Title :
Web bugs in the cloud: Feasibility study of a new form of EDoS attack
Author :
Vlajic, Natalia ; Slopek, Armin
Author_Institution :
Dept. of Electr. Eng. & Comput. Sci., York Univ., Toronto, ON, Canada
Abstract :
Economic Denial of Sustainability (EDoS) is a new form of security attack specifically targeting Cloud-hosted websites/domains. The main goal of an EDoS attack is to impose a significant financial burden on the victim through skillful and measured consumption of the victim's metered (pay-as-you-go) bandwidth. The most straightforward way to conduct an EDoS attack is by means of a custom-built or a rented botnet capable of executing application-layer DDoS. However, the commonly known disadvantages of botnet-based EDoS/DDoS attacks are: a) high cost in cases when the (rented) botnet needs to be used over a prolonged interval of time, b) high chance of bot-blacklisting that could result in a significantly diminished attack potential. The goal of our work presented in this paper was to investigate the technical feasibility of using spam-email with Web-bugs in order to engage the browsers of legitimate users in an EDoS attack. Compared to a botnet-based EDoS, such an attack would be far more difficult to detect and thwart for the victim, while imposing minimal to no cost to the attacker. Our preliminary results, involving real-world spam-email and an actual 'victim' site set up on Amazon S3 Cloud, show that EDoS using Web-bugs is a technically feasible attack option with a reasonably sufficient attack potential. To the best of our knowledge, this study is the first one to combine the topics/concepts of EDoS, Web-bugs and spam-email, and point to a potentially problematic interplay among them.
Keywords :
Web sites; security of data; Amazon S3 cloud; EDoS attack; Web-bugs; application-layer DDoS attack; bot-blacklisting; botnet-based EDoS-DDoS attacks; cloud-hosted Websites; economic denial of sustainability; real-world spam-email; security attack; Bandwidth; Browsers; Cloud computing; Computer crime; Conferences; Electronic mail; Servers; Cloud; EDoS attack; Pricing Model; Web Bugs;
Conference_Title :
Globecom Workshops (GC Wkshps), 2014
DOI :
10.1109/GLOCOMW.2014.7063387