Amazon Spot Pricing Black Hat Style: Manipulating the Market Through DoS

Amazon just announced "Spot Pricing" for their EC2 instances:

"Spot Instances are a new way to purchase and consume Amazon EC2 Instances. They allow customers to bid on unused Amazon EC2 capacity and run those instances for as long as their bid exceeds the current Spot Price. The Spot Price changes periodically based on supply and demand, and customers whose bids meet or exceed it gain access to the available Spot Instances. Spot Instances are complementary to On-Demand Instances and Reserved Instances, providing another option for obtaining compute capacity.

For customers with flexibility in when their applications can run, Spot Instances can significantly lower their Amazon EC2 costs. Additionally, Spot Instances can provide access to large amounts of additional capacity for applications with urgent needs. Just a few examples of categories of applications well-suited to Spot Instances are:

* Image and video processing, conversion and rendering
* Scientific research data processing
* Financial modeling and analysis"

This is innovative and in a world of "fair play" is a smart move by Amazon. But lets consider this from a Black Hat hacker perspective for a moment:

Black Hats have all kinds of reasons for needing massive compute power. The obvious one is password cracking and that can take an awful lot of CPU power...

But bad guys feel the credit crunch too and don't like to pay list price even when its not their money (think stolen credit cards). Spot prices for EC2 instances are discounts on regular EC2 pricing for all. The downside is, you have to wait until the spot price is equal to, or lower than your maximum bid. Some people won't wait for "the market" - they want their goodies faster. Since the market is nothing more than current utilization level of EC2, the spot price goes down when EC2 is less utilized. As a Black Hat, you might want to influence that to drive the spot price down. Suddenly all those DoS attacks that you could only use to either cripple your online enemies or bribe gambling sites and the like, have a new use case - crashing existing customers EC2 instances to artificially decrease demand for EC2 instances and thus lower the spot price.


The counterargument is that Black Hats won't bother going to all this effort - they don't need to. They already have access to enough disposable credit lines and/or vulnerable machines that they just won't bother. It's hard to disagree today. In Amazon PR terms, this is more a 'theoretical' attack - for now.

Regardless, the downside is that the introduction of an innovative pricing model today by Amazon, leaves existing EC2 customers more exposed to DoS attack than they were before.


Amazon note in their updated AWS Customer Agreement:

"You may not, directly, indirectly, alone or in cooperation with any third party, attempt to control, influence or manipulate the price for Spot Instances. Without limiting the foregoing, you may not submit requests for Spot Instances through any third party (e.g., “proxy bidding”) or share information with any third party regarding the maximum prices specified in your Spot Instance Requests".

Written on December 14, 2009 by Craig Balding
Stay up to date! Subscribe by RSS or email