Economic Denial of Sustainability (EDoS) is a new form of security attack specifically targeting Cloud-hosted websites/domains. The main goal of an EDoS attack is to impose a significant financial burden on the victim through skillful and measured consumption of the victim's metered (pay-as-you-go) bandwidth. The most straightforward way to conduct an EDoS attack is by means of a custom-built or rented botnet capable of executing application-layer DDoS. However, the commonly known disadvantages of botnet-based EDoS/DDoS attacks are: a) high cost when the (rented) botnet needs to be used over a prolonged interval of time, and b) a high chance of bot blacklisting, which could result in significantly diminished attack potential. The goal of the work presented in this paper was to investigate the technical feasibility of using spam-email with Web-bugs to engage the browsers of legitimate users in an EDoS attack. Compared to a botnet-based EDoS, such an attack would be far more difficult for the victim to detect and thwart, while imposing minimal to no cost on the attacker. Our preliminary results, involving real-world spam-email and an actual 'victim' site set up on the Amazon S3 Cloud, show that EDoS using Web-bugs is a technically feasible attack option with a reasonably sufficient attack potential. To the best of our knowledge, this study is the first to combine the topics/concepts of EDoS, Web-bugs and spam-email, and to point to a potentially problematic interplay among them.