Full Report
Over at [Rational Survivability], beaker has coined the term EDoS to describe how “the utility and agility of the cloud computing models such as Amazon AWS (EC2/S3) and the pricing models that go along with them can actually pose a very nasty risk to those who use the cloud to provide service”. Of course, this has kicked off a flurry of responses, from “How is this different to soaking up the bandwidth of people who pay per gig” to “OMG! that's the new thing.. Cloud Computing is bad”.
Analysis Summary
# Economic Denial of Sustainability (EDoS) Threat Summary
## Main Topic
The core threat intelligence narrative centers on the concept of **Economic Denial of Sustainability (EDoS)**, a term coined to describe how the **utility and flexible pricing models of cloud computing services (e.g., Amazon AWS EC2/S3)** can be exploited by attackers to impose severe, unsustainable financial costs on the service consumer, making the service too expensive to keep running.
## Key Points
- EDoS leverages the pay-as-you-go nature of cloud infrastructure pricing to create significant financial risk for cloud service users.
- The concept is differentiated from traditional Denial of Service (DoS) because distinguishing malicious traffic from legitimate application requests can be exceptionally difficult for the defender.
- The attacker's goal is to drive up the victim's operational costs rapidly by triggering scaling or resource consumption based on usage metrics.
- The narrative acknowledges some skepticism, questioning if this is just an advanced form of bandwidth/resource soaking against metered billing systems.
## Threat Actors
- No specific named threat actors or groups were identified in relation to the definition or exploration of the EDoS concept.
- The threat is posed by a "smart enough attacker" capable of crafting requests that maximize resource consumption under the cloud pricing structure.
## TTPs
- **Resource Exhaustion via Usage Models:** Utilizing the agility and utility of cloud computing models (like AWS EC2/S3) to initiate actions that result in high consumption billing.
- **Traffic Differentiation Difficulty:** Employing techniques that make it hard for the defender to filter out invalid (malicious) requests from valid application traffic, making traditional rate-limiting or black-holing less effective. (No specific MITRE ATT&CK IDs were cited.)
## Affected Systems
- **Cloud Computing Platforms:** Specifically mentions Amazon AWS (EC2/S3).
- **Victim Profile:** Entities relying on cloud computing models to provide services, whose financial sustainability is tied directly to usage-based billing.
## Mitigations
- The article highlights the difficulty of mitigation, specifically noting the challenge in **differentiating valid application requests from invalid/malicious requests**.
- Traditional methods like **black-holing** are suggested to be less effective against this type of attack.
- The author implies ongoing internal research into defenses rather than providing concrete, established mitigations at the time of publication.
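
Because individual requests are hard to classify, metered spend is one signal a defender can still watch. The following is an added example, not from the original article: it prices hourly usage and flags hours whose cost departs from the recent baseline. The unit prices, usage records, thresholds and function names are all constructed assumptions, not real AWS rates or data.

```python
from statistics import median

# Constructed unit prices (assumptions, NOT real provider rates).
PRICE = {"instance_hour": 0.10, "gb_out": 0.09, "per_10k_requests": 0.004}

# Constructed hourly usage: (hour, instance_hours, gb_out, requests).
# Hours 4-5 model autoscaling and egress growth under cost-driving load.
USAGE = [
    (0, 2, 5.0, 40_000),
    (1, 2, 5.5, 42_000),
    (2, 2, 4.8, 39_000),
    (3, 2, 5.2, 41_000),
    (4, 6, 60.0, 900_000),
    (5, 12, 140.0, 2_100_000),
]

def hourly_cost(instance_hours, gb_out, requests):
    """Convert one hour of metered usage into a billed amount."""
    return (instance_hours * PRICE["instance_hour"]
            + gb_out * PRICE["gb_out"]
            + requests / 10_000 * PRICE["per_10k_requests"])

def flag_cost_anomalies(usage, window=3, factor=3.0, hard_cap=None):
    """Return [(hour, cost, reason)] for hours that breach the hard cap or
    exceed factor x the median cost of the last `window` normal hours."""
    baseline, alerts = [], []
    for hour, inst, gb, req in usage:
        cost = round(hourly_cost(inst, gb, req), 4)
        reason = None
        if hard_cap is not None and cost > hard_cap:
            reason = "hard_cap"
        elif len(baseline) >= window and cost > factor * median(baseline[-window:]):
            reason = "baseline"
        if reason:
            alerts.append((hour, cost, reason))
        else:
            baseline.append(cost)  # flagged hours never shift the baseline
    return alerts

def projected_monthly(cost_per_hour):
    """Spend if the given hourly rate were sustained for 30 days."""
    return round(cost_per_hour * 24 * 30, 2)

if __name__ == "__main__":
    for hour, cost, reason in flag_cost_anomalies(USAGE, hard_cap=10.0):
        print(hour, cost, reason, projected_monthly(cost))
```

Flagged hours are kept out of the baseline so that a sustained cost ramp cannot gradually normalise itself.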
## Conclusion
EDoS represents a financial layer of denial of service targeting cloud consumers by weaponizing metered pricing. While the concept has drawn skepticism regarding its novelty, its core danger lies in the high difficulty defenders face in granularly distinguishing malicious cost-driving behavior from legitimate application load, thus circumventing easier denial mechanisms. Further defense exploration is warranted based on the perceived "coolness" (novelty/potential impact) of this vector.