Oops! Amazon Web Services Customer Unleashes ‘Denial of Money’ Attack -- on Himself

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/wiredenterprise/2012/04/aws-bill-in-minutes/

By Robert McMillan
Wired Enterprise
Wired.com
April 27, 2012

When Panos Ipeirotis checked his Amazon Web Services bill last week, he 
started to sweat. It was $1,177.76 -- much more than he’d ever been 
charged before -- and it was going up another $50 to $100 with each 
passing hour. He had no idea why.

After a some investigation, he found the problem. He had accidentally 
invented a brand new type of internet attack, thanks to an idiosyncrasy 
in the online spreadsheets Google runs on its Google Docs service, and 
he had inadvertently trained this attack on himself. He calls it a 
Denial of Money attack, and he says others could be susceptible too.

As the world moves more and more information to cloud services from the 
likes of Amazon and Google, these services don’t always interact as 
effectively as they should. Amazon Web Services can save you money, but 
Ipeirotis’ tale also shows that there are cases where the cloud can 
backfire.

Ipeirotis, an information operations professor at New York University, 
had created a pretty unusual spreadsheet. As part of an experiment in 
how to use crowdsourcing to generate descriptions of images, he had 
posted thumbnails of 25,000 pictures into a Google document, and then he 
invited people to describe the images. The problem was that these 
thumbnails linked back to original images stored on Amazon’s S3 storage 
service, and apparently, Google’s servers went slightly bonkers. “Google 
just very aggressively grabbed the images from Amazon again and again 
and again,” he says.

Soon Google had sucked nearly nine terabits of bandwidth from Ipeirotis’ 
Amazon storage servers. And bandwidth like that costs money.

[...]

_______________________________________________
LayerOne Security Conference
May 26-27, Clarion Hotel, Anaheim, CA
http://www.layerone.org