EDoS attacks exploit the rapid scalability and resilience available in cloud environments. The attackers aim to make the victim’s cloud account financially unsustainable.
Attackers primarily target infrastructure as a service (IaaS) solutions. EDoS attacks use a common pattern of DDoS attack methods: exploiting cloud system vulnerabilities, such as old software versions, unsafe protocols, and publicly exposed IP addresses to install malicious software. They take over devices or cloud resources, which follow the attacker’s instructions and send fake traffic packets to a target system or service. This additional traffic causes the cloud service to scale up until it becomes economically unsustainable.
Why Attackers Use These Methods to Damage a Business
EDoS attacks, like the early DDoS attacks, are aimed at disrupting a business and causing financial loss. They do not have direct benefit for the attackers. For individual cybercriminals, these attacks could be a “show of force”, or the attacker’s personal revenge against an organization. For hacktivists, they could be used to sabotage organizations opposed to the hacktivist’s cause. For larger criminal groups sponsored by hostile nation states, they could be a way to disrupt economic activity in a target population.
Today, DDoS is a billion-dollar business, with DoS platforms being made available as a service, and attackers generating revenue by demanding ransom and other means. I predict that EDoS attacks will become more prevalent, so it is likely that a business model and criminal ecosystem will evolve around them as well.
The concept of EDoS attacks was described in research over a decade ago. The main challenge in EDoS protection is detecting the attack, because to a traditional security tool, it would appear the same as a regular scale-up event in a cloud system. As soon as the attack is detected, the operators can disable auto scaling mechanisms, and thus end the attack.
Several theoretical frameworks have been suggested to detect EDoS attacks. However, these approaches suffered from drawbacks, and as a result were not implemented in widely-used security tools:
- Support vector machines (SVM) and self-organizing maps (SOM) – these are Machine Learning (ML) models that are successful at detecting an EDoS attack. However, they are comparatively slow, and thus unable to process real-time data in a large-scale attack.
- Fully connected neural network (FCNN) – this deep learning method is more performant than ML algorithms, because it can extract features more efficiently using multiple neural layers. However, its accuracy is relatively low because EDoS is an ongoing process that requires time-series analysis, whereas an FCNN has no “memory” capability (it analyzes each event or data packet separately).
- Recurrent neural network (RNN) and long short-term memory (LSTM) – RNN is more successful at detecting EDoS because it can analyze a sequence of events. It is more accurate when equipped with LSTM cells that can capture a memory of recent events and take it into account when analyzing a current event. However, RNN models are again inefficient when applied to real time data.
A novel approach was suggested in recent research by Vinh Quoc Ta and Minho Park.
They suggest a framework that makes both training and prediction stages faster than LSTM, using a parallel processing strategy. The approach works as follows:
- Leverage LSTM attention cells to predict one unit in an attack traffic sequence by determining how strongly it is correlated with other units.
- Compute an attention score leveraging the widely used Transformer Encoder-Decoder model. However, the EDoS detection model uses only one encoder module to compute inputs in parallel. This dramatically improves performance while retaining the accuracy of earlier LSTM models.
- Consider relative scores of one network packet compared to others in a flow, which helps the model “remember” historical features of previous units in the sequence.
- Use one score for multiple features to improve computational efficiency. In other words, when the model analyzes one packet, it uses the score in all related packets to reduce processing time.
- Classify zero-day attack outputs using an unsupervised learning strategy.
- Update the model in real time, so it can re-train on live data and fine-tune parameters to adapt to changes in attacks.
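To make the parallelism point concrete: an attention score is a similarity between one unit of the sequence and every other unit, and all of those scores can be computed in a single pass rather than by stepping through the packets one at a time. The block below is an added example (not the researchers’ code) of single-head scaled dot-product self-attention over a short packet sequence, written in pure Python so it runs without dependencies. The per-packet feature vectors, the sequence, and the identity projection weights are constructed; in a trained model the projection matrices would be learned and the features would come from real flow records.

```python
"""Added example: single-head scaled dot-product self-attention over a packet
sequence, in pure Python. It illustrates the mechanism an encoder-only
detector builds on, not the researchers' implementation: every position's
score against every other position comes out of one pass over the sequence,
which is what allows parallel computation where an LSTM must step through the
packets in order. All inputs here are constructed for illustration.
"""
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def matvec(W, v):
    """Apply a projection matrix (list of rows) to a feature vector."""
    return [dot(row, v) for row in W]


def softmax(xs):
    m = max(xs)
    e = [math.exp(x - m) for x in xs]
    s = sum(e)
    return [x / s for x in e]


def attention_weights(features, Wq, Wk):
    """n x n matrix: row i holds how strongly packet i attends to each packet j.

    Queries and keys for all packets are computed up front, so the n*n scores
    need no sequential dependency between packets.
    """
    q = [matvec(Wq, f) for f in features]
    k = [matvec(Wk, f) for f in features]
    d = len(q[0])
    return [softmax([dot(qi, kj) / math.sqrt(d) for kj in k]) for qi in q]


def attend(features, Wq, Wk, Wv):
    """Context vector per packet: attention-weighted sum of all packets' values.

    This is the 'memory' effect: packet i's representation carries features of
    the packets it correlates with, without a recurrent pass over the sequence.
    """
    weights = attention_weights(features, Wq, Wk)
    v = [matvec(Wv, f) for f in features]
    width = len(v[0])
    return [[sum(w * vj[i] for w, vj in zip(row, v)) for i in range(width)]
            for row in weights]


# Constructed per-packet features, each scaled to [0, 1]:
#   [normalised size, normalised inter-arrival gap, SYN flag]
# Packet 0 is an ordinary data packet; packets 1-3 are small, rapid SYNs of the
# kind a flooding client emits.
PACKETS = [
    [0.9, 0.80, 0.0],
    [0.1, 0.05, 1.0],
    [0.1, 0.05, 1.0],
    [0.1, 0.05, 1.0],
]

# Constructed stand-in for learned projections: identity, so attention reduces
# to plain feature similarity and the output is easy to reason about.
IDENTITY = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]

if __name__ == "__main__":
    for i, row in enumerate(attention_weights(PACKETS, IDENTITY, IDENTITY)):
        print(f"packet {i} attends to:", [f"{w:.3f}" for w in row])
```

With identity projections, each flood packet puts more weight on the other flood packets than on the ordinary one, and the ordinary packet attends mostly to itself; that clustering of correlated units is what a classifier layer on top of the encoder would consume. Every row sums to one, and the whole matrix is produced from the feature list in one pass.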
The researchers tested the model on realistic flooding attacks used to perform EDoS actions and found it capable of detecting attacks and processing data with sufficient performance.
The elasticity and flexibility of the cloud reduce the potential for traditional DDoS attacks. However, attackers can bombard systems with additional traffic, causing the systems to scale up indefinitely until the victim incurs unsustainable economic costs.
Even though EDoS attacks are difficult to detect using traditional security tools, there are alternative methods available to enable early mitigation.
The important thing to understand is that, while the threat is real, the tools to defend against it are slow in the making. This article should serve to help you understand the new threat landscape, adopt new security approaches as they are introduced, and even develop your own practical approaches for stopping EDoS attacks.