Denial-of-Wallet attacks: hackers drain cloud resources and bank accounts!

Denial-of-Wallet attacks

Serverless computing has been gaining hype in recent years. As organizations began to understand the benefits of an easily scalable, cloud-based infrastructure model, they turned towards serverless computing.

Studies say that the number of users of serverless systems had exceeded 7 billion by 2021.

Serverless computing

Serverless computing is a model that provides backend services on an as-used basis. The serverless provider lets users write and deploy code without having to manage the underlying infrastructure.

Popular serverless computing providers are Google Cloud Platform (GCP), Amazon Web Services (AWS) and Microsoft Azure, which together have a million users.

Advantages of serverless computing

One of the main advantages of the serverless model is that it lets small organizations put their services live without investing in hardware.

Another advantage is that it works on a pay-as-you-go basis: the user is not charged for any resources or bandwidth they did not use.

Since serverless systems are constantly updated, it is difficult for malware to stay dormant inside the infrastructure for a long time.

Disadvantages of serverless computing

Serverless systems carry their own risks. For instance, Windish notes can sometimes block the opportunity to perform detailed infrastructure analysis.

This also makes security observability harder.

Another drawback of this model is that users depend on the vendor's security practices. If the server is insecure, vulnerability attacks other than Denial of Wallet can also occur.

However, along with the hype comes the risk of cyber-attacks targeting cloud-based infrastructure.

Denial of Wallet (DoW) is a less well-known type of cyber-attack, but the technique is easy to execute and can leave the victim financially damaged.

What is a Denial of Wallet attack?

A Denial of Wallet attack is similar to a Denial-of-Service (DoS) attack, in that both intend to cause disruption.

However, where a DoS attack aims to force the targeted service offline, a DoW attack focuses on causing the target financial loss.

Where a DDoS attack floods the servers with heavy traffic until they crash, a DoW attack targets users of serverless computing systems.

The name 'serverless' does not mean that the user is not connected to a server; rather, they pay a third party for access to its servers.

DoW attacks exploit the fact that users pay only for the amount of resources they use: if an attacker floods a particular website with heavy traffic, the site owner can be charged a huge bill.

In a DoW attack the attacker does not earn any personal gain; the aim is purely the financial loss of the victim.

When you have different servers in your data centre, a DDoS attack is enough for the attacker to hurt you, says AWS security consultant Scott Piper.

When it comes to a cloud service attack, the attacker may keep the site up and make you bankrupt.

How do you know you are under a DoW attack?

When the bill is unexpectedly higher than you expected, you are probably under a DoW attack. To be alerted in time, activate the billing alert feature so that it notifies you once the spending limit is crossed.

Users should set limits to avoid runaway code, particularly code paths that can create an infinite-loop scenario.

Without these limits, an attacker could easily spin up a million EC2 instances; with these limits in place he may only be able to spin up a few dozen.
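As an added example (not code from the original post or from any cloud provider), the following Python shows how limits of the kind discussed above bound the damage: a small admission controller enforces a cap on concurrent executions (modelled on the idea of reserved concurrency) and a cap on invocations per 60-second window, a constructed flood of requests is run through it, and the per-minute cap is turned into a worst-case hourly cost. The class names, the request burst and the price per invocation are all constructed for the illustration.

```python
"""
Added example, not from the original post or any provider's SDK: an admission
controller that enforces a concurrency cap and a per-minute invocation cap,
plus a helper that derives the worst-case hourly bill from the per-minute cap.
All prices and request timings below are constructed sample values.
"""
import heapq
from dataclasses import dataclass, field


@dataclass
class InvocationLimits:
    max_concurrency: int   # executions allowed to run at the same time
    max_per_minute: int    # invocations admitted in any one 60 s window


@dataclass
class AdmissionController:
    limits: InvocationLimits
    admitted: int = 0
    throttled: int = 0
    # Min-heap of end times for executions still in flight.
    _running: list = field(default_factory=list)
    _window_start: float = 0.0
    _window_count: int = 0

    def try_admit(self, now: float, duration: float) -> bool:
        """Admit an invocation starting at `now` that runs for `duration` seconds, or throttle it."""
        # Retire executions that have already finished by `now`.
        while self._running and self._running[0] <= now:
            heapq.heappop(self._running)
        # Roll the per-minute window forward once 60 s have elapsed.
        if now - self._window_start >= 60.0:
            self._window_start = now
            self._window_count = 0
        over_concurrency = len(self._running) >= self.limits.max_concurrency
        over_rate = self._window_count >= self.limits.max_per_minute
        if over_concurrency or over_rate:
            self.throttled += 1
            return False
        heapq.heappush(self._running, now + duration)
        self._window_count += 1
        self.admitted += 1
        return True


def run_burst(limits: InvocationLimits, arrivals: list, duration: float) -> tuple:
    """Feed a burst of arrival timestamps (seconds, ascending) through the controller.

    Returns (admitted, throttled) counts.
    """
    ctl = AdmissionController(limits)
    for t in arrivals:
        ctl.try_admit(t, duration)
    return ctl.admitted, ctl.throttled


def worst_case_hourly_cost(limits: InvocationLimits, cost_per_invocation: float) -> float:
    """Upper bound on the bill from one hour of sustained flooding, set by the per-minute cap."""
    return limits.max_per_minute * 60 * cost_per_invocation


if __name__ == "__main__":
    limits = InvocationLimits(max_concurrency=50, max_per_minute=600)
    # Constructed flood: 5000 requests spread evenly over one minute, each running 100 ms.
    flood = [i * (60.0 / 5000) for i in range(5000)]
    print("admitted, throttled:", run_burst(limits, flood, 0.1))
    # Constructed price of $0.0002 per invocation (not a real price list).
    print("worst-case hourly cost:", worst_case_hourly_cost(limits, 0.0002))
```

With the constructed flood, only the first 600 requests of the minute are admitted and the remaining 4400 are throttled, so the bill for that minute is bounded by the cap rather than by how much traffic the attacker can send; the same controller also refuses the 51st simultaneous execution when 100 long-running requests arrive at once.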

Prevention measures

There is no solid prevention against DoW attacks. Instead, serverless systems should be configured with limits that trigger alerts when they are exceeded.

To safeguard against such attacks, AWS lets you configure limits for your budget. If an attacker drives spending up to that limit, the cap itself can be used to cause a DoS attack against the user.

Take measures to protect the credentials associated with the serverless account.

Implement least-privilege service control policies and enforce multi-factor authentication for all users.
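The billing-alert advice above and the budget limits discussed in this section both come down to comparing spend against thresholds. As an added example (not code from the original post or from AWS), the following Python evaluates a series of daily cost records against a monthly budget with alert thresholds, projects the month-end spend the way a forecast alert would, and separately flags a day whose cost jumps far above a trailing baseline, which is the signature a DoW attack leaves in the bill. The daily cost figures, the budget and the threshold values are constructed sample data.

```python
"""
Added example, not from the original post or any provider's API: budget threshold
evaluation and spend-spike detection over constructed daily cost records.
"""
from statistics import median

# Constructed daily cost records (date, USD) for one service; the last day is a spike.
SAMPLE_DAILY_COSTS = [
    ("2023-05-01", 4.10),
    ("2023-05-02", 3.95),
    ("2023-05-03", 4.20),
    ("2023-05-04", 4.05),
    ("2023-05-05", 3.90),
    ("2023-05-06", 4.15),
    ("2023-05-07", 4.00),
    ("2023-05-08", 4.05),
    ("2023-05-09", 96.40),
]


def evaluate_budget(daily_costs, monthly_budget, thresholds=(0.5, 0.8, 1.0), days_in_month=31):
    """Compare spend to date against a monthly budget.

    Returns (spent_to_date, forecast_for_month, crossed_thresholds), where the
    forecast is a linear projection of the current daily average and
    crossed_thresholds lists the budget fractions already reached.
    """
    spent = sum(cost for _, cost in daily_costs)
    days_elapsed = len(daily_costs)
    forecast = spent / days_elapsed * days_in_month
    crossed = [t for t in thresholds if spent >= t * monthly_budget]
    return spent, forecast, crossed


def detect_spike(daily_costs, window=7, factor=3.0):
    """Flag days whose cost exceeds `factor` times the median of the preceding `window` days.

    The median is used as the baseline so that one earlier bad day does not hide
    a later one. Returns a list of (date, cost, baseline) tuples.
    """
    alerts = []
    for i in range(window, len(daily_costs)):
        baseline = median(cost for _, cost in daily_costs[i - window:i])
        day, cost = daily_costs[i]
        if cost > factor * baseline:
            alerts.append((day, cost, baseline))
    return alerts


if __name__ == "__main__":
    # Constructed monthly budget of $150 with alerts at 50 %, 80 % and 100 %.
    spent, forecast, crossed = evaluate_budget(SAMPLE_DAILY_COSTS, 150.0)
    print(f"spent to date: {spent:.2f}, forecast: {forecast:.2f}, thresholds crossed: {crossed}")
    for day, cost, baseline in detect_spike(SAMPLE_DAILY_COSTS):
        print(f"spend spike on {day}: {cost:.2f} vs baseline {baseline:.2f}")
```

On the sample data the 50 % and 80 % thresholds are already crossed after nine days and the projected month-end spend is well over the budget, while the spike detector isolates 2023-05-09 as the day the bill jumped. A practical setup would run the threshold check against the provider's cost reports daily and feed the spike alert to the same on-call channel as availability alerts, since the response (cutting the runaway resource) is time-critical.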
