Last week at the security conference DEF CON 2010, two security researchers demonstrated how easy and powerful it is to use cloud computing for malicious activities.
The two rented ten virtual machines on the Amazon EC2 Infrastructure-as-a-Service (IaaS) cloud computing platform and used them to launch a denial of service (DoS) attack against a target small-to-medium business (SMB).
The striking thing is that taking down the target infrastructure for two hours cost just $6.
The two researchers highlighted that Amazon doesn’t enforce any bandwidth limitation and doesn’t check for malicious activity inside its Amazon Machine Instances (AMIs).
Of course, this is not just Amazon's fault. Any IaaS or PaaS could be used for malicious activities like this one, and it’s extremely hard to believe that any cloud provider on the market is enforcing this kind of security check at the moment.
It’s also true that a DoS or a Distributed DoS (DDoS) can be arranged even without using a public cloud. But using an IaaS or PaaS cloud makes it faster, cheaper, and more scalable: the two experts started with just three AMIs and eventually rented another seven, until the target was completely down.
Amazon also failed to return the calls and emails of the company under attack, reports DarkReading.
Considering that the company just launched a new policy for reporting vulnerabilities, maybe it’s a good time to launch a new policy for incident handling too.