
Is it the end of Amazon AWS, Google GCP, and cloud platforms?

Lately we have seen several problems with cloud services, such as those from Amazon, Google Cloud, and others.

The main problem with these services is not the services themselves, but the fact that they are on the internet, exposed to attackers who carry out coordinated attacks from all over the world simply to use up your data traffic.

We noticed this when we brought up a virtual machine: even though it hosted no relevant service, it was consuming around 49 GB of traffic, with the monthly free tier limit being just 1 GB. That is, if it weren't for the credits, a very fat bill could have arrived.


We analyzed the data traffic arriving at the VM using various packet analysis concepts, and we identified that the accesses were only traffic on ports 80 and 443. That is, thousands and thousands of requests made just to use up bandwidth and make the bill bigger, even with nothing relevant hosted, and without even an actual attempt to gain access to the machine.

Here are some details that reveal IP addresses and websites that access a VM that only has a simple "Hello World" on port 80:


It is possible to see a large number of servers that are accessing the VM only to consume bandwidth.


Using some applications to measure traffic, we saw 1.11 Gbyte of inbound data in the analyzed period, and 936 Mb of outgoing data.

These tests were done on a machine within the Google Cloud free tier, which charges for data output above 1 Gb. That is, within a few minutes of being active the instance had already reached its monthly limit; in other words, in a few minutes you will be out of the free tier, and there will be charges for these requests.


At other times we see a burst of connections being made to a server with a simple "Hello World". This must be the site with the most access in the world, right?

This data was only for a certain moment, but notice the usage graphs of this website with "Hello World" in the GCP cost reports:



There was an output of 43.95 "Gibibyte" of data from an instance that serves a simple page that should only have 15 bytes of data. This huge traffic cost R$ 23.84.

The second highest cost there was the SSD: we noticed that we had used the premium SSD in a free tier instance, and that the SSD was not covered by the free tier but billed as a paid resource. You should always use the regular disk.

Another detail is that during the period that consumed all this data, we left the IP address protected by Cloudflare. After the period of greatest data consumption, we exposed the IP directly to the internet (outside of Cloudflare) and saw that the traffic continued in the same way.

The immediate solution in this case was to shut down the instance. Of course, this is not an option for those who have hosted services, but for use only within the free tier it is not possible to keep the instance at zero cost: in just a few minutes it already uses up the free tier's maximum for the month.

It is still an attack; after all, an attack can consist of nothing more than consumption meant to cause some loss to customers. Another thing we noticed is that changing the IP address of the instance brought a significant improvement, but only with an entirely different IP address, probably from another pool.

We do not know exactly the reason for the improvement when changing the IP address, but as time passes the consumption returns. That is, it seems that the exposed addresses start to become visible on the internet, and the robots and attackers start to consume data on ports 80 and 443 just to abuse the resources for nothing.

If you want to stay inside the free tier without generating excessive consumption, for small personal projects, the ideal is to keep strict control of the IP addresses in the whitelist on your firewall, allowing only the machines that you want to have access, especially to sensitive services, and blocking any other, to avoid unexpected extra costs.
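The measurement and the whitelist idea described above can be checked against a web server's own access log. The following is an added example, not code from the original post: it sums response bytes per client from Apache-style log lines, splits them by membership in an IP allowlist, and projects how long the 1 GB free tier limit mentioned in the post would last at the observed rate. The log lines, addresses, allowlist and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log: client IP, timestamp, request, status, body bytes.
# Body bytes exclude headers and TLS overhead, so billed egress will be higher.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) (\d+|-)')

# Constructed sample lines (documentation address ranges), not data from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 15
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 15
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196
192.0.2.44 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 15
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "HEAD / HTTP/1.1" 200 -
this line is malformed and must be skipped
"""

ALLOWLIST = ["203.0.113.0/24"]  # assumed: the only networks that should reach the VM


def account_egress(log_text, allowlist):
    """Sum response-body bytes per client and split them by allowlist membership."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    per_ip, allowed, blocked = Counter(), 0, 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is a hostname or garbage
        size = 0 if m.group(3) == "-" else int(m.group(3))
        per_ip[str(ip)] += size
        if any(ip in n for n in nets):
            allowed += size
        else:
            blocked += size  # egress a firewall allowlist would have prevented
    return per_ip, allowed, blocked


def seconds_until_limit(bytes_sent, window_seconds, limit_bytes=10**9):
    """Time to exhaust limit_bytes at the observed rate; None if nothing was sent."""
    if bytes_sent <= 0:
        return None
    return limit_bytes * window_seconds / bytes_sent
```

The `blocked` total is the share of egress that would not have been billed had the firewall admitted only the allowlisted networks.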

Google Cloud does not have an unlimited data traffic plan even in its paid plans. That is, a major DDoS attack on port 80 alone can, in addition to taking your site down, generate a fat bill per minute.

And these attacks appear to come from Amazon or Google Cloud itself, from instances of other customers. Since they are in the same datacenter, there is a low latency advantage to quickly consume data from other instances, and make your bill explode.

Remember that all these analyses were made with new instances, containing only a simple "Hello World", with a firewall policy opening ports 80 and 443. We also opened additional ports for FTP and other "common" services, as well as for a MySQL database.

As soon as the ports were exposed on the internet, although the large volume of data was on the HTTP ports, there was also traffic on the other ports, perhaps coming from some robot trying to access other resources.

Another possible workaround is to add some mandatory delay to the homepage that answers on port 80, thus reducing the number of calls.

Another detail is that we left Apache with the keep-alive function enabled to reduce the response time between calls. In this case, it may also have been a useful feature for attackers, who could take advantage of the connection on port 80 remaining open to keep injecting data just to consume traffic for nothing.

Recently we have seen that Amazon also suffers from attacks, which may be similar to the ones found here, and whose only apparent intention is to use up traffic and make customers' bills more expensive.

As long as there is no "free" traffic plan, Amazon and Google may lose customers to proprietary solutions, or even to companies that are able to not charge the customer when there is an unexpectedly large data output.
