back to article Not saying you should but we're told it's possible to land serverless app a '$40k/month bill using a 1,000-node botnet'

If you want to stick it to a startup that relies on serverless infrastructure, you may be able to inflict $40,000 in financial damage every month with a modest 1,000-node botnet. That estimate comes from computer-science boffins Daniel Kelly, Frank Glavin, and Enda Barrett at National University of Ireland, Galway, in their …

  1. katrinab Silver badge
    Meh

    I'm pretty sure this already happens in the advertising sector, which seems to be riddled with fraud at every level of the supply chain.

    1. Ken Hagan Gold badge

      Any time someone manages to serve an ad to me, it's money down the drain. Does that count?

    2. Anonymous Coward
      Anonymous Coward

      Yeah, from the trenches, the process for most agencies is this:

      (1) inflate all your numbers. Lie if you have to, but mostly just project and use the future tense. If you got 10,000 clicks this month and next month you intend to triple the amount of space you're giving to advertising, find a buyer for 30,000 clicks. Plus an extra 10,000 because the consumer market is growing. Plus 5,000, ummm, because.

      (2) take the buyers out and use a small portion of the money you took from them last year to supply a lot of alcohol. And maybe an ITV2 celebrity. That'll prove that your agency is big time and therefore likely to get 45,000 clicks.

      The buyers will lack sufficient experience to spot the con because they've been in post for less than a year. They replaced the last batch, who all got fired for failing to get a measurable return on the advertising budget.

      Rinse and repeat.

  2. MatthewSt

    Functions (et al) are only cheap if they're not used all the time. There's 2.6 million seconds in a month, so to run a 1cpu 1gb RAM function all month would set you back £31.50. For £29/month you can get a 2ish CPU box with 4gb RAM in Azure.

    Just depends how lumpy your workload is

    1. Anonymous Coward
      Anonymous Coward

      I've seen single CPU 1GB instances at some of the big players for even less than that. You can get those resources without any per second billing for a quarter of that price.

      If this is what they charge for serverless setups then it's a scam because you can run the same code on the same resources and expand just as easily for much, much less.

      I've got entire web farms sat behind NGINX proxy clusters with not much more than that which deal with tens of millions of requests per box a month that never cost me more than a tenner a month per box. In front of those I have various CDNs on low tier packages.

      It's surprisingly cheap to handle huge amounts of traffic these days.

      The wheels fall off when the backend is .NET / MSSQL based...shit gets pricey then as it doesn't scale as frugally as other solutions.

      If you stick the tried and tested NGINX, PHP, Mongo setup and you keep your code simple and trim the fat you'll be able to handle mountains of traffic.

      1. Anonymous Coward
        Anonymous Coward

        We've not had problems scaling with MS SQL but we did hit problems with Mongo.....

  3. Graham Cobb Silver badge

    Has this paper been peer reviewed?

    "The number of attack nodes simply linearly affects the financial damage. A botnet of 100,000 nodes will do the same damage in one month that 1,000 nodes would do in a year."

    If it is linear, a botnet of 100,000 nodes will do the same damage in 3 days that 1,000 nodes would do in a year

    This is shown as a quote, so I am posting a comment not a corrections email. If it is actually a Register transcription error my apologies to the authors.

    1. diodesign (Written by Reg staff) Silver badge

      "If it is linear"

      The paper was in error, the authors fixed their version, and let us know -- we've now corrected the quote.

      C.

      1. Claptrap314 Silver badge

        Re: "If it is linear"

        It will be linear unless there are some REALLY weird pricing models in place.

  4. Anonymous Coward
    Coat

    Sorry

    Read this as, '$40k/month bill using a 1,000 nude botnet'

  5. Howard Sway

    A more appropriate report title

    Denial of Wallet – Serverless Computing

  6. MrReynolds2U Bronze badge

    This seems entirely obvious and something a decent coder and ops team would protect against.

    I guess the reason they are publishing a paper is so those who don't fall into the above category might actually realise how obvious and expensive this mistake can be.

    1. Gene Cash Silver badge

      > something a decent coder and ops team would protect against.

      Sure, but I have a feeling 50% of businesses don't have those. I've seen LOTS of "coders" that DGAS how many CPU cycles or disk I/Os they burn. That gets expensive when you're charged for those.

    2. Claptrap314 Silver badge
      Unhappy

      I agree that it is an entirely obvious attack.

      I do NOT agree that it is easy to defend against--especially given the difficulty of monitoring spending on these platforms.

      I have read an article on this subject. The authors of that paper were arguing for some sophisticated analytics, combined with aggressive IP-level rate limiting. Yeah, sure. I'm going to bet the company on that.

      There are several layers to work this.

      First, use a no-asset LLC to contract the web services. If an outrageous bill arrives, the option of walking away is real. This protects against any number of boo-boos, not just malicious actions by outsiders.

