Could Zombie Toasters DDoS My Serverless Deployment?

Never mind the hype about serverless. Never mind about whether the word “serverless” is even the right word. We need to start thinking about whether AWS Lambda and similar services are potentially opening up a way for the malicious to hit companies where it hurts the most: the bank balance.
Hosting Costs Under Attack
If your business is the target of a distributed denial of service (DDoS) attack, your service very likely grinds to a halt under the weight of too many requests. Let’s suppose you’re using virtual machines on a cloud service like AWS or Azure, and you have autoscaling set up, so you’ll get new machine instances created automatically because the current ones are over-worked.
You quite possibly have a maximum number of autoscaling instances set up, and that will give an upper bound to the costs: the maximum number of instances x the cost per hour of those instances x the time it takes for you to realize you’re under attack.
Many people have notifications set up for scaling events, so you might know very soon that new machines are being added. If that number of new machines looks unusual, your team have the opportunity to spot the attack pretty fast. The hourly price to rent a typical machine is just a few cents, so although there may be many costs to your business if you suffer a DDoS attack, it’s unlikely that the additional spend on hosting is going to figure as anything but a footnote.
But What if You’re Using Serverless?
With serverless, there is essentially no limit on the number of requests you could be handling — the service scales up automatically and almost instantaneously for every concurrent request. This is great if your product suddenly becomes successful, as you don’t really need to plan for additional scale; it is all handled for you automatically without even the need to think about an autoscaling set-up.
But what if your service isn’t suddenly rising up the popularity charts, and is simply the victim of a coordinated attack by a botnet? You’re being charged by the function call. Could the unlimited cost of all those function calls take you out of business? Let’s look at the possible costs.
Although other serverless providers exist, we’ll use AWS Lambda pricing for our examples. Lambda pricing is based on the number of requests, and the amount of compute resources. AWS system architect firm Trek10 put together this handy guide to whether serverless or virtual machines will be cheaper for your workload. The conclusion arrived at is that for most businesses of modest scale, you’re better off with serverless, although it does matter considerably how intensive your calculations are. These are forecasts anticipating a “normal” level of traffic.
Let’s look at how the costs could rise if you’re under attack.
The Scale of Attack
What is the scale of a denial-of-service attack? Although initially reported to consist of “tens of millions” of IP addresses, the Mirai botnet that attacked Dyn last October is now estimated to have involved around 100,000 endpoints. Let’s suppose they are recruited to attack your Lambda service at a rate of 1 request per second, each, so we might see 100,000 * 3,600 = 360 million requests per hour.
The first part of AWS Lambda pricing is $0.20 per million requests, so that’s $72 per hour to handle 360 million requests. Then there is the charge for GB-seconds of compute time. Let’s suppose the function uses 1 GB and takes 200ms. AWS charges you $0.00001667 for every GB-second used, so this is $1200. Our total cost to handle an hour of attack is under $1300. That’s unlikely to put many startups out of business.
At one request per second, those bots aren’t working very hard. Suppose each bot hits your service as hard as it can, by sending another request as soon as it has received the previous response. If we ignore network latency and any processing time at the client, we could suppose that the worst-case scenario is that each bot is causing your Lambda function to run 100 percent of the time.
Just looking at the compute time costs, 100,000 bots all constantly hammering that function will cost $1.667 per second, or $6,000 per hour, so we’re within the same order of magnitude. Depending on how well-funded your startup is, at this level, you might be thinking about the importance of getting alerts to wake someone up in the middle of the night to make sure an attack like this doesn’t go unaddressed for too long.
When Toasters Attack
We all know that another highly fashionable area of technology, the Internet of Things, is massively increasing the scale of internet-connected devices. It’s estimated there are already half a million IoT devices with weak security.
That’s five times as many devices as took part in the Mirai / Dyn attack. But even if they are all recruited to attack your service at once, we’re still looking at serverless costs of around 5 x $6,000 = $30,000 per hour. That’s a big irritation, and if your startup is operating at the edge of its finances it could be enough to put you out of business, but we are talking about a highly unlikely combination of events.
But not everyone’s toaster is internet-enabled yet, and the number of attached devices is growing fast. Let’s go with Cisco’s estimate of 50 billion machines, and assume a doomsday scenario where they are all taken over by a malicious botnet, intent on attacking your company. That’s 100,000 times more attack power, and even at the 1 request per second rate, it could be costing $100 million per hour. That would certainly make a dent!
Of course, it’s highly, highly unlikely that all the internet devices in the world would be vulnerable to the same takeover. And if your service suffers a denial of service attack, the thing you really need to be concerned about is the fact that your real users can’t use your product properly.
Mitigating the Disaster
Also mitigating against the disaster scenario are the limits that Amazon has thought to put in place. By default, a Lambda function is limited to 100 concurrent executions as a safety measure to prevent runaway functions. You can increase the limit, and may well want to do so as your service becomes popular, but this does act as a cap on your spending. (I suppose when I said above that you don’t need to plan for autoscaling in a serverless environment, that neglects the thinking you’ll want to do about what a reasonable number of concurrent executions is for your service.)
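The hourly sums from the attack scenarios, with and without the concurrency limit, worked through as an added example (not part of the original article). It uses the article's prices and its 1 GB / 200 ms function, and assumes that throttled invocations are not billed by Lambda; charges from anything in front of the function, such as an API gateway or data transfer, are not modelled.

```python
PRICE_PER_MILLION_REQUESTS = 0.20   # USD, from the article
PRICE_PER_GB_SECOND = 0.00001667    # USD, from the article
SECONDS_PER_HOUR = 3600


def hourly_cost(bots, req_per_bot_per_sec=None, memory_gb=1.0,
                duration_s=0.2, concurrency_limit=None):
    """Return (requests_served, usd) for one hour of attack.

    req_per_bot_per_sec=None models the article's worst case: each bot
    sends its next request as soon as the previous response arrives, so
    it keeps one execution busy 100 percent of the time.
    Assumption: throttled invocations are not billed by Lambda.
    """
    if req_per_bot_per_sec is None:
        req_per_bot_per_sec = 1.0 / duration_s
    offered_rps = bots * req_per_bot_per_sec
    # Little's law: executions in flight = arrival rate x duration.
    concurrency = offered_rps * duration_s
    if concurrency_limit is not None and concurrency > concurrency_limit:
        # The limit bounds in-flight executions, hence the served rate.
        offered_rps = concurrency_limit / duration_s
    requests = offered_rps * SECONDS_PER_HOUR
    request_usd = requests / 1_000_000 * PRICE_PER_MILLION_REQUESTS
    compute_usd = requests * duration_s * memory_gb * PRICE_PER_GB_SECOND
    return requests, round(request_usd + compute_usd, 2)


def scenarios():
    """The article's cases, uncapped and with the default limit of 100."""
    cases = {
        "mirai_1rps": dict(bots=100_000, req_per_bot_per_sec=1),
        "mirai_saturating": dict(bots=100_000),
        "weak_iot_saturating": dict(bots=500_000),
    }
    out = {}
    for name, kw in cases.items():
        out[name] = {
            "uncapped_usd": hourly_cost(**kw)[1],
            "capped_usd": hourly_cost(concurrency_limit=100, **kw)[1],
        }
    return out


if __name__ == "__main__":
    for name, row in scenarios().items():
        print(f"{name:22s} uncapped ${row['uncapped_usd']:>12,.2f}/h"
              f"  capped ${row['capped_usd']:,.2f}/h")
```

The uncapped totals include the per-request charge, so the saturating case comes out slightly above the compute-only $6,000 figure. With the limit at 100, every scenario collapses to the same hourly ceiling, because the limit, not the size of the botnet, determines how many executions are billed.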
AWS offers additional services, such as the WAF (Web Application Firewall) to help protect your deployment from attack. It also offers lots of good advice on best practices — albeit they are currently more focused on EC2 than Lambda-style deployments.
Conclusion — the costs of a zombie attack won’t show up on your hosting bill
If you’re a startup founder, there are plenty of things that might cause you sleepless nights. But worrying about the hosting costs you might incur if a horde of zombie toasters decide to attack your service doesn’t need to be one of them.
Feature image: Zombie Walk by Carlos Adampol Galindo, Attribution-ShareAlike 2.0 Generic license.