Security and Cloud Computing
Tuesday, December 16, 2008 by Brian Wolff
In a recent post on Cloudave, there was an interesting discussion of a different type of security risk to a Cloud Computing environment. The author discussed the challenge of someone "spamming" a site and creating artificial demand, which in turn drives up costs uncontrollably.
 
Today, if someone is not using a Cloud Computing solution and they come under a DOS or DDOS attack, their application will generally crash under the load. For most mainstream e-commerce or SaaS applications, the cost of downtime is significantly greater than any fees that might be imposed upon you by an insensitive provider.

That being said, even with a cloud, a DOS/DDOS attack will still crash the application; it will just take longer. Cloud providers cannot themselves take the risk of giving every individual application full, unrestricted access to their excess capacity, so every application is put into a resource box. The box is typically much larger than what the application would normally need, with some allowance for burst, but it isn't large enough to allow one application to cause harm to its neighbors or, much worse, take the entire cloud itself offline.

Here are some graphs that I mocked up quickly to illustrate the point.

[Graph 1] Traditional web-facing application, no cloudburst capability, crashes at ~800 concurrent user sessions under a DDOS attack in about 15 minutes.

[Graph 2] Cloud-hosted web application with about 350% burst capability, crashes at ~3000 concurrent user sessions under a DDOS attack in about 20 minutes.


 





So your fees for that time period might reflect a lot of excess capacity within your resource box for a few minutes prior to the crash, but they're hardly a financial tornado, especially if you have an understanding cloud provider. Network providers have had this model in use for over a decade on their burstable product lines, and it works very well to provide capacity on demand without creating a large financial exposure risk.
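To make the bounded-exposure argument concrete, here is a small model added for illustration; it is not from the original post or from any provider. It assumes a linearly ramping flood, billing per session-minute above an 800-session baseline, a 3000-session resource box, and a constructed price.

```python
# Added illustration: all numbers below are constructed, not provider data.
BASELINE = 800        # sessions covered by the normal plan (assumed)
BURST_CAP = 3000      # ceiling of the resource box, roughly 350% burst


def simulate(ramp_per_min, duration_min, burst_cap=BURST_CAP, baseline=BASELINE):
    """Return (crash_minute, billed_overage) for a linearly ramping flood.

    billed_overage is in session-minutes above baseline. burst_cap=None
    models the uncapped case, where capacity follows demand indefinitely.
    """
    overage = 0
    for minute in range(1, duration_min + 1):
        demand = ramp_per_min * minute
        if burst_cap is not None and demand >= burst_cap:
            return minute, overage   # box is full: app fails, billing stops
        overage += max(0, demand - baseline)
    return None, overage


def cost(overage, rate_per_session_min=0.001):
    """Convert session-minutes to money at a constructed (assumed) rate."""
    return round(overage * rate_per_session_min, 2)


if __name__ == "__main__":
    for label, args in [
        ("capped, 150 sessions/min", (150, 60)),
        ("capped, 300 sessions/min", (300, 60)),
        ("uncapped, 150 sessions/min", (150, 60, None)),
    ]:
        crash, overage = simulate(*args)
        print(f"{label}: crash at minute {crash}, "
              f"overage {overage} session-min, cost {cost(overage)}")
```

In this model a faster flood fills the box sooner and therefore bills less overage, while the uncapped case keeps accruing for as long as the flood lasts.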

For more information, check out Pat's article "IaaS, threat or a weapon".