      The next this to do is to closely monitor your costs. Even if the platform is denying you the actual numbers, you should be able to get almost minute-by-minute data by cost-modelling based on monitoring. A circuit breaker can then be applied.

      Note that this attack is actually less disruptive than a Black Swan Event. If your company gets mentioned in a prominent way, you might see a tremendous amount of legitimate traffic. You really are hoisted by your own petard, because you can be ruined by reputation if the site is not available, and ruined by costs if it is. (Very, very little of the traffic will generate profits in the first month.)

      If you can handle a BSE, a EDOS (or DOW) attack doesn't look nearly so bad. The solution is that you never go with pure serverless. I don't even know if the platforms support this, however. Unbounded cost is still a concern, but autoscaling was designed in part to handle a BSE. Again, with proper monitoring, the costs should not be a surprise.

      So, if your mixed deployment uses "serverless" functionality until your system detects that it would be cheaper to switch over to autoscaling, then I suspect that EDOS loses much of its threat. Not all, but the hyper-expensive by API call costs of "serverless" deployments at least are contained.

      But defending against (or even detecting) an EDOS attack where the individual nodes are tagging you at less than one qpm is going to be HARD. The statistical analysis that says "real transactions follow X distribution pattern" just means that the attackers will conform their attacks to the X distribution pattern. It's almost as easy to write attack code as it is to write the monitoring code. Sometimes, it will be easier--and since the analysis is statistical, there WILL be false positives.

      If (and it is a HUGE if) the attacker is actually bearing the costs of the attack, one effective defense would be to force the attacker to spend more than you do. This can be done by requiring requests effectively mine a block. The mining is expensive compared to verifying it. But doing that means that your site is likely to trigger malware warnings on the botnet, and might get you classified as a malware site. Therefore, such a response must be limited to cases where you are fairly certain that you are facing an EDOS attack....

      Defending against this is hard. Beware the inherent risks of "serverless".

  7. Bitsminer Bronze badge
    Pint

    Etymology

    I appreciate your providing the etymology of the phrase "denial of wallet".

    Although when first reading it, I thought that the phrase was very Register-esque!

  8. Alan Brown Silver badge

    insert quote about asymetric warefare here

    expending small amounts of money/effort to cause your opposition to spend LARGE amount

    We've seen unintentionall results of this kind of thing already when spammers targetted relay servers on the epsensive fringes of the net back in the 1990s. It's what caused the creation and rapid adoption of blacklists

  9. ecofeco Silver badge

    I cannot parse that headline

    "Land serverless app?"

    Some new jargon I'm not aware of?

    1. diodesign (Written by Reg staff) Silver badge

      Headline

      As in, 'land a serverless app a $40k/month bill'. Just keeping the headline snappy. Too many 'a's make it a mouthful.

      If you can't parse a headline, the good news is that the article will immediately explain it.

      C.

  10. Duncan Macdonald Silver badge

    Cloud services

    Cloud working is just the modern version of using timesharing mainframes from the early days of computing.

    For almost all sustained workloads it is cheaper to use your own kit rather than rent services from a cloud provider.

    Valid reasons for using a cloud

    1) Short term peak (under 3 months)

    2) Insufficient internet connectivity at own premises

    3) Keeping development and testing well away from production

    4) Temporary substitute for unavailable systems (eg after a fire)

    Reasons for NOT using a cloud

    1) Cost - in under 3 years (under 1 year in many cases) running the job on own hardware will be cheaper than the cloud price

    2) Legal constraints - any company in the EU that allows personal data to be on a cloud controlled by US firms is in danger of massive fines due to the EU GDPR and the US CLOUD act.

    3) Data security - if the access to the cloud application is not set correctly then massive data breaches are all too easy - this again raises the potential of nasty fines to companies that trade in the EU due to GDPR. Data breaches on own kit behind a firewall are usually due to an attack (rather than the stupidity that has left so many Amazon storage buckets with world access).

    4) Lock in to one cloud supplier. It is far too easy to embed implicit assumptions about the available facilities into applications resulting (for example) in an application that works on AWS but needs extensive rework to run on Azure.

    PLEASE before committing a job to "the cloud" price the costs of own kit vs cloud kit over the expected timeframe. Include the costs of 2,3,and 4 above in the analysis before committing to the cloud.

    1. Richocet

      Re: Cloud services

      Add to reasons for not having a cloud

      5) The cost of having people procuring the hardware

      6) Maintaining a data center, and patching the servers.

      7) The one-off costs of upgrading old hardware can be much harder to get approved than a higher steady cost of renting capacity. I've seen plenty of examples of production systems running on obsolete unsupported hardware and OS because it was never cost effective to upgrade it.

  11. TechHeadToo

    Well, that seems like a really good idea for ... each of the following to use. They'll have way plenty spare boxes to run DoW attacks on their clients. Silently, insidiously.... profitably.

    " Google Cloud Functions cost the most, followed by AWS Lambda, IBM Cloud Functions and lastly Azure Functions."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021