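% Conference paper (IEEE INFOCOM 2024) describing the "Tandem Attack": DoS and
% EDoS effects that arise when microservices with separate auto-scaling
% mechanisms process traffic in tandem. Defensive takeaway stated in the
% abstract: independent scaling of loosely coupled components may need
% end-to-end controls.
% Field conventions: doi holds the bare DOI (no resolver prefix); authors use
% the "Last, First" form; language and address are given in English so the
% entry stays ASCII-safe for classic BibTeX.
@inproceedings{f2502975ecb14bd99832a84a8ea03b2c,
  author    = {Bremler-Barr, Anat and Czeizler, Michael and Levy, Hanoch and Tavori, Jhonatan},
  title     = {Exploiting Miscoordination of Microservices in Tandem for Effective {DDoS} Attacks},
  booktitle = {IEEE INFOCOM 2024 - IEEE Conference on Computer Communications},
  series    = {Proceedings - IEEE INFOCOM},
  pages     = {231--240},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  address   = {United States},
  year      = {2024},
  doi       = {10.1109/INFOCOM52122.2024.10621335},
  language  = {English},
  keywords  = {Auto-scaling, Cloud security, Denial of service (DDoS) attacks, Economic Denial of Sustainability, Microservices architecture},
  abstract  = {Today's software development landscape has witnessed a shift towards microservices based architectures. Using this approach, large software systems are implemented by combining loosely-coupled services, each responsible for specific task and defined with separate scaling properties. Auto-scaling is a primary capability of cloud computing which allows systems to adapt to fluctuating traffic loads by dynamically increasing (scale-up) and decreasing (scale-down) the number of resources used. We observe that when microservices which utilize separate auto-scaling mechanisms operate in tandem to process traffic, they may perform ineffectively, especially under overload conditions, due to DDoS attacks. This can result in throttling (Denial of service - DoS) and over-provisioning of resources (Economic Denial of Sustainability - EDoS). This paper demonstrates how an attacker can exploit the tandem behavior of microservices with different auto-scaling mechanisms to create an attack we denote as the Tandem Attack. We demonstrate the attack on a typical Serverless architecture and analyze its economical and performance damages. One intriguing finding is that some attacks may make a cloud customer paying for service denied requests. We conclude that independent scaling of loosely coupled components might form an inherent difficulty and end-to-end controls might be needed.},
  note      = {Publisher Copyright: {\textcopyright} 2024 IEEE.; 2024 IEEE Conference on Computer Communications, INFOCOM 2024 ; Conference date: 20-05-2024 Through 23-05-2024},
}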